apparmor

RELNOTES

@@ -3,6 +3,7 @@ firejail (0.9.42~rc2) baseline; urgency=low
   * --read-write option rework
   * allow symlinks in home directory for --whitelist option
   * AppImage support (--appimage)
+  * AppArmor support (--apparmor)
   * Sandbox auditing support (--audit)
   * remove environment variable (--rmenv)
   * noexec support (--noexec)

src/firejail/checkcfg.c

@@ -239,3 +239,84 @@ errout:
 	exit(1);
 }
 
+
+void print_compiletime_support(void) {
+	printf("Compile time support:\n");
+	printf("\t- AppArmor support is %s\n",
+#ifdef HAVE_APPARMOR
+		"enabled"
+#else
+		"disabled"
+#endif
+		);
+
+
+	printf("\t- bind support is %s\n",
+#ifdef HAVE_BIND
+		"enabled"
+#else
+		"disabled"
+#endif
+		);
+
+	printf("\t- chroot support is %s\n",
+#ifdef HAVE_CHROOT
+		"enabled"
+#else
+		"disabled"
+#endif
+		);
+
+	printf("\t- file and directory whitelisting support is %s\n",
+#ifdef HAVE_WHITELIST
+		"enabled"
+#else
+		"disabled"
+#endif
+		);
+
+	printf("\t- file transfer support is %s\n",
+#ifdef HAVE_FILE_TRANSFER
+		"enabled"
+#else
+		"disabled"
+#endif
+		);
+
+	printf("\t- networking support is %s\n",
+#ifdef HAVE_NETWORK
+		"enabled"
+#else
+		"disabled"
+#endif
+		);
+
+
+#ifdef HAVE_NETWORK_RESTRICTED
+	printf("\t- networking features are available only to root user\n");
+#endif
+
+	printf("\t- seccomp-bpf support is %s\n",
+#ifdef HAVE_SECCOMP
+		"enabled"
+#else
+		"disabled"
+#endif
+		);
+
+	printf("\t- user namespace support is %s\n",
+#ifdef HAVE_USERNS
+		"enabled"
+#else
+		"disabled"
+#endif
+		);
+
+	printf("\t- X11 snadboxing support is %s\n",
+#ifdef HAVE_X11
+		"enabled"
+#else
+		"disabled"
+#endif
+		);
+}

src/firejail/firejail.h

@@ -263,6 +263,7 @@ extern int arg_writable_var;	// writable var
 extern int arg_appimage;	// appimage
 extern int arg_audit;		// audit
 extern char *arg_audit_prog;	// audit
+extern int arg_apparmor;	// apparmor
 
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
@@ -584,6 +585,7 @@ extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 extern char *netfilter_default;
 int checkcfg(int val);
+void print_compiletime_support(void);
 
 // appimage.c
 void appimage_set(const char *appimage_path);

src/firejail/main.c

@@ -102,6 +102,7 @@ int arg_writable_var = 0;			// writable var
 int arg_appimage = 0;				// appimage
 int arg_audit = 0;				// audit
 char *arg_audit_prog;				// audit
+int arg_apparmor;				// apparmor
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -241,6 +242,7 @@ void check_user_namespace(void) {
 }
 #endif
 
+
 // exit commands
 static void run_cmd_and_exit(int i, int argc, char **argv) {
 	EUID_ASSERT();
@@ -255,33 +257,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 	}
 	else if (strcmp(argv[i], "--version") == 0) {
 		printf("firejail version %s\n", VERSION);
-#ifndef HAVE_NETWORK
-		printf("Networking support is disabled.\n");
-#endif
-#ifdef HAVE_NETWORK_RESTRICTED
-		printf("Networking support is allowed only to root user.\n");
-#endif
-#ifndef HAVE_USERNS
-		printf("User namespace support is disabled.\n");
-#endif
-#ifndef HAVE_SECCOMP
-		printf("Seccomp-bpf support is disabled.\n");
-#endif
-#ifndef HAVE_BIND
-		printf("Bind support is disabled.\n");
-#endif
-#ifndef HAVE_CHROOT
-		printf("Chroot support is disabled.\n");
-#endif
-#ifndef HAVE_X11
-		printf("X11 support is disabled.\n");
-#endif
-#ifndef HAVE_FILE_TRANSFER
-		printf("File transfer support is disabled.\n");
-#endif
-#ifndef HAVE_WHITELIST
-		printf("whitelisting support is disabled.\n");
-#endif
+		printf("\n");
+		print_compiletime_support();
+		printf("\n");
 		exit(0);
 	}
 #ifdef HAVE_X11
@@ -905,6 +883,10 @@ int main(int argc, char **argv) {
 		//*************************************
 		// filtering
 		//*************************************
+#ifdef HAVE_APPARMOR
+		else if (strcmp(argv[i], "--apparmor") == 0)
+			arg_apparmor = 1;
+#endif	
 #ifdef HAVE_SECCOMP
 		else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 			if (checkcfg(CFG_SECCOMP)) {

