Firejail-Apparmor help

Mystic · November 3, 2020, 10:52am

I am trying to enable firejail on top of apparmor but I don’t understand what to do.

The arch wiki says " Enable Apparmor globally in /etc/firejail/globals.local "

How do I enable it? What’s the command here?

keybreak · November 3, 2020, 11:13am

Please read more carefully
https://wiki.archlinux.org/index.php/Firejail#Persistent_local_customisation

To globally enable Apparmor and disable Internet connectivity, one could simply create/edit
```
/etc/firejail/globals.local
```
to include the lines
```
# enable Apparmor and disable Internet globally
net none
apparmor
```
Then, to allow, for example, “curl” to connect to the internet, yet still maintain its apparmor confinement, one would create/edit
```
/etc/firejail/curl.local
```
to include the lines.
```
# enable internet for curl
ignore net
```
Since curl.local is read before globals.local, ignore net overrides net none, and, as a bonus, the above changes would be persistent across future updates.

Mystic · November 3, 2020, 11:21am

Thank you, I didn’t know I had to create a custom profile. I assumed the profile already existed.

Mystic · November 3, 2020, 11:47am

@keybreak

It seems my internet still gets disabled even after it says “ignore net”

keybreak · November 3, 2020, 12:01pm

Yeah but that makes sense, since that is exactly what it suppose to do from that example…

Let’s start from asking what exactly you want to achieve with firejail?

Mystic · November 3, 2020, 12:05pm

I thought it would have ignored it.

browser confinement mainly.

keybreak · November 3, 2020, 12:10pm

Oh, that should be as simple as just:

firejail firefox -no-remote

Note: by default, a single Firefox process instance handles multiple browser windows. If you already have Firefox running, you would need to use -no-remote command line option, otherwise you end up with a new tab or a new window attached to the existing Firefox process:

But there are more options you can see from help or man:

My answer above was kinda about it’s functionality similar to normal firewall…
Also keep in mind that i’ve never used it too

pebcak · November 3, 2020, 12:20pm

Just a question, do you need to disable net globally in /etc/firejail/globals.local ?

Mystic · November 3, 2020, 12:21pm

@pebcak

I thought the above command would work but it doesn’t seem to override “net none” as described.

keybreak · November 3, 2020, 12:24pm

Those are kinda firewall functions of Firejail, i thought at first that’s what you need, coz you’ve asked about them in OP.

Just kill those two files

Try launch Firefox directly

firejail --apparmor firefox -no-remote

I think that should work, if your aim is just browser

pebcak · November 3, 2020, 12:24pm

Yeah, that is odd. According the Wiki it should do just that.

I think you could achieve that by:

firejail --apparmor firefox

Barqu · November 3, 2020, 12:25pm

I never got firefox running together with firejail, therefore decided to remove firejail and use apparmor only. Setting up rules in apparmor is easy (as long as you don’t want to have it perfect). Maybe that’s also an alternative for you.