apparmor

author: netblue30 <netblue30@yahoo.com> 2016-08-02 13:09:23 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-08-02 13:09:23 -0400
commit: 48dd1fbece66d6e13a099da24e651d57c3491028 (patch)
tree: b1a4f2ab1a407a8226b5fc93850a924f2c0d55be
parent: apparmor (diff)
download: firejail-48dd1fbece66d6e13a099da24e651d57c3491028.tar.gz
firejail-48dd1fbece66d6e13a099da24e651d57c3491028.tar.zst
firejail-48dd1fbece66d6e13a099da24e651d57c3491028.zip
9 files changed, 156 insertions, 30 deletions
diff --git a/RELNOTES b/RELNOTES
index 3bdd21caa..ca3683838 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -3,6 +3,7 @@ firejail (0.9.42~rc2) baseline; urgency=low
  * --read-write option rework
  * allow symlinks in home directory for --whitelist option
  * AppImage support (--appimage)
+  * AppArmor support (--apparmor)
  * Sandbox auditing support (--audit)
  * remove environment variable (--rmenv)
  * noexec support (--noexec)
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 7de491f5f..12921e294 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -239,3 +239,84 @@ errout:
        exit(1);
 }
+void print_compiletime_support(void) {
+        printf("Compile time support:\n");
+        printf("\t- AppArmor support is %s\n",
+#ifdef HAVE_APPARMOR
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- bind support is %s\n",
+#ifdef HAVE_BIND
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- chroot support is %s\n",
+#ifdef HAVE_CHROOT
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- file and directory whitelisting support is %s\n",
+#ifdef HAVE_WHITELIST
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- file transfer support is %s\n",
+#ifdef HAVE_FILE_TRANSFER
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- networking support is %s\n",
+#ifdef HAVE_NETWORK
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+#ifdef HAVE_NETWORK_RESTRICTED
+        printf("\t- networking features are available only to root user\n");
+#endif
+        printf("\t- seccomp-bpf support is %s\n",
+#ifdef HAVE_SECCOMP
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- user namespace support is %s\n",
+#ifdef HAVE_USERNS
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+        printf("\t- X11 snadboxing support is %s\n",
+#ifdef HAVE_X11
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+}
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 1546dc403..821a8e003 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -263,6 +263,7 @@ extern int arg_writable_var;	// writable var
 extern int arg_appimage;        // appimage
 extern int arg_audit;           // audit
 extern char *arg_audit_prog;    // audit
+extern int arg_apparmor;        // apparmor
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
@@ -584,6 +585,7 @@ extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 extern char *netfilter_default;
 int checkcfg(int val);
+void print_compiletime_support(void);
 // appimage.c
 void appimage_set(const char *appimage_path);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 8bb438ba4..b6fd745a2 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -102,6 +102,7 @@ int arg_writable_var = 0;			// writable var
 int arg_appimage = 0;                           // appimage
 int arg_audit = 0;                              // audit
 char *arg_audit_prog;                           // audit
+int arg_apparmor;                               // apparmor
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -241,6 +242,7 @@ void check_user_namespace(void) {
 }
 #endif
 // exit commands
 static void run_cmd_and_exit(int i, int argc, char **argv) {
        EUID_ASSERT();
@@ -255,33 +257,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        }
        else if (strcmp(argv[i], "--version") == 0) {
                printf("firejail version %s\n", VERSION);
-#ifndef HAVE_NETWORK
+                printf("\n");
-                printf("Networking support is disabled.\n");
+                print_compiletime_support();
-#endif
+                printf("\n");
-#ifdef HAVE_NETWORK_RESTRICTED
-                printf("Networking support is allowed only to root user.\n");
-#endif
-#ifndef HAVE_USERNS
-                printf("User namespace support is disabled.\n");
-#endif
-#ifndef HAVE_SECCOMP
-                printf("Seccomp-bpf support is disabled.\n");
-#endif
-#ifndef HAVE_BIND
-                printf("Bind support is disabled.\n");
-#endif
-#ifndef HAVE_CHROOT
-                printf("Chroot support is disabled.\n");
-#endif
-#ifndef HAVE_X11
-                printf("X11 support is disabled.\n");
-#endif
-#ifndef HAVE_FILE_TRANSFER
-                printf("File transfer support is disabled.\n");
-#endif
-#ifndef HAVE_WHITELIST
-                printf("whitelisting support is disabled.\n");
-#endif
                exit(0);
        }
 #ifdef HAVE_X11
@@ -905,6 +883,10 @@ int main(int argc, char **argv) {
                //*************************************
