7 files changed, 438 insertions, 229 deletions
diff --git a/Makefile.in b/Makefile.in
index e47e109d3..4d7526826 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -85,6 +85,8 @@ realinstall:
        done
        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
        rm -fr .etc
+        # install apparmor profile
+        sh -c "if [ -d /etc/apparmor.d ]; then install -c -m 0644 etc/firejail-default /etc/apparmor.d/firejail-default; fi;"
        # man pages
        install -m 0755 -d $(DESTDIR)/$(mandir)/man1
        install -m 0755 -d $(DESTDIR)/$(mandir)/man5
diff --git a/configure b/configure
index 050b4df9c..0f6f8f7fb 100755
--- a/configure
+++ b/configure
@@ -625,9 +625,6 @@ ac_includes_default="\
 ac_subst_vars='LTLIBOBJS
 LIBOBJS
 HAVE_SECCOMP_H
-EGREP
-GREP
-CPP
 HAVE_FATAL_WARNINGS
 HAVE_WHITELIST
 HAVE_FILE_TRANSFER
@@ -638,6 +635,11 @@ HAVE_GLOBALCFG
 HAVE_BIND
 HAVE_CHROOT
 HAVE_SECCOMP
+EXTRA_LDFLAGS
+EGREP
+GREP
+CPP
+HAVE_APPARMOR
 RANLIB
 INSTALL_DATA
 INSTALL_SCRIPT
@@ -690,6 +692,7 @@ SHELL'
 ac_subst_files=''
 ac_user_opts='
 enable_option_checking
+enable_apparmor
 enable_seccomp
 enable_chroot
 enable_bind
@@ -1319,6 +1322,7 @@ Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --enable-apparmor       enable apparmor
  --disable-seccomp       disable seccomp
  --disable-chroot        disable chroot
  --disable-bind          disable bind
@@ -1462,52 +1466,6 @@ fi
 } # ac_fn_c_try_compile
-# ac_fn_c_try_link LINENO
-# -----------------------
-# Try to link conftest.$ac_ext, and return whether this succeeded.
-ac_fn_c_try_link ()
-{
-  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-  rm -f conftest.$ac_objext conftest$ac_exeext
-  if { { ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
-  (eval "$ac_link") 2>conftest.err
-  ac_status=$?
-  if test -s conftest.err; then
-    grep -v '^ *+' conftest.err >conftest.er1
-    cat conftest.er1 >&5
-    mv -f conftest.er1 conftest.err
-  fi
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; } && {
-         test -z "$ac_c_werror_flag" ||
-         test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-         test "$cross_compiling" = yes ||
-         test -x conftest$ac_exeext
-       }; then :
-  ac_retval=0
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-        ac_retval=1
-fi
-  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
-  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
-  # interfere with the next link command; also delete a directory that is
-  # left behind by Apple's compiler.  We do this before executing the actions.
-  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
-  as_fn_set_status $ac_retval
-} # ac_fn_c_try_link
 # ac_fn_c_try_cpp LINENO
 # ----------------------
 # Try to preprocess conftest.$ac_ext, and return whether this succeeded.
@@ -1708,6 +1666,52 @@ $as_echo "$ac_res" >&6; }
  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 } # ac_fn_c_check_header_compile
+# ac_fn_c_try_link LINENO
+# -----------------------
+# Try to link conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_link ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  rm -f conftest.$ac_objext conftest$ac_exeext
+  if { { ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_link") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    grep -v '^ *+' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+    mv -f conftest.er1 conftest.err
+  fi
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest$ac_exeext && {
+         test "$cross_compiling" = yes ||
+         test -x conftest$ac_exeext
+       }; then :
+  ac_retval=0
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+        ac_retval=1
+fi
+  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
+  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
+  # interfere with the next link command; also delete a directory that is
+  # left behind by Apple's compiler.  We do this before executing the actions.
