I am running Linux artik 5.4.74-1-lts. I am trying to set up firejail following this link (https://wiki.archlinux.org/index.php/Firejail). However, after following all the instructions, when I run firefox, I get the following warning:
~~> firejail firefox
...
...
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 153.12 ms
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features
I have run aa-enforce firejail-default as root. It went without any error.
I am not able to understand why another sandbox was detected. If there is one, how could I solve this issue?
Could someone guide me on how to go about troubleshooting and solving this?
Just did a fresh install of Artix with runit and firejail is working as usual.
(https://i.imgur.com/YBYdJMj.png)
Seems like the AppArmor profile of firejail hasn't been loaded correctly.
If you run "aa-status", does it show the firejail-default profile loaded in enforce mode?
If not, you can load it by running "apparmor_parser -r /etc/apparmor.d/firejail-default".
I think "aa-enforce" just enables the profile to be loaded at the next boot (correct me if I'm wrong).
Therefore, you could also just try rebooting and check if the firejail-default profile is loaded in enforce mode by running "aa-status" again.
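The check suggested in the reply above, as an added example that is not part of the original thread: a shell function that reads a profile list in the kernel's "name (mode)" format and reports the mode a given profile is loaded in. The function name, its result strings and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the mode a profile is loaded in,
# read from the kernel's profile list, one "name (mode)" entry per line.
# On a live system that list is /sys/kernel/security/apparmor/profiles.

# profile_mode NAME LIST_FILE
# Prints the mode (enforce, complain, ...), "not-loaded" when the profile is
# absent, or "no-apparmorfs" when the list itself does not exist.
# Returns 0 only when the profile is in enforce mode.
profile_mode() {
    name=$1
    list=$2
    if [ ! -e "$list" ]; then
        printf 'no-apparmorfs\n'
        return 2
    fi
    while IFS= read -r line; do
        case $line in
            # Exact name match: "firejail-default-extra" must not count.
            "$name ("*")")
                mode=${line##*\(}   # drop everything up to the last "("
                mode=${mode%\)}     # drop the closing ")"
                printf '%s\n' "$mode"
                [ "$mode" = enforce ]
                return
                ;;
        esac
    done < "$list"
    printf 'not-loaded\n'
    return 1
}

# Constructed sample list (not output from the poster's machine).
sample=$(mktemp)
cat > "$sample" <<'EOF'
firejail-default (complain)
firejail-default-extra (enforce)
EOF

for p in firejail-default firejail-default-extra missing-profile; do
    printf '%s: %s\n' "$p" "$(profile_mode "$p" "$sample")"
done
printf 'absent list: %s\n' "$(profile_mode firejail-default "$sample.absent")"
rm -f "$sample"
```

On a running system, pass /sys/kernel/security/apparmor/profiles as the second argument; reading it requires root.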
Thanks folk.
I think firejail is in force: Would this affirm that?
~~> firejail --list
2664:xxxxxxx::/usr/bin/firejail /usr/bin/firefox
I did run sudo aa-status and my output is the following:
~~> sudo aa-status
[sudo] password for xxxxxxx:
apparmor module is loaded.
apparmor filesystem is not mounted.
What does it mean by apparmor filesystem is not mounted?