
I'd like to understand how Apparmor and Firejail compare to each other: advantages, pros and cons, purposes, similarities, etc.

I might be asking to compare apples with oranges, however I've noticed several similarities. Firejail has "profiles", and they contain a list of rules that allow you to define what files an application can use. Apparmor lets you do the same, more or less. However Firejail also lets you define "capabilities", and apparently it tries to isolate the process even if it ever gains root privileges (like it is in a container?). Anyway, I can spot some similarities but I don't know either of them well enough to understand all their features and purposes.

reed

1 Answer


AppArmor could be closer compared to SELinux than FireJail, but here are the differences.

The most important (IMO) is the level at which they run. FireJail runs as a program in userspace while AppArmor runs at the kernel level.

FireJail takes advantage of Linux namespaces to provide isolation on a user, mount, network, and process level. This isolation provides the application its own sandbox to do whatever it wants in while preventing those changes from affecting the rest of the system. You can think of this being similar to a container like you said. Containers also use namespaces for isolation.

By contrast, AppArmor doesn't provide sandboxing, rather it limits what parts of the system the application can access. You're specifying specific resources an app cannot use. These resources are not isolated though, so two apps running with AppArmor with access to the same resource could interact.

Daisetsu
  • In what situations would you use one over the other? Obviously if you need access to shared resources, you'll need to use AppArmor, but what other considerations are there? – Kevin Wheeler Jul 21 '22 at 20:14
  • Are there any typical examples of things that would and wouldn't require access to shared resources, what typical shared resources even are, and things that would be better suited towards either FireJail or AppArmor. – Kevin Wheeler Jul 21 '22 at 20:33
  • Can someone elaborate on what it means to provide isolation on a user, mount, network, and process level? Like what kinds of things could unjailed programs access before that they now can't access? – Kevin Wheeler Jul 21 '22 at 21:39
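The namespace isolation the answer describes, and the follow-up question about what a jailed program stops seeing, can be made concrete with a small probe. The script below is an added example; it is not code from the question, the answer, or the Firejail or AppArmor projects. It assumes a Linux procfs/sysfs layout and, for each of the four namespace kinds named in the answer (user, mount, network, PID), enumerates what the running process can observe. Run it once normally and once under Firejail (`firejail --net=none --private python3 ns_probe.py` is an assumed invocation), save both JSON outputs, and pass them to `compare()`; the `SAMPLE_OUTSIDE` and `SAMPLE_INSIDE` dicts are constructed reports that demonstrate the comparison offline. An AppArmor profile that merely denies file paths would leave every namespace identity in this report unchanged, which is the distinction the answer draws.

```python
"""Probe what a process can see through the user, mount, network and PID
namespaces. Added example; assumes Linux procfs and sysfs paths."""
import json
import os
import sys

PROC = "/proc"
NS_KINDS = ("user", "mnt", "net", "pid")


def visible_pids():
    """PIDs listed in /proc. Inside a PID namespace only the jailed tree appears."""
    try:
        return sorted(int(p) for p in os.listdir(PROC) if p.isdigit())
    except OSError:
        return []


def network_interfaces():
    """Interfaces this process can see; a fresh network namespace shows only 'lo'."""
    try:
        return sorted(os.listdir("/sys/class/net"))
    except OSError:
        return []


def mount_count():
    """Number of mounts in this process's mount namespace."""
    try:
        with open(f"{PROC}/self/mountinfo") as f:
            return sum(1 for _ in f)
    except OSError:
        return 0


def uid_map():
    """User-namespace mapping as (inside_uid, outside_uid, count) tuples."""
    try:
        with open(f"{PROC}/self/uid_map") as f:
            return [tuple(int(x) for x in line.split()) for line in f if line.strip()]
    except OSError:
        return []


def namespace_ids():
    """Identity of each namespace, e.g. 'pid:[4026531836]'; changes once unshared."""
    ids = {}
    for name in NS_KINDS:
        try:
            ids[name] = os.readlink(f"{PROC}/self/ns/{name}")
        except OSError:
            ids[name] = None
    return ids


def probe():
    """Collect one report of everything the current process can enumerate."""
    pids = visible_pids()
    return {
        "own_pid": os.getpid(),
        "uid": os.getuid(),
        "uid_map": uid_map(),
        "visible_pids": pids,
        "can_see_pid_1": 1 in pids,
        "interfaces": network_interfaces(),
        "mounts": mount_count(),
        "namespaces": namespace_ids(),
    }


def compare(outside, inside):
    """Describe, per namespace whose identity changed, what the sandboxed run lost."""
    out = {}
    o_ns, i_ns = outside["namespaces"], inside["namespaces"]
    if o_ns["pid"] != i_ns["pid"]:
        out["pid"] = "sees %d of %d processes" % (
            len(inside["visible_pids"]), len(outside["visible_pids"]))
    if o_ns["net"] != i_ns["net"]:
        lost = sorted(set(outside["interfaces"]) - set(inside["interfaces"]))
        out["net"] = "interfaces hidden: " + ", ".join(lost)
    if o_ns["mnt"] != i_ns["mnt"]:
        out["mnt"] = "mounts %d -> %d" % (outside["mounts"], inside["mounts"])
    if o_ns["user"] != i_ns["user"]:
        out["user"] = "uid_map %s -> %s" % (outside["uid_map"], inside["uid_map"])
    return out


# Constructed sample reports (not captured from a real machine): the "inside"
# report has new mount, network and PID namespaces but keeps the user namespace.
SAMPLE_OUTSIDE = {
    "namespaces": {"user": "user:[1]", "mnt": "mnt:[2]", "net": "net:[3]", "pid": "pid:[4]"},
    "visible_pids": list(range(1, 201)), "interfaces": ["eth0", "lo"],
    "mounts": 40, "uid_map": [(0, 0, 4294967295)],
}
SAMPLE_INSIDE = {
    "namespaces": {"user": "user:[1]", "mnt": "mnt:[9]", "net": "net:[8]", "pid": "pid:[7]"},
    "visible_pids": [1, 2, 3], "interfaces": ["lo"],
    "mounts": 12, "uid_map": [(0, 0, 4294967295)],
}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # ns_probe.py outside.json inside.json
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            print(json.dumps(compare(json.load(a), json.load(b)), indent=2))
    else:  # no arguments: emit this process's own report as JSON
        print(json.dumps(probe(), indent=2))
```

Each function degrades to an empty result rather than crashing when a path is missing, so the same script can be run inside a heavily restricted sandbox where parts of `/proc` or `/sys` are not mounted.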