diff options
author | netblue30 <netblue30@yahoo.com> | 2016-08-02 13:09:23 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-08-02 13:09:23 -0400 |
commit | 48dd1fbece66d6e13a099da24e651d57c3491028 (patch) | |
tree | b1a4f2ab1a407a8226b5fc93850a924f2c0d55be /src/man | |
parent | apparmor (diff) | |
download | firejail-48dd1fbece66d6e13a099da24e651d57c3491028.tar.gz firejail-48dd1fbece66d6e13a099da24e651d57c3491028.tar.zst firejail-48dd1fbece66d6e13a099da24e651d57c3491028.zip |
apparmor
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 41 |
2 files changed, 44 insertions, 0 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index b6908dd00..637519902 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -211,6 +211,9 @@ Mount /var directory read-write. | |||
211 | The following security filters are currently implemented: | 211 | The following security filters are currently implemented: |
212 | 212 | ||
213 | .TP | 213 | .TP |
214 | \fBapparmor | ||
215 | Enable AppArmor confinement. | ||
216 | .TP | ||
214 | \fBcaps | 217 | \fBcaps |
215 | Enable default Linux capabilities filter. | 218 | Enable default Linux capabilities filter. |
216 | .TP | 219 | .TP |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d34cfdb20..9e6916534 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -75,6 +75,9 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox | |||
75 | \fB\-\- | 75 | \fB\-\- |
76 | Signal the end of options and disables further option processing. | 76 | Signal the end of options and disables further option processing. |
77 | .TP | 77 | .TP |
78 | \fB\-\-apparmor | ||
79 | Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below. | ||
80 | .TP | ||
78 | \fB\-\-appimage | 81 | \fB\-\-appimage |
79 | Sandbox an AppImage (http://appimage.org/) application. | 82 | Sandbox an AppImage (http://appimage.org/) application. |
80 | .br | 83 | .br |
@@ -1672,6 +1675,44 @@ $ firejail --tree | |||
1672 | 1221:netblue:/usr/lib/firefox/firefox | 1675 | 1221:netblue:/usr/lib/firefox/firefox |
1673 | .RE | 1676 | .RE |
1674 | 1677 | ||
1678 | .SH APPARMOR | ||
1679 | .TP | ||
1680 | AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it: | ||
1681 | .br | ||
1682 | |||
1683 | .br | ||
1684 | $ ./configure --prefix=/usr --enable-apparmor | ||
1685 | .TP | ||
1686 | During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root: | ||
1687 | .br | ||
1688 | |||
1689 | .br | ||
1690 | # aa-enforce firejail-default | ||
1691 | .TP | ||
1692 | The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity: | ||
1693 | .br | ||
1694 | |||
1695 | .br | ||
1696 | - Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running | ||
1697 | commands such as "top" and "ps aux". | ||
1698 | .br | ||
1699 | |||
1700 | .br | ||
1701 | - Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running | ||
1702 | programs and scripts from user home or other directories writable by the user is not allowed. | ||
1703 | .br | ||
1704 | |||
1705 | .br | ||
1706 | - Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway. | ||
1707 | You should have no problems running Chromium or Firefox. | ||
1708 | |||
1709 | .TP | ||
1710 | To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example: | ||
1711 | .br | ||
1712 | |||
1713 | .br | ||
1714 | $ firejail --apparmor firefox | ||
1715 | |||
1675 | .SH FILE TRANSFER | 1716 | .SH FILE TRANSFER |
1676 | These features allow the user to inspect the filesystem container of an existing sandbox | 1717 | These features allow the user to inspect the filesystem container of an existing sandbox |
1677 | and transfer files from the container to the host filesystem. | 1718 | and transfer files from the container to the host filesystem. |