apparmor

author: netblue30 <netblue30@yahoo.com> 2016-08-02 13:10:40 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-08-02 13:10:40 -0400
commit: c963e7364359353bd7734dd79e81cdfbc3df568b (patch)
tree: bdd6da329c7cb233e8082154b310715b5e9c929c /README.md
parent: apparmor (diff)
download: firejail-c963e7364359353bd7734dd79e81cdfbc3df568b.tar.gz
firejail-c963e7364359353bd7734dd79e81cdfbc3df568b.tar.zst
firejail-c963e7364359353bd7734dd79e81cdfbc3df568b.zip
1 files changed, 42 insertions, 1 deletions
diff --git a/README.md b/README.md
index 17c7a89de..4eea1aafc 100644
--- a/README.md
+++ b/README.md
@@ -59,8 +59,49 @@ Symlinks outside user home directories are allowed:
              $ firejail "--whitelist=/home/username/My Virtual Machines"
 `````
+## AppArmor support
-## AppImage
+So far I've seen this working on Debian Jessie and Ubuntu 16.04, where I can get Firefox and
+Chromium running. There is more testing to come.
+`````
+APPARMOR
+       AppArmor  support is disabled by default at compile time. Use --enable-
+       apparmor configuration option to enable it:
+              $ ./configure --prefix=/usr --enable-apparmor
+       During software install, a generic  AppArmor  profile  file,  firejail-
+       default,  is  placed in /etc/apparmor.d directory. The profile needs to
+       be loaded into the kernel by running the following command as root:
+              # aa-enforce firejail-default
+       The installed profile tries to replicate some  advanced  security  fea‐
+       tures inspired by kernel-based Grsecurity:
+              - Prevent information leakage in /proc and /sys directories. The
+              resulting file system is barely enough for running commands such
+              as "top" and "ps aux".
+              - Allow running programs only from well-known system paths, such
+              as /bin, /sbin, /usr/bin etc. Running programs and scripts  from
+              user  home  or  other  directories  writable  by the user is not
+              allowed.
+              - Disable D-Bus. D-Bus has long been a huge security  hole,  and
+              most  programs don't use it anyway.  You should have no problems
+              running Chromium or Firefox.
+       To enable AppArmor confinement on top of your current Firejail security
+       features,  pass  --apparmor flag to Firejail command line. You can also
+       include apparmor command in a Fireajail profile file. Example:
+              $ firejail --apparmor firefox
+`````
+## AppImage support
 AppImage (http://appimage.org/) is a distribution-agnostic packaging format.
 The package is a regular ISO file containing all binaries, libraries and resources
author	netblue30 <netblue30@yahoo.com>	2016-08-02 13:10:40 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-08-02 13:10:40 -0400
commit	c963e7364359353bd7734dd79e81cdfbc3df568b (patch)
tree	bdd6da329c7cb233e8082154b310715b5e9c929c /README.md
parent	apparmor (diff)
download	firejail-c963e7364359353bd7734dd79e81cdfbc3df568b.tar.gz firejail-c963e7364359353bd7734dd79e81cdfbc3df568b.tar.zst firejail-c963e7364359353bd7734dd79e81cdfbc3df568b.zip

diff --git a/README.md b/README.md index 17c7a89de..4eea1aafc 100644 --- a/README.md +++ b/README.md
@@ -59,8 +59,49 @@ Symlinks outside user home directories are allowed:
59	$ firejail "--whitelist=/home/username/My Virtual Machines"	59	$ firejail "--whitelist=/home/username/My Virtual Machines"
60	`````	60	`````
61		61
		62	## AppArmor support
62		63
63	## AppImage	64	So far I've seen this working on Debian Jessie and Ubuntu 16.04, where I can get Firefox and
		65	Chromium running. There is more testing to come.
		66
		67	`````
		68	APPARMOR
		69	AppArmor support is disabled by default at compile time. Use --enable-
		70	apparmor configuration option to enable it:
		71
		72	$ ./configure --prefix=/usr --enable-apparmor
		73
		74	During software install, a generic AppArmor profile file, firejail-
		75	default, is placed in /etc/apparmor.d directory. The profile needs to
		76	be loaded into the kernel by running the following command as root:
		77
		78	# aa-enforce firejail-default
		79
		80	The installed profile tries to replicate some advanced security fea‐
		81	tures inspired by kernel-based Grsecurity:
		82
		83	- Prevent information leakage in /proc and /sys directories. The
		84	resulting file system is barely enough for running commands such
		85	as "top" and "ps aux".
		86
		87	- Allow running programs only from well-known system paths, such
		88	as /bin, /sbin, /usr/bin etc. Running programs and scripts from
		89	user home or other directories writable by the user is not
		90	allowed.
		91
		92	- Disable D-Bus. D-Bus has long been a huge security hole, and
		93	most programs don't use it anyway. You should have no problems
		94	running Chromium or Firefox.
		95
		96	To enable AppArmor confinement on top of your current Firejail security
		97	features, pass --apparmor flag to Firejail command line. You can also
		98	include apparmor command in a Fireajail profile file. Example:
		99
		100	$ firejail --apparmor firefox
		101
		102	`````
		103
		104	## AppImage support
64		105
65	AppImage (http://appimage.org/) is a distribution-agnostic packaging format.	106	AppImage (http://appimage.org/) is a distribution-agnostic packaging format.
66	The package is a regular ISO file containing all binaries, libraries and resources	107	The package is a regular ISO file containing all binaries, libraries and resources