+  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+  as_fn_set_status $ac_retval
+} # ac_fn_c_try_link
 cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
@@ -3069,189 +3073,23 @@ else
 fi
-HAVE_SECCOMP=""
+# Allow to build without apparmor support by calling:
-# Check whether --enable-seccomp was given.
+# ./configure --disable-apparmor
-if test "${enable_seccomp+set}" = set; then :
+# This makes it possible to run snaps in devmode on almost any host,
-  enableval=$enable_seccomp;
+# regardless of the kernel version.
-fi
+HAVE_APPARMOR=""
+# Check whether --enable-apparmor was given.
-if test "x$enable_seccomp" != "xno"; then :
+if test "${enable_apparmor+set}" = set; then :
+  enableval=$enable_apparmor;
-        HAVE_SECCOMP="-DHAVE_SECCOMP"
-fi
-HAVE_CHROOT=""
-# Check whether --enable-chroot was given.
-if test "${enable_chroot+set}" = set; then :
-  enableval=$enable_chroot;
-fi
-if test "x$enable_chroot" != "xno"; then :
-        HAVE_CHROOT="-DHAVE_CHROOT"
-fi
-HAVE_BIND=""
-# Check whether --enable-bind was given.
-if test "${enable_bind+set}" = set; then :
-  enableval=$enable_bind;
-fi
-if test "x$enable_bind" != "xno"; then :
-        HAVE_BIND="-DHAVE_BIND"
-fi
-HAVE_GLOBALCFG=""
-# Check whether --enable-globalcfg was given.
-if test "${enable_globalcfg+set}" = set; then :
-  enableval=$enable_globalcfg;
-fi
-if test "x$enable_globalcfg" != "xno"; then :
-        HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
-fi
-HAVE_NETWORK=""
-# Check whether --enable-network was given.
-if test "${enable_network+set}" = set; then :
-  enableval=$enable_network;
-fi
-# Check whether --enable-network was given.
-if test "${enable_network+set}" = set; then :
-  enableval=$enable_network;
-fi
-if test "x$enable_network" != "xno"; then :
-        HAVE_NETWORK="-DHAVE_NETWORK"
-        if test "x$enable_network" = "xrestricted"; then :
-               HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
-fi
-fi
-HAVE_USERNS=""
-# Check whether --enable-userns was given.
-if test "${enable_userns+set}" = set; then :
-  enableval=$enable_userns;
-fi
-if test "x$enable_userns" != "xno"; then :
-        HAVE_USERNS="-DHAVE_USERNS"
-fi
-HAVE_X11=""
-# Check whether --enable-x11 was given.
-if test "${enable_x11+set}" = set; then :
-  enableval=$enable_x11;
-fi
-if test "x$enable_x11" != "xno"; then :
-        HAVE_X11="-DHAVE_X11"
-fi
-HAVE_FILE_TRANSFER=""
-# Check whether --enable-file-transfer was given.
-if test "${enable_file_transfer+set}" = set; then :
-  enableval=$enable_file_transfer;
-fi
-if test "x$enable_file_transfer" != "xno"; then :
-        HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
-fi
-HAVE_WHITELIST=""
-# Check whether --enable-whitelist was given.
-if test "${enable_whitelist+set}" = set; then :
-  enableval=$enable_whitelist;
-fi
-if test "x$enable_whitelist" != "xno"; then :
-        HAVE_WHITELIST="-DHAVE_WHITELIST"
-fi
-HAVE_FATAL_WARNINGS=""
-# Check whether --enable-fatal_warnings was given.