                // filtering
                //*************************************
+#ifdef HAVE_APPARMOR
+                else if (strcmp(argv[i], "--apparmor") == 0)
+                        arg_apparmor = 1;
+#endif  
 #ifdef HAVE_SECCOMP
                else if (strncmp(argv[i], "--protocol=", 11) == 0) {
                        if (checkcfg(CFG_SECCOMP)) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 8c2970639..15cc1e55a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -446,6 +446,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
+        if (strcmp(ptr, "apparmor") == 0) {
+#ifdef HAVE_APPARMOR            
+                arg_apparmor = 1;
+#endif
+                return 0;
+        }
        if (strncmp(ptr, "protocol ", 9) == 0) {
 #ifdef HAVE_SECCOMP
                if (checkcfg(CFG_SECCOMP))
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 1502a0312..9bf2a0a39 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -804,9 +804,17 @@ int sandbox(void* sandbox_arg) {
        if (app_pid == 0) {
 #ifdef HAVE_APPARMOR
-                errno = 0;
+                if (arg_apparmor) {
-                if (aa_change_onexec("firejail-default")) 
+                        errno = 0;
-                        fprintf(stderr, "Warning: apparmor profile not loaded, errno %d\n", errno);
+                        if (aa_change_onexec("firejail-default")) {
+                                fprintf(stderr, "Error: cannot confine the application using AppArmor.\n");
+                                fprintf(stderr, "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n");
+                                fprintf(stderr, "As root, run \"aa-enforce firejail-default\" to load it.\n");
+                                exit(1);
+                        }
+                        else if (arg_debug)
+                                printf("AppArmor enabled\n");
+                }
 #endif          
                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
                start_application();    // start app
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index f7a93174f..958a16da7 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -34,6 +34,7 @@ void usage(void) {
        printf("\n");
        printf("Options:\n\n");
        printf("    -- - signal the end of options and disables further option processing.\n\n");
+        printf("    --apparmor - enable AppArmor confinement\n\n");
        printf("    --appimage - sandbox an AppImage application\n\n");
        printf("    --audit - audit the sandbox, see Audit section for more details\n\n");
        printf("    --audit=test-program - audit the sandbox, see Audit section for more details\n\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index b6908dd00..637519902 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -211,6 +211,9 @@ Mount /var directory read-write.
 The following security filters are currently implemented:
 .TP
+\fBapparmor
+Enable AppArmor confinement.
+.TP
 \fBcaps
 Enable default Linux capabilities filter.
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d34cfdb20..9e6916534 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -75,6 +75,9 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-apparmor
+Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below.
+.TP
 \fB\-\-appimage
 Sandbox an AppImage (http://appimage.org/) application.
 .br
@@ -1672,6 +1675,44 @@ $ firejail --tree
      1221:netblue:/usr/lib/firefox/firefox
 .RE
+.SH APPARMOR
+.TP
+AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it:
+.br
+.br
+$ ./configure --prefix=/usr --enable-apparmor
+.TP
+During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:
+.br
+.br
+# aa-enforce firejail-default
+.TP
+The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:
+.br
+.br
+- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running
+commands such as "top" and "ps aux".
+.br
+.br
+- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running
+programs and scripts from user home or other directories writable by the user is not allowed.
+.br
+.br
+- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.
+You should have no problems running Chromium or Firefox.
+.TP
+To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:
+.br
+.br
+$ firejail --apparmor firefox
 .SH FILE TRANSFER
 These features allow the user to inspect the filesystem container of an existing sandbox
 and transfer files from the container to the host filesystem.
author	netblue30 <netblue30@yahoo.com>	2016-08-02 13:09:23 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-08-02 13:09:23 -0400
commit	48dd1fbece66d6e13a099da24e651d57c3491028 (patch)
tree	b1a4f2ab1a407a8226b5fc93850a924f2c0d55be
parent	apparmor (diff)
download	firejail-48dd1fbece66d6e13a099da24e651d57c3491028.tar.gz firejail-48dd1fbece66d6e13a099da24e651d57c3491028.tar.zst firejail-48dd1fbece66d6e13a099da24e651d57c3491028.zip

