diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 36e3405b0e7..47eb8638ed2 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -33,6 +33,8 @@ include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 apparmor
+# Fixme!
+apparmor-replace
 caps.drop all
 # machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
 #machine-id
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 65907e8ee5a..65f93d9d108 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -339,6 +339,7 @@ extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage; // appimage
 extern int arg_apparmor; // apparmor
 extern char *apparmor_profile; // apparmor profile
+extern bool apparmor_replace; // whether apparmor should replace the profile (legacy behavior)
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block; // block X11
 extern int arg_x11_xorg; // use X11 security extension
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1eda26f99d4..54479dc0c25 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -134,6 +134,7 @@ int arg_writable_var_log = 0; // writable /var/log
 int arg_appimage = 0; // appimage
 int arg_apparmor = 0; // apparmor
 char *apparmor_profile = NULL; // apparmor profile
+bool apparmor_replace = false; // apparmor profile
 int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extension
@@ -1383,6 +1384,10 @@ int main(int argc, char **argv, char **envp) {
 arg_apparmor = 1;
 apparmor_profile = argv[i] + 11;
 }
+ else if (strncmp(argv[i], "--apparmor-replace", 18) == 0) {
+ arg_apparmor = 1;
+ apparmor_replace = true;
+ }
 #endif
 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 if (checkcfg(CFG_SECCOMP)) {
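Review bot: The `# Fixme!` above `apparmor-replace` says nothing about what breaks under stacking or what has to be true before the line can be removed, and this is the line that puts Firefox back on the weaker replace behaviour. Replace it with a comment that names the symptom and the tracking reference, along the lines of `# apparmor-replace: profile stacking breaks Firefox (describe symptom, link issue); drop once fixed`. Since the parser added in this commit lets the last keyword win, a `.local` read after this profile could restore stacking with `apparmor-stack`, which is worth saying here too if that load order holds.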
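Review bot: `extern bool apparmor_replace;` is the only `bool` in a column of `int` flags, and main.c and profile.c in this commit assign it with `true`/`false`; whether firejail.h or something it includes already pulls in `<stdbool.h>` is not visible here. Either confirm that include is present or follow the neighbouring convention and declare it as an `int` like `arg_apparmor`. The comment text on this line is the accurate one; the definition in main.c should carry the same wording.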
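Review bot: The comment on `bool apparmor_replace = false; // apparmor profile` is copied from the `apparmor_profile` line above and describes a different variable. The declaration in firejail.h in this same commit already has the right wording; reuse it: `bool apparmor_replace = false; // replace the AppArmor profile instead of stacking it (legacy behavior)`.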
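Review bot: `strncmp(argv[i], "--apparmor-replace", 18)` is a prefix test, so `--apparmor-replacement` or `--apparmor-replace=anything` is silently accepted as the flag; the option takes no value, so an exact match is what is wanted: `else if (strcmp(argv[i], "--apparmor-replace") == 0) {`. The new branch also has no `--apparmor-stack` counterpart even though profile.c in this commit accepts both keywords, so a profile line `apparmor-replace` has no command-line override back to stacking unless profile parsing order already covers that, which is not visible here. The body of `main` continues outside the hunk.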
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 24964d40d1e..15e83328802 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -956,6 +956,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
+ if (strcmp(ptr, "apparmor-replace") == 0) {
+#ifdef HAVE_APPARMOR
+ arg_apparmor = 1;
+ apparmor_replace = true;
+#endif
+ return 0;
+ }
+
+ if (strcmp(ptr, "apparmor-stack") == 0) {
+#ifdef HAVE_APPARMOR
+ arg_apparmor = 1;
+ apparmor_replace = false;
+#endif
+ return 0;
+ }
+
 if (strncmp(ptr, "protocol ", 9) == 0) {
 if (checkcfg(CFG_SECCOMP)) {
 const char *add = ptr + 9;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9299268a378..3295362e127 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -130,7 +130,14 @@ static void set_caps(void) {
 static void set_apparmor(void) {
 EUID_ASSERT();
 if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
- if (aa_stack_onexec(apparmor_profile)) {
+ int res = 0;
+ if(apparmor_replace){
+ fwarning("Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.\n");
+ res = aa_change_onexec(apparmor_profile);
+ } else {
+ res = aa_stack_onexec(apparmor_profile);
+ }
+ if (res) {
 fwarning("Cannot confine the application using AppArmor.\n"
 "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
 "As root, run \"aa-enforce firejail-default\" to load it.\n");
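Review bot: Both new branches assign `apparmor_replace` unconditionally, so the last `apparmor-replace` or `apparmor-stack` line parsed wins; that is what allows a later profile or `.local` file to flip the choice, and it deserves a comment so the next reader does not "fix" it, e.g. `// last apparmor-replace/apparmor-stack line wins, so a later profile or .local can override`. When built without `HAVE_APPARMOR` both keywords are accepted silently and `return 0`; if the existing `apparmor` keyword, whose tail appears just above this hunk, does the same that is consistent, but if it warns these two should warn as well. `profile_check_line` starts and ends outside the hunk.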
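Review bot: `if(apparmor_replace){` does not match the `if (...) {` spacing on the surrounding lines, and the legacy warning it prints is a paragraph that never says which profile is being swapped in. A shorter message that states the effect is more useful to whoever reads the log, e.g. `fwarning("AppArmor: replacing the current profile instead of stacking on it (legacy apparmor-replace; confinement may be weaker)\n");`, with the profile name substituted via `%s` if `fwarning` is printf-like, which is not visible here. `int res = 0;` is assigned on both branches, so the initializer is dead but harmless. On a non-zero `res` both paths fall into the existing "Cannot confine" warning, and `set_apparmor` continues past the end of the hunk.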