Hi.

On Fri, Jul 13, 2018 at 07:10:51PM +0300, Ge wrote:
> Hello
> I'm trying to make my own profiles for apparmor.
>
> I made a profile for firefox-esr but for some reason I can't get apparmor
> to confine it. I run aa-enforce firefox-esr but nothing changes.

First, you're supposed to restart the confined process, as an Apparmor
profile applies on process start only.

Second, Apparmor applies to full pathnames only, and aa-enforce is dumb
enough to pick /usr/bin/firefox-esr instead of the real firefox binary
(which should be /usr/lib/firefox-esr/firefox-esr).

> Any ideas?
> Thanks in advance for your help.

Third, I see a discrepancy here:

> $sudo aa-status
> apparmor module is loaded.
> 21 profiles are loaded.
> 21 profiles are in enforce mode.
>    /etc/apparmor.d/usr.lib.firefox-esr.firefox-esr
>    ...
>    /usr/bin/firefox
>    ...
> 3 processes are in enforce mode.
>    /usr/bin/freshclam (689)
>    /usr/lib/firefox-esr/plugin-container (1843)
>    ...
> 1 processes are unconfined but have a profile defined.
>    /usr/lib/firefox-esr/firefox-esr (1798)

Which binary does your custom profile apply to? Can you share it?

Reco
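The two checks Reco describes, written up as an added shell example that is not part of the thread: it compares a profile's attachment path with the binary's real (symlink-resolved) path, and it picks out of aa-status output the processes that are "unconfined but have a profile defined", i.e. those that must be restarted. The sample aa-status text and the file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). AppArmor attaches a profile to the
# executable's full pathname as the kernel sees it after symlink resolution,
# and a loaded profile only takes effect for processes started afterwards.
set -eu

# Print the attachment path from a profile file: the first non-comment line
# containing "{", in either "/path {" or "profile name /path {" form.
# A named profile without an attachment ("profile name {") prints nothing.
attachment_path() {
    awk '/^[[:space:]]*#/ { next }
         index($0, "{") > 0 {
             p = ($1 == "profile") ? $3 : $1
             if (p != "{") print p
             exit
         }' "$1"
}

# Exit 0 when the profile would confine the given binary, i.e. when the
# profile's attachment path equals the binary's fully resolved path.
would_confine() {
    binary=$1; profile=$2
    real=$(readlink -f "$binary")
    attach=$(attachment_path "$profile")
    [ -n "$attach" ] && [ "$attach" = "$real" ]
}

# Read aa-status output on stdin and print the PIDs listed under
# "unconfined but have a profile defined": running processes that were
# started before their profile was loaded and need a restart.
needs_restart() {
    awk '/unconfined but have a profile defined/ { grab = 1; next }
         grab && /^[0-9]+ process/ { grab = 0 }
         grab && /\([0-9]+\)/ { sub(/.*\(/, ""); sub(/\).*/, ""); print }'
}

# Constructed aa-status excerpt, modelled on the one quoted in the thread.
SAMPLE_STATUS='apparmor module is loaded.
3 processes are in enforce mode.
   /usr/bin/freshclam (689)
   /usr/lib/firefox-esr/plugin-container (1843)
1 processes are unconfined but have a profile defined.
   /usr/lib/firefox-esr/firefox-esr (1798)
0 processes are in complain mode.'

# Usage: sh check.sh <binary> <profile-file>
if [ $# -eq 2 ]; then
    if would_confine "$1" "$2"; then
        echo "profile attaches to $(readlink -f "$1")"
    else
        echo "attachment '$(attachment_path "$2")' != $(readlink -f "$1")"
    fi
    printf '%s\n' "$SAMPLE_STATUS" | needs_restart
fi
```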