Questions regarding Security features on Arch/Endeavour

Hello everyone,

I tried setting up AppArmor and by following the Arch Wiki the installation and activation went well. I also downloaded the extra profiles provided by apparmor.d-git in the AUR. However the profiles don’t seem to work well as AppArmor wouldn’t let Discord launch at all and wg-quick up would be denied permission to files it needed and thus fail to start the VPN. Since I found things broke so early I didn’t bother with further testing.

Now it’s not that I need AppArmor, it’s just that I like tinkering. Did I miss something? Is there anything I can do to make this work without spending days learning how to create my own profiles and observing their behaviors?

Or rather, actually how important are these security features that on other distros come out of the box? Is it even worth it or should I call this experiment a failure and move on?

Thanks.

The profiles from apparmor.d-git are likely too restrictive for your setup. For example, Discord may be denied access to specific files, directories, or network capabilities it needs to function. Similarly, wg-quick (part of WireGuard) requires access to configuration files, network interfaces, and possibly elevated privileges, which the profile might be blocking.

Run sudo aa-status to confirm which profiles are loaded and in what mode (enforce or complain). If Discord and wg-quick have profiles in enforce mode, they’re likely causing the blocks. Check AppArmor logs for specific denials:

sudo dmesg | grep -i apparmor
sudo journalctl -xe | grep -i apparmor

Look for lines mentioning “DENIED” operations for Discord (/usr/bin/discord or similar) or wg-quick (/usr/bin/wg-quick). These logs will show which files, directories, or capabilities are being blocked.

Hello and thanks for replying. Discord is in Unconfined mode and there is no profile for Wireguard.

This is Wireguard’s error:

[#] ip link add wg-proton type wireguard
[#] wg setconf wg-proton /dev/fd/63
/usr/bin/wg-quick: line 32: /usr/bin/wg: Permission denied
/usr/bin/wg-quick: line 183: /usr/bin/wg: Permission denied
[#] ip link delete dev wg-proton

This is what Apparmor has to say about Wireguard:

[ 1404.801054] audit: type=1400 audit(1745618714.727:8303): apparmor="ALLOWED" operation="exec" class="file" info="profile transition not found" error=-13 profile="wg-quick" name="/usr/bin/wg" pid=7697 comm="wg-quick" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/wg"
[ 1404.804088] audit: type=1400 audit(1745618714.730:8304): apparmor="ALLOWED" operation="exec" class="file" info="profile transition not found" error=-13 profile="wg-quick" name="/usr/bin/wg" pid=7700 comm="wg-quick" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/wg"

And these are the only logs marked with DENIED from the commands you posted. There are some parts about Discord in here too:

[  511.000413] audit: type=1400 audit(1745617820.942:3166): apparmor="DENIED" operation="file_inherit" class="file" profile="lsb_release" name="/opt/discord/icudtl.dat" pid=5916 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  511.000424] audit: type=1400 audit(1745617820.942:3167): apparmor="DENIED" operation="open" class="file" info="Failed name lookup - disconnected path" error=-13 profile="lsb_release" name="apparmor/.null" pid=5916 comm="lsb_release" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
[  511.000426] audit: type=1400 audit(1745617820.942:3168): apparmor="DENIED" operation="file_inherit" class="file" profile="lsb_release" name="/opt/discord/v8_context_snapshot.bin" pid=5916 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  511.000428] audit: type=1400 audit(1745617820.942:3169): apparmor="DENIED" operation="file_inherit" class="file" profile="lsb_release" name="/opt/discord/resources/app.asar" pid=5916 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  511.008306] audit: type=1400 audit(1745617820.949:3170): apparmor="DENIED" operation="exec" class="file" profile="lsb_release" name="/usr/bin/find" pid=5920 comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[  511.008363] audit: type=1400 audit(1745617820.949:3171): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/usr/bin/find" pid=5920 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  511.008595] audit: type=1400 audit(1745617820.949:3172): apparmor="DENIED" operation="exec" class="file" profile="lsb_release" name="/usr/bin/head" pid=5921 comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[  511.008657] audit: type=1400 audit(1745617820.949:3173): apparmor="DENIED" operation="open" class="file" profile="lsb_release" name="/usr/bin/head" pid=5921 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Also this is what I see if I type “Discord” in the terminal:

01:35:31.266 › DiscordSplash.signalReady
splashScreen: SPLASH_SCREEN_READY
splashScreen.webContentsSend: SPLASH_SCREEN_QUOTE SPLASH_SCREEN_QUOTE [ 'Hold Tight — Loading Discord' ]
4/26/2025, 1:35:31 AM GMT+3 [Modules] No updates to install
splashScreen: no-pending-updates
4/26/2025, 1:35:31 AM GMT+3 [Modules] Checking for host updates.
splashScreen: checking-for-updates
splashScreen.updateSplashState checking-for-updates checking-for-updates {}
splashScreen.webContentsSend: SPLASH_UPDATE_STATE SPLASH_UPDATE_STATE [ { status: 'checking-for-updates' } ]
[10980:0426/013531.285888:ERROR:mime_util_xdg.cc(137)] Invalid mime.cache file does not contain null prior to ALIAS_LIST_OFFSET=44
01:35:31.312 › DiscordSplash.onStateUpdate: {"status":"checking-for-updates"}
01:35:31.313 › Splash.onStateUpdate: {"status":"checking-for-updates"}
blackbox: 4/26/2025, 1:35:31 AM GMT+3 6 ✅ webContents.did-finish-load web1
4/26/2025, 1:35:31 AM GMT+3 [Modules] Host is up to date.
4/26/2025, 1:35:31 AM GMT+3 [Modules] Checking for module updates at https://discord.com/api/modules/stable/versions.json
4/26/2025, 1:35:31 AM GMT+3 [Modules] No module updates available.
splashScreen: update-check-finished true 0 false
splashScreen.launchMainWindow: false
Optional module ./ElectronTestRpc was not included.
splashScreen.updateSplashState launching launching {}
splashScreen.webContentsSend: SPLASH_UPDATE_STATE SPLASH_UPDATE_STATE [ { status: 'launching' } ]
blackbox: 4/26/2025, 1:35:31 AM GMT+3 7 ✅ webContents.created web2 ""
01:35:31.681 › DiscordSplash.onStateUpdate: {"status":"launching"}
01:35:31.682 › Splash.onStateUpdate: {"status":"launching"}
blackbox: 4/26/2025, 1:35:31 AM GMT+3 8 ✅ window.created win2 "Discord"
[10980:0426/013531.689940:FATAL:bus.cc(1246)] D-Bus connection was disconnected. Aborting.
Trace/breakpoint trap (core dumped)

~~
Furthermore, I see that all but 2 processes are either unconfined or in complain mode so not much is being done anyway. Also according to the setup steps in https://apparmor.pujol.io/install/
I would need to monitor the logs and if all is good then turn on enforced mode. If things are breaking in this state, I’m not so sure I want to play with it that much… we’ll see :sweat_smile:
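The logs above show the distinction the earlier reply asked about: AppArmor writes apparmor="DENIED" only for profiles in enforce mode, while a complain-mode profile logs apparmor="ALLOWED" and lets the operation through. The one case where a complain-mode profile still breaks something is an exec rule whose target profile is not loaded (info="profile transition not found", error=-13), which is exactly what the wg-quick lines show and why /usr/bin/wg reports "Permission denied". The script below is an added example, not code from the thread or from the apparmor.d project: it reads audit records as printed by dmesg or journalctl from stdin and prints one line per event, flagging which ones actually block. The sample lines are copied from the posts above (the last one is a constructed non-AppArmor line to show it is skipped), and the function names aa_field, aa_summarize and aa_denied_profiles are our own.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): summarise AppArmor audit records.
# Usage: sudo dmesg | ./aa-summary.sh      or      aa_sample | aa_summarize

# aa_field KEY LINE -> value of KEY="..." in LINE, empty if absent.
# The leading whitespace anchor keeps name="apparmor/.null" from matching
# the apparmor= key, and requested_mask from matching denied_mask.
aa_field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# aa_summarize: stdin = raw log lines -> one line per AppArmor event:
#   VERDICT PROFILE OPERATION NAME DENIED_MASK NOTE
aa_summarize() {
  while IFS= read -r line; do
    case $line in *'apparmor="'*) ;; *) continue ;; esac   # skip unrelated lines
    verdict=$(aa_field apparmor "$line")
    profile=$(aa_field profile "$line")
    op=$(aa_field operation "$line")
    name=$(aa_field name "$line")
    mask=$(aa_field denied_mask "$line")
    info=$(aa_field info "$line")
    # Complain mode logs ALLOWED and does not block, except when an exec
    # rule points at a profile that is not loaded: the kernel cannot
    # complete the transition and fails the exec with EACCES anyway.
    case $verdict:$info in
      ALLOWED:"profile transition not found") note="exec still fails (target profile not loaded)" ;;
      ALLOWED:*) note="complain mode, not blocked" ;;
      DENIED:*)  note="enforced, blocked" ;;
      *)         note="unknown verdict" ;;
    esac
    printf '%s %s %s %s %s %s\n' "$verdict" "$profile" "$op" "$name" "$mask" "$note"
  done
}

# aa_denied_profiles: stdin = aa_summarize output -> unique enforced profiles
# that produced a real denial (the ones worth looking at first).
aa_denied_profiles() {
  awk '$1 == "DENIED" { print $2 }' | sort -u
}

# Sample input: three records quoted from the thread plus one constructed
# non-AppArmor line that must be ignored.
aa_sample() {
  cat <<'EOF'
[ 1404.801054] audit: type=1400 audit(1745618714.727:8303): apparmor="ALLOWED" operation="exec" class="file" info="profile transition not found" error=-13 profile="wg-quick" name="/usr/bin/wg" pid=7697 comm="wg-quick" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/wg"
[  511.000413] audit: type=1400 audit(1745617820.942:3166): apparmor="DENIED" operation="file_inherit" class="file" profile="lsb_release" name="/opt/discord/icudtl.dat" pid=5916 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  511.008306] audit: type=1400 audit(1745617820.949:3170): apparmor="DENIED" operation="exec" class="file" profile="lsb_release" name="/usr/bin/find" pid=5920 comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[  600.000000] constructed: some unrelated kernel message that is not an AppArmor record
EOF
}

# Demo run on the sample when executed directly; pipe real logs in otherwise.
if [ -t 0 ]; then
  aa_sample | aa_summarize
else
  aa_summarize
fi
```

Run it as `sudo dmesg | ./aa-summary.sh` or `sudo journalctl -k | ./aa-summary.sh`. On the logs posted above it reports the lsb_release profile as the only enforced profile actually blocking anything, and marks the two wg-quick records as exec failures caused by a missing target profile rather than by enforcement, which matches the wg-quick output and the "all but 2 processes are unconfined or in complain mode" observation.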

The apparmor-utils package includes aa-logprof, a tool to semi-automatically update profiles based on logged violations. After running Discord and wg-quick in complain mode for a while (e.g., perform typical actions like joining a server in Discord or connecting the VPN), run:

sudo aa-logprof

This tool scans logs for denied operations and prompts you to allow or deny them, updating the profile accordingly.

2 Likes

I found no such package, neither in the repos nor in the AUR. It seems to be a Debian/Ubuntu package.

However in Arch, aa-logprof is included in the “regular” package apparmor from the repos.


$ pacman -Qo /usr/bin/aa-logprof
/usr/bin/aa-logprof is owned by apparmor 4.1.0-3.1

aa-logprof makes things interesting and I’ll play around with it. However, I still have a question. Shouldn’t Discord and WG be left alone by default, given that the former is in unconfined mode and the latter doesn’t even have a profile?

Also one more thing if you guys don’t mind, since I’m already inside the rabbit hole.

I see that by using sbctl, it’s not that hard to enable Secure Boot. My question is since in order to do this you have to go into Setup Mode and then create new keys, does this affect anything if I say reinstall the OS or even change distro down the line?

I probably won’t bother since I (currently) don’t use encryption anyways but just wondering for potential future reference. Thanks.

So regarding Apparmor, in case anyone else trying to get it to work stumbles in here, the apparmor.d project currently has quite a few bugs.

  • Discord reports a D-Bus error which looks to me like it’s this known issue. Funny thing is this apparently is about gnome but I’m on kde.
  • aa-logprof does not work due to a syntax error.
  • And aa-log does not print anything. It says it can’t find the log file but manually opening the audit log file, I see it has reported everything properly.

Hopefully when this project matures some more it will make Apparmor a breeze to use.

1 Like