I don't think AppArmor is working for some of my firejailed apps,
e.g. (sudo aa-status):
"/usr/lib/electron38/electron (71746) firejail-default//&unconfined"
Pay attention to "&unconfined".
I have done this with librewolf to have it confined:
"/usr/lib/librewolf/librewolf (62376) firejail-default"
But I don't think I did anything other than adding "apparmor" to the corresponding .local file, so I don't know why no other app I have has this. What am I missing?
Last edited by WaitAndSee (Yesterday 03:31:48)
I don't think globals.local is the issue here, since from my understanding that's just global variables for the sandbox and not AppArmor related
(other than inserting "apparmor", I don't think it touches AppArmor).
I've read the page a couple of times now, so I might just be missing something in my brain if the answer is there;
apologies if that's the case.
Also, I'm not sure if you mean "do you" as in whether I have installed AppArmor and set it up. Yes I have, and I installed both through pacman. I did not build from source, and from what I've gathered it's enabled.
Last edited by WaitAndSee (2025-12-21 18:41:10)
I'm not sure if you mean "do you"
"Do you" have enabled AppArmor support, esp.
apparmor_parser -r /etc/apparmor.d/firejail-default
I'm not sure if you mean "do you"
"Do you" have enabled AppArmor support, esp.
apparmor_parser -r /etc/apparmor.d/firejail-default
I have run both the profile reload and fully restarting AppArmor through systemctl multiple times.
I have read that page and the Arch wiki, and I have installed AppArmor and firejail through pacman. I did not build from source.
The link you supplied did not provide any new info, as it again supplies the command to reload the AppArmor profile for firejail and the fact that it must be configured to support AppArmor at compile time in case you're compiling from source.
A new issue appeared which I fixed. AppArmor did not read the "firejail-local" profile which it read just yesterday. I'm 100% sure I have not removed any includes from either "firejail-default" file.
Edit here to be more clear on the fact that there are 2 "firejail-default" files, located in
/etc/apparmor.d
/etc/apparmor.d/local
Regardless, after the fix this is the aa-status for tor:
/home/theman/.local/opt/tor-browser/app/Browser/TorBrowser/Tor/tor (53912) firejail-default//&unconfined
/home/theman/.local/opt/tor-browser/app/Browser/firefox.real (53914) firejail-default//&unconfined
This leads me to believe AppArmor is clearly doing something, but according to AI the "&unconfined" means it's doing nothing for the specific application.
Please advise.
Last edited by WaitAndSee (2025-12-21 22:37:25)
Is this and the problem limited to https://aur.archlinux.org/packages/tor-browser-bin ?
Is this and the problem limited to https://aur.archlinux.org/packages/tor-browser-bin ?
Nope. From my currently active apps, the problem is on Discord and Element as well:
/opt/discord/Discord (19371) firejail-default//&unconfined
/usr/lib/electron38/electron (20479) firejail-default//&unconfined
Last edited by WaitAndSee (2025-12-22 19:21:32)
Or, rephrasing: Is anything that's not a precompiled binary from the AUR affected?
Any software from the repos?
I installed librewolf from yay (I think that's what you mean; apologies if that's not the case).
But that's precompiled, and so was tor, also from yay.
Everything else is from pacman.
Last edited by WaitAndSee (2025-12-22 19:33:32)
For anybody with the same issue, the AI answer has changed:
"
Actually, they are still confined. This is the most confusing part of how AppArmor displays stacked profiles, but here is the breakdown of why you are still protected.
Understanding the Stacking Syntax
The string firejail-default//&unconfined is an intersection, not an escape.
In AppArmor stacking, for an action to be allowed, it must be permitted by EVERY profile in the stack.
Layer 1 (firejail-default): This is the primary sandbox profile. It has strict rules about where the app can read/write and what it can execute.
Layer 2 (&unconfined): This effectively means "this specific slot has no additional restrictions."
Because it is an intersection (Layer 1 AND Layer 2), the final result is that the process is still restricted by everything in firejail-default.
"
So we are good. Damn, it learns fast.
Last edited by WaitAndSee (2025-12-25 02:28:34)
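A small added example (not code from this thread or from the firejail/AppArmor projects) that turns the stacking rule quoted above into a check you can run: it parses aa-status-style process lines, splits each label on "//&", drops the "unconfined" layer because it allows everything and so never narrows the intersection, and reports which named profiles still restrict each process. The sample lines are constructed in the shape of the thread's output; the parser assumes it is fed only the per-process section of aa-status, not the profile listing.

```python
import re
from dataclasses import dataclass

# Constructed sample, shaped like the per-process lines that `aa-status` prints
# under "N processes are in enforce mode". Paths and PIDs are made up; the
# stacked labels copy the pattern discussed in the thread.
SAMPLE_AA_STATUS = """\
   /usr/lib/librewolf/librewolf (62376) firejail-default
   /usr/lib/electron38/electron (71746) firejail-default//&unconfined
   /opt/discord/Discord (19371) firejail-default//&unconfined
   /usr/bin/example-daemon (4242) unconfined
"""

# One process line: executable path, "(pid)", then the AppArmor label.
PROCESS_LINE = re.compile(
    r"^\s*(?P<exe>\S+)\s+\((?P<pid>\d+)\)\s+(?P<label>\S+)\s*$"
)


@dataclass(frozen=True)
class Confinement:
    exe: str
    pid: int
    stack: tuple          # every layer of the label, in order
    effective: frozenset  # layers that actually restrict the process

    @property
    def confined(self) -> bool:
        return bool(self.effective)


def split_stack(label: str) -> tuple:
    """A stacked label is written A//&B//&C; each '//&' separates one layer."""
    return tuple(label.split("//&"))


def effective_profiles(stack) -> frozenset:
    """Stacking is an intersection: an action must be allowed by every layer.
    'unconfined' allows everything, so it never narrows the result and can be
    dropped; what remains is the set of profiles that really apply."""
    return frozenset(layer for layer in stack if layer != "unconfined")


def parse_aa_status_processes(text: str) -> list:
    """Parse aa-status-style process lines into Confinement records."""
    records = []
    for line in text.splitlines():
        m = PROCESS_LINE.match(line)
        if not m:
            continue  # headings and blank lines are skipped
        stack = split_stack(m.group("label"))
        records.append(Confinement(
            exe=m.group("exe"),
            pid=int(m.group("pid")),
            stack=stack,
            effective=effective_profiles(stack),
        ))
    return records


def describe(record: Confinement) -> str:
    """Human-readable verdict for one process."""
    if not record.confined:
        return f"{record.exe} ({record.pid}): NOT confined by any profile"
    profiles = ", ".join(sorted(record.effective))
    note = ""
    if "unconfined" in record.stack:
        note = " (the 'unconfined' layer adds no further restriction)"
    return f"{record.exe} ({record.pid}): confined by {profiles}{note}"


def unconfined_processes(text: str) -> list:
    """The lines worth worrying about: processes that no profile restricts."""
    return [r for r in parse_aa_status_processes(text) if not r.confined]


if __name__ == "__main__":
    for rec in parse_aa_status_processes(SAMPLE_AA_STATUS):
        print(describe(rec))
```

Run it against `sudo aa-status` output by piping that output into `parse_aa_status_processes`; a label of only "unconfined" is the case that deserves attention, while "firejail-default//&unconfined" still resolves to the firejail-default rules. The check says nothing about how strict firejail-default itself is; that is a matter of reading the profile.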
\o/
Please always remember to mark resolved threads by editing your initial post's subject, so others will know that there's no task left, but maybe a solution to find.
Thanks.
You maybe also want to put a note, stressing that, into the wiki.
\o/
Please always remember to mark resolved threads by editing your initial post's subject, so others will know that there's no task left, but maybe a solution to find.
Thanks. You maybe also want to put a note, stressing that, into the wiki.
This brings an issue I had with the wiki into my short-term memory, which I have solved.
The wiki post for AppArmor only tells you to add the log_group line. It does not tell you to remove a line, but in line 11 IIRC it has "log_group = root", which gets used due to being last. I would like to report that as well.
I just looked at editing the wiki and, to be honest, I would prefer if you did it. If you don't want the blame for an incorrect edit, you can point to this forum post? (My info is not incorrect, but just in case I have done something wrong, which by the way I have not.) The issue is that it looks more like HTML than just text.
I have sent you a DM just in case you already unsubscribed from this post.
Please reply here in case a reply is needed, which in the most likely case it is not, since I do not know how to open my DMs.
Last edited by WaitAndSee (Yesterday 03:52:52)
https://wiki.archlinux.org/title/AppArm … ED_actions should™ be
Change the log_group to audit
and then the example?
https://wiki.archlinux.org/title/Fireja … or_support should™ have the tail
An artifact of this condition is that the inner status of the jailed binary will typically be "&unconfined" and the entire status shows as "firejail-default//&unconfined" what just means that the jailed process has no additional restrictions beyond those applying to firejail globally.
?