diff --git a/RELNOTES b/RELNOTES index 3bdd21caa..ca3683838 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -3,6 +3,7 @@ firejail (0.9.42~rc2) baseline; urgency=low
3	* --read-write option rework	3	* --read-write option rework
4	* allow symlinks in home directory for --whitelist option	4	* allow symlinks in home directory for --whitelist option
5	* AppImage support (--appimage)	5	* AppImage support (--appimage)
		6	* AppArmor support (--apparmor)
6	* Sandbox auditing support (--audit)	7	* Sandbox auditing support (--audit)
7	* remove environment variable (--rmenv)	8	* remove environment variable (--rmenv)
8	* noexec support (--noexec)	9	* noexec support (--noexec)


diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 7de491f5f..12921e294 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c
@@ -239,3 +239,84 @@ errout:
239	exit(1);	239	exit(1);
240	}	240	}
241		241
		242
		243	void print_compiletime_support(void) {
		244	printf("Compile time support:\n");
		245	printf("\t- AppArmor support is %s\n",
		246	#ifdef HAVE_APPARMOR
		247	"enabled"
		248	#else
		249	"disabled"
		250	#endif
		251	);
		252
		253
		254	printf("\t- bind support is %s\n",
		255	#ifdef HAVE_BIND
		256	"enabled"
		257	#else
		258	"disabled"
		259	#endif
		260	);
		261
		262	printf("\t- chroot support is %s\n",
		263	#ifdef HAVE_CHROOT
		264	"enabled"
		265	#else
		266	"disabled"
		267	#endif
		268	);
		269
		270	printf("\t- file and directory whitelisting support is %s\n",
		271	#ifdef HAVE_WHITELIST
		272	"enabled"
		273	#else
		274	"disabled"
		275	#endif
		276	);
		277
		278	printf("\t- file transfer support is %s\n",
		279	#ifdef HAVE_FILE_TRANSFER
		280	"enabled"
		281	#else
		282	"disabled"
		283	#endif
		284	);
		285
		286	printf("\t- networking support is %s\n",
		287	#ifdef HAVE_NETWORK
		288	"enabled"
		289	#else
		290	"disabled"
		291	#endif
		292	);
		293
		294
		295	#ifdef HAVE_NETWORK_RESTRICTED
		296	printf("\t- networking features are available only to root user\n");
		297	#endif
		298
		299	printf("\t- seccomp-bpf support is %s\n",
		300	#ifdef HAVE_SECCOMP
		301	"enabled"
		302	#else
		303	"disabled"
		304	#endif
		305	);
		306
		307	printf("\t- user namespace support is %s\n",
		308	#ifdef HAVE_USERNS
		309	"enabled"
		310	#else
		311	"disabled"
		312	#endif
		313	);
		314
		315	printf("\t- X11 snadboxing support is %s\n",
		316	#ifdef HAVE_X11
		317	"enabled"
		318	#else
		319	"disabled"
		320	#endif
		321	);
		322	}


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 1546dc403..821a8e003 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -263,6 +263,7 @@ extern int arg_writable_var; // writable var
263	extern int arg_appimage; // appimage	263	extern int arg_appimage; // appimage
264	extern int arg_audit; // audit	264	extern int arg_audit; // audit
265	extern char *arg_audit_prog; // audit	265	extern char *arg_audit_prog; // audit
		266	extern int arg_apparmor; // apparmor
266		267
267	extern int parent_to_child_fds[2];	268	extern int parent_to_child_fds[2];
268	extern int child_to_parent_fds[2];	269	extern int child_to_parent_fds[2];
@@ -584,6 +585,7 @@ extern char *xephyr_screen;
584	extern char *xephyr_extra_params;	585	extern char *xephyr_extra_params;
585	extern char *netfilter_default;	586	extern char *netfilter_default;
586	int checkcfg(int val);	587	int checkcfg(int val);
		588	void print_compiletime_support(void);
587		589
588	// appimage.c	590	// appimage.c
589	void appimage_set(const char *appimage_path);	591	void appimage_set(const char *appimage_path);


