Merge pull request #5475 from KOLANICH-tools/aa_fix

A temporary fix to the bug caused by apparmor profiles stacking.
2026-05-21 06:45:29 -06:00 · 2023-01-04 12:13:26 -05:00 · 2023-01-04 12:13:26 -05:00 · 286c8a1374
commit 286c8a1374
parent 069ad9d30e 900db66204
5 changed files with 32 additions and 1 deletions
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@ -35,6 +35,8 @@ include whitelist-runuser-common.inc
 include whitelist-var-common.inc

 apparmor
+# Fixme!
+apparmor-replace
 caps.drop all
 # machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
 #machine-id
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@ -339,6 +339,7 @@ extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage;	// appimage
 extern int arg_apparmor;	// apparmor
 extern char *apparmor_profile;	// apparmor profile
+extern bool apparmor_replace; // whether apparmor should replace the profile (legacy behavior)
 extern int arg_allow_debuggers;	// allow debuggers
 extern int arg_x11_block;	// block X11
 extern int arg_x11_xorg;	// use X11 security extension
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@ -134,6 +134,7 @@ int arg_writable_var_log = 0;		// writable /var/log
 int arg_appimage = 0;				// appimage
 int arg_apparmor = 0;				// apparmor
 char *apparmor_profile = NULL;	// apparmor profile
+bool apparmor_replace = false;	// apparmor profile
 int arg_allow_debuggers = 0;			// allow debuggers
 int arg_x11_block = 0;				// block X11
 int arg_x11_xorg = 0;				// use X11 security extension
@ -1383,6 +1384,10 @@ int main(int argc, char **argv, char **envp) {
 			arg_apparmor = 1;
 			apparmor_profile = argv[i] + 11;
 		}
+		else if (strncmp(argv[i], "--apparmor-replace", 18) == 0) {
+			arg_apparmor = 1;
+			apparmor_replace = true;
+		}
 #endif
 		else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 			if (checkcfg(CFG_SECCOMP)) {
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@ -966,6 +966,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}

+	if (strcmp(ptr, "apparmor-replace") == 0) {
+#ifdef HAVE_APPARMOR
+		arg_apparmor = 1;
+		apparmor_replace = true;
+#endif
+		return 0;
+	}
+
+	if (strcmp(ptr, "apparmor-stack") == 0) {
+#ifdef HAVE_APPARMOR
+		arg_apparmor = 1;
+		apparmor_replace = false;
+#endif
+		return 0;
+	}
+
 	if (strncmp(ptr, "protocol ", 9) == 0) {
 		if (checkcfg(CFG_SECCOMP)) {
 			const char *add = ptr + 9;
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@ -130,7 +130,14 @@ static void set_caps(void) {
 static void set_apparmor(void) {
 	EUID_ASSERT();
 	if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-		if (aa_stack_onexec(apparmor_profile)) {
+		int res = 0;
+		if(apparmor_replace){
+			fwarning("Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.\n");
+			res = aa_change_onexec(apparmor_profile);
+		} else {
+			res = aa_stack_onexec(apparmor_profile);
+		}
+		if (res) {
 			fwarning("Cannot confine the application using AppArmor.\n"
 				"Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
 				"As root, run \"aa-enforce firejail-default\" to load it.\n");