[GH-ISSUE #3629] Problem Apparmor with Brave

gitea-mirror commented

2026-05-05 08:58:17 -06:00

Owner

Originally created by @Bundy01 on GitHub (Sep 11, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3629

Write clear, concise and in textual form.

Bug and expected behavior
I have an Apparmor warning popup when launching Brave Browser.

No profile or disabling firejail
It's OK.

Environment

Linux distribution: Arch
Firejail version: 0.9.62.4
What other programs interact with the affected program for the functionality? no
Are these listed in the profile? yes

Checklist

The upstream profile (and redirect profile if exists) have no changes fixing it.
The upstream profile exists (find / -name 'firejail' 2>/dev/null/fd firejail to locate profiles ie in /usr/local/etc/firejail/PROGRAM.profile)
Programs needed for interaction are listed.
Error was checked in search engine and on issue list without success.

audit.log

debug output

type=AVC msg=audit(1599667022.015:665): apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/87/clear_refs" pid=124712 comm="MemoryInfra" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

I disabled apparmor in the chromium-common profile and the bug stopped.
It's not really the best thing to do. Isn't the problem coming from the Firejail profile for Apparmor?

Regards.

Originally created by @Bundy01 on GitHub (Sep 11, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3629 Write clear, concise and in textual form. **Bug and expected behavior** I have an Apparmor warning popup when launching Brave Browser. **No profile or disabling firejail** It's OK. **Environment** - Linux distribution: Arch - Firejail version: 0.9.62.4 - What other programs interact with the affected program for the functionality? no - Are these listed in the profile? yes **Checklist** - [ ] The upstream profile (and redirect profile if exists) have no changes fixing it. - [x] The upstream profile exists (`find / -name 'firejail' 2>/dev/null`/`fd firejail` to locate profiles ie in `/usr/local/etc/firejail/PROGRAM.profile`) - [ ] Programs needed for interaction are listed. - [x] Error was checked in search engine and on issue list without success. audit.log <details><summary> debug output </summary> ` type=AVC msg=audit(1599667022.015:665): apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/87/clear_refs" pid=124712 comm="MemoryInfra" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000 ` </details> I disabled apparmor in the chromium-common profile and the bug stopped. It's not really the best thing to do. Isn't the problem coming from the Firejail profile for Apparmor? Regards.

gitea-mirror closed this issue

2026-05-05 08:58:18 -06:00

gitea-mirror commented

2026-05-05 08:58:20 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 1, 2020):

@Vincent43 your the apparmor expert here.

@rusty-snake commented on GitHub (Oct 1, 2020): @Vincent43 your the apparmor expert here.

gitea-mirror commented

2026-05-05 08:58:21 -06:00

Author

Owner

@Vincent43 commented on GitHub (Oct 2, 2020):

This should be fixed by this commit which is only in master branch atm.

@Vincent43 commented on GitHub (Oct 2, 2020): This should be fixed by this [commit](https://github.com/netblue30/firejail/commit/873a97a9b3442976a618333c1063da13d2a38025) which is only in master branch atm.

gitea-mirror commented

2026-05-05 08:58:22 -06:00

Author

Owner

@Bundy01 commented on GitHub (Oct 2, 2020):

@Vincent43: Your patch seems to work after a reboot and reload of the apparmor service.

Thanks.

edit: It's secondary but an apparmor error comes back when I run Brave with Tor:

type=AVC msg=audit(1601649692.686:239): apparmor="DENIED" operation="exec" profile="firejail-default" name="~/.config/BraveSoftware/Brave-Browser/**********************/1.0.12/tor-0.3.5.11-linux-brave-0" pid=7946 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000

I tried to add 'x' to the profile without success.

@Bundy01 commented on GitHub (Oct 2, 2020): @Vincent43: Your patch seems to work after a reboot and reload of the apparmor service. Thanks. edit: It's secondary but an apparmor error comes back when I run Brave with Tor: ``` type=AVC msg=audit(1601649692.686:239): apparmor="DENIED" operation="exec" profile="firejail-default" name="~/.config/BraveSoftware/Brave-Browser/**********************/1.0.12/tor-0.3.5.11-linux-brave-0" pid=7946 comm="brave" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 ``` I tried to add 'x' to the profile without success.

gitea-mirror commented

2026-05-05 08:58:22 -06:00

Author

Owner

@Vincent43 commented on GitHub (Oct 2, 2020):

try adding:
owner /home/**/.config/BraveSoftware/Brave-Browser/** ix,

in /etc/apparmor.d/local/firejail-local then restart apparmor or reboot.

@Vincent43 commented on GitHub (Oct 2, 2020): try adding: `owner /home/**/.config/BraveSoftware/Brave-Browser/** ix,` in `/etc/apparmor.d/local/firejail-local` then restart apparmor or reboot.

gitea-mirror commented

2026-05-05 08:58:23 -06:00

Author

Owner

@Bundy01 commented on GitHub (Oct 2, 2020):

I copied your instruction in the file but the error comes back.

edit: I just copied the line into ~~firejail-default~~ /etc/apparmor.d/local/firejail-default and it works.

