Update Firejail

Firejail.md

@@ -3,9 +3,13 @@
 - [Containers overview](containers)
 
 # Introduction
+
+Firejail is an application sandboxing tool
+
 [Firejail](https://firejail.wordpress.com/features-3/)
 [Firejail source code](https://github.com/netblue30/firejail/tree/master/src/firejail)
 
+
 # AppArmor Integration
 
 Firejail has integrated basic support for AppArmor policy.
@@ -24,17 +28,47 @@ transitions to ```firejail-default``` at exec (aa_change_onexec)
 
 [simple overview](https://pvera.net/posts/apparmor-firejail-sandboxing/)
 
-# Modifying the firejail-default profile
+## Modifying the firejail-default profile
 
 ???
 
-# Check if firejail is built with AppArmor support
+## Check if firejail is built with AppArmor support
 
 ???
 
-# Configure and Build firejail
+## Configure and Build firejail
 
 To configure and build firejail with AppArmor support
 
 ...
 
+
+# Interactions with AppArmor
+
+While the firejail sandboxing tool provides basic AppArmor integration it actually weakens AppArmor protections for application.
+
+## single profile
+
+All applications run under filejail when using the integrated AppArmor support use the same profile, regardless of whether an AppArmor profile for the applications exists. This means AppArmor restrictions can not be tailored to each application. It also means any communication mediation based on the confinement label have to treat all firejailed applications the same.
+
+## mount namespaces
+
+## seccomp
+
+## nonewprivs
+
+# Alternate way to use firejail with AppArmor
+
+Because of the ways that the firejail sandbox interacts with AppArmor policy using ```--apparmor``` is not recommended.
+
+AppArmor's profile attachment can be used instead.
+
+## How to use AppArmor profile attachment
+
+create a firejail profile - to block firejail from using apparmor
+
+Because of mount namespaces
+- alternate profiles
+
+setup profile transitions
+