[PR #5274] [MERGED] Add support for custom AppArmor profiles (--apparmor=) #5423

Closed
opened 2026-05-05 10:38:10 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/5274
Author: @ChrysoliteAzalea
Created: 7/25/2022
Status: Merged
Merged: 8/14/2022
Merged by: @netblue30

Base: master ← Head: master


📝 Commits (1)

  • 7f3b6c1 Add support for custom AppArmor profiles (--apparmor=)

📊 Changes

9 files changed (+39 additions, -7 deletions)


📝 contrib/vim/syntax/firejail.vim (+1 -1)
📝 src/firejail/firejail.h (+1 -0)
📝 src/firejail/main.c (+8 -1)
📝 src/firejail/profile.c (+11 -0)
📝 src/firejail/sandbox.c (+1 -1)
📝 src/firejail/usage.c (+3 -1)
📝 src/man/firejail-profile.txt (+5 -1)
📝 src/man/firejail.txt (+7 -1)
📝 src/zsh_completion/_firejail.in (+2 -1)

📄 Description

New command checklist:

  • Update manpages: firejail(1) and firejail-profile(5)
  • Update shell completions
  • Update vim syntax files
  • Update --help

Hello everyone!

Firejail currently supports AppArmor confinement with a "one-size-fits-all" profile only. However, I think this approach isn't the best when it comes to sandboxing applications. I propose adding a new option that allows a user to choose another (but already loaded) AppArmor profile that can restrict application access better.

Also, in this pull request, aa_change_onexec is replaced by aa_stack_onexec, which prevents transition from a more-restricted domain to a less-restricted domain, and also allows transition with the "No New Privileges" restriction enabled.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
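
The description above requires the profile passed to `--apparmor=` to be already loaded. The following is an added example, not code from this PR or from Firejail: a check of whether a named profile is loaded and enforcing, run here over a constructed listing. It assumes the kernel's `name (mode)` listing format from `/sys/kernel/security/apparmor/profiles`; the profile names and the helper names `parse_profile_line` and `profile_state` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the "<name> (<mode>)" layout of
 * /sys/kernel/security/apparmor/profiles; every name is made up. */
static const char SAMPLE[] = "example-default (enforce)\n"
                             "example-relaxed (complain)\n"
                             "odd name (v2) (enforce)\n";

/* Split one line into name and mode. Names may contain spaces and
 * parentheses, so the mode starts at the last " (" on the line. */
static int parse_profile_line(const char *line, char *name, size_t nlen,
                              char *mode, size_t mlen)
{
    size_t len = strcspn(line, "\n"), i;
    if (len < 4 || line[len - 1] != ')')
        return 0;
    for (i = len - 1; i > 1; i--)
        if (line[i] == '(' && line[i - 1] == ' ')
            break;
    if (i <= 1 || i - 1 >= nlen || len - i - 2 == 0 || len - i - 2 >= mlen)
        return 0;
    snprintf(name, nlen, "%.*s", (int)(i - 1), line);
    snprintf(mode, mlen, "%.*s", (int)(len - i - 2), line + i + 1);
    return 1;
}

/* 1: loaded and enforcing; 0: loaded in another mode (complain only
 * logs); -1: not loaded, so it cannot be selected at all. */
static int profile_state(const char *listing, const char *wanted)
{
    char name[256], mode[32];
    for (const char *p = listing; *p; p += (*p == '\n')) {
        if (parse_profile_line(p, name, sizeof name, mode, sizeof mode) &&
            strcmp(name, wanted) == 0)
            return strcmp(mode, "enforce") == 0;
        p += strcspn(p, "\n");
    }
    return -1;
}

int main(void)
{
    const char *names[] = { "example-default", "example-relaxed", "example-missing" };
    for (size_t k = 0; k < 3; k++)
        printf("%-16s state=%d\n", names[k], profile_state(SAMPLE, names[k]));
    return 0;
}
```

On a live system the listing would be read from the securityfs file instead of `SAMPLE`; reading it typically requires root.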

Reference: github-starred/firejail#5423