netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

BUG// apparmor protection failed #4393

Closed osevan closed 2 years ago

osevan commented 3 years ago

Running firejail 0.65 on kernel 5.11 rt.

Buster and Bullseye boxes.

With AppArmor support enabled at compile time via the configure flag.

With sudo aa-status I can detect whether the firejail-default AppArmor profile is running when the apparmor flag is inside the profile, for example chrome and Firefox.

But I found out that with mupdf, evince and qpdfview, which have the apparmor flag inside, sudo aa-status can't detect firejail-default for these sandboxes.

Maybe the AppArmor library does not work inside firejail?

I tested on bullseye and buster.

rusty-snake commented 3 years ago

Running firejail 0.65

There is no 0.65 firejail release. I guess you mean 0.9.65, but this is out of date. Latest release: 0.9.66. Latest git: 0.9.67. If you compile firejail from source, you need to do this regularly.

With sudo aa-status I can detect whether the firejail-default AppArmor profile is running when the apparmor flag is inside the profile, for example chrome and Firefox.

But I found out that with mupdf, evince and qpdfview, which have the apparmor flag inside, sudo aa-status can't detect firejail-default for these sandboxes.

So running firejail --apparmor firefox & firejail --apparmor evince and then sudo aa-status shows only firefox, right?

osevan commented 3 years ago


With apparmor in evince.profile, not the direct flag --apparmor.

aa-status can't recognize firejail-default for evince.

rusty-snake commented 3 years ago

With apparmor in evince.profile, not the direct flag --apparmor.

So apparmor in evince.profile does not work but --apparmor works?

osevan commented 3 years ago

I have not tested --apparmor.

I can test at night.

But yes, apparmor is placed inside the profile, but it's not triggered by aa-status.

rusty-snake commented 3 years ago

Buster and Bullseye boxes.

Does this happen on Debian Buster and Debian Bullseye? Or do you mean a FrankenDebian?

Maybe the AppArmor library does not work inside firejail?

If it works for firefox ...

I have not tested --apparmor. I can test at night.

Probably best to post the output of aa-status.

sudo aa-status can't detect firejail-default for these sandboxes.

Are they really running inside firejail (firejail --list)?

osevan commented 3 years ago


Of course they run.

rusty-snake commented 3 years ago

Of course they run.

The thing is that I can not explain what can cause apparmor to apply to firefox but not to evince except for evince not running in firejail.

osevan commented 3 years ago

Today I did git pull and compiled firejail again.

Updated kernel to 5.13 rt.

Even with firejail --apparmor dnscrypt-proxy, apparmor cannot trigger firejail-default in aa-status, but firejail --list shows everything running well.

rusty-snake commented 3 years ago

Are chrome and firefox the only sandboxes where firejail-default is shown by aa-status?

osevan commented 3 years ago


Plus libreoffice works well, and aa-status triggers firejail-default with libreoffice inside.

I didn't test many apps, only libreoffice, the browsers Firefox and chrome, and the pdf apps.

osevan commented 2 years ago

I figured out what was wrong.

I had a symbolic link in /usr/local/bin that points to /usr/bin/firejail <-- this is the old firejail place, 0.9.64.

The new binary place is /usr/local/bin/firejail.

So my shell tried to execute the wrong firejail and apparmor couldn't start.

I deleted the symbolic links and corrected the path.

Now everything works like expected.
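The thread ends on two checks worth automating whenever "the apparmor option is in the profile but aa-status shows nothing": which firejail binary the shell actually runs (first PATH hit, symlinks resolved, and whether a second stale copy is also reachable), and whether a sandboxed PID really carries the firejail-default AppArmor label. The script below is an added example, not firejail's own code and not posted by either participant; it assumes a Linux userland with readlink -f, and it takes the PATH string and the /proc/PID/attr/current file as parameters so the logic can be exercised against constructed directories and files rather than a live sandbox.

```shell
#!/bin/sh
# Added example for this thread; not firejail's own code and not posted by
# either participant. Automates the two checks the thread converged on:
#   1. which `firejail` the shell actually runs (first PATH hit, symlinks
#      resolved) and whether a second, stale copy is reachable via PATH;
#   2. whether a sandboxed PID carries the firejail-default AppArmor label,
#      read from /proc/PID/attr/current (the per-process view of what
#      aa-status summarises).
# Assumes a Linux userland with readlink -f (GNU coreutils or BusyBox).

# list_firejail_candidates PATH_STRING
# Prints "<dir>/firejail -> <resolved target>" for every directory on the
# given PATH that holds an executable named firejail, in lookup order.
list_firejail_candidates() {
    _old_ifs=$IFS
    IFS=:
    set -- $1
    IFS=$_old_ifs
    for _dir; do
        [ -n "$_dir" ] || continue
        _cand="$_dir/firejail"
        [ -x "$_cand" ] || continue
        printf '%s -> %s\n' "$_cand" "$(readlink -f "$_cand")"
    done
}

# effective_firejail PATH_STRING
# Prints the canonical path of the binary a shell would run for `firejail`;
# returns 1 when none is on PATH.
effective_firejail() {
    _first=$(list_firejail_candidates "$1" | head -n 1)
    [ -n "$_first" ] || return 1
    printf '%s\n' "${_first##* -> }"
}

# firejail_via_symlink PATH_STRING
# True when the first `firejail` on PATH is itself a symlink (the thread's
# /usr/local/bin/firejail -> /usr/bin/firejail setup).
firejail_via_symlink() {
    _first=$(list_firejail_candidates "$1" | head -n 1)
    [ -n "$_first" ] || return 1
    [ -L "${_first%% -> *}" ]
}

# firejail_shadowed PATH_STRING
# True when PATH reaches more than one distinct firejail binary, e.g. a build
# installed to /usr/local/bin next to a packaged /usr/bin/firejail.
firejail_shadowed() {
    _n=$(( $(list_firejail_candidates "$1" | sed 's/^.* -> //' | sort -u | wc -l) ))
    [ "$_n" -gt 1 ]
}

# apparmor_label ATTR_FILE
# Prints the AppArmor label stored in a /proc/PID/attr/current file with the
# " (enforce)" / " (complain)" suffix stripped, e.g. "firejail-default" or
# "unconfined". The path is a parameter so the parser can run on a copy.
apparmor_label() {
    [ -r "$1" ] || return 1
    head -n 1 "$1" | sed 's/ (.*)$//'
}

# confined_by_firejail_default ATTR_FILE
# True when the label is exactly firejail-default.
confined_by_firejail_default() {
    [ "$(apparmor_label "$1")" = "firejail-default" ]
}

# --- usage when run directly (harmless on a box without firejail/AppArmor) ---
# Compare a PID printed by `firejail --list` with the label it carries, e.g.:
#   confined_by_firejail_default /proc/12345/attr/current && echo confined
list_firejail_candidates "$PATH"
if firejail_via_symlink "$PATH"; then
    echo "note: the firejail on PATH is a symlink; check where it points"
fi
if firejail_shadowed "$PATH"; then
    echo "warning: more than one firejail binary reachable via PATH"
fi
```

Reading /proc/PID/attr/current for a PID from firejail --list answers the question directly per process, which is more precise than grepping aa-status: a sandbox that is running but launched through a stale binary shows up in firejail --list yet reports "unconfined" here, exactly the mismatch in the thread.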