diff --git a/src/firejail/main.c b/src/firejail/main.c index 8bb438ba4..b6fd745a2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -102,6 +102,7 @@ int arg_writable_var = 0; // writable var
102	int arg_appimage = 0; // appimage	102	int arg_appimage = 0; // appimage
103	int arg_audit = 0; // audit	103	int arg_audit = 0; // audit
104	char *arg_audit_prog; // audit	104	char *arg_audit_prog; // audit
		105	int arg_apparmor; // apparmor
105		106
106	int parent_to_child_fds[2];	107	int parent_to_child_fds[2];
107	int child_to_parent_fds[2];	108	int child_to_parent_fds[2];
@@ -241,6 +242,7 @@ void check_user_namespace(void) {
241	}	242	}
242	#endif	243	#endif
243		244
		245
244	// exit commands	246	// exit commands
245	static void run_cmd_and_exit(int i, int argc, char **argv) {	247	static void run_cmd_and_exit(int i, int argc, char **argv) {
246	EUID_ASSERT();	248	EUID_ASSERT();
@@ -255,33 +257,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
255	}	257	}
256	else if (strcmp(argv[i], "--version") == 0) {	258	else if (strcmp(argv[i], "--version") == 0) {
257	printf("firejail version %s\n", VERSION);	259	printf("firejail version %s\n", VERSION);
258	#ifndef HAVE_NETWORK	260	printf("\n");
259	printf("Networking support is disabled.\n");	261	print_compiletime_support();
260	#endif	262	printf("\n");
261	#ifdef HAVE_NETWORK_RESTRICTED
262	printf("Networking support is allowed only to root user.\n");
263	#endif
264	#ifndef HAVE_USERNS
265	printf("User namespace support is disabled.\n");
266	#endif
267	#ifndef HAVE_SECCOMP
268	printf("Seccomp-bpf support is disabled.\n");
269	#endif
270	#ifndef HAVE_BIND
271	printf("Bind support is disabled.\n");
272	#endif
273	#ifndef HAVE_CHROOT
274	printf("Chroot support is disabled.\n");
275	#endif
276	#ifndef HAVE_X11
277	printf("X11 support is disabled.\n");
278	#endif
279	#ifndef HAVE_FILE_TRANSFER
280	printf("File transfer support is disabled.\n");
281	#endif
282	#ifndef HAVE_WHITELIST
283	printf("whitelisting support is disabled.\n");
284	#endif
285	exit(0);	263	exit(0);
286	}	264	}
287	#ifdef HAVE_X11	265	#ifdef HAVE_X11
@@ -905,6 +883,10 @@ int main(int argc, char **argv) {
905	//*************************************	883	//*************************************
906	// filtering	884	// filtering
907	//*************************************	885	//*************************************
		886	#ifdef HAVE_APPARMOR
		887	else if (strcmp(argv[i], "--apparmor") == 0)
		888	arg_apparmor = 1;
		889	#endif
908	#ifdef HAVE_SECCOMP	890	#ifdef HAVE_SECCOMP
909	else if (strncmp(argv[i], "--protocol=", 11) == 0) {	891	else if (strncmp(argv[i], "--protocol=", 11) == 0) {
910	if (checkcfg(CFG_SECCOMP)) {	892	if (checkcfg(CFG_SECCOMP)) {


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 8c2970639..15cc1e55a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -446,6 +446,13 @@ int profile_check_line(char ptr, int lineno, const char fname) {
446	return 0;	446	return 0;
447	}	447	}
448		448
		449	if (strcmp(ptr, "apparmor") == 0) {
		450	#ifdef HAVE_APPARMOR
		451	arg_apparmor = 1;
		452	#endif
		453	return 0;
		454	}
		455
449	if (strncmp(ptr, "protocol ", 9) == 0) {	456	if (strncmp(ptr, "protocol ", 9) == 0) {
450	#ifdef HAVE_SECCOMP	457	#ifdef HAVE_SECCOMP
451	if (checkcfg(CFG_SECCOMP))	458	if (checkcfg(CFG_SECCOMP))


