firejail, apparmor needs kernel patch?

Thought I'd give firejail a try... When I do

```
firejail firefox
```

I get (among other strange messages)

```
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
```

OK, so I run

```
sudo aa-enforce firejail-default
```

which results in

```
ERROR: Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
```

What do I do now? My kernel is 4.19.62-1-MANJARO x86_64. How do I do the kernel patch? Maybe I should switch to testing? Any help would be greatly appreciated!

Am writing this in my FF-Dev.Ed running per my standard customised launcher of several years, firejail --blacklist=/Seagate -- /usr/lib/firefox-developer-edition/firefox.

I encountered your error messages in a different context a few days ago. Just now I did your `firejail firefox` in Konsole & saw [amongst all the other warnings & errors --- I've used FJ for years & most applications run "dirtily" in FJ coz by design FJ is blocking native functions they "expect" to do] your error message. However IMO the more important point is that the launched application still runs correctly in FJ, if you simply focus your attention on the UI rather than the Konsole messages. E.g., when I run your `firejail firefox` & test FF's access to my /home contents, it is still being blocked from the majority of directories & files therein, just like FJ is designed to do.

Maybe add these kernel parameters as per the Arch wiki:

```
apparmor=1 security=apparmor
```

https://wiki.archlinux.org/index.php/AppArmor


Not only this, the topic-starter also needs to switch to linux52 because AppArmor patches are not applied to 4.19.
Some think that those patches are needed for Snap and blame Manjaro for "distro ubuntification", but actually not all of them are related to snapd (see description):
https://gitlab.com/apparmor/apparmor-kernel/commit/6408dbde30855bb9a2af44c9053ba2329db57c7f.patch

Are you sure? It seems 419 is compiled with AppArmor support.

That's just a config option which makes it possible to enable AppArmor support via those kernel options you've posted before (security=apparmor apparmor=1).

What I was talking about is this:

There's no such patch for linux419:

I remembered it because I saw this in OP:

EDIT:
So I enabled Apparmor, installed Firejail and saw this during installation:

```
In order to use the apparmor integration with firejail, install the apparmor package and run as root: 'apparmor_parser -r /etc/apparmor.d/firejail-default'
```

I did that and then checked `sudo aa-status`:

```
$ sudo aa-status
apparmor module is loaded.
52 profiles are loaded.
52 profiles are in enforce mode.
   /usr/bin/lxc-start
...
   dovecot
   firejail-default
   identd
...
0 profiles are in complain mode.
8 processes have profiles defined.
8 processes are in enforce mode.
...
```

I started a joke firefox inside firejail and it had no access to home files except for Downloads - seems like it worked as it was supposed to do.

Tested on linux53 (my own build with AppArmor patches). Should be the same on linux52/51/50, but will not work on linux419 as far as I understand.


This intrigued me, so, following on from the brilliant info provided publicly by @openminded above, & privately by a certain little downside-up guardian angel [who shall herewith remain unnamed, teehee], I had a dabble myself, in my Testing-branch VM, after first making a snapshot. Notes, fwiw:

6/8/19: **My AppArmor Experiment**

BEFORE:

```
[kdemeoz@ManjaroTestingKDEVM ~]$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-5.2-x86_64 root=UUID=57a0d4a6-a099-4e13-a7a0-20d5415482f8 rw quiet udev.log_priority=3 audit=0
```

```
sudo nano /etc/default/grub
```

Add `apparmor=1 security=apparmor` to the line:

```
GRUB_CMDLINE_LINUX=""
```

Thus:

```
GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"
```

```
sudo update-grub
```

```
sudo systemctl enable apparmor.service
sudo systemctl start apparmor.service
sudo systemctl status apparmor.service
```

Reboot.

AFTER:

```
[kdemeoz@ManjaroTestingKDEVM ~]$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-5.2-x86_64 root=UUID=57a0d4a6-a099-4e13-a7a0-20d5415482f8 rw apparmor=1 security=apparmor quiet udev.log_priority=3 audit=0
```

```
[kdemeoz@ManjaroTestingKDEVM ~]$ sudo systemctl status apparmor.service
[sudo] password for kdemeoz:
● apparmor.service - Load AppArmor profiles
   Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
   Active: active (exited) since Mon 2019-08-05 17:25:20 AEST; 22h ago
  Process: 255 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
 Main PID: 255 (code=exited, status=0/SUCCESS)

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
```

```
[kdemeoz@ManjaroTestingKDEVM ~]$ aa-enabled
Yes
```

```
[kdemeoz@ManjaroTestingKDEVM ~]$ sudo apparmor_parser -r /etc/apparmor.d/firejail-default
[sudo] password for kdemeoz:
[kdemeoz@ManjaroTestingKDEVM ~]$
```

```
[kdemeoz@ManjaroTestingKDEVM ~]$ sudo aa-status
apparmor module is loaded.
4 profiles are loaded.
4 profiles are in enforce mode.
   firejail-default
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
[kdemeoz@ManjaroTestingKDEVM ~]$
```

I then launched Firefox in Firejail from within Konsole, & observed that no more warnings / errors arose wrt either FJ or AppArmor problems. On the other hand, I saw simply no added benefit from the fact that FF was now running in FJ and AA, compared to my standard long-term arrangement of running my browsers in FJ but with no active AA. Ergo, this was an interesting experiment to perform in my VM, but I see no reason at all to bother enabling AA in my real Lappy & Tower's Manjaros.

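As an added example that is not part of any post in this thread: a POSIX shell script that checks the two things the procedure above ends up verifying, that the kernel command line selects AppArmor and that the firejail-default profile is in enforce mode in `aa-status`. The function names are my own, and the sample inputs are constructed to resemble the outputs quoted above, so it runs even on a machine without AppArmor.

```shell
#!/bin/sh
# Added example, not from any post in this thread. It checks the two
# conditions the procedure above establishes before "firejail firefox" is
# actually AppArmor-confined: the kernel command line selects AppArmor, and
# the firejail-default profile is loaded in enforce mode. Both checks parse
# text, so they run on captured output as well as on a live system.

# Exit 0 if the command line (as in /proc/cmdline) carries both
# apparmor=1 and security=apparmor as whole words.
cmdline_has_apparmor() {
    case " $1 " in
        *" apparmor=1 "*) ;;
        *) return 1 ;;
    esac
    case " $1 " in
        *" security=apparmor "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads aa-status output on stdin; exit 0 only if the named profile is
# listed under the "profiles are in enforce mode" heading. A profile in
# complain mode would only log, not block, so it deliberately does not count.
profile_enforced() {
    awk -v want="$1" '
        /profiles are in enforce mode/  { section = "enforce"; next }
        /profiles are in complain mode/ { section = "complain"; next }
        /^[0-9]+ processes/             { section = "" }
        section == "enforce" && $1 == want { found = 1 }
        END { if (!found) exit 1 }
    '
}

# Constructed sample inputs modelled on the outputs quoted in the thread.
CMDLINE_BEFORE='BOOT_IMAGE=/boot/vmlinuz-5.2-x86_64 rw quiet audit=0'
CMDLINE_AFTER='BOOT_IMAGE=/boot/vmlinuz-5.2-x86_64 rw apparmor=1 security=apparmor quiet audit=0'
AA_STATUS_SAMPLE='apparmor module is loaded.
4 profiles are loaded.
4 profiles are in enforce mode.
   firejail-default
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
0 processes have profiles defined.'

# Live use: cmdline_has_apparmor "$(cat /proc/cmdline)" and
#           sudo aa-status | profile_enforced firejail-default
```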

You just need to enable AppArmor with the GRUB parameters above.

It will.
You do not (or should not?) need the Ubuntu AppArmor patches for Firejail to work with AA support.


Well, there you are, checked myself and yes, no need to use another kernel. Interesting, I was tricked by a patch description. :laughing:


You guys are awesome! The kernel patch worked. Thanks to all for the educational followup posts.

Yes, lovely, but... why? You & I both have learned herein from the wise others how to make it work, but I am now interested to learn from you why you want this?

Though I do not know how to use either AppArmor or SELinux [which is exactly why I instead use & like Firejail], philosophically I can appreciate that other Nixers might prefer to run AA, or SEL. What I do not yet understand, however, is the motivation for & benefits of running more than one of these... in your case, that's FJ + AA. What advantages do you perceive from the duopoly rather than only FJ? Btw I am asking this not to snark, but to learn.
