I am trying to enable firejail on top of apparmor but I don’t understand what to do.
The arch wiki says "Enable Apparmor globally in /etc/firejail/globals.local"
How do I enable it? What’s the command here?
Please read more carefully
https://wiki.archlinux.org/index.php/Firejail#Persistent_local_customisation
To globally enable Apparmor and disable Internet connectivity, one could simply create/edit /etc/firejail/globals.local to include the lines
    # enable Apparmor and disable Internet globally
    net none
    apparmor
Then, to allow, for example, "curl" to connect to the internet, yet still maintain its apparmor confinement, one would create/edit /etc/firejail/curl.local to include the lines
    # enable internet for curl
    ignore net
Since curl.local is read before globals.local, ignore net overrides net none, and, as a bonus, the above changes would be persistent across future updates.
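A small shell check, added here and not part of the thread or of firejail itself, that models the ordering rule just described: it walks the profile files in the order firejail reads them and drops any command named by an earlier ignore line, so you can see whether a .local override actually takes effect before launching the sandbox. It assumes exact one-word command matching, a simplification of firejail's own parser.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the firejail project): emulate how
# firejail resolves "ignore <cmd>" across the profile files it reads.
# Assumes the read order from the thread: <name>.local first, then globals.local.

# resolve_directives FILE...  - files in read order; prints the effective
# directives, dropping any command named by an earlier "ignore <cmd>" line.
# Simplification: only the first word of a line is compared.
resolve_directives() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                  # skip comments and blank lines
        $1 == "ignore"      { ignored[$2] = 1; next }  # remember the command to drop
        !($1 in ignored)    { print }                  # keep anything not ignored
    ' "$@"
}

# demo_curl: build the two files from the thread in a temp dir (constructed
# sample input) and print the effective directives for curl.
demo_curl() {
    local dir
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# enable Apparmor and disable Internet globally' 'net none' 'apparmor' > "$dir/globals.local"
    printf '%s\n' '# enable internet for curl' 'ignore net' > "$dir/curl.local"
    # curl.local is read before globals.local, so "ignore net" drops "net none"
    resolve_directives "$dir/curl.local" "$dir/globals.local"
    rm -rf "$dir"
}
```

Running demo_curl prints only apparmor; reversing the two file arguments keeps net none, which is the failure mode to look for when an override in a .local file seems to have no effect.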
Thank you, I didn’t know I had to create a custom profile. I assumed the profile already existed.
Yeah but that makes sense, since that is exactly what it's supposed to do in that example…
Let’s start from asking what exactly you want to achieve with firejail?
I thought it would have ignored it.
browser confinement mainly.
Oh, that should be as simple as just:
firejail firefox -no-remote
Note: by default, a single Firefox process instance handles multiple browser windows. If you already have Firefox running, you would need to use -no-remote command line option, otherwise you end up with a new tab or a new window attached to the existing Firefox process:
But there are more options you can see from help or man:
My answer above was kinda about its functionality being similar to a normal firewall…
Also keep in mind that I've never used it either
Just a question, do you need to disable net globally in /etc/firejail/globals.local ?
I thought the above command would work but it doesn’t seem to override “net none” as described.
Those are kinda firewall functions of Firejail, I thought at first that's what you need, coz you've asked about them in OP.
firejail --apparmor firefox -no-remote
I think that should work, if your aim is just browser
Yeah, that is odd. According to the Wiki it should do just that.
I think you could achieve that by:
firejail --apparmor firefox
I never got firefox running together with firejail, therefore decided to remove firejail and use apparmor only. Setting up rules in apparmor is easy (as long as you don’t want to have it perfect). Maybe that’s also an alternative for you.