I just installed Firetools and understand from watching some videos that all I need to do is click one of the shortcuts it created in its menu to launch the app sandboxed… and looking at one of those entries I can see it’s really just using firejail to run the application (i.e. firejail firefox).
So the first application I ran was firefox and it did launch, but was not being tracked inside firetools Sandbox List.
I flipped to KSystemLog and found the following message around the time I clicked the link… AVC apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="firejail-default" pid=817628 comm="firejail"
I take some comfort in the fact that some layer (will need to learn more about AppArmor) has tried to provide some protection (although the app ran outside the sandbox, so not sure that’s good or bad) and DENIED the firejail execution.
I went one step further and executed firejail firefox in the terminal to see what more it would tell me…
$ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 820801, child pid 820804
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 72.54 ms
(firefox:9): Gtk-WARNING **: 15:30:57.036: Theme parsing error: gtk.css:73:46: The style property GtkScrolledWindow:scrollbars-within-bevel is deprecated and shouldn't be used anymore. It will be removed in a future version
Parent is shutting down, bye...
So it looks like the terminal is providing a possible solution with the aa-enforce firejail-default command… but I don’t know enough about AppArmor and what that command will do, and how much of an issue all the other Warnings are.
Any/All advice is welcome! I’m just over 1 week into my Linux experience; trying to break away from Windows.
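The checks a practitioner would run on the machine described above, as an added example that is not part of the original post and not code from Firejail or Firetools. It assumes the profile file lives at /etc/apparmor.d/firejail-default (where Firejail's distro packages normally install it) and that the kernel's list of loaded profiles is readable at /sys/kernel/security/apparmor/profiles (root is needed for that). The first two functions only work on text, so they can be tried with the AVC line and a constructed profile list without root; the last one performs the actual check-and-load on the affected host.

```shell
#!/bin/sh
# Added helper (not from the post, not part of Firejail/Firetools).
# Assumption: the AppArmor profile file is /etc/apparmor.d/firejail-default.

# Given one kernel AVC line, print the profile that AppArmor could not find
# (info="label not found"). Returns 1 for any other line.
missing_profile_from_avc() {
    line="$1"
    case "$line" in
        *'apparmor="DENIED"'*'info="label not found"'*) ;;
        *) return 1 ;;
    esac
    # name="..." is the label firejail asked the kernel to switch into on exec
    printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p'
}

# Given the text of /sys/kernel/security/apparmor/profiles (one
# "name (mode)" per line), print the mode of the named profile.
# Returns 1 when the profile is not loaded at all.
profile_mode() {
    profiles="$1"
    name="$2"
    printf '%s\n' "$profiles" | awk -v n="$name" '
        $1 == n { gsub(/[()]/, "", $2); print $2; found = 1 }
        END { exit !found }'
}

# Run as root on the affected host. Loads the profile in enforce mode if it
# is missing, which is what the firejail warning in the post recommends.
diagnose_firejail_apparmor() {
    list=/sys/kernel/security/apparmor/profiles
    if [ ! -r "$list" ]; then
        echo "AppArmor is not enabled in this kernel, or this must run as root" >&2
        return 2
    fi
    if mode=$(profile_mode "$(cat "$list")" firejail-default); then
        echo "firejail-default is loaded in $mode mode"
    else
        echo "firejail-default is not loaded; loading it in enforce mode"
        aa-enforce firejail-default || return 1
    fi
    # After this, "firejail firefox" should no longer print
    # "Cannot confine the application using AppArmor", and the running
    # sandbox should show up in: firejail --list
}
```

The denial in the post (operation="change_onexec", error=-2, "label not found") means firejail asked the kernel to move the child into the firejail-default profile and that profile simply was not loaded; it is a missing profile, not AppArmor blocking firejail itself. Once the profile is loaded, rerun firejail firefox and confirm the AppArmor warning is gone; the "cleaning all supplementary groups" and "/sbin directory link was not blacklisted" warnings are unrelated to this and do not affect whether the sandbox is created.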