Topic: Maybe firejail-default AppArmor profile is not loaded into the kernel

Maybe firejail-default AppArmor profile is not loaded into the kernel

I am running
Linux artik 5.4.74-1-lts
I am trying to set up firejail following the link. However, after following all the instructions, when I run firefox, I get the following warning:

~~> firejail firefox
...
...
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 153.12 ms
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features

I have run
aa-enforce firejail-default
as root. It went without any error.
I am not able to understand why another sandbox was detected. If there is one, how could I solve this issue?

Could someone guide me on how to troubleshoot and solve this?
Andromedan

Re: Maybe firejail-default AppArmor profile is not loaded into the kernel

Reply #1
Just did a fresh install of Artix with runit and firejail is working as usual.

    Maybe firejail-default AppArmor profile is not loaded into the kernel.

Seems like the AppArmor profile of firejail hasn't been loaded correctly.

If you run "aa-status", does it show the firejail-default profile loaded in enforce mode?

If not, you can load it by running "apparmor_parser -r /etc/apparmor.d/firejail-default"

I think "aa-enforce" just enables the profile to be loaded at the next boot ( correct me if I'm wrong ).

Therefore, you could also just try rebooting and check if the firejail-default profile is loaded in enforce mode by running "aa-status" again.

Re: Maybe firejail-default AppArmor profile is not loaded into the kernel

Reply #2
Thanks, folks.

I think firejail is in force. Would this confirm that?
~~> firejail --list
2664:xxxxxxx::/usr/bin/firejail /usr/bin/firefox

I ran "sudo aa-status" and the output is the following:

~~> sudo aa-status 
[sudo] password for xxxxxxx:
apparmor module is loaded.
apparmor filesystem is not mounted.

What does it mean by apparmor filesystem is not mounted?
Andromedan
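The two checks that Reply #1 and Reply #2 turn on (is the firejail-default profile loaded in enforce mode, and why does aa-status say the apparmor filesystem is not mounted) can be read straight from the kernel interfaces that aa-status itself uses. The script below is an added example written for this thread, not code from the thread or from the firejail or AppArmor projects. It assumes the standard interface paths: securityfs mounted at /sys/kernel/security, and /sys/kernel/security/apparmor/profiles listing one loaded profile per line as "<name> (<mode>)". Both paths can be overridden with arguments so the functions can be run against constructed sample files; the function names are this example's own.

```shell
#!/bin/sh
# Added diagnostic helper for the symptoms in this thread (not from the
# thread or the firejail project). It reads the same kernel interfaces that
# aa-status uses: /proc/mounts for the securityfs mount, and
# /sys/kernel/security/apparmor/profiles for loaded profiles and their modes.
# Both paths can be overridden so the functions can be exercised on
# constructed sample files.

# Print "mounted" if securityfs is mounted on /sys/kernel/security,
# "not-mounted" otherwise, or "unknown" if the mounts table cannot be read.
securityfs_state() {
    mounts_file="${1:-/proc/mounts}"
    [ -r "$mounts_file" ] || { echo unknown; return 0; }
    # /proc/mounts columns: device mountpoint fstype options dump pass
    if awk '$2 == "/sys/kernel/security" && $3 == "securityfs" { found = 1 }
            END { if (found) exit 0; exit 1 }' "$mounts_file"; then
        echo mounted
    else
        echo not-mounted
    fi
}

# Print the mode (enforce, complain, ...) of one AppArmor profile as listed
# in the profiles file, "absent" if it is not loaded, or "unreadable" if the
# interface is missing, which is exactly the case when securityfs is not
# mounted: aa-status then reports "apparmor filesystem is not mounted".
profile_mode() {
    profile="$1"
    profiles_file="${2:-/sys/kernel/security/apparmor/profiles}"
    [ -r "$profiles_file" ] || { echo unreadable; return 0; }
    mode=$(awk -v p="$profile" '$1 == p { gsub(/[()]/, "", $2); print $2; exit }' "$profiles_file")
    echo "${mode:-absent}"
}

# Combine both checks into the answer this thread is looking for.
diagnose_firejail_apparmor() {
    mounts_file="${1:-/proc/mounts}"
    profiles_file="${2:-/sys/kernel/security/apparmor/profiles}"
    fs=$(securityfs_state "$mounts_file")
    mode=$(profile_mode firejail-default "$profiles_file")
    case "$fs" in
        mounted) ;;
        *)  echo "securityfs is $fs: aa-status cannot see any profile."
            echo "Fix as root: mount -t securityfs securityfs /sys/kernel/security"
            return 0 ;;
    esac
    case "$mode" in
        enforce) echo "firejail-default is loaded in enforce mode; AppArmor confinement should work." ;;
        absent)  echo "firejail-default is not loaded."
                 echo "Fix as root: apparmor_parser -r /etc/apparmor.d/firejail-default" ;;
        *)       echo "firejail-default is in $mode mode (expected enforce)." ;;
    esac
    return 0
}

# Run against the live system when executed directly.
diagnose_firejail_apparmor
```

Run it as any user; it only reads the two interfaces and prints the first thing to fix. Mounting securityfs is checked before the profile, because the "apparmor filesystem is not mounted" line in Reply #2 means the profiles interface does not exist yet, so no conclusion about firejail-default can be drawn until that is resolved.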