manpages: update AppArmor info

author: Vincent43 <31109921+Vincent43@users.noreply.github.com> 2018-09-22 16:34:45 +0100
committer: GitHub <noreply@github.com> 2018-09-22 16:34:45 +0100
commit: e575a2cd66a751cd20ac3ff9f67d667f630294b9 (patch)
tree: 11c7f79e8b41231199ab796d4224e578eaf901d0
parent: Add profile for spectre-meltdown-checker (diff)
download: firejail-e575a2cd66a751cd20ac3ff9f67d667f630294b9.tar.gz
firejail-e575a2cd66a751cd20ac3ff9f67d667f630294b9.tar.zst
firejail-e575a2cd66a751cd20ac3ff9f67d667f630294b9.zip
1 files changed, 18 insertions, 10 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 4d24bdd7e..d34725dc5 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2494,33 +2494,41 @@ AppArmor support is disabled by default at compile time. Use --enable-apparmor c
 .br
 $ ./configure --prefix=/usr --enable-apparmor
 .TP
-During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:
+During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations can be
+placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by running the following command as root, reloading
+apparmor.service or rebooting the system:
 .br
 .br
-# aa-enforce firejail-default
+# apparmor_parser -r firejail-default
 .TP
-The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:
+The installed profile is supplemental for main firejail functions and among other things does the following:
 .br
 .br
- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running
+- Disable ptrace. With ptrace it is possible to inspect and hijack running programs. Usually this is needed only for debugging.
-commands such as "top" and "ps aux".
+You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels.
+.br
+.br
+- Whitelist write access to several files under /run, /proc and /sys.
 .br
 .br
- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running
+- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Those paths are available as read-only. Running
 programs and scripts from user home or other directories writable by the user is not allowed.
 .br
 .br
- Allow access to files only in the following standard directories: /bin, /dev, /etc, /home, /lib*, /media, /mnt, /opt,
+- Prevent using non-standard network sockets. Only unix, inet, inet6, netlink, raw and packet are allowed.
-/proc, /root, /run, /sbin, /srv, /sys, /tmp, /usr, and /var
 .br
 .br
- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.
+- Deny access to known sensitive paths like .snapshots.
-You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels.
+.br
+.br
+- Prevent using non-standard network sockets. Only unix, inet, inet6, netlink, raw and packet are allowed.
 .TP
 To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:
author	Vincent43 <31109921+Vincent43@users.noreply.github.com>	2018-09-22 16:34:45 +0100
committer	GitHub <noreply@github.com>	2018-09-22 16:34:45 +0100
commit	e575a2cd66a751cd20ac3ff9f67d667f630294b9 (patch)
tree	11c7f79e8b41231199ab796d4224e578eaf901d0
parent	Add profile for spectre-meltdown-checker (diff)
download	firejail-e575a2cd66a751cd20ac3ff9f67d667f630294b9.tar.gz firejail-e575a2cd66a751cd20ac3ff9f67d667f630294b9.tar.zst firejail-e575a2cd66a751cd20ac3ff9f67d667f630294b9.zip

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 4d24bdd7e..d34725dc5 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -2494,33 +2494,41 @@ AppArmor support is disabled by default at compile time. Use --enable-apparmor c
2494	.br	2494	.br
2495	$ ./configure --prefix=/usr --enable-apparmor	2495	$ ./configure --prefix=/usr --enable-apparmor
2496	.TP	2496	.TP
2497	During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:	2497	During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations can be
		2498	placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by running the following command as root, reloading
		2499	apparmor.service or rebooting the system:
2498	.br	2500	.br
2499		2501
2500	.br	2502	.br
2501	# aa-enforce firejail-default	2503	# apparmor_parser -r firejail-default
2502	.TP	2504	.TP
2503	The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:	2505	The installed profile is supplemental for main firejail functions and among other things does the following:
2504	.br	2506	.br
2505		2507
2506	.br	2508	.br
2507	- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running	2509	- Disable ptrace. With ptrace it is possible to inspect and hijack running programs. Usually this is needed only for debugging.
2508	commands such as "top" and "ps aux".	2510	You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels.
		2511	.br
		2512
		2513	.br
		2514	- Whitelist write access to several files under /run, /proc and /sys.
2509	.br	2515	.br
2510		2516
2511	.br	2517	.br
2512	- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running	2518	- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Those paths are available as read-only. Running
2513	programs and scripts from user home or other directories writable by the user is not allowed.	2519	programs and scripts from user home or other directories writable by the user is not allowed.
2514	.br	2520	.br
2515		2521
2516	.br	2522	.br
2517	- Allow access to files only in the following standard directories: /bin, /dev, /etc, /home, /lib*, /media, /mnt, /opt,	2523	- Prevent using non-standard network sockets. Only unix, inet, inet6, netlink, raw and packet are allowed.
2518	/proc, /root, /run, /sbin, /srv, /sys, /tmp, /usr, and /var
2519	.br	2524	.br
2520		2525
2521	.br	2526	.br
2522	- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.	2527	- Deny access to known sensitive paths like .snapshots.
2523	You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels.	2528	.br
		2529
		2530	.br
		2531	- Prevent using non-standard network sockets. Only unix, inet, inet6, netlink, raw and packet are allowed.
2524		2532
2525	.TP	2533	.TP
2526	To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:	2534	To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example: