Apparmor, firejail and the kernel

Hey there,

I haven't been able to find a satisfactory answer by searching so I'm hoping someone can illuminate.

I've been running a few programs via firejail since I'm unfortunately required to run stuff like zoom and discord.

Running anything with firejail throws the warning that:

Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.

Attempting to run the command results in:

ERROR: Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.

So my questions are:

  1. Is the apparmor module in the manjaro kernels? (I'm running 5.6.16-1-MANJARO.) If not, why is apparmor in the repos?
  2. Will I likely run into problems installing apparmor-profiles? (I can't actually see one for firejail)
  3. What's the best solution here?

Cheers very much,
(Hopefully I'm in the etiquette here and posting in the right place.)

For Apparmor to be enabled the following kernel boot parameters must be present:
apparmor=1 security=apparmor

To verify run:
inxi -Sa

Additionally the service must be enabled:
systemctl status apparmor.service

Read here further: https://wiki.archlinux.org/index.php/AppArmor#Usage

For usage within Firejail, read here: https://wiki.archlinux.org/index.php/Firejail#Enable_AppArmor_support

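A small check script that does what the reply above describes in one step. It is an added example, not something posted in the thread: it looks for the two boot parameters in /proc/cmdline, reads the module's "enabled" flag, and checks for the securityfs directory that aa-enforce complains about when it says it cannot find a suitable fs in /proc/mounts. All paths are the standard kernel ones; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the forum thread). Read-only checks of the AppArmor
# state that the firejail warning and the aa-enforce error depend on.

# has_apparmor_params CMDLINE
# Returns 0 when both "apparmor=1" and "security=apparmor" appear as whole
# words in CMDLINE (the kernel command line), 1 otherwise.
has_apparmor_params() {
    _cmdline="$1"
    _have_enable=1
    _have_lsm=1
    for _word in $_cmdline; do
        case "$_word" in
            apparmor=1) _have_enable=0 ;;
            security=apparmor) _have_lsm=0 ;;
        esac
    done
    [ "$_have_enable" -eq 0 ] && [ "$_have_lsm" -eq 0 ]
}

# apparmor_report
# Prints a short summary of the running system: boot parameters, whether the
# apparmor module reports itself enabled, and whether the securityfs interface
# that aa-enforce and firejail need is present.
apparmor_report() {
    if has_apparmor_params "$(cat /proc/cmdline 2>/dev/null)"; then
        echo "boot parameters : OK (apparmor=1 security=apparmor)"
    else
        echo "boot parameters : missing; add 'apparmor=1 security=apparmor' to the kernel command line"
    fi

    if [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = "Y" ]; then
        echo "apparmor module : enabled"
    else
        echo "apparmor module : not enabled in this kernel"
    fi

    # aa-enforce's "unable to find a suitable fs in /proc/mounts" means this
    # directory is absent: securityfs must be mounted and AppArmor active.
    if [ -d /sys/kernel/security/apparmor ]; then
        echo "securityfs      : /sys/kernel/security/apparmor present"
    else
        echo "securityfs      : /sys/kernel/security/apparmor absent (explains the aa-enforce error)"
    fi
}

apparmor_report
```

Run it as an ordinary user; nothing here needs root. If the first line reports the parameters missing, the rest will usually be missing too, and the fix is the boot-parameter change from the reply, followed by a reboot, before retrying "aa-enforce firejail-default".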

Thank you for that.

I'm not sure why I didn't think to check the wiki on this one...

Do you have experience using apparmor? I'm in territory now I'm not comfortable with and don't want to make a mess.

Edit: I should be clear, I only want to use apparmor for things in a firejail and not absolutely everything.

The purpose of AppArmor is sandboxing. In order for that to work properly a profile for your application must be present. With a quick search I could not find any that have been already created, so you would need to spend some time creating one.

A second approach to sandboxing such applications is to use the Flatpak versions. Flatpak has out of the box sandboxing using Bubblewrap. Additionally you can use Flatseal to configure the permissions.

Finally, do not worry about conflicts between the two. There aren't any.

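To make the "you would need to create a profile" point concrete, here is a minimal AppArmor profile skeleton. It is an added illustration, not a profile from the thread or from any distribution package; the binary path /opt/example/app and the config directory are placeholders for whatever application you are confining.

```apparmor
# Added example: minimal profile skeleton for a hypothetical binary.
# Placed at /etc/apparmor.d/opt.example.app and loaded with
# "apparmor_parser -r" or "aa-complain"; the path below is a placeholder.
#include <tunables/global>

/opt/example/app flags=(complain) {
  # Common library, locale and name-resolution rules.
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The program itself: read and map as executable.
  /opt/example/app mr,

  # Its own configuration and cache, restricted to files the user owns.
  owner @{HOME}/.config/example/** rwk,
  owner @{HOME}/.cache/example/** rwk,

  # Logged in complain mode, enforced later: keep secrets out of reach.
  deny @{HOME}/.ssh/** rwklx,
  deny @{HOME}/.gnupg/** rwklx,

  # Network access limited to what the application actually needs.
  network inet stream,
  network inet6 stream,
}
```

Starting in complain mode (flags=(complain)) records what the application touches without blocking it; the log entries are then used to extend the rules before switching to enforce mode.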

Thanks again for the help here.

Ideally I'd be using software that respects one's privacy and security...

Failing that, I'm still feeling my way to best run shady prop software, limiting its ability to spy on me and potential for damage.

I'll look into both of these.

