Closed osevan closed 2 years ago
Running firejail 0.65
There is no 0.65 firejail release. Guess you mean 0.9.65, but this is out of date. Latest release: 0.9.66; latest git: 0.9.67. If you compile firejail from source, you need to do this regularly.
I can detect with sudo aa-status if the firejail-default profile is running for AppArmor, when the apparmor flag is inside the profile. Example: Chrome and Firefox.
But I figured out that with mupdf, evince and qpdfview, with the apparmor flag inside, sudo aa-status can't detect firejail-default for these sandboxes.
So running firejail --apparmor firefox & firejail --apparmor evince and then sudo aa-status shows only firefox, right?
With apparmor in evince.profile, not the direct flag --apparmor,
aa-status can't recognize firejail-default for evince.
With apparmor in evince.profile, not the direct flag --apparmor
So apparmor in evince.profile does not work, but --apparmor works?
I have not tested --apparmor.
I can test at night.
But yes, apparmor is placed inside the profile, but not triggered by aa-status.
Buster and bullseye box
This happens in Debian Buster and Debian Bullseye? Or do you mean a FrankenDebian?
Maybe the AppArmor library does not work inside firejail?
If it works for firefox ...
I have not tested --apparmor. I can test at night.
Probably best to post the output of aa-status.
sudo aa-status can't detect firejail-default for these sandboxes.
Are they really running inside firejail (firejail --list)?
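A concrete way to act on the two checks the maintainer asks for (the `firejail --list` and `aa-status` outputs) is to cross-reference them: list every program running inside a firejail sandbox and flag those for which aa-status shows no process under firejail-default. The script below is an added example, not code from the firejail project or from anyone in this thread. It runs on constructed sample outputs embedded in the script; it assumes the `PID:USER:NAME:COMMAND` layout of `firejail --list`, that the sandboxed program is the last word of that command, and that aa-status appends the attached profile name as the last field of a process line.

```shell
#!/bin/sh
# Added example, not part of the firejail project or this issue: cross-check
# `firejail --list` against `sudo aa-status` to find sandboxes that are running
# but are not confined by the firejail-default AppArmor profile. Both inputs
# below are constructed samples; on a real box feed in the live output.
set -eu

# Constructed `firejail --list` output; assumed format PID:USER:NAME:COMMAND.
FJ_LIST='1234:alice::firejail --apparmor firefox
2345:alice::firejail --apparmor evince
3456:alice::firejail dnscrypt-proxy'

# Constructed `aa-status` excerpt. Process lines are assumed to carry the
# attached profile name as their last field when it differs from the path.
AA_STATUS='apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /usr/sbin/cupsd
   firejail-default
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (999)
   /usr/lib/firefox/firefox (1240) firejail-default
0 processes are in complain mode.'

# Program launched in each sandbox: last word of the COMMAND field.
sandboxed_programs() {
    printf '%s\n' "$1" | awk -F: '{ n = split($4, w, " "); print w[n] }'
}

# Basenames of executables that aa-status shows under firejail-default.
# Profile-list lines ("   firejail-default") are skipped because they do
# not start with a slash.
confined_by_firejail() {
    printf '%s\n' "$1" | awk 'substr($1, 1, 1) == "/" && $NF == "firejail-default" {
        n = split($1, p, "/"); print p[n] }'
}

# Print sandboxed programs that have no firejail-default-confined process.
# Returns 0 when every sandbox is confined, 1 otherwise.
unconfined_sandboxes() {
    confined=$(confined_by_firejail "$2")
    missing=0
    for prog in $(sandboxed_programs "$1"); do
        if ! printf '%s\n' "$confined" | grep -qxF "$prog"; then
            echo "$prog"
            missing=1
        fi
    done
    [ "$missing" -eq 0 ]
}

# Demo on the constructed samples. On a live system replace the two
# variables with "$(firejail --list)" and "$(sudo aa-status)".
echo "confined by firejail-default: $(confined_by_firejail "$AA_STATUS" | tr '\n' ' ')"
if unconfined_sandboxes "$FJ_LIST" "$AA_STATUS"; then
    echo "all sandboxes confined"
else
    echo "(the sandboxes listed above run without firejail-default)"
fi
```

The matching is by executable basename, so a program whose confined process has a different name from the word on the firejail command line (a wrapper script that execs a differently named binary, for instance) will show up as unconfined and needs a manual look; that is the same ambiguity the thread runs into, and the script surfaces it rather than hiding it.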
Of course they run
Of course they run
The thing is that I cannot explain what can cause apparmor to apply to firefox but not to evince, except for evince not running in firejail.
Today I did git pull and compiled firejail again.
Updated kernel to 5.13 rt.
Even with firejail --apparmor dnscrypt-proxy, apparmor cannot trigger firejail-default in aa-status, but firejail --list shows everything running well.
Are chrome and firefox the only sandboxes where firejail-default is shown by aa-status?
Are chrome and firefox the only sandboxes where firejail-default is shown by aa-status?
Plus libreoffice works well, and aa-status triggers firejail-default with libreoffice inside.
I didn't test many apps, only libreoffice, the browsers Firefox and Chrome, and pdf apps.
I figured out what was wrong.
I have a symbolic link in /usr/local/bin that points to /usr/bin/firejail <-- this is the old firejail place, 9.0.64.
The new binary place is /usr/local/bin/firejail.
Now my shell tried to execute the wrong firejail, and apparmor couldn't start.
I deleted the symbolic links and corrected the path.
Now everything works as expected.
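The root cause above, a stale symlink earlier on PATH shadowing a freshly compiled binary, is easy to check for before blaming AppArmor. The script below is an added example, not code from the firejail project or from the reporter: it resolves every `firejail` on a search path in lookup order and reports whether the first one is the binary you expect. It builds a constructed copy of the reporter's layout (old binary, new binary, stale link) under a temporary directory so it runs without firejail installed; it assumes GNU `readlink -f` is available. The version strings in the stand-in scripts are taken from the thread and are not real firejail binaries.

```shell
#!/bin/sh
# Added example, not code from the firejail project: find which "firejail"
# a shell would actually run and whether a stale symlink shadows the intended
# binary, the failure mode described in this thread. Paths are constructed
# under a temporary directory so the script runs without firejail installed.
set -eu

# Print "<path> -> <resolved target>" for every executable named $1 found in
# the colon-separated search path $2, in lookup order.
list_candidates() {
    name=$1 search=$2
    old_ifs=$IFS; IFS=:
    for dir in $search; do
        if [ -x "$dir/$name" ]; then
            printf '%s -> %s\n' "$dir/$name" "$(readlink -f "$dir/$name")"
        fi
    done
    IFS=$old_ifs
}

# Print the resolved path of the first executable named $1 on search path $2,
# i.e. the one the shell would run. Returns 1 if none is found.
resolve_first() {
    name=$1 search=$2
    old_ifs=$IFS; IFS=:
    for dir in $search; do
        if [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            readlink -f "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Print OK and return 0 if the first match resolves to the expected binary $3;
# otherwise print which file is shadowing it and return 1.
check_stale() {
    name=$1 search=$2 expected=$(readlink -f "$3")
    actual=$(resolve_first "$name" "$search") || { echo "no $name on PATH"; return 1; }
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name resolves to $expected"
    else
        echo "STALE: $name resolves to $actual, expected $expected"
        return 1
    fi
}

# Build the constructed layout from the thread under root $1: an old 0.9.64
# binary in usr/bin, the freshly compiled one in usr/local/bin, and a stale
# symlink in home/bin (searched first) that still points at the old binary.
# Prints the search path to use with the functions above.
build_layout() {
    root=$1
    mkdir -p "$root/usr/bin" "$root/usr/local/bin" "$root/home/bin"
    printf '#!/bin/sh\necho "firejail version 0.9.64 (constructed stand-in)"\n' > "$root/usr/bin/firejail"
    printf '#!/bin/sh\necho "firejail version 0.9.67 (constructed stand-in)"\n' > "$root/usr/local/bin/firejail"
    chmod +x "$root/usr/bin/firejail" "$root/usr/local/bin/firejail"
    ln -s "$root/usr/bin/firejail" "$root/home/bin/firejail"
    printf '%s:%s:%s\n' "$root/home/bin" "$root/usr/local/bin" "$root/usr/bin"
}

# The fix the reporter applied: drop the stale link.
remove_stale_link() {
    rm -f "$1/home/bin/firejail"
}

# Demo run. On a real system the equivalent call is:
#   check_stale firejail "$PATH" /usr/local/bin/firejail
demo_root=$(mktemp -d)
demo_path=$(build_layout "$demo_root")
list_candidates firejail "$demo_path"
check_stale firejail "$demo_path" "$demo_root/usr/local/bin/firejail" || true
remove_stale_link "$demo_root"
check_stale firejail "$demo_path" "$demo_root/usr/local/bin/firejail"
rm -rf "$demo_root"
```

The check compares canonical paths, so it also catches a link that points at the right directory through a different name. Running it before and after `make install` is a cheap way to confirm that `firejail` on the command line is the build you just made, which matters here because the AppArmor hook lives in the binary and a profile setting in evince.profile can only take effect if the binary that reads it supports it.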
Running firejail 0.65 in kernel 5.11 rt
Buster and bullseye box
With AppArmor support enabled at compile time with the configure flag.
I can detect with sudo aa-status if the firejail-default profile is running for AppArmor, when the apparmor flag is inside the profile. Example: Chrome and Firefox.
But I figured out that with mupdf, evince and qpdfview, with the apparmor flag inside, sudo aa-status can't detect firejail-default for these sandboxes.
Maybe the AppArmor library does not work inside firejail?
I tested on bullseye and buster.