mainline merge: manpages: update AppArmor info

author: netblue30 <netblue30@yahoo.com> 2018-09-26 10:15:23 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-09-26 10:15:23 -0400
commit: f1169af07b80adcd32d6541557d949f22e8b8b62 (patch)
tree: 1abbe532cb3ae04d285762f22e731d9648987a9b /src/man
parent: mainline merge: tests: skip more tests if capabilities/seccomp of host differs (diff)
download: firejail-f1169af07b80adcd32d6541557d949f22e8b8b62.tar.gz
firejail-f1169af07b80adcd32d6541557d949f22e8b8b62.tar.zst
firejail-f1169af07b80adcd32d6541557d949f22e8b8b62.zip
1 files changed, 14 insertions, 10 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 98d74bcf8..9eab3d0a9 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1987,33 +1987,37 @@ AppArmor support is disabled by default at compile time. Use --enable-apparmor c
 .br
 $ ./configure --prefix=/usr --enable-apparmor
 .TP
-During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:
+During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations can be
+placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by running the following command as root, reloading
+apparmor.service or rebooting the system:
 .br
 .br
-# aa-enforce firejail-default
+# apparmor_parser -r firejail-default
 .TP
-The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:
+The installed profile is supplemental for main firejail functions and among other things does the following:
 .br
 .br
- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running
+- Disable ptrace. With ptrace it is possible to inspect and hijack running programs. Usually this is needed only for debugging.
-commands such as "top" and "ps aux".
+You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels.
 .br
 .br
- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running
+- Whitelist write access to several files under /run, /proc and /sys.
+.br
+.br
+- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Those paths are available as read-only. Running
 programs and scripts from user home or other directories writable by the user is not allowed.
 .br
 .br
- Allow access to files only in the following standard directories: /bin, /dev, /etc, /home, /lib*, /media, /mnt, /opt,
+- Prevent using non-standard network sockets. Only unix, inet, inet6, netlink, raw and packet are allowed.
-/proc, /root, /run, /sbin, /srv, /sys, /tmp, /usr, and /var
 .br
 .br
- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.
+- Deny access to known sensitive paths like .snapshots.
-You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels.
 .TP
 To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:
author	netblue30 <netblue30@yahoo.com>	2018-09-26 10:15:23 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-09-26 10:15:23 -0400
commit	f1169af07b80adcd32d6541557d949f22e8b8b62 (patch)
tree	1abbe532cb3ae04d285762f22e731d9648987a9b /src/man
parent	mainline merge: tests: skip more tests if capabilities/seccomp of host differs (diff)
download	firejail-f1169af07b80adcd32d6541557d949f22e8b8b62.tar.gz firejail-f1169af07b80adcd32d6541557d949f22e8b8b62.tar.zst firejail-f1169af07b80adcd32d6541557d949f22e8b8b62.zip

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 98d74bcf8..9eab3d0a9 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1987,33 +1987,37 @@ AppArmor support is disabled by default at compile time. Use --enable-apparmor c
1987	.br	1987	.br
1988	$ ./configure --prefix=/usr --enable-apparmor	1988	$ ./configure --prefix=/usr --enable-apparmor
1989	.TP	1989	.TP
1990	During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:	1990	During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations can be
		1991	placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by running the following command as root, reloading
		1992	apparmor.service or rebooting the system:
1991	.br	1993	.br
1992		1994
1993	.br	1995	.br
1994	# aa-enforce firejail-default	1996	# apparmor_parser -r firejail-default
1995	.TP	1997	.TP
1996	The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:	1998	The installed profile is supplemental for main firejail functions and among other things does the following:
1997	.br	1999	.br
1998		2000
1999	.br	2001	.br
2000	- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running	2002	- Disable ptrace. With ptrace it is possible to inspect and hijack running programs. Usually this is needed only for debugging.
2001	commands such as "top" and "ps aux".	2003	You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels.
2002	.br	2004	.br
2003		2005
2004	.br	2006	.br
2005	- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running	2007	- Whitelist write access to several files under /run, /proc and /sys.
		2008	.br
		2009
		2010	.br
		2011	- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Those paths are available as read-only. Running
2006	programs and scripts from user home or other directories writable by the user is not allowed.	2012	programs and scripts from user home or other directories writable by the user is not allowed.
2007	.br	2013	.br
2008		2014
2009	.br	2015	.br
2010	- Allow access to files only in the following standard directories: /bin, /dev, /etc, /home, /lib*, /media, /mnt, /opt,	2016	- Prevent using non-standard network sockets. Only unix, inet, inet6, netlink, raw and packet are allowed.
2011	/proc, /root, /run, /sbin, /srv, /sys, /tmp, /usr, and /var
2012	.br	2017	.br
2013		2018
2014	.br	2019	.br
2015	- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.	2020	- Deny access to known sensitive paths like .snapshots.
2016	You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels.
2017		2021
2018	.TP	2022	.TP
2019	To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:	2023	To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example: