From e575a2cd66a751cd20ac3ff9f67d667f630294b9 Mon Sep 17 00:00:00 2001 From: Vincent43 <31109921+Vincent43@users.noreply.github.com> Date: Sat, 22 Sep 2018 16:34:45 +0100 Subject: manpages: update AppArmor info --- src/man/firejail.txt | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 4d24bdd7e..d34725dc5 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -2494,33 +2494,41 @@ AppArmor support is disabled by default at compile time. Use --enable-apparmor c .br $ ./configure --prefix=/usr --enable-apparmor .TP -During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root: +During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations can be +placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by running the following command as root, reloading +apparmor.service or rebooting the system: .br .br -# aa-enforce firejail-default +# apparmor_parser -r firejail-default .TP -The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity: +The installed profile is supplemental for main firejail functions and among other things does the following: .br .br -- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running -commands such as "top" and "ps aux". +- Disable ptrace. With ptrace it is possible to inspect and hijack running programs. Usually this is needed only for debugging. +You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels. +.br + +.br +- Whitelist write access to several files under /run, /proc and /sys. .br .br -- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running +- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Those paths are available as read-only. Running programs and scripts from user home or other directories writable by the user is not allowed. 
.br .br -- Allow access to files only in the following standard directories: /bin, /dev, /etc, /home, /lib*, /media, /mnt, /opt, -/proc, /root, /run, /sbin, /srv, /sys, /tmp, /usr, and /var +- Prevent using non-standard network sockets. Only unix, inet, inet6, netlink, raw and packet are allowed. .br .br -- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway. -You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels. +- Deny access to known sensitive paths like .snapshots. +.br + +.br +- Prevent using non-standard network sockets. Only unix, inet, inet6, netlink, raw and packet are allowed. .TP To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:
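Review bot: The bullet "Prevent using non-standard network sockets. Only unix, inet, inet6, netlink, raw and packet are allowed." is added twice in this hunk, once in place of the removed "Allow access to files only in the following standard directories" bullet and again right after the ".snapshots" bullet; one of the two should be dropped. The sentences "You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels." previously belonged to the removed D-Bus bullet and now sit under "Disable ptrace"; please confirm they still describe the ptrace restriction, otherwise they should not be carried over. The new load command `# apparmor_parser -r firejail-default` names the profile by bare filename while the sentence before it says the file lives in /etc/apparmor.d; writing `apparmor_parser -r /etc/apparmor.d/firejail-default` makes the command unambiguous regardless of the current directory. Minor wording: "The local customizations can be placed in" reads better as "Local customizations can be placed in", and "is supplemental for main firejail functions" as "supplements the main Firejail functions".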