Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail.txt | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 98d74bcf8..9eab3d0a9 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1987,33 +1987,37 @@ AppArmor support is disabled by default at compile time. Use --enable-apparmor c | |||
1987 | .br | 1987 | .br |
1988 | $ ./configure --prefix=/usr --enable-apparmor | 1988 | $ ./configure --prefix=/usr --enable-apparmor |
1989 | .TP | 1989 | .TP |
1990 | During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root: | 1990 | During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations can be |
1991 | placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by running the following command as root, reloading | ||
1992 | apparmor.service or rebooting the system: | ||
1991 | .br | 1993 | .br |
1992 | 1994 | ||
1993 | .br | 1995 | .br |
1994 | # aa-enforce firejail-default | 1996 | # apparmor_parser -r firejail-default |
1995 | .TP | 1997 | .TP |
1996 | The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity: | 1998 | The installed profile is supplemental for main firejail functions and among other things does the following: |
1997 | .br | 1999 | .br |
1998 | 2000 | ||
1999 | .br | 2001 | .br |
2000 | - Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running | 2002 | - Disable ptrace. With ptrace it is possible to inspect and hijack running programs. Usually this is needed only for debugging. |
2001 | commands such as "top" and "ps aux". | 2003 | You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels. |
2002 | .br | 2004 | .br |
2003 | 2005 | ||
2004 | .br | 2006 | .br |
2005 | - Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running | 2007 | - Whitelist write access to several files under /run, /proc and /sys. |
2008 | .br | ||
2009 | |||
2010 | .br | ||
2011 | - Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Those paths are available as read-only. Running | ||
2006 | programs and scripts from user home or other directories writable by the user is not allowed. | 2012 | programs and scripts from user home or other directories writable by the user is not allowed. |
2007 | .br | 2013 | .br |
2008 | 2014 | ||
2009 | .br | 2015 | .br |
2010 | - Allow access to files only in the following standard directories: /bin, /dev, /etc, /home, /lib*, /media, /mnt, /opt, | 2016 | - Prevent using non-standard network sockets. Only unix, inet, inet6, netlink, raw and packet are allowed. |
2011 | /proc, /root, /run, /sbin, /srv, /sys, /tmp, /usr, and /var | ||
2012 | .br | 2017 | .br |
2013 | 2018 | ||
2014 | .br | 2019 | .br |
2015 | - Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway. | 2020 | - Deny access to known sensitive paths like .snapshots. |
2016 | You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels. | ||
2017 | 2021 | ||
2018 | .TP | 2022 | .TP |
2019 | To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example: | 2023 | To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example: |
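Review bot: The new command at line 1996, "# apparmor_parser -r firejail-default", passes a bare file name, but apparmor_parser takes a path to a profile file, so as written it only works when run from inside /etc/apparmor.d; the aa-enforce form it replaces had no such dependence on the working directory. Suggest spelling out the full path, "# apparmor_parser -r /etc/apparmor.d/firejail-default", to match the install location named in the paragraph above. Separately, at lines 2002-2003 the sentences "You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels." were carried over from the removed D-Bus bullet onto the new ptrace bullet; please confirm both still hold for ptrace, and drop or reword them if they only applied to D-Bus mediation.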