-rw-r--r-- | src/man/firejail.txt | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 4d24bdd7e..d34725dc5 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -2494,33 +2494,41 @@ AppArmor support is disabled by default at compile time. Use --enable-apparmor c | |||
2494 | .br | 2494 | .br |
2495 | $ ./configure --prefix=/usr --enable-apparmor | 2495 | $ ./configure --prefix=/usr --enable-apparmor |
2496 | .TP | 2496 | .TP |
2497 | During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root: | 2497 | During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations can be |
2498 | placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by running the following command as root, reloading | ||
2499 | apparmor.service or rebooting the system: | ||
2498 | .br | 2500 | .br |
2499 | 2501 | ||
2500 | .br | 2502 | .br |
2501 | # aa-enforce firejail-default | 2503 | # apparmor_parser -r firejail-default |
2502 | .TP | 2504 | .TP |
2503 | The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity: | 2505 | The installed profile is supplemental for main firejail functions and among other things does the following: |
2504 | .br | 2506 | .br |
2505 | 2507 | ||
2506 | .br | 2508 | .br |
2507 | - Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running | 2509 | - Disable ptrace. With ptrace it is possible to inspect and hijack running programs. Usually this is needed only for debugging. |
2508 | commands such as "top" and "ps aux". | 2510 | You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels. |
2511 | .br | ||
2512 | |||
2513 | .br | ||
2514 | - Whitelist write access to several files under /run, /proc and /sys. | ||
2509 | .br | 2515 | .br |
2510 | 2516 | ||
2511 | .br | 2517 | .br |
2512 | - Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running | 2518 | - Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Those paths are available as read-only. Running |
2513 | programs and scripts from user home or other directories writable by the user is not allowed. | 2519 | programs and scripts from user home or other directories writable by the user is not allowed. |
2514 | .br | 2520 | .br |
2515 | 2521 | ||
2516 | .br | 2522 | .br |
2517 | - Allow access to files only in the following standard directories: /bin, /dev, /etc, /home, /lib*, /media, /mnt, /opt, | 2523 | - Prevent using non-standard network sockets. Only unix, inet, inet6, netlink, raw and packet are allowed. |
2518 | /proc, /root, /run, /sbin, /srv, /sys, /tmp, /usr, and /var | ||
2519 | .br | 2524 | .br |
2520 | 2525 | ||
2521 | .br | 2526 | .br |
2522 | - Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway. | 2527 | - Deny access to known sensitive paths like .snapshots. |
2523 | You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels. | 2528 | .br |
2529 | |||
2530 | .br | ||
2531 | - Prevent using non-standard network sockets. Only unix, inet, inet6, netlink, raw and packet are allowed. | ||
2524 | 2532 | ||
2525 | .TP | 2533 | .TP |
2526 | To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example: | 2534 | To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example: |