From 48dd1fbece66d6e13a099da24e651d57c3491028 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 2 Aug 2016 13:09:23 -0400
Subject: apparmor
---
 src/man/firejail-profile.txt | 3 +++
 src/man/firejail.txt | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)
(limited to 'src/man')
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index b6908dd00..637519902 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -210,6 +210,9 @@ Mount /var directory read-write.
 .SH Security filters
 The following security filters are currently implemented:
+.TP
+\fBapparmor
+Enable AppArmor confinement.
 .TP
 \fBcaps
 Enable default Linux capabilities filter.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d34cfdb20..9e6916534 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -75,6 +75,9 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-apparmor
+Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below.
+.TP
 \fB\-\-appimage
 Sandbox an AppImage (http://appimage.org/) application.
 .br
@@ -1672,6 +1675,44 @@ $ firejail --tree 1221:netblue:/usr/lib/firefox/firefox
 .RE
+.SH APPARMOR
+.TP
+AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it:
+.br
+
+.br
+$ ./configure --prefix=/usr --enable-apparmor
+.TP
+During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:
+.br
+
+.br
+# aa-enforce firejail-default
+.TP
+The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:
+.br
+
+.br
+- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running
+commands such as "top" and "ps aux".
+.br
+
+.br
+- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running
+programs and scripts from user home or other directories writable by the user is not allowed.
+.br
+
+.br
+- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.
+You should have no problems running Chromium or Firefox.
+
+.TP
+To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:
+.br
+
+.br
+$ firejail --apparmor firefox
+
 .SH FILE TRANSFER
 These features allow the user to inspect the filesystem container of an existing sandbox and transfer files from the container to the host filesystem.
--
cgit v1.2.3-70-g09d2