server/Workstation
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

add chroot and firejail docs

Browse Source
This commit is contained in:
ducoterra
2023-08-19 00:47:19 -04:00
parent 5b2caa74f1
commit 2b5c660af5
1 changed files with 55 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
arch.md
View File

@@ -12,6 +12,7 @@
- [Firewall](#firewall) - [Firewall](#firewall)
- [AppArmor](#apparmor) - [AppArmor](#apparmor)
- [Firejail](#firejail) - [Firejail](#firejail)
- [Chroots](#chroots)
- [Fingerprint Reader Support](#fingerprint-reader-support) - [Fingerprint Reader Support](#fingerprint-reader-support)
- [Setup](#setup) - [Setup](#setup)
- [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed) - [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
@@ -265,6 +266,9 @@ sudo ufw enable
#### AppArmor #### AppArmor
I would recommend running apparmor with the default profiles. You could load the profiles
in `/usr/share/apparmor/extra-profiles` but firejail will take care of most of that.
1. `sudo pacman -S apparmor` 1. `sudo pacman -S apparmor`
2. `sudo systemctl enable --now apparmor` 2. `sudo systemctl enable --now apparmor`
3. `sudo systemctl enable --now auditd` 3. `sudo systemctl enable --now auditd`
@@ -291,10 +295,11 @@ For example:
- VSCode will not be able to acces ~/.config/autostart. - VSCode will not be able to acces ~/.config/autostart.
1. `sudo pacman -S firejail` 1. `sudo pacman -S firejail`
2. `sudo firecfg` 2. `sudo apparmor_parser -r /etc/apparmor.d/firejail-default`
3. `firecfg --fix` 3. `sudo firecfg`
4. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start) 4. `firecfg --fix`
5. Add a pacman hook to apply firejail on install 5. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start)
6. Add a pacman hook to apply firejail on install
/etc/pacman.d/hooks/firejail.hook /etc/pacman.d/hooks/firejail.hook
@@ -314,6 +319,44 @@ For example:
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1' Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
``` ```
You can run firejail with noprofile to fix access issues (like firefox gnome connector)
```bash
firejail --noprofile firefox
```
You'll probably want to enable the following
`sudo cat /etc/firejail/firejail.config | grep -e '^[^#].*'`
/etc/firejail/firejail.config
```conf
browser-disable-u2f no
chroot yes
firejail-prompt yes
force-nonewprivs yes
tracelog yes
```
#### Chroots
You can create chroot environments to run firejails or just use for testing purposes.
1. `mkdir /chroots`
2. `mkdir /testing`
3. `pacman -S arch-install-scripts`
4. `pacstrap -K /chroots/testing/ base base-devel`
5. `arch-chroot /chroots/testing`
With firejail
1. `sudo firejail --noprofile --chroot=/chroots/testing`
2. `adduser ducoterra`
3. `pacman -S firefox`
4. `exit`
5. `firejail --chroot=/chroots/testing`
#### Fingerprint Reader Support #### Fingerprint Reader Support
##### Setup ##### Setup
@@ -628,6 +671,14 @@ When prompted, use vulkan-radeon
`steam-native` allows vaapi hardware encoding for steam remote play. `steam-native` allows vaapi hardware encoding for steam remote play.
You may have to edit your firejail config to get steam to launch:
~/.config/firejail/steam.local
```conf
ignore apparmor
```
### XWayland ### XWayland
Provides compatibility with X server applications (like wine) Provides compatibility with X server applications (like wine)