[PR #5317] [MERGED] Fix an AppArmor profile denial issue with ptrace reading and signals #5442

New issue

Closed

opened 2026-05-05 10:38:31 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:38:31 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/5317
Author: @ChrysoliteAzalea
Created: 8/15/2022
Status: ✅ Merged
Merged: 8/18/2022
Merged by: @undefined

Base: master ← Head: apparmor_profile_correction

📝 Commits (1)

44e8b02 Fixed an AppArmor profile denial issue with ptrace and signals

📊 Changes

1 file changed (+2 additions, -0 deletions)

View changed files

📝 etc/apparmor/firejail-default (+2 -0)

📄 Description

Hello everyone!

Recently, a pull request was merged that added support for custom AppArmor profiles. However, there was a use-case I haven't tested -- a case where an application confined by a default profile uses ptrace or sends signals. In the original profile, it was allowed only for apps with the same security label. However, I've missed that, while firejail-default//&unconfined and firejail-default have equal AppArmor permissions, ptrace reading and sending signals were previously allowed for peers only with the latter security label. I've fixed it in this PR by allowing both.

Fixes #5316

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/5317 **Author:** [@ChrysoliteAzalea](https://github.com/ChrysoliteAzalea) **Created:** 8/15/2022 **Status:** ✅ Merged **Merged:** 8/18/2022 **Merged by:** [@undefined](undefined) **Base:** `master` ← **Head:** `apparmor_profile_correction` --- ### 📝 Commits (1) - [`44e8b02`](https://github.com/netblue30/firejail/commit/44e8b026eafc50a5ab7ed67191c76d336a944fdf) Fixed an AppArmor profile denial issue with ptrace and signals ### 📊 Changes **1 file changed** (+2 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `etc/apparmor/firejail-default` (+2 -0) </details> ### 📄 Description Hello everyone! Recently, a [pull request](https://github.com/netblue30/firejail/pull/5274) was merged that added support for custom AppArmor profiles. However, there was a use-case I haven't tested -- a case where an application confined by a default profile uses ptrace or sends signals. In the original profile, it was allowed only for apps with the same security label. However, I've missed that, while **firejail-default//&unconfined** and **firejail-default** have equal AppArmor permissions, ptrace reading and sending signals were previously allowed for peers only with the latter security label. I've fixed it in this PR by allowing both. Fixes #5316 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

gitea-mirror

2026-05-05 10:38:31 -06:00

closed this issue
added the
pull-request
label

gitea-mirror referenced this issue

2026-05-05 10:39:21 -06:00

[PR #5442] [MERGED] profiles: fixes for brave/evince/whalebird #5490

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#5442

No description provided.

Rows
Columns