apparmor

author: netblue30 <netblue30@yahoo.com> 2016-08-02 13:09:23 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-08-02 13:09:23 -0400
commit: 48dd1fbece66d6e13a099da24e651d57c3491028 (patch)
tree: b1a4f2ab1a407a8226b5fc93850a924f2c0d55be /src/man/firejail.txt
parent: apparmor (diff)
download: firejail-48dd1fbece66d6e13a099da24e651d57c3491028.tar.gz
firejail-48dd1fbece66d6e13a099da24e651d57c3491028.tar.zst
firejail-48dd1fbece66d6e13a099da24e651d57c3491028.zip
1 files changed, 41 insertions, 0 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d34cfdb20..9e6916534 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -75,6 +75,9 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-apparmor
+Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below.
+.TP
 \fB\-\-appimage
 Sandbox an AppImage (http://appimage.org/) application.
 .br
@@ -1672,6 +1675,44 @@ $ firejail --tree
      1221:netblue:/usr/lib/firefox/firefox
 .RE
+.SH APPARMOR
+.TP
+AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it:
+.br
+.br
+$ ./configure --prefix=/usr --enable-apparmor
+.TP
+During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:
+.br
+.br
+# aa-enforce firejail-default
+.TP
+The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:
+.br
+.br
+- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running
+commands such as "top" and "ps aux".
+.br
+.br
+- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running
+programs and scripts from user home or other directories writable by the user is not allowed.
+.br
+.br
+- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.
+You should have no problems running Chromium or Firefox.
+.TP
+To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:
+.br
+.br
+$ firejail --apparmor firefox
 .SH FILE TRANSFER
 These features allow the user to inspect the filesystem container of an existing sandbox
 and transfer files from the container to the host filesystem.
author	netblue30 <netblue30@yahoo.com>	2016-08-02 13:09:23 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-08-02 13:09:23 -0400
commit	48dd1fbece66d6e13a099da24e651d57c3491028 (patch)
tree	b1a4f2ab1a407a8226b5fc93850a924f2c0d55be /src/man/firejail.txt
parent	apparmor (diff)
download	firejail-48dd1fbece66d6e13a099da24e651d57c3491028.tar.gz firejail-48dd1fbece66d6e13a099da24e651d57c3491028.tar.zst firejail-48dd1fbece66d6e13a099da24e651d57c3491028.zip

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d34cfdb20..9e6916534 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -75,6 +75,9 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
75	\fB\-\-	75	\fB\-\-
76	Signal the end of options and disables further option processing.	76	Signal the end of options and disables further option processing.
77	.TP	77	.TP
		78	\fB\-\-apparmor
		79	Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below.
		80	.TP
78	\fB\-\-appimage	81	\fB\-\-appimage
79	Sandbox an AppImage (http://appimage.org/) application.	82	Sandbox an AppImage (http://appimage.org/) application.
80	.br	83	.br
@@ -1672,6 +1675,44 @@ $ firejail --tree
1672	1221:netblue:/usr/lib/firefox/firefox	1675	1221:netblue:/usr/lib/firefox/firefox
1673	.RE	1676	.RE
1674		1677
		1678	.SH APPARMOR
		1679	.TP
		1680	AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it:
		1681	.br
		1682
		1683	.br
		1684	$ ./configure --prefix=/usr --enable-apparmor
		1685	.TP
		1686	During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:
		1687	.br
		1688
		1689	.br
		1690	# aa-enforce firejail-default
		1691	.TP
		1692	The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:
		1693	.br
		1694
		1695	.br
		1696	- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running
		1697	commands such as "top" and "ps aux".
		1698	.br
		1699
		1700	.br
		1701	- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running
		1702	programs and scripts from user home or other directories writable by the user is not allowed.
		1703	.br
		1704
		1705	.br
		1706	- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.
		1707	You should have no problems running Chromium or Firefox.
		1708
		1709	.TP
		1710	To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:
		1711	.br
		1712
		1713	.br
		1714	$ firejail --apparmor firefox
		1715
1675	.SH FILE TRANSFER	1716	.SH FILE TRANSFER
1676	These features allow the user to inspect the filesystem container of an existing sandbox	1717	These features allow the user to inspect the filesystem container of an existing sandbox
1677	and transfer files from the container to the host filesystem.	1718	and transfer files from the container to the host filesystem.