[GH-ISSUE #2291] Firejail Apparmor Support Not Working (Even Though it's Been Enabled During BUILD) #1528

Closed
opened 2026-05-05 08:11:27 -06:00 by gitea-mirror · 6 comments

Originally created by @thebunnyrules on GitHub (Dec 5, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2291

Hello,

I'm trying to run firejail with apparmor support. I've tried with both the ubuntu build which comes from the cosmic repo and the latest source from git (0.9.57, libapparmor-dev is already installed) built with:

```sh
./configure --prefix=/usr --enable-apparmor
```

Entering:

```sh
firejail --version
```

on both gives:

```text
Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
```

but when I try to run:

```sh
firejail --apparmor firefox
```

my apparmor profile is still being ignored. I have aa-enforce running on firefox and it's working perfectly without firejail, so I know it's not the profile or apparmor.

Any ideas on how I can troubleshoot this? THANKS!!!!


@Vincent43 commented on GitHub (Dec 5, 2018):

Which profile is ignored? Generic one from firejail under `/etc/apparmor.d/firejail-default` or firefox specific one from `/etc/apparmor.d/usr.bin.firefox`?

EDIT: When `--apparmor` option is used, then `/etc/apparmor.d/firejail-default` profile should be used for any given app. Without `--apparmor` app may be confined by its own apparmor profile but it may cause conflicts with firejail thus it's not recommended to use both firejail and specific apparmor profile at the same time.

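A way to check which AppArmor profile a sandboxed process actually carries, added here as an example (not code from this thread or from the firejail project). It assumes a Linux host with AppArmor and `firejail` in `PATH` for the live probe, and that the kernel reports the label through `/proc/<pid>/attr/current` in the form `name (mode)`; the parsing helpers run anywhere.

```shell
#!/bin/sh
# Added example, not code from this issue or from the firejail project.
# Verifies that a process started with `firejail --apparmor` really carries
# the firejail-default AppArmor label. The parsing helpers run anywhere; the
# live probe assumes a Linux host with AppArmor and firejail in PATH.

# parse_aa_label LABEL: LABEL is what /proc/<pid>/attr/current returns,
# e.g. "firejail-default (enforce)" or "unconfined". Prints "<profile> <mode>".
parse_aa_label() {
    label=$1
    case "$label" in
        unconfined|"") echo "unconfined none" ;;
        *" ("*")")
            prof=${label%%" ("*}   # text before " ("
            mode=${label##*"("}    # text after the last "("
            echo "$prof ${mode%")"}" ;;
        *) echo "$label unknown" ;;
    esac
}

# confined_by_firejail_default LABEL: succeeds only when LABEL names
# firejail-default in enforce mode.
confined_by_firejail_default() {
    set -- $(parse_aa_label "$1")
    [ "$1" = firejail-default ] && [ "$2" = enforce ]
}

# live_check: probe this machine; skipped when firejail is not installed.
live_check() {
    if ! command -v firejail >/dev/null 2>&1; then
        echo "skip: firejail not found in PATH"
        return 0
    fi
    profiles=/sys/kernel/security/apparmor/profiles   # readable as root
    if [ -r "$profiles" ] && ! grep -q '^firejail-default ' "$profiles"; then
        echo "firejail-default is not loaded; try:"
        echo "  sudo apparmor_parser -r /etc/apparmor.d/firejail-default"
        return 1
    fi
    # The label inside the sandbox is the same whatever program is run.
    label=$(firejail --quiet --apparmor cat /proc/self/attr/current 2>/dev/null)
    if confined_by_firejail_default "$label"; then
        echo "ok: sandbox label is '$label'"
    else
        echo "problem: sandbox label is '$label', expected 'firejail-default (enforce)'"
        return 1
    fi
}

live_check
```

If the live probe reports `unconfined` or an empty label, the profile was not applied by firejail, which is a different failure from a misbehaving `usr.bin.firefox` profile.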

@thebunnyrules commented on GitHub (Dec 6, 2018):

Hi Vincent, thanks for getting back to me so quickly. I'll play around with `/etc/apparmor.d/firejail-default`, see what happens and post a follow up. Thanks!


@Vincent43 commented on GitHub (Dec 6, 2018):

You may add your own customizations to `/etc/apparmor.d/local/firejail-local` so they will be persistent after firejail update.


@thebunnyrules commented on GitHub (Dec 7, 2018):

So, is it possible to do per-application apparmor customization via firejail-default or firejail-local?

Does firejail-default support hat change or sub profiles?

I tried to do a change hat inside firejail-default for firefox but it's being ignored. For example

```
....

##########
# We let Firejail deal with mount/umount functionality.
##########
mount,
remount,
umount,
pivot_root,

# Site-specific additions and overrides. See local/README for details.
#include <local/firejail-local>

^firefox {

	deny /home/lapinot/.bash_history rwk,
}
}
```

I also tried `^/opt/firefox.wayland/firefox {...` and also tried `profile firefox {...` but no dice either. I restarted apparmor each time I tried to apply a new change and restarted successfully so there is no syntax error as far as I can tell...


@Vincent43 commented on GitHub (Dec 7, 2018):

It's not possible to do per-application modifications. It's one-size-fits-all.


@chiraag-nataraj commented on GitHub (May 22, 2019):

Seems like this was answered, so I'll go ahead and close this. @thebunnyrules, please feel free to re-open if you have further questions.
