[GH-ISSUE #1015] Firejail prevents printing in AppArmored applications #693

Closed
opened 2026-05-05 06:27:21 -06:00 by gitea-mirror · 1 comment

Originally created by @curiosity-seeker on GitHub (Dec 30, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1015

In Ubuntu 16.04 I'm using the Firefox AppArmor profile and I created my own ones for, e.g., Thunderbird, Okular and Gwenview. They work well with one exception: if I start them firejailed I'm unable to print. The printers are simply not visible in the print dialogue; the only offered option is printing to a file. This happens regardless of whether the respective AppArmor profile is in enforce or complain mode. `aa-logprof` strangely enough doesn't show anything, but I'm getting errors from the journal like:

```
Dez 28 13:18:39 UBUNTU audit[23315]: AVC apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/okular" name="run/cups/cups.sock" pid=23315 comm="okular" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Dez 28 13:18:39 UBUNTU kernel: audit: type=1400 audit(1482927519.467:3006): apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/okular" name="run/cups/cups.sock" pid=23315 comm="okular" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
```

This problem can be "fixed" by using `flags=(attach_disconnected)` like in

```
# Last Modified: Wed Dec 28 19:32:00 2016
#include <tunables/global>

/usr/bin/okular flags=(attach_disconnected,complain) {
  #include <abstractions/base>
  ....
```

However, this "solution" does **not** work anymore if I start those applications with the `--apparmor` switch (I compiled Firejail with `--enable-apparmor`). Besides, using the above flag is [not recommended](http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#profile_flags):

> attach_disconnect and no_attach_disconnected are mutually exclusive and determine if pathnames resolved to be outside of the namespace are attached to the root. ie. have the / character prepended. This is generally not considered a good idea as it allows disconnected paths to alias to other files that exist in the file name. It is only provided to work around problems that can arise if delegation is not being used.

This is an unfortunate situation. The problem seems to be related to the one mentioned [here](https://firejail.wordpress.com/support/known-problems/#apparmor). (Note: I haven't tried [delegation](http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Delegation), mentioned in the above quote, yet. I don't know if it's helpful here.)

@netblue30 : Do you think there is a chance for a work-around in Firejail? Right now it seems that using Firejail and AppArmor side-by-side is questionable at least for applications where printing is required.

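A small log-triage helper, added here as an example and not part of the original issue or of Firejail: it parses AppArmor audit records of the two shapes quoted above (a journald `AVC` line and a kernel `type=1400` line), picks out the "disconnected path" events, i.e. objects AppArmor could not resolve to a path inside the process's mount namespace, as happens with `run/cups/cups.sock` under Firejail in this issue, and reports per profile, operation and path whether the access was only logged (`ALLOWED`, complain mode) or blocked (`DENIED`, enforce mode). The sample lines are constructed from the ones in the issue; the third line is made up to show a normal, non-disconnected denial.

```python
import re

# Constructed sample log, modelled on the journal output quoted in the issue.
# Lines 1 and 2 are the issue's own records; line 3 is a made-up ordinary
# denial (absolute path, no "disconnected path" info) for contrast.
SAMPLE_LOG = """\
Dez 28 13:18:39 UBUNTU audit[23315]: AVC apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/okular" name="run/cups/cups.sock" pid=23315 comm="okular" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Dez 28 13:18:39 UBUNTU kernel: audit: type=1400 audit(1482927519.467:3006): apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/okular" name="run/cups/cups.sock" pid=23315 comm="okular" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Dez 28 13:20:01 UBUNTU audit[23400]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/okular" name="/etc/cups/client.conf" pid=23400 comm="okular" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bareword; the prefix (timestamp, host, "audit(...)")
# contains no '=' and is skipped by finditer.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit record as a dict,
    or None when the line carries no apparmor= field."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields if "apparmor" in fields else None


def is_disconnected_path(rec):
    """True when the kernel could not attach the object to the profile's
    namespace root; such records carry a 'name' without a leading '/'."""
    return "disconnected path" in rec.get("info", "")


def triage(log_text):
    """Map (profile, operation, name) -> strictest mode seen for every
    disconnected-path event, so DENIED (enforce) outranks ALLOWED (complain)."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_apparmor_line(line)
        if rec is None or not is_disconnected_path(rec):
            continue
        key = (rec["profile"], rec["operation"], rec["name"])
        mode = rec["apparmor"]
        if events.get(key) != "DENIED":
            events[key] = mode
    return events


if __name__ == "__main__":
    for (profile, op, name), mode in triage(SAMPLE_LOG).items():
        print(f"{mode:7} {profile} {op} {name!r} (disconnected: not under namespace root)")
```

Run it against `journalctl -k` or `journalctl _TRANSPORT=audit` output to see which sockets or files a firejailed, AppArmor-confined application reaches only through a disconnected path.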
gitea-mirror 2026-05-05 06:27:21 -06:00 closed this issue and added the bug label.

@smitsohu commented on GitHub (Mar 2, 2018):

Thanks for the report, the issue should be fixed in bade3d03e0.
