# Deprecated

## Firejail

Don't use firejail. It is a setuid-root binary: any local user can invoke it, and a bug in its option parsing or sandbox setup is a path to root. It does use kernel mechanisms (Linux namespaces, seccomp-bpf filters, capability bounding sets), but the policy is assembled and applied per launch by that privileged userspace process, and an application started without the wrapper is not confined at all. AppArmor is a kernel LSM: its profiles are loaded at boot and enforced on every execution of the confined binary, however it was started, so it protects you more completely. I'm leaving this here in case you're interested but realistically you should just learn AppArmor.

Firejail launches supported applications in a sandboxed environment that limits their access to system files and resources.

For example:

- Firefox will not be able to access more than a small subset of your home directory.
- VSCode will not be able to access ~/.config/autostart.

1. `sudo pacman -S firejail`
2. `sudo apparmor_parser -r /etc/apparmor.d/firejail-default` (loads firejail's own AppArmor profile, used by sandboxes whose firejail profile has the `apparmor` option; only needed if AppArmor is running)
3. `sudo firecfg` (creates a symlink to firejail in /usr/local/bin for every supported program it finds, so the program is sandboxed whenever it is launched by name)
4. `firecfg --fix` (as your own user, not root: fixes the .desktop files in ~/.local/share/applications so desktop launchers also go through firejail)
5. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start: firecfg symlinks dnsmasq as well, and the sandboxed copy does not work under libvirt)
6. Add a pacman hook to apply firejail on install. Every run of firecfg recreates the dnsmasq symlink from step 5, so either repeat that step after the hook fires or have the hook's Exec remove the symlink again after firecfg.

/etc/pacman.d/hooks/firejail.hook

```conf
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = usr/bin/*
Target = usr/share/applications/*.desktop

[Action]
Description = Configure symlinks in /usr/local/bin based on firecfg.config...
When = PostTransaction
Depends = firejail
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
```

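
One way to keep step 5 applied automatically from the hook, as an added example that is not part of firejail or of this toolbox: a small POSIX sh script that runs firecfg and then removes, for a list of excluded programs, only those /usr/local/bin entries that are symlinks resolving to firejail, so a real binary with the same name is never deleted. The script path /usr/local/sbin/firecfg-post.sh, the BIN_DIR/FIREJAIL/EXCLUDE variables and the function names are this example's own choices; to use it, install it at that path and change the hook's Exec line to `/bin/sh /usr/local/sbin/firecfg-post.sh`.

```shell
#!/bin/sh
# firecfg-post.sh: run firecfg, then unsandbox programs that must not go
# through firejail (example code, not part of firejail or this toolbox).
# Assumptions: installed as /usr/local/sbin/firecfg-post.sh and called from
# the pacman hook's Exec; the exclusion list defaults to dnsmasq (step 5).

BIN_DIR="${BIN_DIR:-/usr/local/bin}"
FIREJAIL="${FIREJAIL:-/usr/bin/firejail}"
EXCLUDE="${EXCLUDE:-dnsmasq}"

# Remove $BIN_DIR/<name> only when it is a symlink that resolves to the
# firejail binary; a real binary, or a symlink to anything else, is left
# alone. Returns 0 when a firejail symlink was removed, 1 otherwise.
drop_firejail_symlink() {
    name="$1"
    link="$BIN_DIR/$name"
    [ -L "$link" ] || return 1
    target=$(readlink -f "$link") || return 1
    [ "$target" = "$(readlink -f "$FIREJAIL")" ] || return 1
    rm -f "$link"
}

# Apply the exclusion list; prints the number of symlinks removed.
unsandbox_excluded() {
    count=0
    for name in $EXCLUDE; do
        if drop_firejail_symlink "$name"; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# As a pacman hook this runs as root with a minimal environment, so use
# absolute paths. firecfg recreates every symlink, then we prune ours.
main() {
    if [ -x /usr/bin/firecfg ]; then
        /usr/bin/firecfg >/dev/null 2>&1
    fi
    unsandbox_excluded
}

# Only run main when executed as the script itself, not when sourced.
case "$0" in
    */firecfg-post.sh|firecfg-post.sh) main ;;
esac
```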

You can run firejail with `--noprofile` to work around access issues (like the Firefox GNOME shell connector). Treat it as a debugging step, not a fix: with `--noprofile` the application runs with none of the profile's restrictions. Once you know which path or feature was blocked, put that single override in `~/.config/firejail/firefox.local` (firejail reads a `<profile>.local` file alongside each profile) instead of running unconfined:

```bash
firejail --noprofile firefox
```


You'll probably want to enable the following. To see which settings are active (the non-comment lines), run:

`grep -e '^[^#].*' /etc/firejail/firejail.config`

/etc/firejail/firejail.config

```conf
# Keep U2F/FIDO security keys reachable from browser sandboxes (the default, yes, hides them).
browser-disable-u2f no
# Allow the --chroot option.
chroot yes
# Change the shell prompt inside a sandbox so it is obvious when you are confined.
firejail-prompt yes
# Apply no_new_privs to every sandbox whether or not the profile asks for it; this stops
# a sandboxed process from gaining privileges through setuid or file-capability binaries.
force-nonewprivs yes
# Log blacklist violations to syslog, the quickest way to find out why a profile blocks something.
tracelog yes
```