From a8d75961cdb6be212a0ff07a0c2f76248ee4ec4e Mon Sep 17 00:00:00 2001 From: ducoterra Date: Mon, 14 Aug 2023 12:48:19 -0400 Subject: [PATCH] add firejail and apparmor --- arch.md | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/arch.md b/arch.md index 86549d3..1a20eff 100644 --- a/arch.md +++ b/arch.md @@ -14,6 +14,8 @@ - [Fingerprint Reader Support](#fingerprint-reader-support) - [Setup](#setup) - [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed) + - [AppArmor](#apparmor) + - [Firejail](#firejail) - [AppImage Support](#appimage-support) - [Bluetooth](#bluetooth) - [Audio](#audio) @@ -256,8 +258,10 @@ sudo ufw enable ### TPM2 LUKS Decryption +Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled. + 1. `pacman -S tpm2-tss` -2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=""` +2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7` ### Don't sleep while plugged in @@ -365,6 +369,35 @@ runs our script on wake. Now the status should be correct even after connecting/disconnecting when the computer is off. +### AppArmor + +1. `sudo pacman -S apparmor` +2. `sudo systemctl enable --now apparmor` +3. `sudo systemctl enable --now auditd` +4. Add the correct kernel parameters + + /boot/loaders/entries/arch.conf + + ```conf + title Arch Linux + ... + options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1... + ``` + +### Firejail + +Firejail launches supported applications in a sandboxed environment where it limits access +to system files and resources. + +For example: + +- Firefox will not be able to access more than a small subset of your home directory. +- VSCode will not be able to acces ~/.config/autostart. + +1. `sudo pacman -S firejail` +2. `sudo firecfg` +3. `firecfg --fix` + ### AppImage Support fuse is required to run most appimages.
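Review bot: the two new TOC lines `+ - [AppArmor](#apparmor)` and `+ - [Firejail](#firejail)` carry a leading space, which nests them at the same depth as the `[Setup]` and `[Turn Off Fingerprint When Laptop Lid Closed]` sub-entries under Fingerprint Reader Support, yet the sections they point to are added further down as `### AppArmor` and `### Firejail`, peers of `### AppImage Support` whose TOC entry sits at the outer level. Check the indentation so the TOC nesting matches the heading levels, otherwise the two sandboxing sections read as fingerprint sub-topics.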
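Review bot: the added sentence on `--tpm2-pcrs=7` is correct but omits the caveat that matters for a LUKS root volume: PCR 7 tracks only the Secure Boot policy (enabled state and enrolled keys), so the TPM will refuse to unseal whenever that state changes, whether Secure Boot is switched off, the keys are replaced, or a firmware update rewrites db/dbx, and it says nothing about which signed kernel or initramfs was actually booted. Suggest wording along the lines of `Using --tpm2-pcrs=7 binds the key to the Secure Boot policy; if Secure Boot is disabled or its keys change the TPM will not unseal and you fall back to the LUKS passphrase, so keep a passphrase enrolled in another keyslot before running --wipe-slot=tpm2.` Also `/dev/vda2` is a virtio disk name; say "your LUKS partition" so readers do not copy it verbatim. Minor: `will require password` should read `will require a password`, and the commit subject `add firejail and apparmor` does not mention this PCR change.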
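Review bot: `/boot/loaders/entries/arch.conf` in step 4 of the AppArmor section is a typo for systemd-boot's `/boot/loader/entries/arch.conf` (singular `loader`); a reader who copies the path creates a file the boot manager never reads and AppArmor silently stays off. The same step should say the `lsm=...apparmor...` and `audit=1` parameters take effect only after a reboot and can be confirmed with `aa-status`; the `...` placeholders in the quoted `options` line are fine for a doc but deserve a sentence saying they stand for the existing options, not literal text. In the Firejail section, `acces ~/.config/autostart` should read `access`, and since `sudo firecfg` installs system-wide symlinks for every supported program, a pointer to `firecfg --list` (and `sudo firecfg --clean` to back out) would help readers see what got wrapped.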