-rw-r--r-- | README.md | 43 |
1 files changed, 42 insertions, 1 deletions
@@ -59,8 +59,49 @@ Symlinks outside user home directories are allowed: | |||
59 | $ firejail "--whitelist=/home/username/My Virtual Machines" | 59 | $ firejail "--whitelist=/home/username/My Virtual Machines" |
60 | ````` | 60 | ````` |
61 | 61 | ||
62 | ## AppArmor support | ||
62 | 63 | ||
63 | ## AppImage | 64 | So far I've seen this working on Debian Jessie and Ubuntu 16.04, where I can get Firefox and |
65 | Chromium running. There is more testing to come. | ||
66 | |||
67 | ````` | ||
68 | APPARMOR | ||
69 | AppArmor support is disabled by default at compile time. Use --enable- | ||
70 | apparmor configuration option to enable it: | ||
71 | |||
72 | $ ./configure --prefix=/usr --enable-apparmor | ||
73 | |||
74 | During software install, a generic AppArmor profile file, firejail- | ||
75 | default, is placed in /etc/apparmor.d directory. The profile needs to | ||
76 | be loaded into the kernel by running the following command as root: | ||
77 | |||
78 | # aa-enforce firejail-default | ||
79 | |||
80 | The installed profile tries to replicate some advanced security fea‐ | ||
81 | tures inspired by kernel-based Grsecurity: | ||
82 | |||
83 | - Prevent information leakage in /proc and /sys directories. The | ||
84 | resulting file system is barely enough for running commands such | ||
85 | as "top" and "ps aux". | ||
86 | |||
87 | - Allow running programs only from well-known system paths, such | ||
88 | as /bin, /sbin, /usr/bin etc. Running programs and scripts from | ||
89 | user home or other directories writable by the user is not | ||
90 | allowed. | ||
91 | |||
92 | - Disable D-Bus. D-Bus has long been a huge security hole, and | ||
93 | most programs don't use it anyway. You should have no problems | ||
94 | running Chromium or Firefox. | ||
95 | |||
96 | To enable AppArmor confinement on top of your current Firejail security | ||
97 | features, pass --apparmor flag to Firejail command line. You can also | ||
98 | include apparmor command in a Fireajail profile file. Example: | ||
99 | |||
100 | $ firejail --apparmor firefox | ||
101 | |||
102 | ````` | ||
103 | |||
104 | ## AppImage support | ||
64 | 105 | ||
65 | AppImage (http://appimage.org/) is a distribution-agnostic packaging format. | 106 | AppImage (http://appimage.org/) is a distribution-agnostic packaging format. |
66 | The package is a regular ISO file containing all binaries, libraries and resources | 107 | The package is a regular ISO file containing all binaries, libraries and resources |
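Review bot: the man-page excerpt pasted into the new "AppArmor support" section (hunk lines 67-102) keeps the terminal hard-wraps and hyphenation from the groff rendering, so several identifiers are split across lines: `--enable-` / `apparmor` (line 69-70), `firejail-` / `default` (line 74-75), and `fea‐` / `tures` (line 80-81, which also carries a non-ASCII U+2010 hyphen rather than `-`). Anyone copying `--enable-apparmor` or `firejail-default` out of the README gets a broken token; re-flow these lines so every option and file name is whole and the text wraps only at word boundaries. Line 98 has a typo, "Fireajail" should read "Firejail". The fenced block also uses five backticks to match the existing README convention, which is fine, but since this is now README prose rather than a quoted man page, the "APPARMOR" header line (line 68) and the man-page indentation could be dropped in favour of the section's own Markdown heading. Lastly, "D-Bus has long been a huge security hole, and most programs don't use it anyway" (line 92-93) is a blanket judgement; consider rewording it as the rationale for this profile (what the profile denies and why the sandbox is safer for it), keeping the practical note that Chromium and Firefox still run.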