add firejail and apparmor

arch.md

@@ -14,6 +14,8 @@
     - [Fingerprint Reader Support](#fingerprint-reader-support)
       - [Setup](#setup)
       - [Turn Off Fingerprint When Laptop Lid Closed](#turn-off-fingerprint-when-laptop-lid-closed)
+    - [AppArmor](#apparmor)
+    - [Firejail](#firejail)
     - [AppImage Support](#appimage-support)
     - [Bluetooth](#bluetooth)
     - [Audio](#audio)
@@ -256,8 +258,10 @@ sudo ufw enable
 
 ### TPM2 LUKS Decryption
 
+Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled.
+
 1. `pacman -S tpm2-tss`
-2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=""`
+2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7`
 
 ### Don't sleep while plugged in
 
@@ -365,6 +369,35 @@ runs our script on wake.
 
 Now the status should be correct even after connecting/disconnecting when the computer is off.
 
+### AppArmor
+
+1. `sudo pacman -S apparmor`
+2. `sudo systemctl enable --now apparmor`
+3. `sudo systemctl enable --now auditd`
+4. Add the correct kernel parameters
+
+    /boot/loaders/entries/arch.conf
+
+    ```conf
+    title Arch Linux
+    ...
+    options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1...
+    ```
+
+### Firejail
+
+Firejail launches supported applications in a sandboxed environment where it limits access
+to system files and resources.
+
+For example:
+
+- Firefox will not be able to access more than a small subset of your home directory.
+- VSCode will not be able to acces ~/.config/autostart.
+
+1. `sudo pacman -S firejail`
+2. `sudo firecfg`
+3. `firecfg --fix`
+
 ### AppImage Support
 
 fuse is required to run most appimages.