-if test "${enable_fatal_warnings+set}" = set; then :
-  enableval=$enable_fatal_warnings;
-fi
-if test "x$enable_fatal_warnings" = "xyes"; then :
-        HAVE_FATAL_WARNINGS="-W -Wall -Werror"
 fi
+if test "x$enable_apparmor" = "xyes"; then :
-# checking pthread library
+        HAVE_APPARMOR="-DHAVE_APPARMOR"
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
-$as_echo_n "checking for main in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread_main+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-int
-main ()
-{
-return main ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_pthread_main=yes
-else
-  ac_cv_lib_pthread_main=no
 fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5
-$as_echo "$ac_cv_lib_pthread_main" >&6; }
-if test "x$ac_cv_lib_pthread_main" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-  LIBS="-lpthread $LIBS"
-else
-  as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5
-fi
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
@@ -3650,6 +3488,208 @@ fi
 done
+if test "x$enable_apparmor" = "xyes"; then :
+        ac_fn_c_check_header_mongrel "$LINENO" "sys/apparmor.h" "ac_cv_header_sys_apparmor_h" "$ac_includes_default"
+if test "x$ac_cv_header_sys_apparmor_h" = xyes; then :
+else
+  as_fn_error $? "Couldn't find sys/apparmor.h... please install apparmor user space library and development files " "$LINENO" 5
+fi
+fi
+if test "x$enable_apparmor" = "xyes"; then :
+        EXTRA_LDFLAGS="-lapparmor"
+fi
+HAVE_SECCOMP=""
+# Check whether --enable-seccomp was given.
+if test "${enable_seccomp+set}" = set; then :
+  enableval=$enable_seccomp;
+fi
+if test "x$enable_seccomp" != "xno"; then :
+        HAVE_SECCOMP="-DHAVE_SECCOMP"
+fi
+HAVE_CHROOT=""
+# Check whether --enable-chroot was given.
+if test "${enable_chroot+set}" = set; then :
+  enableval=$enable_chroot;
+fi
+if test "x$enable_chroot" != "xno"; then :
+        HAVE_CHROOT="-DHAVE_CHROOT"
+fi
+HAVE_BIND=""
+# Check whether --enable-bind was given.
+if test "${enable_bind+set}" = set; then :
+  enableval=$enable_bind;
+fi
+if test "x$enable_bind" != "xno"; then :
+        HAVE_BIND="-DHAVE_BIND"
+fi
+HAVE_GLOBALCFG=""
+# Check whether --enable-globalcfg was given.
+if test "${enable_globalcfg+set}" = set; then :
+  enableval=$enable_globalcfg;
+fi
+if test "x$enable_globalcfg" != "xno"; then :
+        HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
+fi
+HAVE_NETWORK=""
+# Check whether --enable-network was given.
+if test "${enable_network+set}" = set; then :
+  enableval=$enable_network;
+fi
+# Check whether --enable-network was given.
+if test "${enable_network+set}" = set; then :
+  enableval=$enable_network;
+fi
+if test "x$enable_network" != "xno"; then :
+        HAVE_NETWORK="-DHAVE_NETWORK"
+        if test "x$enable_network" = "xrestricted"; then :
+               HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
+fi
+fi
+HAVE_USERNS=""
+# Check whether --enable-userns was given.
+if test "${enable_userns+set}" = set; then :
+  enableval=$enable_userns;
+fi
+if test "x$enable_userns" != "xno"; then :
+        HAVE_USERNS="-DHAVE_USERNS"
+fi
+HAVE_X11=""
+# Check whether --enable-x11 was given.
+if test "${enable_x11+set}" = set; then :
+  enableval=$enable_x11;
+fi
+if test "x$enable_x11" != "xno"; then :
+        HAVE_X11="-DHAVE_X11"
+fi
+HAVE_FILE_TRANSFER=""
+# Check whether --enable-file-transfer was given.
+if test "${enable_file_transfer+set}" = set; then :
+  enableval=$enable_file_transfer;
+fi
+if test "x$enable_file_transfer" != "xno"; then :
+        HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
+fi
+HAVE_WHITELIST=""
+# Check whether --enable-whitelist was given.
