Advice please, looks like apparmor is blocking Firetools (firejail)

I just installed Firetools and understand from watching some videos that all I need to do is click one of the shortcuts it created in its menu to launch the app sandboxed… and looking at one of those entries I can see it’s really just using firejail to run the application (i.e. firejail firefox).

So the first application I ran was firefox and it did launch, but was not being tracked inside firetools Sandbox List.

I flipped to KSystemLog and found the following message around the time I clicked the link… AVC apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="firejail-default" pid=817628 comm="firejail"

I take some comfort in the fact that some layer (will need to learn more about AppArmor) has tried to provide some protection (although, the app ran outside the sandbox so not sure that’s good or bad) and DENIED the firejail execution.

I went one step further and executed firejail firefox in the terminal to see what more it would tell me…

$ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 820801, child pid 820804
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 72.54 ms

(firefox:9): Gtk-WARNING **: 15:30:57.036: Theme parsing error: gtk.css:73:46: The style property GtkScrolledWindow:scrollbars-within-bevel is deprecated and shouldn't be used anymore. It will be removed in a future version

Parent is shutting down, bye...

So it looks like the terminal is providing a possible solution with the aa-enforce firejail-default command… but I don’t know enough about AppArmor and what that command will do, and how much of an issue all the other Warnings are.

Any/All advice is welcome! I’m just over 1 week into my Linux experience; trying to break away from Windows.

I did a bit of digging and found a non-Manjaro (uses apt for install) set of instructions for getting apparmor and firetools running together… and identified some missing pieces in my setup which I believe are either absent from the official and AUR repositories or described as “experimental”:

  • firejail-profiles is not listed in the official repositories nor AUR
  • apparmor-profiles is listed in the official repositories (extra), and is described as “experimental”
  • apparmor-utils is not listed in the official repositories nor AUR

Hopefully someone else here has had to work through this and can shed some light on what the correct steps are to set this up under Manjaro; and whether the pieces I cannot find are required and where to find them.

I also found a page in the Arch Wiki for firejail that listed an “integration step” # sudo apparmor_parser -r /etc/apparmor.d/firejail-default (which I have now executed) and then in the following Configuration section stated that “Most users will not require any custom configuration and can proceed to #Usage.”

So I executed firejail firefox again in the terminal, didn’t see an entry in the firetools list of sandboxed applications, but noticed the previous aa-enforce firejail-default suggestion was removed from the terminal execution list/log…

$ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 209266, child pid 209269
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 73.91 ms

(firefox:9): Gtk-WARNING **: 20:44:59.387: Theme parsing error: gtk.css:73:46: The style property GtkScrolledWindow:scrollbars-within-bevel is deprecated and shouldn't be used anymore. It will be removed in a future version

However, I do think I am making some progress… somewhere along the line I had also launched the Firejail Config Wizard from the firetools app list… and noticed it did generate an entry in the Firetools sandboxed apps list! And I’m fairly confident (but not 100% certain) that this was not the case before when I had the firetools app list, firetools sandboxed app list, and the firejail config wizard all up at the same time.

So I kept clicking the other firetools app list icons and found that every single one of them (except Firefox, Thunderbird, and the firetools sandboxed app list) now creates an entry in the firetools sandboxed apps list! qTorrent, Okular, Gwenview, VLC, Gimp, LibreOffice Writer, Filezilla, and KeePassXC all add to the sandboxed apps list!

Hmm, is this a mozilla app issue… or is it because I already have executed unsandboxed sessions of those apps? Hmm, will need to test that theory and post back!

EDIT: Bingo! That was it. If you have another session of the app running that is not sandboxed, firejail loads the next sessions of firefox the exact same way… but close all the firefox sessions and launch it again… voila!

So to recap my solution…

  • complete the apparmor/firejail “integration step” with # sudo apparmor_parser -r /etc/apparmor.d/firejail-default
  • make sure you don’t have a non-sandboxed session of the application already running
  • execute the application via Firetools app list or command line firejail <application>
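The recap above and the “label not found” AVC line earlier in the thread, turned into a preflight script. This is an added example, not code from the post or from the firejail/firetools projects; the securityfs and /proc/*/attr/current paths it reads are assumptions, and the AVC line is a constructed copy of the one quoted above.

```shell
#!/bin/sh
# Added example: check that the firejail-default AppArmor profile is loaded,
# refuse to start while an unconfined copy of the app is running (the case that
# made firefox open outside the sandbox in the post), then launch via firejail.
# Assumed paths: /sys/kernel/security/apparmor/profiles and /proc/PID/attr/current.

# Constructed copy of the KSystemLog line from the post, used as sample input.
SAMPLE_AVC='AVC apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="firejail-default" pid=817628 comm="firejail"'

# Print the profile AppArmor could not find in a change_onexec denial;
# print nothing for any other kind of line.
missing_profile_from_avc() {
    case "$1" in
        *'operation="change_onexec"'*'info="label not found"'*)
            printf '%s\n' "$1" | sed -n 's/.*name="\([^"]*\)".*/\1/p' ;;
    esac
}

# Is profile $1 in the kernel's loaded-profile list? $2 overrides the file
# (reading the real securityfs entry may need root on some systems).
profile_loaded() {
    grep -q "^$1 " "${2:-/sys/kernel/security/apparmor/profiles}" 2>/dev/null
}

# Print PIDs of $1 whose AppArmor label is NOT firejail-default, i.e. copies
# that firejail would hand the new window to instead of confining it.
unconfined_instance_pids() {
    for pid in $(pgrep -x "$1" 2>/dev/null); do
        case "$(cat "/proc/$pid/attr/current" 2>/dev/null)" in
            firejail-default*) ;;
            *) echo "$pid" ;;
        esac
    done
}

# Usage: sh firejail-preflight.sh firefox
run_sandboxed() {
    if ! profile_loaded firejail-default; then
        echo "firejail-default not loaded; as root: apparmor_parser -r /etc/apparmor.d/firejail-default" >&2
        return 1
    fi
    if [ -n "$(unconfined_instance_pids "$1")" ]; then
        echo "an unsandboxed $1 is already running; close it and retry" >&2
        return 1
    fi
    exec firejail "$1"
}

if [ -n "${1-}" ]; then
    run_sandboxed "$1"
fi
```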
