Replies: 1 comment
-
Yes. While the apparmor.d project primarily confines all root processes, user services and desktop environments, it confines only a few core applications. It is suggested to sandbox other applications with, e.g., Firejail, which comes with many profiles for them while it doesn't sandbox root processes, user services and DEs, so there is no overlap in most cases. However, there are sometimes problems with core applications which have both an apparmor.d profile and a Firejail profile when it comes to profile transitions when launching "helper applications". E.g., if you're using Thunderbird as your mail application and you want to open attached PDF files with your preferred PDF reader or attached documents with LibreOffice, you will probably run into trouble. You have to test it yourself, but you might want to exclude specific core applications from being sandboxed by
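As an added example (not code from apparmor.d, Firejail, or either participant in this thread), the script below makes the situation described in the reply visible: it reads each process's AppArmor label from `/proc/<pid>/attr/apparmor/current` (falling back to `/proc/<pid>/attr/current` on older kernels) and reports whether the process runs unconfined, under an application-specific profile, or under Firejail's generic `firejail-default` profile. It assumes a Linux host with AppArmor enabled and the `profile (mode)` label format that `ps -Z` and `aa-status` also show; on a host without AppArmor every process simply reports as unconfined.

```python
"""List running processes with their AppArmor confinement layer.

Added example, not part of the apparmor.d project. Helps verify which
profile a launched application actually ended up under (its own
apparmor.d profile or Firejail's firejail-default) after a transition.
"""
import os
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Label Firejail applies to sandboxed processes when its AppArmor
# integration is active (name taken from the discussion above).
FIREJAIL_PROFILE = "firejail-default"

# Newer kernels expose the AppArmor label under attr/apparmor/, older
# ones only under attr/; both are tried in this order.
ATTR_FILES = ("attr/apparmor/current", "attr/current")


def parse_label(raw: str) -> Tuple[str, Optional[str]]:
    """Split a raw label such as 'firefox (enforce)' into (name, mode).

    'unconfined', an empty value and a missing value all map to
    ('unconfined', None).
    """
    raw = raw.strip("\0\n ")
    if not raw or raw == "unconfined":
        return ("unconfined", None)
    if raw.endswith(")") and " (" in raw:
        name, mode = raw.rsplit(" (", 1)
        return (name, mode[:-1])
    return (raw, None)


def classify(name: str) -> str:
    """Map a profile name to the confinement layer it belongs to."""
    if name == "unconfined":
        return "unconfined"
    if name == FIREJAIL_PROFILE:
        return "firejail"
    return "apparmor"


def read_label(pid: int) -> Tuple[str, Optional[str]]:
    """Read and parse the AppArmor label of one process."""
    for rel in ATTR_FILES:
        try:
            return parse_label(Path(f"/proc/{pid}/{rel}").read_text())
        except OSError:
            # Attribute file absent (no AppArmor, old kernel) or the
            # process exited between listing and reading; try the next.
            continue
    return ("unconfined", None)


def scan_processes() -> List[Dict]:
    """Return one record per live process: pid, comm, profile, mode, layer."""
    rows = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            comm = Path(f"/proc/{pid}/comm").read_text().strip()
        except OSError:
            continue  # process vanished
        name, mode = read_label(pid)
        rows.append({"pid": pid, "comm": comm, "profile": name,
                     "mode": mode, "layer": classify(name)})
    return rows


def summarize(rows: List[Dict]) -> Dict[str, int]:
    """Count processes per confinement layer."""
    counts = {"unconfined": 0, "apparmor": 0, "firejail": 0}
    for r in rows:
        counts[r["layer"]] += 1
    return counts


if __name__ == "__main__":
    rows = scan_processes()
    for r in sorted(rows, key=lambda r: r["pid"]):
        mode = f" ({r['mode']})" if r["mode"] else ""
        print(f"{r['pid']:>7}  {r['layer']:<10}  {r['comm']:<16}  {r['profile']}{mode}")
    print("summary:", summarize(rows))
```

Run it after opening a helper application from Thunderbird (or any other core application) to see whether the child landed under its own apparmor.d profile or under `firejail-default`; that is the observation the question raises, and this is the quickest way to confirm it per process.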
-
Hi, thanks for this lovely resource. I am new to Linux hardening and tinkering on my personal laptop. I have properly configured and set up these profiles and all is working properly. Now I am wondering if it is worth it to add formal sandboxing on top of AppArmor MAC. I know firejail and apparmor have some limited interaction, but I noticed that using firejail means that the firejail-default profile is used instead of apparmor profile. I'm not sure this is desirable behavior. Is there not a way to enforce them both? Would that be foolish or redundant?
Thanks in advance for your help!