+if test "${enable_whitelist+set}" = set; then :
+  enableval=$enable_whitelist;
+fi
+if test "x$enable_whitelist" != "xno"; then :
+        HAVE_WHITELIST="-DHAVE_WHITELIST"
+fi
+HAVE_FATAL_WARNINGS=""
+# Check whether --enable-fatal_warnings was given.
+if test "${enable_fatal_warnings+set}" = set; then :
+  enableval=$enable_fatal_warnings;
+fi
+if test "x$enable_fatal_warnings" = "xyes"; then :
+        HAVE_FATAL_WARNINGS="-W -Wall -Werror"
+fi
+# checking pthread library
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5
+$as_echo_n "checking for main in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread_main+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+int
+main ()
+{
+return main ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_pthread_main=yes
+else
+  ac_cv_lib_pthread_main=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5
+$as_echo "$ac_cv_lib_pthread_main" >&6; }
+if test "x$ac_cv_lib_pthread_main" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
+  LIBS="-lpthread $LIBS"
+else
+  as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5
+fi
 ac_fn_c_check_header_mongrel "$LINENO" "pthread.h" "ac_cv_header_pthread_h" "$ac_includes_default"
 if test "x$ac_cv_header_pthread_h" = xyes; then :
@@ -4855,6 +4895,7 @@ echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
+echo "   apparmor: $HAVE_APPARMOR"
 echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
@@ -4866,6 +4907,7 @@ echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
 printf "   uid_min: "; grep UID_MIN uids.h
 printf "   gid_min: "; grep GID_MIN uids.h
+printf "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
 echo
diff --git a/configure.ac b/configure.ac
index a84396ad4..315c25038 100644
--- a/configure.ac
+++ b/configure.ac
@@ -9,6 +9,27 @@ AC_PROG_CC
 AC_PROG_INSTALL
 AC_PROG_RANLIB
+# Allow to build without apparmor support by calling:
+# ./configure --disable-apparmor
+# This makes it possible to run snaps in devmode on almost any host,
+# regardless of the kernel version.
+HAVE_APPARMOR=""
+AC_ARG_ENABLE([apparmor],
+    AS_HELP_STRING([--enable-apparmor], [enable apparmor]))
+AS_IF([test "x$enable_apparmor" = "xyes"], [
+        HAVE_APPARMOR="-DHAVE_APPARMOR"
+        AC_SUBST(HAVE_APPARMOR)
+])
+AS_IF([test "x$enable_apparmor" = "xyes"], [
+        AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR(
+        [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )])
+])
+AS_IF([test "x$enable_apparmor" = "xyes"], [
+        EXTRA_LDFLAGS="-lapparmor"
+])
+AC_SUBST([EXTRA_LDFLAGS])
 HAVE_SECCOMP=""
 AC_ARG_ENABLE([seccomp],
    AS_HELP_STRING([--disable-seccomp], [disable seccomp]))
@@ -117,6 +138,7 @@ echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
 echo "   seccomp: $HAVE_SECCOMP"
 echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
+echo "   apparmor: $HAVE_APPARMOR"
 echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
 echo "   bind: $HAVE_BIND"
@@ -128,6 +150,7 @@ echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
 printf "   uid_min: "; grep UID_MIN uids.h
 printf "   gid_min: "; grep GID_MIN uids.h
+printf "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
 echo
diff --git a/etc/firejail-default b/etc/firejail-default
new file mode 100644
index 000000000..609ab6c19
--- /dev/null
+++ b/etc/firejail-default
@@ -0,0 +1,129 @@
+#include <tunables/global>
+profile firejail-default {
+#####
+# D-Bus is a huge security hole, we disable it here. Uncomment this line if you
+# need D-Bus functionality.
+#
+#dbus,
+#####
+# Mask /proc and /sys information leakage. The configuration here is barely
+# enough to run "top" or "ps aux".
