github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3585] Firejail 0.9.62.2 apparmor profile parser error #2248

New issue
Closed
opened 2026-05-05 08:56:29 -06:00 by gitea-mirror · 7 comments
gitea-mirror commented 2026-05-05 08:56:29 -06:00
Owner
Copy link

Originally created by @adgross on GitHub (Aug 12, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3585

The /etc/apparmor.d/firejail-default file in the 0.9.62.2 release don't follow master and old releases for the /etc/apparmor.d/local/firejail-local filename, it try to #include <local/firejail-default> instead -local. Possible to check line 155 in the file etc/firejail-default given in the release.

Also the Makefile.in from the same release don't have the install line to copy the firejail-local to /etc/apparmor.d/local/. Check lines 135-140.

Bug and expected behavior

  • AppArmor parser error for /etc/apparmor.d/firejail-default in /etc/apparmor.d/firejail-default at line 155: Could not open 'local/firejail-default'
  • /etc/apparmor.d/local don't have any firejail related files, caused by missing install on Makefile.in, so even changing the firejail-default include to #include <local/firejail-local> (like in older releases) will not fix it.

Environment

  • All tests were done in archlinux.
  • The archlinux firejail package is affected by the apparmor parser error.

Workaround

  1. Copy firejail-local from master into /etc/apparmor.d/local/ and change the /etc/apparmor.d/firejail-default include (line 155) to:
    #include <local/firejail-local>
    or
  2. Create a blank /etc/apparmor.d/local/firejail-default
Originally created by @adgross on GitHub (Aug 12, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3585 The /etc/apparmor.d/firejail-default file in the [0.9.62.2 release](https://github.com/netblue30/firejail/releases/download/0.9.62.2/firejail-0.9.62.2.tar.xz) don't follow [master](https://github.com/netblue30/firejail/blob/master/etc/apparmor/firejail-default#L160) and old releases for the /etc/apparmor.d/local/firejail-local filename, it try to #include <local/firejail-**default**> instead **-local**. Possible to check line 155 in the file etc/firejail-default given in the release. Also the Makefile.in from the same release don't have [the install line](https://github.com/netblue30/firejail/blob/master/Makefile.in#L133) to copy the firejail-local to /etc/apparmor.d/local/. Check lines 135-140. **Bug and expected behavior** - AppArmor parser error for /etc/apparmor.d/firejail-default in /etc/apparmor.d/firejail-default at line 155: Could not open 'local/firejail-default' - /etc/apparmor.d/local don't have any firejail related files, caused by missing install on Makefile.in, so even changing the firejail-default include to #include <local/firejail-*local*> (like in older releases) will not fix it. **Environment** - All tests were done in archlinux. - The archlinux firejail package is affected by the [apparmor parser error](https://bugs.archlinux.org/task/67558). **Workaround** 1) Copy [firejail-local from master](https://github.com/netblue30/firejail/blob/master/etc/apparmor/firejail-local) into /etc/apparmor.d/local/ and change the /etc/apparmor.d/firejail-default include (line 155) to: #include <local/firejail-**local**> or 2) Create a blank /etc/apparmor.d/local/firejail-default
gitea-mirror 2026-05-05 08:56:29 -06:00
  • closed this issue
  • added the
    bug
         label
gitea-mirror commented 2026-05-05 08:56:32 -06:00
Author
Owner
Copy link

@adgross commented on GitHub (Aug 12, 2020):

For some reason the man pages for this release also say /etc/apparmor.d/local/firejail-default, instead of firejail-local as in master:

       During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations
       must be placed in /etc/apparmor.d/local/firejail-default. The profile needs to be loaded into the kernel by reloading apparmor.service,  re‐
       booting the system or running the following command as root:

This is a workaround patch I made to be able to create a package without later manual intervention (1 or 2 from first post), ignoring the filename change from the man page.

diff -ruN firejail-0.9.62.2/etc/firejail-default firejail-0.9.62.2-fix/etc/firejail-default
--- firejail-0.9.62.2/etc/firejail-default	2020-08-08 10:28:20.000000000 -0300
+++ firejail-0.9.62.2-fix/etc/firejail-default	2020-08-12 16:15:19.592375000 -0300
@@ -152,5 +152,5 @@
 #capability mac_admin,
 