src/firejail/profile.c

@@ -446,6 +446,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 
+	if (strcmp(ptr, "apparmor") == 0) {
+#ifdef HAVE_APPARMOR		
+		arg_apparmor = 1;
+#endif
+		return 0;
+	}
+
 	if (strncmp(ptr, "protocol ", 9) == 0) {
 #ifdef HAVE_SECCOMP
 		if (checkcfg(CFG_SECCOMP))

src/firejail/sandbox.c

@@ -804,9 +804,17 @@ int sandbox(void* sandbox_arg) {
 
 	if (app_pid == 0) {
 #ifdef HAVE_APPARMOR
-		errno = 0;
-		if (aa_change_onexec("firejail-default")) 
-			fprintf(stderr, "Warning: apparmor profile not loaded, errno %d\n", errno);
+		if (arg_apparmor) {
+			errno = 0;
+			if (aa_change_onexec("firejail-default")) {
+				fprintf(stderr, "Error: cannot confine the application using AppArmor.\n");
+				fprintf(stderr, "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n");
+				fprintf(stderr, "As root, run \"aa-enforce firejail-default\" to load it.\n");
+				exit(1);
+			}
+			else if (arg_debug)
+				printf("AppArmor enabled\n");
+		}
 #endif		
 		prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
 		start_application();	// start app

src/firejail/usage.c

@@ -34,6 +34,7 @@ void usage(void) {
 	printf("\n");
 	printf("Options:\n\n");
 	printf("    -- - signal the end of options and disables further option processing.\n\n");
+	printf("    --apparmor - enable AppArmor confinement\n\n");
 	printf("    --appimage - sandbox an AppImage application\n\n");
 	printf("    --audit - audit the sandbox, see Audit section for more details\n\n");
 	printf("    --audit=test-program - audit the sandbox, see Audit section for more details\n\n");

src/man/firejail-profile.txt

@@ -210,6 +210,9 @@ Mount /var directory read-write.
 .SH Security filters
 The following security filters are currently implemented:
 
+.TP
+\fBapparmor
+Enable AppArmor confinement.
 .TP
 \fBcaps
 Enable default Linux capabilities filter.

src/man/firejail.txt

@@ -75,6 +75,9 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-apparmor
+Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below.
+.TP
 \fB\-\-appimage
 Sandbox an AppImage (http://appimage.org/) application.
 .br
@@ -1672,6 +1675,44 @@ $ firejail --tree
       1221:netblue:/usr/lib/firefox/firefox
 .RE
 
+.SH APPARMOR
+.TP
+AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it:
+.br
+
+.br
+$ ./configure --prefix=/usr --enable-apparmor
+.TP
+During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:
+.br
+
+.br
+# aa-enforce firejail-default
+.TP
+The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:
+.br
+
+.br
+- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running
+commands such as "top" and "ps aux".
+.br
+
+.br
+- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running
+programs and scripts from user home or other directories writable by the user is not allowed.
+.br
+
+.br
+- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.
+You should have no problems running Chromium or Firefox.
+
+.TP
+To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:
+.br
+
+.br
+$ firejail --apparmor firefox
+
 .SH FILE TRANSFER
 These features allow the user to inspect the filesystem container of an existing sandbox
 and transfer files from the container to the host filesystem.