@Bundy01 commented on GitHub (Oct 2, 2020): I copied your instruction in the file but the error comes back. edit: I just copied the line into ~~firejail-default~~ /etc/apparmor.d/local/firejail-default and it works.

gitea-mirror commented

2026-05-05 08:58:24 -06:00

Author

Owner

@Bundy01 commented on GitHub (Oct 25, 2020):

I'm coming back to this issue because Tor in Brave doesn't work anymore (no internet connection). This time it's not a problem with Apparmor. This one appeared on Arch with version 0.9.64rc1-2. With version 0.9.64-1, it's identical.

@Bundy01 commented on GitHub (Oct 25, 2020): I'm coming back to this issue because Tor in Brave doesn't work anymore (no internet connection). This time it's not a problem with Apparmor. This one appeared on Arch with version 0.9.64rc1-2. With version 0.9.64-1, it's identical.

gitea-mirror commented

2026-05-05 08:58:24 -06:00

Author

Owner

@Vincent43 commented on GitHub (Oct 30, 2020):

Are you sure it's not Apparmor? I heard that Arch Linux package update wiped local /etc/apparmor.d/local/firejail-default changes so your owner /home/**/.config/BraveSoftware/Brave-Browser/** ix, rule may be lost. If it's not apparmor problem then feel free to open new issue with more details and this one should be closed.

@Vincent43 commented on GitHub (Oct 30, 2020): Are you sure it's not Apparmor? I heard that Arch Linux package update wiped local `/etc/apparmor.d/local/firejail-default` changes so your `owner /home/**/.config/BraveSoftware/Brave-Browser/** ix,` rule may be lost. If it's not apparmor problem then feel free to open new issue with more details and this one should be closed.

gitea-mirror commented

2026-05-05 08:58:25 -06:00

Author

Owner

@Bundy01 commented on GitHub (Oct 30, 2020):

The problem doesn't come from apparmor this time (I commented the apparmor line in chromium-common.profile).
Indeed, /etc/apparmor.d/local/firejail-default was overwritten during updates, but it has been fixed with the latest version (.pacnew).
For /home/**/.config/BraveSoftware/Brave-Browser/** ix, are you thinking of doing a PR?

I can make another issue for the new problem, but I don't have much information because it appeared with the firejail-0.9.64rc1-2 package. I also have an 'execvp' error when running the Tor profile.

@Bundy01 commented on GitHub (Oct 30, 2020): The problem doesn't come from apparmor this time (I commented the apparmor line in chromium-common.profile). Indeed, /etc/apparmor.d/local/firejail-default was overwritten during updates, but it has been fixed with the latest version (.pacnew). For `/home/**/.config/BraveSoftware/Brave-Browser/** ix,` are you thinking of doing a PR? I can make another issue for the new problem, but I don't have much information because it appeared with the firejail-0.9.64rc1-2 package. I also have an 'execvp' error when running the Tor profile.

gitea-mirror commented

2026-05-05 08:58:26 -06:00

Author

Owner

@Vincent43 commented on GitHub (Oct 30, 2020):

For /home//.config/BraveSoftware/Brave-Browser/ ix, are you thinking of doing a PR?

As a general policy we don't allow executing code from user home in global firejail appamor profile so changes like this belong to user own overrides.

I can make another issue for the new problem, but I don't have much information because it appeared with the firejail-0.9.64rc1-2 package. I also have an 'execvp' error when running the Tor profile.

Please do and show all errors from console. As this issue is about apparmor I don't want to convolute it with unrelated problems.

@Vincent43 commented on GitHub (Oct 30, 2020): > For /home/**/.config/BraveSoftware/Brave-Browser/** ix, are you thinking of doing a PR? As a general policy we don't allow executing code from user home in global firejail appamor profile so changes like this belong to user own overrides. > I can make another issue for the new problem, but I don't have much information because it appeared with the firejail-0.9.64rc1-2 package. I also have an 'execvp' error when running the Tor profile. Please do and show all errors from console. As this issue is about apparmor I don't want to convolute it with unrelated problems.

gitea-mirror commented

2026-05-05 08:58:27 -06:00

Author

Owner

@Bundy01 commented on GitHub (Oct 30, 2020):

Ok, no problem.
I ceate an hover issue for that.

This issue can be close.

@Bundy01 commented on GitHub (Oct 30, 2020): Ok, no problem. I ceate an hover issue for that. This issue can be close.

gitea-mirror referenced this issue

2026-05-05 10:16:39 -06:00

[PR #2281] [MERGED] restricting more, HOME and tmp in mpsyt.profile #4254

Rows
Columns

[GH-ISSUE #3629] Problem Apparmor with Brave #2281