Firejail or AppArmor

A thread about firewalls was opened recently, and in it a conversation came up regarding firejail.

There are two well-known means of getting an application running within a sandbox. One is firejail and the other is AppArmor. Which of these is better? What advantages does one have over the other?
Arch Wiki does not give any indications nor any recommendations.

EOS does not come with firejail installed by default.


I used AppArmor on Ubuntu on a system at work; there it’s basically good to go out of the box. I’ve used it on Arch Linux and I found all the profiles are Ubuntu-specific, so they are not much use on Arch, as it seems there are no Arch-specific profiles, so you will have to write them yourself, unless I missed something?

I’ve also used Firejail. I found that to actively use it for all the applications you use, you would have to debug and figure out every single application that broke and then adjust it in an included custom profile. I found it too much effort to be worth the trouble at the time; back then I chose to run the applications I wanted sandboxed as Flatpaks, because it’s just a ready-to-go solution without me having to configure every application myself.

If you want to go that route I would go for Flatpaks or Firejail, as I don’t see much to AppArmor on Arch Linux since it seems to be Ubuntu-specific. That is the same reason why I wouldn’t recommend trying to get SELinux working on Arch: I’ve tried, and it broke the boot of the system, as you have to write SELinux policies yourself from scratch from the information I found about it on Arch.

Another one I haven’t tried but you could try is Bubblejail, but from what I can remember it has fewer profiles that come with it than Firejail.

Thanks @Cphusion.
How about a use case where a file has been sent across as an attachment or has been downloaded? It could be a tar/compressed file. So we have to launch Ark and then the corresponding application (LibreOffice, Okular or Gwenview) to view it. In this case we either use firejail to open Ark, and then firejail again to open the respective application, i.e. LibreOffice, Okular or Gwenview.
Or we try to use AppArmor.

Let us take another use case. We are browsing, say, using public internet or an internet connection which is not from our house or office. Then we use firejail and/or AppArmor to run the browser, such that it prevents any unauthorized MITM attacks or other forms of attack on the machine.

Finally, let us assume that we have cloned a public git repository. Then, to examine and execute the code, we run PyCharm, Eclipse, KDevelop or Visual Studio under firejail or AppArmor. It is assumed that ptrace is not going to be used, and also that only minimal DBus interactions are required by the code.

What would be preferred for any or multiple of these cases?

Is firejail or AppArmor better than the other? Does one of them approach sandboxing in a much better way than the other? For example, AppArmor is built into the Linux kernel; it just has to be enabled by passing the appropriate kernel parameter during boot. Firejail, on the other hand, is a third-party solution that has to be installed.

I get that enabling firejail or AppArmor on the whole system or for all applications might not be worthwhile. But using firejail or AppArmor occasionally, or using them for some applications, might be good.

Running Flatpaks has a risk of its own. In the case of Flatpaks it is up to the developer to include all shared libraries, patched and up to date. That does not always happen. Many times a Flatpak has old libraries in use. One of the advantages of a rolling distro like Arch or its derivatives is that most of the known packages/libraries are patched pretty quickly. Heavy emphasis on the known. There might be zero-day exploits or other exploits which have not seen the light of day. Also, the size of a Flatpak application is way higher than that of the non-Flatpak application. I am not saying that Flatpaks are not good or should not be used.

I’ve used a lot of Flatpaks and all the ones I’ve used were updated regularly. People around here tend to be afraid of them for some reason. I don’t want to get into a Flatpak discussion here. But I prefer them when I want to sandbox an application because with them I don’t have to debug if something breaks, as I do when I use something like Firejail for an application. I’ve had more things breaking with Firejail than I have had with Flatpaks, and then you have to figure out what you need to add to your included profile to make that application work again. It’s doable but takes a lot of time, time I prefer spending doing something else.

Since you don’t like Flatpaks, then go with Firejail, since there are already enough existing profiles which work on different distributions, and AppArmor is Ubuntu-specific.

I’m by no means a knowledgeable user of firejail or AppArmor, but it seems to be possible to combine them both.

You can enable AppArmor support for firejail:

https://wiki.archlinux.org/title/Firejail#Enable_AppArmor_support

firejail --apparmor firefox seems to be working fine. Can anyone explain what it does?

So why not benefit from the security that is offered by each combined?

$ firejail --list
11963:cactux::firejail --apparmor mpv https://youtu.be/iBsHmjznQuk


Yes, they work well together! I guess the general idea is they work in different ways, so when used together you benefit from the hardening characteristics of each. AppArmor enforces strict access controls at the kernel level, while Firejail creates isolated sandboxes for limiting the resource access of the running application.

I have a few applications I started running this way, just to test it out. In some cases a little bit of tweaking is needed, but oftentimes everything Just Works™.

❯ firejail --list
2035:jeremy::firejail --apparmor --appimage /usr/local/bin/librewolf 
4247:jeremy::firejail signal-desktop 
4692:jeremy::firejail --appimage --apparmor --noprofile /usr/local/bin/onlyoffice 
4903:jeremy::firejail --appimage --apparmor --noprofile /usr/local/bin/joplin --ozone-platform=wayland 
5543:jeremy::firejail --appimage --apparmor /usr/local/bin/krita 

The “--noprofile” ones I haven’t figured out how to get working properly with a more restrictive Firejail profile yet.

The Firejail profile for Firefox-based browsers is pretty good out of the box. The only “gotcha” I ran into is by default the browser can only interact with user files that are stored in ~/Downloads. That’s fine for downloading things of course, but if you want to upload a file you need to either remember to move it to ~/Downloads first, or whitelist another directory using a local Firejail config.

Oh, also sometimes links from other applications do not open directly in the browser. I’ve found in some cases I need to copy the URL from the other application and paste it into the browser’s address bar (instead of just clicking the link in the other application).

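As an added example (not code from any poster or from the Firejail project), here is a small script that parses listings like the two "firejail --list" outputs above and flags sandboxes launched with --noprofile or without --apparmor, the quick check worth running before trusting a long-lived sandbox. The sample listing inside it is constructed from the PIDs and commands quoted in the thread.

```python
# Added example for this thread (not from any poster or from Firejail): audit
# `firejail --list` output (pid:user:name:command; name empty unless --name used).
import shlex
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the listings quoted in the thread.
SAMPLE_LIST = """\
2035:jeremy::firejail --apparmor --appimage /usr/local/bin/librewolf
4247:jeremy::firejail signal-desktop
4692:jeremy::firejail --appimage --apparmor --noprofile /usr/local/bin/onlyoffice
4903:jeremy::firejail --appimage --apparmor --noprofile /usr/local/bin/joplin --ozone-platform=wayland
11963:cactux::firejail --apparmor mpv https://youtu.be/iBsHmjznQuk
"""

@dataclass
class Sandbox:
    pid: int
    user: str
    options: List[str]  # firejail's own --flags, given before the program name
    program: str        # the confined program (first non-option token)

def parse_list(text: str) -> List[Sandbox]:
    """Parse `firejail --list` lines; split on at most 3 ':' since commands may hold URLs."""
    boxes: List[Sandbox] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, user, _name, command = line.split(":", 3)
        argv = shlex.split(command)
        if not argv or argv[0] != "firejail":
            continue
        rest, options = argv[1:], []
        # Flags before the program are firejail's; later --flags belong to the program.
        while rest and rest[0].startswith("--"):
            options.append(rest.pop(0))
        boxes.append(Sandbox(int(pid), user, options, rest[0] if rest else ""))
    return boxes

def weak_settings(box: Sandbox) -> List[str]:
    findings = []
    if "--noprofile" in box.options:
        findings.append("noprofile")    # no profile: only the default namespace isolation
    if "--apparmor" not in box.options:
        findings.append("no-apparmor")  # kernel MAC layer not stacked on the sandbox
    return findings

def audit(text: str) -> Dict[int, List[str]]:
    """Map each sandbox pid to its findings (an empty list means nothing flagged)."""
    return {box.pid: weak_settings(box) for box in parse_list(text)}
```

Feed it the real output of "firejail --list" (for example via subprocess.check_output) to audit the sandboxes currently running on your own machine.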

Thanks @BluishHumility for the explanation! Despite my rather shallow understanding of both these tools, I had some thoughts in that direction reading a little bit more in The Wiki.

I have always installed firejail, almost mechanically, in all my installs, and when I got the message to run the command to integrate it with AppArmor, I have done so too. Also, I have used it mostly with browsers like Firefox and Chromium.

I am getting more interested in the theme of hardening the system and seeing the output from your usage of these tools inspires me even more.

I have tried to use firejail with an appimage once (FreeTube) but I couldn’t get it to work. I wasn’t that insistent either.

And yes, I have also noticed the restriction of access to locations other than the ~/Downloads directory when using Firefox with firejail. I guess that it is doing its job rather well. I have also been moving files back and forth to ~/Downloads.

I’ll try reading up on the subject and I hope I can integrate these tools more and more in setting up and configuring my systems.

Thanks to @Archie1 for bringing up the subject. I hope that this thread will get some traction and more users with experience of these tools will chime in to share their experience and knowledge just like the recent thread about swap where a lot of great information was shared.

Thanks to all!


The non-AppImage FreeTube (e.g. freetube-git) works problem-free with firejail, no tweaks necessary (at least not in my case).

I too have appreciated @Archie1’s investigation into these questions. I’ve found his questions, and the responses given interesting, informative and inspiring.


Great to know! I should perhaps be trying that.

I find that this is a very interesting and important subject. Contrary to the swap thread, where many joined in to share their experience and knowledge, this one seems to be rather quiet.

I am starting to suspect that perhaps not that many users are familiar with these tools, and perhaps even fewer are using them. I do hope that I am wrong, because I think the information and knowledge shared here could be beneficial to all users who are interested in securing their system against different threats.

Thanks @Bink,

Thanks @BluishHumility and @cactux for your inputs.

@BluishHumility I did not realize that firejail can be run with AppArmor. I thought that they were two exclusive tools. Can we do the reverse, i.e. use AppArmor with firejail?

From my readings it appears that firejail primarily uses SUID/SETUID along with Linux namespaces, while AppArmor tends to rely heavily on the kernel-provided Linux capabilities. Am I missing something here? Both of these approaches can complement each other. Or should they be kept separate? I have often heard gurus and experts mention that the way the Linux kernel has implemented it is less than optimal. Maybe using namespaces lulls end users into feeling a false sense of security. For example, most distros disable user namespaces by default. And some, like Debian, have kernel flags which disable namespaces specifically for their kernel images.

Finally, I looked at the EOS Quick Start Installer. It seems that firejail and other such tools are not listed in any category like “Personal Security” or “Misc System Tools”, or in some other category. Any idea on how to get this added?
I can foresee a group which has firejail, firejaitools, fireurl, firewarden, firejail-handler-extra and others being part of a single meta package/package group, and this meta package being made available as a part of the EOS Quick Start Installer.
The EOS Quick Start Installer can be run by using the command eos-quickstart.

Since they implement their profiles in different ways, I think using AppArmor with Firejail is technically the same as using Firejail with AppArmor.

Probably a pull request against that repo you linked would be the most direct way to help get it added. Or if that is a bit outside your wheelhouse, you could just raise an issue on GitHub so the developers could look over the request.

Nice one, this looks pretty cool! It seems you can stand up a temporary home directory (for example, for opening a browser with a brand new profile), then when you are done, poof! It’s gone.