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 1502a0312..9bf2a0a39 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -804,9 +804,17 @@ int sandbox(void* sandbox_arg) {
804		804
805	if (app_pid == 0) {	805	if (app_pid == 0) {
806	#ifdef HAVE_APPARMOR	806	#ifdef HAVE_APPARMOR
807	errno = 0;	807	if (arg_apparmor) {
808	if (aa_change_onexec("firejail-default"))	808	errno = 0;
809	fprintf(stderr, "Warning: apparmor profile not loaded, errno %d\n", errno);	809	if (aa_change_onexec("firejail-default")) {
		810	fprintf(stderr, "Error: cannot confine the application using AppArmor.\n");
		811	fprintf(stderr, "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n");
		812	fprintf(stderr, "As root, run \"aa-enforce firejail-default\" to load it.\n");
		813	exit(1);
		814	}
		815	else if (arg_debug)
		816	printf("AppArmor enabled\n");
		817	}
810	#endif	818	#endif
811	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died	819	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
812	start_application(); // start app	820	start_application(); // start app


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index f7a93174f..958a16da7 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -34,6 +34,7 @@ void usage(void) {
34	printf("\n");	34	printf("\n");
35	printf("Options:\n\n");	35	printf("Options:\n\n");
36	printf(" -- - signal the end of options and disables further option processing.\n\n");	36	printf(" -- - signal the end of options and disables further option processing.\n\n");
		37	printf(" --apparmor - enable AppArmor confinement\n\n");
37	printf(" --appimage - sandbox an AppImage application\n\n");	38	printf(" --appimage - sandbox an AppImage application\n\n");
38	printf(" --audit - audit the sandbox, see Audit section for more details\n\n");	39	printf(" --audit - audit the sandbox, see Audit section for more details\n\n");
39	printf(" --audit=test-program - audit the sandbox, see Audit section for more details\n\n");	40	printf(" --audit=test-program - audit the sandbox, see Audit section for more details\n\n");


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index b6908dd00..637519902 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -211,6 +211,9 @@ Mount /var directory read-write.
211	The following security filters are currently implemented:	211	The following security filters are currently implemented:
212		212
213	.TP	213	.TP
		214	\fBapparmor
		215	Enable AppArmor confinement.
		216	.TP
214	\fBcaps	217	\fBcaps
215	Enable default Linux capabilities filter.	218	Enable default Linux capabilities filter.
216	.TP	219	.TP


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d34cfdb20..9e6916534 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -75,6 +75,9 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
75	\fB\-\-	75	\fB\-\-
76	Signal the end of options and disables further option processing.	76	Signal the end of options and disables further option processing.
77	.TP	77	.TP
		78	\fB\-\-apparmor
		79	Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below.
		80	.TP
78	\fB\-\-appimage	81	\fB\-\-appimage
79	Sandbox an AppImage (http://appimage.org/) application.	82	Sandbox an AppImage (http://appimage.org/) application.
80	.br	83	.br
@@ -1672,6 +1675,44 @@ $ firejail --tree
1672	1221:netblue:/usr/lib/firefox/firefox	1675	1221:netblue:/usr/lib/firefox/firefox
1673	.RE	1676	.RE
1674		1677
		1678	.SH APPARMOR
		1679	.TP
		1680	AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it:
		1681	.br
		1682
		1683	.br
		1684	$ ./configure --prefix=/usr --enable-apparmor
		1685	.TP
		1686	During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:
		1687	.br
		1688
		1689	.br
		1690	# aa-enforce firejail-default
		1691	.TP
		1692	The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:
		1693	.br
		1694
		1695	.br
		1696	- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running
		1697	commands such as "top" and "ps aux".
		1698	.br
		1699
		1700	.br
		1701	- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running
		1702	programs and scripts from user home or other directories writable by the user is not allowed.
		1703	.br
		1704
		1705	.br
		1706	- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.
		1707	You should have no problems running Chromium or Firefox.
		1708
		1709	.TP
		1710	To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:
		1711	.br
		1712
		1713	.br
		1714	$ firejail --apparmor firefox
		1715
1675	.SH FILE TRANSFER	1716	.SH FILE TRANSFER
1676	These features allow the user to inspect the filesystem container of an existing sandbox	1717	These features allow the user to inspect the filesystem container of an existing sandbox
1677	and transfer files from the container to the host filesystem.	1718	and transfer files from the container to the host filesystem.