add chroot and firejail docs
59
arch.md
@@ -12,6 +12,7 @@
- [Firewall](#firewall)
- [AppArmor](#apparmor)
- [Firejail](#firejail)
- [Chroots](#chroots)
- [Fingerprint Reader Support](#fingerprint-reader-support)
- [Setup](#setup)
- [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
@@ -265,6 +266,9 @@ sudo ufw enable
#### AppArmor
I would recommend running apparmor with the default profiles. You could load the profiles
in `/usr/share/apparmor/extra-profiles` but firejail will take care of most of that.
1. `sudo pacman -S apparmor`
2. `sudo systemctl enable --now apparmor`
3. `sudo systemctl enable --now auditd`
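Review bot: step 3 enables auditd but the section never says why; a sentence noting that AppArmor denials are recorded in the audit log, and that `aa-status` confirms which profiles are loaded, would let readers judge whether they need it. Also, on Arch the `systemctl enable --now apparmor` line only takes effect once AppArmor is selected as an active LSM on the kernel command line (the `lsm=` parameter), which this section does not mention.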
@@ -291,10 +295,11 @@ For example:
- VSCode will not be able to acces ~/.config/autostart.
1. `sudo pacman -S firejail`
2. `sudo firecfg`
3. `firecfg --fix`
4. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start)
5. Add a pacman hook to apply firejail on install
2. `sudo apparmor_parser -r /etc/apparmor.d/firejail-default`
3. `sudo firecfg`
4. `firecfg --fix`
5. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start)
6. Add a pacman hook to apply firejail on install
/etc/pacman.d/hooks/firejail.hook
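Review bot: step 5 deletes the `/usr/local/bin/dnsmasq` symlink, but step 6 adds a pacman hook that re-runs `firecfg` after every package install, which recreates that symlink and brings the virsh network problem back; either say that the removal has to be repeated after each install, or exclude dnsmasq from firecfg's program list (if the installed firecfg version supports an ignore entry in `firecfg.config`) so the hook does not re-add it. Minor: the context line above still reads "acces" (access).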
@@ -314,6 +319,44 @@ For example:
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
```
You can run firejail with noprofile to fix access issues (like firefox gnome connector)
```bash
firejail --noprofile firefox
```
You'll probably want to enable the following
`sudo cat /etc/firejail/firejail.config | grep -e '^[^#].*'`
/etc/firejail/firejail.config
```conf
browser-disable-u2f no
chroot yes
firejail-prompt yes
force-nonewprivs yes
tracelog yes
```
#### Chroots
You can create chroot environments to run firejails or just use for testing purposes.
1. `mkdir /chroots`
2. `mkdir /testing`
3. `pacman -S arch-install-scripts`
4. `pacstrap -K /chroots/testing/ base base-devel`
5. `arch-chroot /chroots/testing`
With firejail
1. `sudo firejail --noprofile --chroot=/chroots/testing`
2. `adduser ducoterra`
3. `pacman -S firefox`
4. `exit`
5. `firejail --chroot=/chroots/testing`
#### Fingerprint Reader Support
##### Setup
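Review bot: step 2 of the chroot list creates `/testing`, but step 4 pacstraps into `/chroots/testing/`, so the directory pacstrap needs is never created; it should be `mkdir /chroots/testing` (or a single `mkdir -p /chroots/testing`). Steps 1-4 also need root but, unlike the firejail list above, carry no `sudo`. Inside the chroot, `adduser` is a Debian helper that Arch's `base` does not ship; `useradd -m ducoterra` is the Arch equivalent. Two smaller points on the firejail config text: `--noprofile` drops every profile restriction for that run, so a `.local` override that lifts only the offending rule (as the steam.local change later in this commit does) is the safer fix for a single access issue, and `tracelog yes` deserves a word because it sends blacklist violations to syslog, which is where a reader should look when an application fails silently under a profile.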
@@ -628,6 +671,14 @@ When prompted, use vulkan-radeon
`steam-native` allows vaapi hardware encoding for steam remote play.
You may have to edit your firejail config to get steam to launch:
~/.config/firejail/steam.local
```conf
ignore apparmor
```
### XWayland
Provides compatibility with X server applications (like wine)
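Review bot: `ignore apparmor` in steam.local switches off AppArmor confinement for steam while the rest of its firejail profile stays in force; the text should state that this is the trade-off being made and that it applies only to steam, so readers do not copy the line into other `.local` files as a generic fix for launch problems.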