roddhjav / apparmor.d

Full set of AppArmor profiles (~ 1500 profiles)
https://apparmor.pujol.io
GNU General Public License v2.0
469 stars, 47 forks

aa-status doesn't print already running apps as enforced even when they are activated. #228

Closed osevan closed 1 year ago

osevan commented 1 year ago

Hey roddhjav,

I figured out the next bug, with the firejail-default profile.

On systems without your profiles, with applications started with firejail (apparmor enabled at compile level) plus applications started with the apparmor flag inside firejail's built-in profile, I can see in aa-status my enforced application as firejail-default active.

The same is not working on systems with your profiles in complain mode.

I'm running everything in my test lab in complain mode and allow only firejail-default in enforce mode, but even when an app is started inside firejail successfully, aa-status doesn't print that functionality.

No sandboxed applications are listed inside the enforced list of the aa-status output.

:-(

Thanks and best regards

curiosityseeker commented 1 year ago

I'm not quite sure that I fully understand what you're saying - but:

  1. If you think there is a problem with aa-status it's not a problem with this project but a problem which you should report to upstream.
  2. You're obviously sandboxing your apps with Firejail (with the apparmor flag). Note that in this case the firejail-default profile is always and exclusively (!!!) used. E.g., if you sandbox Firefox with Firejail, it only uses the firejail-default profile and not the firefox AppArmor profile. This is why it doesn't appear in the aa-status output. If you really want to use the firefox AppArmor profile instead you should add ignore apparmor to your firefox.local profile in ~/.config/firejail. This makes sure that Firefox is both sandboxed by Firejail and confined by the application-specific AppArmor profile. I suggest that you also add

include <abstractions/base.d/firejail-base>

to /etc/apparmor.d/local/firefox as this improves the compatibility of Firejail with AppArmor. This is what I've been doing for a long time.
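Added example (not part of the thread, and not the apparmor.d or Firejail projects' own code): a small shell helper that applies the two-file recipe above for one application idempotently, so running it twice does not duplicate the lines. It assumes the file locations named in the comment (~/.config/firejail/APP.local and /etc/apparmor.d/local/APP) and that the application's profile is /etc/apparmor.d/APP; the ROOT prefix argument, the reload step and the function names are this example's own, added so the helper can be exercised against a scratch directory before touching a live system.

```sh
#!/bin/sh
# Added example, not from the apparmor.d or Firejail projects: move one
# Firejail-sandboxed application from the shared firejail-default profile to
# its own apparmor.d profile.
# Assumptions: Firejail includes ~/.config/firejail/APP.local at the top of
# APP's profile, apparmor.d profiles include /etc/apparmor.d/local/APP, and the
# profile file itself is /etc/apparmor.d/APP. ROOT (default empty) is a prefix
# added here only so the functions can be tested against a scratch directory.

# append_once LINE FILE: add LINE to FILE unless an identical line is present.
append_once() {
    line="$1"; file="$2"
    mkdir -p "$(dirname "$file")"
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# use_app_profile APP [ROOT]
# 1. tell Firejail to skip the "apparmor" directive of APP's built-in profile,
#    so the sandboxed task is not moved into firejail-default;
# 2. make APP's own AppArmor profile include the Firejail compatibility
#    abstraction shipped by apparmor.d.
# Prints the two files it touched, one per line.
use_app_profile() {
    app="$1"; root="${2:-}"
    local_fj="$root${HOME}/.config/firejail/$app.local"
    local_aa="$root/etc/apparmor.d/local/$app"
    append_once 'ignore apparmor' "$local_fj"
    append_once 'include <abstractions/base.d/firejail-base>' "$local_aa"
    printf '%s\n%s\n' "$local_fj" "$local_aa"
}

# reload_profile APP: recompile and reload APP's profile so the new local
# include takes effect. Live system only; needs root.
reload_profile() {
    apparmor_parser -r "/etc/apparmor.d/$1"
}

# Demo against a scratch prefix, leaving the real system untouched.
demo() {
    tmp=$(mktemp -d)
    use_app_profile firefox "$tmp"
    use_app_profile firefox "$tmp" >/dev/null   # second run: no duplicate lines
    printf -- '--- %s\n' "$tmp/etc/apparmor.d/local/firefox"
    cat "$tmp/etc/apparmor.d/local/firefox"
    rm -rf "$tmp"
}

demo
```

On a real machine call use_app_profile firefox (no prefix) as the user who runs Firejail, then sudo reload_profile firefox; after that the sandboxed Firefox should show up in aa-status under the firefox profile rather than firejail-default. The grep -x check is deliberately exact, so an existing commented-out or differently spaced line does not count as present.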

osevan commented 1 year ago

No, when I enforce firejail-default on another machine (my preferred AppArmor profile for fj sandboxing) and start with the apparmor flag, everything is great inside aa-status.

But when I activate everything in complain mode on this machine with this project, enforce firejail-default and make sure the apparmor flag is inside the profile, then nothing about firejail-default is printed inside aa-status.

This is the reason why I'm asking: which version of the apparmor pkg should I install for Arch?

Maybe removing the firefox profile, so it doesn't interfere with firejail-default, would help?

curiosityseeker commented 1 year ago

I think you're misunderstanding several aspects here:

  1. On Arch Linux there is the apparmor package which contains the apparmor userspace tools and about 50 profiles provided by upstream - which means that you're using those profiles anyway once you install the apparmor package. (If I remember correctly, it's different on Debian or Ubuntu where specific apparmor-profiles and apparmor-profiles-extra packages are available.)
  2. The profiles from upstream do not overlap with the many profiles from the apparmor.d project which cover the core applications on your system. These profiles confine most services, your desktop environment and many other core applications like browsers (although many profiles are still in complain mode as this project is still a WIP). Hence, your question "which version of apparmor pkg i should install for arch?" makes no sense: Again, you have the profiles from upstream installed on your system anyhow by installing the apparmor package - so the only relevant question is if you should install the profiles from the apparmor.d project in addition to the profiles from upstream. That's something you have to decide. I would say you should.
  3. When it comes to Firejail, it sandboxes a lot of applications (way more than this project) but hardly any services or your desktop environment. As already mentioned in my previous reply: even those applications which are sandboxed by Firejail and have an apparmor.d profile only use /etc/apparmor.d/firejail-default. That's what you're seeing in the aa-status output. If you don't want that you have to follow the steps outlined earlier.

EDIT: If you want to stick with firejail-default you don't need to remove the firefox profile as they don't interfere, because the firefox profile is not used by default if you sandbox Firefox with Firejail. And if you do use the firefox profile by adding ignore apparmor to ~/.config/firejail/firefox.local, /etc/apparmor.d/firejail-default will not be used.

osevan commented 1 year ago

I love the Firejail project like I do your project, and want to use both.

My complaint is: why doesn't aa-status spit out application usage of the firejail-default profile?

BUT I will show some logs too.

osevan commented 1 year ago

Here is one picture.

Even I did sudo aa-enforce firejail-default

osevan commented 1 year ago

https://paste.cachyos.org/p/a1b7cb6/

curiosityseeker commented 1 year ago

Even I did sudo aa-enforce firejail-default!

This only works if you're in the /etc/apparmor.d directory. If you're not, you have to execute:

sudo aa-enforce /etc/apparmor.d/firejail-default

But as mentioned earlier, this is not a problem related to this project.
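Added example (mine, not the apparmor.d project's code and not from any thread participant): a shell check that reads what aa-status reads, the kernel's loaded-profile list and each task's label, so you can tell apart "profile not loaded", "profile loaded in complain mode" and "profile enforced but no task carries it" without depending on how aa-status groups its output. It assumes the "name (mode)" line format of /sys/kernel/security/apparmor/profiles and of /proc/PID/attr/apparmor/current (older kernels expose /proc/PID/attr/current instead). The sample tree it builds is constructed data, not captured from any system, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the apparmor.d project: query the kernel directly
# about a profile and the tasks confined by it, reading the same files that
# aa-status reads.
# Assumptions: /sys/kernel/security/apparmor/profiles lists one "name (mode)"
# per line, and a task's label in /proc/PID/attr/apparmor/current (older
# kernels: /proc/PID/attr/current) has the same shape, or "unconfined".

# profile_mode NAME [FILE]
# Prints enforce / complain / ... for profile NAME as loaded in the kernel,
# or "not-loaded" if it is absent. FILE defaults to the kernel listing.
profile_mode() {
    name="$1"
    file="${2:-/sys/kernel/security/apparmor/profiles}"
    mode=$(awk -v n="$name" '$1 == n { gsub(/[()]/, "", $2); print $2; exit }' "$file")
    printf '%s\n' "${mode:-not-loaded}"
}

# confined_tasks NAME [PROCROOT]
# Prints, one per line, the PIDs under PROCROOT whose label is exactly profile
# NAME (in any mode). Child profiles such as NAME//child are not matched.
# On a live /proc run it as root; tasks whose attribute cannot be read are
# skipped, not reported.
confined_tasks() {
    name="$1"
    root="${2:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        f="$d/attr/apparmor/current"
        [ -r "$f" ] || f="$d/attr/current"
        [ -r "$f" ] || continue
        label=$(head -n 1 "$f" 2>/dev/null | tr -d '\000')
        case "$label" in
            "$name"|"$name "*) printf '%s\n' "${d##*/}" ;;
        esac
    done
}

# make_demo_tree DIR
# Constructed sample data (not captured from a real system) so the functions
# above can be exercised offline: a fake profile listing and three fake tasks.
make_demo_tree() {
    dir="$1"
    mkdir -p "$dir/1001/attr/apparmor" "$dir/1002/attr/apparmor" "$dir/1003/attr/apparmor"
    printf 'firejail-default (enforce)\n' > "$dir/1001/attr/apparmor/current"
    printf 'unconfined\n'                > "$dir/1002/attr/apparmor/current"
    printf 'firefox (complain)\n'        > "$dir/1003/attr/apparmor/current"
    printf '%s\n' \
        'firejail-default (enforce)' \
        'firefox (complain)' \
        '/usr/bin/man (enforce)' > "$dir/profiles"
}

# Demo: build the sample tree in a temporary directory and query it.
demo() {
    tmp=$(mktemp -d)
    make_demo_tree "$tmp"
    printf 'firejail-default mode: %s\n' "$(profile_mode firejail-default "$tmp/profiles")"
    printf 'firefox mode:          %s\n' "$(profile_mode firefox "$tmp/profiles")"
    printf 'chromium mode:         %s\n' "$(profile_mode chromium "$tmp/profiles")"
    printf 'tasks under firejail-default: %s\n' "$(confined_tasks firejail-default "$tmp" | tr '\n' ' ')"
    rm -rf "$tmp"
}

demo
```

On a live system, profile_mode firejail-default answers the first question in this thread (is the profile actually loaded, and in which mode), and sudo sh -c '. ./aa-check.sh; confined_tasks firejail-default' answers the second (which tasks carry it). Two caveats: the kernel quotes profile names that contain spaces, which this awk parser does not handle, and a Firejail-sandboxed program whose profile was switched with ignore apparmor will show up under its own profile name, not under firejail-default.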

roddhjav commented 1 year ago

You need to update your profiles; we have made updates to the profiles since the last time you pulled them, so most of this issue should be fixed already.

osevan commented 1 year ago

OK, my last update was 2 months ago.

osevan commented 1 year ago

After the update I can see apparmor is working.

But not inside aa-status. Anyway, for me it is fixed.

If I have something wrong I will open this again.