netblue30 · netblue30 · Jan 4, 2023 · Nov 15, 2022
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
@@ -33,6 +33,8 @@ include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
+# Fixme!
+apparmor-replace
 caps.drop all
 # machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
 #machine-id

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -339,6 +339,7 @@ extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage;	// appimage
 extern int arg_apparmor;	// apparmor
 extern char *apparmor_profile;	// apparmor profile
+extern bool apparmor_replace; // whether apparmor should replace the profile (legacy behavior)
 extern int arg_allow_debuggers;	// allow debuggers
 extern int arg_x11_block;	// block X11
 extern int arg_x11_xorg;	// use X11 security extension

diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -134,6 +134,7 @@ int arg_writable_var_log = 0;		// writable /var/log
 int arg_appimage = 0;				// appimage
 int arg_apparmor = 0;				// apparmor
 char *apparmor_profile = NULL;	// apparmor profile
+bool apparmor_replace = false;	// apparmor profile
 int arg_allow_debuggers = 0;			// allow debuggers
 int arg_x11_block = 0;				// block X11
 int arg_x11_xorg = 0;				// use X11 security extension
@@ -1383,6 +1384,10 @@ int main(int argc, char **argv, char **envp) {
 			arg_apparmor = 1;
 			apparmor_profile = argv[i] + 11;
 		}
+		else if (strncmp(argv[i], "--apparmor-replace", 18) == 0) {
+			arg_apparmor = 1;
+			apparmor_replace = true;
+		}
 #endif
 		else if (strncmp(argv[i], "--protocol=", 11) == 0) {
 			if (checkcfg(CFG_SECCOMP)) {

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
@@ -956,6 +956,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 
+	if (strcmp(ptr, "apparmor-replace") == 0) {
+#ifdef HAVE_APPARMOR
+		arg_apparmor = 1;
+		apparmor_replace = true;
+#endif
+		return 0;
+	}
+
+	if (strcmp(ptr, "apparmor-stack") == 0) {
+#ifdef HAVE_APPARMOR
+		arg_apparmor = 1;
+		apparmor_replace = false;
+#endif
+		return 0;
+	}
+
 	if (strncmp(ptr, "protocol ", 9) == 0) {
 		if (checkcfg(CFG_SECCOMP)) {
 			const char *add = ptr + 9;

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
@@ -130,7 +130,14 @@ static void set_caps(void) {
 static void set_apparmor(void) {
 	EUID_ASSERT();
 	if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-		if (aa_stack_onexec(apparmor_profile)) {
+		int res = 0;
+		if(apparmor_replace){
+			fwarning("Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.\n");
+			res = aa_change_onexec(apparmor_profile);
+		} else {
+			res = aa_stack_onexec(apparmor_profile);
+		}
+		if (res) {
 			fwarning("Cannot confine the application using AppArmor.\n"
 				"Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
 				"As root, run \"aa-enforce firejail-default\" to load it.\n");