 # Site-specific additions and overrides. See local/README for details.
-#include <local/firejail-default>
+#include <local/firejail-local>
 }
diff -ruN firejail-0.9.62.2/Makefile.in firejail-0.9.62.2-fix/Makefile.in
--- firejail-0.9.62.2/Makefile.in	2020-08-08 10:28:20.000000000 -0300
+++ firejail-0.9.62.2-fix/Makefile.in	2020-08-12 16:15:19.615708000 -0300
@@ -137,6 +137,7 @@
 	sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
 	install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/.
 	sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
+	install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.
 endif
 	# man pages
 	install -m 0755 -d $(DESTDIR)/$(mandir)/man1
<!-- gh-comment-id:673084877 --> @adgross commented on GitHub (Aug 12, 2020): For some reason the man pages for this release also say /etc/apparmor.d/local/firejail-*default*, instead of firejail-*local* as in [master](https://github.com/netblue30/firejail/blob/master/src/man/firejail.txt#L2849): ``` During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations must be placed in /etc/apparmor.d/local/firejail-default. The profile needs to be loaded into the kernel by reloading apparmor.service, re‐ booting the system or running the following command as root: ``` This is a workaround patch I made to be able to create a package without later manual intervention (1 or 2 from first post), ignoring the filename change from the man page. ```patch diff -ruN firejail-0.9.62.2/etc/firejail-default firejail-0.9.62.2-fix/etc/firejail-default --- firejail-0.9.62.2/etc/firejail-default 2020-08-08 10:28:20.000000000 -0300 +++ firejail-0.9.62.2-fix/etc/firejail-default 2020-08-12 16:15:19.592375000 -0300 @@ -152,5 +152,5 @@ #capability mac_admin, # Site-specific additions and overrides. See local/README for details. -#include <local/firejail-default> +#include <local/firejail-local> } diff -ruN firejail-0.9.62.2/Makefile.in firejail-0.9.62.2-fix/Makefile.in --- firejail-0.9.62.2/Makefile.in 2020-08-08 10:28:20.000000000 -0300 +++ firejail-0.9.62.2-fix/Makefile.in 2020-08-12 16:15:19.615708000 -0300 @@ -137,6 +137,7 @@ sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/. sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;" + install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/. endif # man pages install -m 0755 -d $(DESTDIR)/$(mandir)/man1 ```
gitea-mirror commented 2026-05-05 08:56:33 -06:00
Author
Owner
Copy link

@reinerh commented on GitHub (Aug 13, 2020):

The correct path is actually "local/firejail-default" (not firejail-local). It's convention to have the same name for the local override as for the profile name.

<!-- gh-comment-id:673478749 --> @reinerh commented on GitHub (Aug 13, 2020): The correct path is actually "local/firejail-default" (not firejail-local). It's convention to have the same name for the local override as for the profile name.
gitea-mirror commented 2026-05-05 08:56:35 -06:00
Author
Owner
Copy link

@darmon77 commented on GitHub (Aug 13, 2020):

This for me was the porvisor solution. (rename firejail-local to firejail-default)
mv /etc/apparmor.d/local/firejail-local /etc/apparmor.d/local/firejail-default

<!-- gh-comment-id:673504842 --> @darmon77 commented on GitHub (Aug 13, 2020): This for me was the porvisor solution. (rename firejail-local to firejail-default) **mv /etc/apparmor.d/local/firejail-local /etc/apparmor.d/local/firejail-default**
gitea-mirror commented 2026-05-05 08:56:35 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Aug 13, 2020):

OK, I'll go with firejail-default - @reinerh, I think this is what you have in Debian sid?

@darmon77 - I'll have the fixes in release-0.9.62 branch by the end of the day, and a new release (0.9.62.4) at the end of the week. Thank you for the bug! It is probably broken all over, not only in Arch.

<!-- gh-comment-id:673606327 --> @netblue30 commented on GitHub (Aug 13, 2020): OK, I'll go with firejail-default - @reinerh, I think this is what you have in Debian sid? @darmon77 - I'll have the fixes in release-0.9.62 branch by the end of the day, and a new release (0.9.62.4) at the end of the week. Thank you for the bug! It is probably broken all over, not only in Arch.
gitea-mirror commented 2026-05-05 08:56:36 -06:00
Author
Owner
Copy link

@reinerh commented on GitHub (Aug 13, 2020):

Yes, in Debian I'm using local/firejail-default.
The installation of the profile is handled by a packaging helper tool, that's why I had it removed from the Makefile in the Debian packaging.

<!-- gh-comment-id:673609485 --> @reinerh commented on GitHub (Aug 13, 2020): Yes, in Debian I'm using local/firejail-default. The installation of the profile is handled by a packaging helper tool, that's why I had it removed from the Makefile in the Debian packaging.
gitea-mirror commented 2026-05-05 08:56:38 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Aug 14, 2020):

Fix in ed26a0fa7b based on the patch from @adgross

Release Sunday (Aug 16) if nothing else comes up.

<!-- gh-comment-id:674015359 --> @netblue30 commented on GitHub (Aug 14, 2020): Fix in https://github.com/netblue30/firejail/commit/ed26a0fa7bfcbafee8eba01fa77a3ff8130e2af6 based on the patch from @adgross Release Sunday (Aug 16) if nothing else comes up.
gitea-mirror commented 2026-05-05 08:56:39 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Aug 18, 2020):

All set, 0.9.62.4 is out.

<!-- gh-comment-id:675540592 --> @netblue30 commented on GitHub (Aug 18, 2020): All set, 0.9.62.4 is out.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2248
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?