[GH-ISSUE #4114] Apparmor and Firejail - Sandboxing not working properly #2539

Closed
opened 2026-05-05 09:12:49 -06:00 by gitea-mirror · 16 comments

Originally created by @g4njawizard on GitHub (Mar 18, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4114

In the past I started every firefox session via an alias. Now I wanted to test it with default settings and apparmor activated.
I've run the following:

```
sudo firecfg
...created

Adding user to Firejail access database in /etc/firejail/firejail.users
User already in the database

Loading AppArmor profile

Configuring symlinks in /usr/local/bin based on local firejail config directory

Fixing desktop files in /home/user/.local/share/applications
   chromium.desktop skipped: file exists
   code.desktop skipped: file exists
   org.xfce.Catfish.desktop skipped: file exists
   firefox-esr.desktop skipped: file exists
```

To enable apparmor:

`sudo apparmor_parser -r /etc/apparmor.d/firejail-default`

When I start Firefox from inside my terminal, I see:

```
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 3629, child pid 3632
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 147.47 ms
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features
Warning: an existing sandbox was detected. /usr/bin/firefox-esr will run without any additional sandboxing features
```

But if I check all active sandboxes, I only see:

```
user@mjolnir:~|⇒  sudo aa-status
apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   docker-default
   firejail-default
0 profiles are in complain mode.
6 processes have profiles defined.
6 processes are in enforce mode.
   /usr/lib/firefox-esr/firefox-esr (3186) firejail-default
   /usr/lib/firefox-esr/firefox-esr (3236) firejail-default
   /usr/lib/firefox-esr/firefox-esr (3305) firejail-default
   /usr/lib/firefox-esr/firefox-esr (3341) firejail-default
   /usr/lib/firefox-esr/firefox-esr (3374) firejail-default
   /usr/lib/firefox-esr/firefox-esr (3457) firejail-default
0 processes are in complain mode.
0 processes are unconfined but have a profile defined
----
user@mjolnir:~|⇒  firejail --list
3629:user::firejail firefox
-----
which firefox
/usr/bin/firefox
```

What is also strange is that after a system reboot the apparmor firejail profile is gone, so I have to rerun `apparmor_parser -r`. How can I save this setting?

After a reboot, I see this message, when starting firefox:

```
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
```

When I do `firecfg --clean`, the sandbox warning disappears, but I have no more profiles.
Am I missing a step?

I am using Debian.


@rusty-snake commented on GitHub (Mar 18, 2021):

`/usr/bin/firefox` is a shell-script that starts `/usr/lib/firefox-esr/firefox-esr`.


@g4njawizard commented on GitHub (Mar 18, 2021):

This is just informative, but not helping. Or what do you want to tell me?


@smitsohu commented on GitHub (Mar 18, 2021):

No matter if firejail is used or not, you will never find `/usr/bin/firefox` in your process tree on a Debian system.

Just try it out using `top` or `pgrep -a firefox` or whatever tool you prefer.

As @rusty-snake said, the reason is that when you type `/usr/bin/firefox`, at first you run a shell, and `/usr/lib/firefox-esr/firefox-esr` a.k.a. Firefox is executed only in a second step.

In other words, your `aa-status` output looks good.

> What also is strange, that after a system reboot the apparmor firejail profile is gone, so I have to rerun apparmor_parser -r. How can I safe this setting?

Did you already try what firejail suggested you to do?

> As root, run "aa-enforce firejail-default" to load it.


@g4njawizard commented on GitHub (Mar 18, 2021):

Thanks for explaining.

But I still don't understand why it matters if I start using "firefox" or "firefox-esr". Both lead to the same issue.

```
⇒  firejail firefox-esr
Reading profile /etc/firejail/firefox-esr.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 7171, child pid 7174
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 149.34 ms
Warning: an existing sandbox was detected. /usr/bin/firefox-esr will run without any additional sandboxing features
```

Regarding `aa-enforce`, I had to additionally install apparmor-utils to enforce it. I think it will persist now. Haven't rebooted yet.


@rusty-snake commented on GitHub (Mar 18, 2021):

> Both lead to the same issue.

Firefox is started in firejail and AA is enforced you said, anything missing?

The "Warning: an existing sandbox was detected. /usr/bin/frog will run without any additional sandboxing features" is because you run `firejail frog` and `which frog` is the firecfg symlink. You should always use `firejail /usr/bin/frog` if there is a firecfg symlink for frog.


@g4njawizard commented on GitHub (Mar 18, 2021):

Ok, now I got it.

I wasn't sure, if I always have to define the path.
It looks better now.

If I might ask, do you always type `firejail <path/app>`, or do you use aliases, or is there another trick to make things easier? ^^

```
firejail /usr/bin/firefox-esr
...
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 8154, child pid 8157
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 149.14 ms
```

And thank you guys for your quick feedback! Well appreciated.


@rusty-snake commented on GitHub (Mar 18, 2021):

> If I might ask, do you always type firejail <path/app>, or do you use aliases, or is there another trick to make things easier?

As you `sudo firecfg`, you can simply type `firefox`. (I myself use firecfg.py instead.)


@g4njawizard commented on GitHub (Mar 18, 2021):

Oh, that's good to know! THX :)


@g4njawizard commented on GitHub (Mar 19, 2021):

I have to say sorry for reopening this issue.
But it seems like apparmor is not able to save the firejail profile.
After every boot I have to manually set "aa-enforce firejail-default".

And just like @rusty-snake mentioned with using firecfg, I could simply type `firefox` to open it sandboxed.
But today after starting it didn't work again.

```
~|⇒  firefox
Reading profile /etc/firejail/firefox.profile
...
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 3076, child pid 3079
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 151.15 ms
Warning: an existing sandbox was detected. /usr/bin/firefox-esr will run without any additional sandboxing features
```

I had to go this way again:

```
aa-enforce firejail-default
firejail /usr/bin/firefox-esr
```

This seems to me like either my system is not running well, or is this a bug?


@rusty-snake commented on GitHub (Mar 19, 2021):

> And just like @rusty-snake mentioned with using firecfg, I could simply type firefox to open it sandboxed.
> But today after starting It didn't work again.
>
> ~|⇒ firefox
> Reading profile /etc/firejail/firefox.profile

This shows firefox is running in firejail, so this works.

So AA is the thing that does not seem to work (after a reboot). However I can help here, I'm on a SELinux system for years.


@g4njawizard commented on GitHub (Mar 19, 2021):

> > And just like @rusty-snake mentioned with using firecfg, I could simply type firefox to open it sandboxed.
> > But today after starting It didn't work again.
> > ~|⇒ firefox
> > Reading profile /etc/firejail/firefox.profile
>
> This shows firefox is running in firejail, so this works.

But as you see, when I only type `firefox`:

> > Warning: an existing sandbox was detected. /usr/bin/firefox-esr will run without any additional sandboxing features

> So AA is the thing that does not seem to work (after a reboot). However I can help here, I'm on a SELinux system for years.

I don't have SELinux enabled on my private notebook. So this can't be the cause for this problem. Yesterday I saw a message in dmesg, but I forgot to copy it. There stood something like, "unconfined".. "error=2" "firejail-default".
And yes, apparmor is just unable to load all profiles after boot. It only loads the docker profile by default. Everything else I have to pass manually.
Long story short, I am back to where I was yesterday. :D


@rusty-snake commented on GitHub (Mar 19, 2021):

> but as you see, when I only type firefox
>
> > Warning: an existing sandbox was detected. /usr/bin/firefox-esr will run without any additional sandboxing features

firefox and firefox-esr are the same on debian. Both are shell-scripts or one is a symlink to the other (maybe through alternatives). There's nothing wrong, everything works.

> There stood something like, "unconfined".. "error=2" "firejail-default"

firejail (from debian) has AA and SE support enabled. If neither of them is enabled none is used, if AA is enabled it is used and if SE is enabled it is used.


@g4njawizard commented on GitHub (Mar 19, 2021):

I saw my mistake regarding `firejail firefox`. I have to run "firefox-esr" to make the warning disappear.

SELinux is not enabled on my system.
`getenforce` is an unknown command.

```
aa-enabled
yes
```

So how do I deal with this?

I forgot to mention that under /etc/apparmor.d/ lies the unused firejail-default profile.
Is there an apparmor cfg where I can set this profile on autoload?


@rusty-snake commented on GitHub (Mar 19, 2021):

It's just an informative warning.

You can not use AA and SE. There is nothing that you need to do about SE. The only thing we need to focus on is the loading of the AA profile. (And as I said, I don't have much knowledge about AA usage.)


@g4njawizard commented on GitHub (Mar 19, 2021):

Oh, then you had a typo:

> However I (can) help here ^^

Well then, thank you anyway for your time and help. :)


@g4njawizard commented on GitHub (Mar 19, 2021):

Problem solved.
Having `aa-enabled` (yes) alone is not working when you don't have apparmor.service enabled.
I've added my /apparmor.d/ profiles via /etc/apparmor/parser.conf and ran:

```
systemctl enable apparmor.service
```

But... it should have worked without enabling the service, since there was one docker profile which was always loaded after boot.
If someone has an idea how to approach enabling a profile without enabling the service, that would be great!
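The two things the thread establishes, that a firecfg symlink in /usr/local/bin makes `firejail firefox` a nested sandbox (hence the "existing sandbox" warning) and that the AppArmor layer only applies once `firejail-default` is actually loaded in the kernel, can be checked with a short script. This is an added diagnostic, not firejail's own code; it assumes the kernel profile list at /sys/kernel/security/apparmor/profiles uses "name (mode)" lines and uses `systemctl is-enabled` for the service check.

```shell
#!/bin/sh
# Added diagnostic for the two findings in this thread (not firejail's own code):
#  1. a firecfg symlink in /usr/local/bin means "firejail firefox" nests one
#     sandbox inside another, which is what the "existing sandbox" warning says;
#  2. the AppArmor layer only applies when firejail-default is loaded in the
#     kernel, which on this system needed apparmor.service after a reboot.

# firecfg_status NAME [SEARCH_PATH]
# Prints "symlink-to-firejail" when NAME resolves (via SEARCH_PATH, default
# $PATH) to a symlink whose target is a firejail binary, "regular" otherwise,
# "not-found" if NAME cannot be resolved. Absolute paths are used as given.
firecfg_status() {
    cmd=$1
    search_path=${2:-$PATH}
    target=
    case $cmd in
        /*) target=$cmd ;;
        *)
            old_ifs=$IFS; IFS=:
            for dir in $search_path; do
                if [ -e "$dir/$cmd" ] || [ -L "$dir/$cmd" ]; then
                    target=$dir/$cmd
                    break
                fi
            done
            IFS=$old_ifs ;;
    esac
    if [ -z "$target" ] || { [ ! -e "$target" ] && [ ! -L "$target" ]; }; then
        echo "not-found"
        return 1
    fi
    if [ -L "$target" ]; then
        dest=$(readlink "$target")
        case ${dest##*/} in
            firejail) echo "symlink-to-firejail"; return 0 ;;
        esac
    fi
    echo "regular"
}

# aa_profile_state NAME [PROFILE_LIST]
# Prints the mode ("enforce" / "complain") of AppArmor profile NAME from the
# kernel's profile list (assumed format "name (mode)" per line, as in
# /sys/kernel/security/apparmor/profiles), "not-loaded" if absent, or
# "apparmor-unavailable" when the list cannot be read.
aa_profile_state() {
    name=$1
    list=${2:-/sys/kernel/security/apparmor/profiles}
    [ -r "$list" ] || { echo "apparmor-unavailable"; return 2; }
    mode=$(awk -v n="$name" '$1 == n { gsub(/[()]/, "", $2); print $2; exit }' "$list")
    if [ -n "$mode" ]; then
        echo "$mode"
        return 0
    fi
    echo "not-loaded"
    return 1
}

# report: run the live checks on this host (invoked with "--check").
report() {
    for app in firefox firefox-esr; do
        printf '%-18s %s\n' "$app:" "$(firecfg_status "$app")"
    done
    printf '%-18s %s\n' "firejail-default:" "$(aa_profile_state firejail-default)"
    if command -v systemctl >/dev/null 2>&1; then
        printf '%-18s %s\n' "apparmor.service:" \
            "$(systemctl is-enabled apparmor.service 2>/dev/null || echo "not-enabled")"
    fi
}

case ${1:-} in
    --check) report ;;
esac
```

Run it as `sh check.sh --check`; a "symlink-to-firejail" result means plain `firefox` is already sandboxed and `firejail firefox` would nest, while "not-loaded" for firejail-default reproduces the "Cannot confine the application using AppArmor" situation from the thread.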
