bsdnerds.org

AppArmor vs Firejail

What is AppArmor?

AppArmor resembles quite well the SELinux that comes as default in Fedora and Red Hat.

Even though they function distinctly, both AppArmor and SELinux offer mandatory access control or MAC security.

Besides, AppArmor permits Ubuntu developers to create restrictions to actions in relation to processes.

The restrictions in AppArmor are based on profiles, usually in the form of pre-installed protocols on the system.

Still, an admin is allowed to set up additional profiles via the apparmor profiles package. Some packages might feature their individual AppArmor profiles, while other allow the admin to set up additional AppArmor profiles to restrict software.

What is Firejail?

Firejail represents a SUID program meant to lower the risk of security breaches by restricting the running capabilities of an application via Linux namespaces in relation to seccomp-bpf.

Firejail reveals tool built directly into Linux kernel with the purpose of permitting access to processes with the aid of a private view of a globally shared Kernel resource.

These include network stacks, process tables or mount tables.

Indeed, Firejail can be used concomitant with AppArmor, but it is essential to point out that specific features of AppArmor are only accessible via Ubuntu distributions.

AppArmor vs. Firejail

Mostly, you can use AppArmor or Firejail, as it is not recommended to use both at the same time even though it is possible.

Firejail makes use of private mount namespaces to create identical access control, while the capability restrictions for it are similar to AppArmor.

Firejail can create a system call filtering via seccomp and restrict networking. AppArmor can restrict mapping of files o memory, a functionality that is not offered with Firejail.

Besides, executing SUID programs increases a user’s privileges temporarily. This can be accessed in Firejail for creating setup mounts, which in other cases are not permitted.

Another distinction between AppArmor and Firejail is the fact that AppArmor is mandatory when enabled, while Firejail can be overlooked without problems.

Overall Firejail can be viewed as a simplified version of either AppArmor or SELinux.

But for the best functionalities and security measures, it is always best to opt for Linux-friendly applications.

AppArmor can offer more in terms of features and functionality.

Of course, with Firejail you can access other tech such as namespaces that function smoothly with sandbox applications, as an additional security layer.

Some experienced developers recommend using both AppArmor and Firejail, if attainable, as they can offer a very high security measure is configured correctly.