Firejail-Apparmor help

I am trying to enable firejail on top of apparmor but I don’t understand what to do.

The arch wiki says " Enable Apparmor globally in /etc/firejail/globals.local "

How do I enable it? What’s the command here?

Please read more carefully :slight_smile:

  1. To globally enable Apparmor and disable Internet connectivity, one could simply create/edit

    /etc/firejail/globals.local
    

    to include the lines

    # enable Apparmor and disable Internet globally
    net none
    apparmor
    
  2. Then, to allow, for example, “curl” to connect to the internet, yet still maintain its apparmor confinement, one would create/edit

    /etc/firejail/curl.local
    

    to include the lines.

    # enable internet for curl
    ignore net
    
  3. Since curl.local is read before globals.local, ignore net overrides net none, and, as a bonus, the above changes would be persistent across future updates.

2 Likes

Thank you, I didn’t know I had to create a custom profile. I assumed the profile already existed. :slightly_smiling_face:

1 Like

@keybreak

It seems my internet still gets disabled even after it says “ignore net”

Yeah but that makes sense, since that is exactly what it suppose to do from that example…

Let’s start from asking what exactly you want to achieve with firejail?

I thought it would have ignored it.

browser confinement mainly.

Oh, that should be as simple as just:

firejail firefox -no-remote 

Note: by default, a single Firefox process instance handles multiple browser windows. If you already have Firefox running, you would need to use -no-remote command line option, otherwise you end up with a new tab or a new window attached to the existing Firefox process:

But there are more options you can see from help or man:

My answer above was kinda about it’s functionality similar to normal firewall…
Also keep in mind that i’ve never used it too :laughing:

1 Like

Just a question, do you need to disable net globally in /etc/firejail/globals.local ?

@pebcak

I thought the above command would work but it doesn’t seem to override “net none” as described.

Those are kinda firewall functions of Firejail, i thought at first that’s what you need, coz you’ve asked about them in OP.

  1. Just kill those two files
  2. Try launch Firefox directly
    firejail --apparmor firefox -no-remote 
    

I think that should work, if your aim is just browser

1 Like

Yeah, that is odd. According the Wiki it should do just that.

I think you could achieve that by:

firejail --apparmor firefox

2 Likes

I never got firefox running together with firejail, therefore decided to remove firejail and use apparmor only. Setting up rules in apparmor is easy (as long as you don’t want to have it perfect). Maybe that’s also an alternative for you.

1 Like