Added support for custom AppArmor profiles.

netblue30 · Jul 26, 2022 · 610d743 · 610d743
1 parent 89441e4
commit 610d743
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 2 deletions.
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -337,6 +337,7 @@ extern int arg_writable_run_user; // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
 extern int arg_apparmor; // apparmor
+extern char apparmor_profile[30]; // apparmor profile
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block; // block X11
 extern int arg_x11_xorg; // use X11 security extension

diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -133,6 +133,7 @@ int arg_writable_run_user = 0; // writable /run/user
 int arg_writable_var_log = 0; // writable /var/log
 int arg_appimage = 0; // appimage
 int arg_apparmor = 0; // apparmor
+char apparmor_profile[30]; // apparmor profile
 int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extension
@@ -1286,8 +1287,15 @@ int main(int argc, char **argv, char **envp) {
  // filtering
  //*************************************
 #ifdef HAVE_APPARMOR
- else if (strcmp(argv[i], "--apparmor") == 0)
+ else if (strcmp(argv[i], "--apparmor") == 0) {
  arg_apparmor = 1;
+ strncpy(apparmor_profile,"firejail-default",29);
+ }
+ else if (strncmp(argv[i], "--apparmor=",11) == 0) {
+ arg_apparmor = 1;
+ strncpy(apparmor_profile,argv[i]+11,29);
+ apparmor_profile[30]='\0';
+ }
 #endif
  else if (strncmp(argv[i], "--protocol=", 11) == 0) {
  if (checkcfg(CFG_SECCOMP)) {

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
@@ -938,6 +938,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  if (strcmp(ptr, "apparmor") == 0) {
 #ifdef HAVE_APPARMOR
  arg_apparmor = 1;
+ strncpy(apparmor_profile,"firejail-default",29);
+#endif
+ return 0;
+ }
+
+ if (strncmp(ptr, "apparmor ",9) == 0) {
+#ifdef HAVE_APPARMOR
+ arg_apparmor = 1;
+ strcpy(apparmor_profile,ptr+9,29);
+ apparmor_profile[30]='\0';
 #endif
  return 0;
  }

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
@@ -131,7 +131,7 @@ static void set_caps(void) {
 static void set_apparmor(void) {
  EUID_ASSERT();
  if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
- if (aa_change_onexec("firejail-default")) {
+ if (aa_stack_onexec(apparmor_profile)) {
  fwarning("Cannot confine the application using AppArmor.\n"
  "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
  "As root, run \"aa-enforce firejail-default\" to load it.\n");

diff --git a/src/firejail/usage.c b/src/firejail/usage.c
@@ -32,6 +32,7 @@ static char *usage_str =
  " --allusers - all user home directories are visible inside the sandbox.\n"
  " --apparmor - enable AppArmor confinement.\n"
  " --apparmor.print=name|pid - print apparmor status.\n"
+ " --apparmor=profile - enable AppArmor confinement with a certain profile.\n"
  " --appimage - sandbox an AppImage application.\n"
 #ifdef HAVE_NETWORK
  " --bandwidth=name|pid - set bandwidth limits.\n"

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
@@ -479,6 +479,9 @@ Allow tools such as strace and gdb inside the sandbox by whitelisting system cal
 .TP
 \fBapparmor
 Enable AppArmor confinement.
+.TP
+\fBapparmor profile
+Enable AppArmor confinement with a custom profile.
 #endif
 .TP
 \fBcaps

diff --git a/src/man/firejail.txt b/src/man/firejail.txt
@@ -124,6 +124,9 @@ $ firejail --allusers
 \fB\-\-apparmor
 Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
 .TP
+\fB\-\-apparmor=profile
+Enable AppArmor confinement with a custom profile. For more information, please see \fBAPPARMOR\fR section below.
+.TP
 \fB\-\-apparmor.print=name|pid
 Print the AppArmor confinement status for the sandbox identified by name or by PID.
 .br