AppArmor and SELinux support disabled in 0.9.64.4 deb?

[tredondo]

I'm a semi-technical user running Ubuntu 20 LTS. If I install firejail from the package manager, I get v0.9.62, which comes with AppArmor support is enabled (I guess that's expected with AppArmor being on by default since Ubuntu 7) and doesn't list SELinux at all. If I install the the amd64 .deb, firejail --version shows AppArmor support is disabled and SELinux support is disabled.

$ firejail --version
firejail version 0.9.64.4

Compile time support:
        - AppArmor support is disabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

$ aa-status 
apparmor module is loaded.

How do I enable those? Or do I want only one of them? How do I choose which? That Wikipedia comparison is going over my head and the new firejail docs only mention SELinux in passing.

Do I need to use from git? The reasons on that page don't include enabling AppArmor (omission?).

[rusty-snake]

How do I enable those?

The output of --version shows which features are enabled/disabled at compile time, it does not shows whether they are enabled/disabled at runtime. This means you need to compile firejail from source with e.g. ./configure --enable-apparmor.
https://github.com/netblue30/firejail/wiki/Using-firejail-from-git#debianubuntu

Or do I want only one of them?

It is possible to have a kernel with AA ans SE support? IDK but since nobody does it, it's either not possible or pointless.

How do I choose which?

By choosing your distro. If you want a SELinux system with Ubuntu for example you need to compile your kernel, systemd, coreutils, … with SELinux enabled.

Debian/Ubuntu/Mint: AppArmor
Fedora/RHEL: SELinux
OpenSUSE: AppArmor
Arch Linux and Gentoo: Both (IIRC both have no default so AA and SE require the same work to enable)

Do I need to use from git?

No, you can also compile the source-code from 0.9.64.4 (see above).

[reinerh]

It is possible to have a kernel with AA ans SE support?

Yes, but you decide via kernel boot parameter which one you want to have active.

It's btw also possible to compile with support for both AppArmor and SELinux. The packages in Debian are built this way, as users can decide which one they want to use (though AppArmor is default).

[topimiettinen]

Firejail can indeed be compiled to support multiple MACs and so can the kernel. Enabling multiple MACs in the kernel however doesn't work always, currently AppArmor and SELinux can't really be enabled at the same time (kernel command line lsm=apparmor,selinux). There are patches to do that, so maybe in the near future this will be possible. With new kernels it's already possible to enable for example TOMOYO and SELinux at the same time and this works perfectly.

At least on Debian, there's certainly no need to recompile systemd etc. for SELinux, there's just some work to do to label the file systems, tweak the policies etc. There are only a few (maybe also obsolete) Apparmor profiles supplied, the SELinux policies don't work so well without tweaking and Smack tools aren't packaged.

Enabling multiple MACs means that each LSM gets to forbid the actions at LSM interface in the kernel. This is useful because capabilities and application profiles of the MAC systems can complement each other. For example, it's a bit hard to tighten SELinux profiles because it's only possible to add new allow rules, not delete them (there's no `deny'). TOMOYO can start enforcing very early as the first step of initrd, then SELinux later when the root file system is mounted and AppArmor seems to be enabled much much later at boot. I've found quickest to generate the rules for TOMOYO from scratch, even if there are no default rules. There's quite steep learning curve for SELinux but it seems to be the most powerful. Network support (application level firewalling) seems to be a weak point for most MACs.

Firejail does not need to care about TOMOYO (because how it works), there's good AppArmor support and experimental SELinux support.

I haven't tried Smack yet. IMA and Integrity LSMs also seem somewhat interesting. Enabling Yama is trivial.

[tredondo]

I've followed the Debian With AppArmor instructions but /usr/bin/firejail --version still shows AppArmor support is disabled:

firejail version 0.9.66

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is disabled
        - AppImage support is enabled
        - ...

./configure --enable-apparmor --prefix=/usr output:

checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for a BSD-compatible install... /usr/bin/install -c
checking for ranlib... ranlib
checking whether C compiler accepts -mindirect-branch=thunk... no
checking whether C compiler accepts -mretpoline... no
checking whether C compiler accepts -fstack-clash-protection... yes
checking whether C compiler accepts -fstack-protector-strong... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for AA... yes
checking for gawk... yes
checking for main in -lpthread... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking pthread.h usability... yes
checking pthread.h presence... yes
checking for pthread.h... yes
checking linux/seccomp.h usability... yes
checking linux/seccomp.h presence... yes
checking for linux/seccomp.h... yes
configure: creating ./config.status
config.status: creating mkdeb.sh
config.status: creating Makefile
config.status: creating src/common.mk
config.status: creating src/lib/Makefile
config.status: creating src/fcopy/Makefile
config.status: creating src/fnet/Makefile
config.status: creating src/firejail/Makefile
config.status: creating src/fnetfilter/Makefile
config.status: creating src/firemon/Makefile
config.status: creating src/libtrace/Makefile
config.status: creating src/libtracelog/Makefile
config.status: creating src/firecfg/Makefile
config.status: creating src/fbuilder/Makefile
config.status: creating src/fsec-print/Makefile
config.status: creating src/ftee/Makefile
config.status: creating src/fseccomp/Makefile
config.status: creating src/fldd/Makefile
config.status: creating src/libpostexecseccomp/Makefile
config.status: creating src/fsec-optimize/Makefile
config.status: creating src/profstats/Makefile
config.status: creating src/man/Makefile
config.status: creating src/zsh_completion/Makefile
config.status: creating src/bash_completion/Makefile
config.status: creating test/Makefile
config.status: creating src/jailcheck/Makefile

Configuration options:
   prefix: /usr
   sysconfdir: /etc
   apparmor: -DHAVE_APPARMOR
   SELinux labeling support: 
   global config: -DHAVE_GLOBALCFG
   chroot: -DHAVE_CHROOT
   network: -DHAVE_NETWORK
   user namespace: -DHAVE_USERNS
   X11 sandboxing support: -DHAVE_X11
   whitelisting: -DHAVE_WHITELIST
   private home support: -DHAVE_PRIVATE_HOME
   file transfer support: -DHAVE_FILE_TRANSFER
   overlayfs support: 
   DBUS proxy support: -DHAVE_DBUSPROXY
   allow tmpfs as regular user: -DHAVE_USERTMPFS
   enable --ouput logging: -DHAVE_OUTPUT
   Manpage support: -DHAVE_MAN
   firetunnel support: -DHAVE_FIRETUNNEL
   busybox workaround: no
   Spectre compiler patch: yes
   EXTRA_LDFLAGS:  -lapparmor
   EXTRA_CFLAGS:  -fstack-clash-protection -fstack-protector-strong 
   fatal warnings: 
   Gcov instrumentation: 
   Install contrib scripts: yes
   Install as a SUID executable: yes
   LTS: 
   Always enforce filters: 

After cloning the repo, I checked out the 0.9.66 tag.

If I don't do that and run the same commands, I do get AppArmor support is enabled.

[reinerh]

checking for AA... yes

apparmor: -DHAVE_APPARMOR

When this is defined, the code will definitely print enabled. Are you sure you also ran make install?
Can you please show a complete log of what you were doing?

[tredondo]

Thanks @rusty-snake, I've compiled with AppArmor from git, since the tarball resulted in that error that you saw, #4059.

So the actionable items might be,

• briefly document somewhere (man firejail I guess) the differences between AppArmor and SELinux (esp. how to choose)
• add to the reasons on the https://github.com/netblue30/firejail/wiki/Using-firejail-from-git page, "enabling AppArmor or SELinux support"

[tredondo]

I've edited the using from git wiki to link here.