Apparmor: always trouble with pre-installed profiles or components

I’ve always had trouble with the pre-installed apparmor profiles, even today.

I would prefer if the software packages were separated into a minimal package and various optional packages. When I update with pacman, files are installed in /etc/apparmor.d that I don’t actually want.

On my laptop, I only want to use profiles created with aa-genprof/aa-logprof for the browsers I use.

Today’s example, after watching a music video in the browser (actually, I had hoped that my profile was already fully trained):


# aa-logprof

Profile:  /usr/lib/firefox/firefox
Path:     /dev/video0
New Mode: r
Severity: unknown

 [1 - include <abstractions/ubuntu-browsers.d/multimedia>]
  2 - include <abstractions/video> 
  3 - /dev/video0 r, 
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
Adding include <abstractions/ubuntu-browsers.d/multimedia> to profile.

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /usr/lib/firefox/firefox]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
Writing updated profile for /usr/lib/firefox/firefox.
profile /usr/lib/firefox/firefox: has merged rule /usr/bin/pulseaudio with conflicting x modifiers
ERROR merging rules for profile /usr/lib/firefox/firefox, failed to load

My response to the problem was to follow the advice in the header of abstractions/ubuntu-browsers.d/multimedia and also to add

include <abstractions/ubuntu-helpers>

to my Firefox profile, but that didn’t make it better.

So, I went back to my backed-up version of my firefox profile and started aa-logprof again. Instead of including the suggested files from the abstractions folder, I used the suggested alternative 3, allowing /dev/video0 and subsequently /dev/video1. I think this is simpler but sufficient.

Hello @Acor :wink:

It may not directly apply to your problem, but I think if you’re just looking to isolate the browsers, Flatpak with its sandbox would be a replacement. Firefox flatpak gets updates directly from Mozilla.

Apparmor was always too complicated and time-consuming for me.

May I ask what your main reason is for using Apparmor for the desktop? The only reason for Apparmor, in my view, is for example network services like Samba or Apache.

Anyway… you can add this to /etc/pacman.conf

NoExtract = /etc/apparmor.d/* !*apparmor.d/firefox

Now nothing will be extracted into that folder by pacman/pamac in the future, except firefox.

Thank you for the good tips, megavolt!

Since man pacman.conf(5) says not to include the leading slash (the RootDir) when specifying files, I made this entry in /etc/pacman.conf:

NoExtract = etc/apparmor.d/*
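The difference between the two NoExtract spellings in this thread is easy to check with a small model of how pacman evaluates the directive. The following Python is an added example, not code from pacman or from anyone in the thread; it assumes only what pacman.conf(5) documents: patterns are fnmatch-style globs matched against package-relative paths (no leading slash), an entry prefixed with `!` whitelists files again, and later entries override earlier ones. The file list is constructed for the demonstration and the profile filename `etc/apparmor.d/firefox` is a placeholder, not the real name the package ships.

```python
import fnmatch

# Constructed sample of package-relative paths, as pacman sees them (no leading slash).
# "etc/apparmor.d/firefox" is a placeholder name for the profile file.
SAMPLE_FILES = [
    "etc/apparmor.d/firefox",
    "etc/apparmor.d/usr.bin.apache2",
    "etc/apparmor.d/abstractions/video",
    "etc/apparmor.conf",
    "usr/lib/firefox/firefox",
]


def parse_noextract(conf_lines):
    """Collect the patterns from every 'NoExtract = a b c' line, in file order."""
    patterns = []
    for line in conf_lines:
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("NoExtract"):
            continue
        _, _, value = line.partition("=")
        patterns.extend(value.split())
    return patterns


def is_extracted(path, patterns):
    """Model of the documented rule: the last matching pattern decides;
    a '!' pattern means 'extract after all'. Globs use fnmatch semantics,
    so '*' also crosses '/' (subdirectories under apparmor.d are covered)."""
    for pattern in reversed(patterns):
        inverted = pattern.startswith("!")
        glob = pattern[1:] if inverted else pattern
        if fnmatch.fnmatchcase(path, glob):
            return inverted
    return True                                       # no pattern matched: extracted


def extracted_files(conf_lines, files=SAMPLE_FILES):
    """Return the sample files that would still be written to disk."""
    patterns = parse_noextract(conf_lines)
    return [f for f in files if is_extracted(f, patterns)]


# Three variants: with a leading slash, the bare directory glob, and the
# directory glob plus a whitelist for the firefox profile.
WITH_SLASH = ["NoExtract = /etc/apparmor.d/* !*apparmor.d/firefox"]
BARE_DIR = ["NoExtract = etc/apparmor.d/*"]
DIR_WITH_WHITELIST = ["NoExtract = etc/apparmor.d/* !etc/apparmor.d/firefox"]

if __name__ == "__main__":
    for name, conf in [("with slash", WITH_SLASH),
                       ("bare dir", BARE_DIR),
                       ("dir + whitelist", DIR_WITH_WHITELIST)]:
        print(f"{name:16} -> {extracted_files(conf)}")
```

Under this model the leading-slash form never matches a package path, so every apparmor.d file would still be extracted on the next update even though a NoExtract line is present; the slash-free form skips the whole directory, and appending a `!` entry keeps a single profile. To compare against a real package rather than the constructed list, `pacman -Ql <package>` prints the paths a package installs.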