+#
+/ r,
+/[^proc,^sys]** mrwlk,
+/proc/ r,
+/proc/meminfo r,
+/proc/cpuinfo r,
+/proc/filesystems r,
+/proc/uptime r,
+/proc/loadavg r,
+/proc/stat r,
+/proc/@{pid}/ r,
+/proc/@{pid}/fd/ r,
+/proc/@{pid}/task/ r,
+/proc/@{pid}/cmdline r,
+/proc/@{pid}/comm r,
+/proc/@{pid}/stat r,
+/proc/@{pid}/statm r,
+/proc/@{pid}/status r,
+/proc/sys/kernel/pid_max r,
+/proc/sys/kernel/shmmax r,
+/sys/ r,
+/sys/bus/ r,
+/sys/bus/** r,
+/sys/class/ r,
+/sys/class/** r,
+/sys/devices/ r,
+/sys/devices/** r,
+/proc/@{pid}/maps r,
+/proc/@{pid}/mounts r,
+/proc/@{pid}/mountinfo r,
+/proc/@{pid}/oom_score_adj r,
+/{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/user/**/dconf/ r,
+/{,var/}run/user/**/dconf/user r,
+#####
+# Allow running programs only from well-known system directories. If you need
+# to run programs from your home directory, uncomment /home line.
+#
+/lib/** ix,
+/lib64/** ix,
+/bin/** ix,
+/sbin/** ix,
+/usr/bin/** ix,
+/usr/sbin/** ix,
+/usr/local/** ix,
+/usr/lib/** ix,
+/usr/games/** ix,
+/opt/** ix,
+#/home/** ix,
+#####
+# Allow all networking functionality, and control it from Firejail.
+#
+network inet,
+network inet6,
+network unix,
+network netlink,
+network raw,
+#####
+# There is no equivalent in Firejail for filtering signals.
+#
+signal,
+#####
+# Disable all capabilities. If you run your sandbox as root, you might need to
+# enable/uncomment some of them.
+#
+capability chown,
+capability dac_override,
+capability dac_read_search,
+capability fowner,
+capability fsetid,
+capability kill,
+capability setgid,
+capability setuid,
+capability setpcap,
+capability linux_immutable,
+capability net_bind_service,
+capability net_broadcast,
+capability net_admin,
+capability net_raw,
+capability ipc_lock,
+capability ipc_owner,
+capability sys_module,
+capability sys_rawio,
+capability sys_chroot,
+capability sys_ptrace,
+capability sys_pacct,
+capability sys_admin,
+capability sys_boot,
+capability sys_nice,
+capability sys_resource,
+capability sys_time,
+capability sys_tty_config,
+capability mknod,
+capability lease,
+capability audit_write,
+capability audit_control,
+capability setfcap,
+capability mac_override,
+capability mac_admin,
+#####
+# No mount/umount functionality when running as regular user.
+#
+mount,
+remount,
+umount,
+pivot_root,
+}
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 21f415ba5..15253b5ab 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -18,19 +18,21 @@ HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
 HAVE_WHITELIST=@HAVE_WHITELIST@
 HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -f *.o firejail firejail.1 firejail.1.gz
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0fd81979f..1502a0312 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -39,6 +39,9 @@
 # define PR_SET_NO_NEW_PRIVS 38
 #endif
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+#endif
 static int monitored_pid = 0;
@@ -392,6 +395,7 @@ int sandbox(void* sandbox_arg) {
        if (arg_debug && child_pid == 1)
                printf("PID namespace installed\n");
        //****************************
        // set hostname
        //****************************
@@ -503,7 +507,6 @@ int sandbox(void* sandbox_arg) {
        else
                fs_basic_fs();
        
        //****************************
        // set hostname in /etc/hostname
        //****************************
@@ -798,8 +801,13 @@ int sandbox(void* sandbox_arg) {
        pid_t app_pid = fork();
        if (app_pid == -1)
                errExit("fork");
-                
        if (app_pid == 0) {
+#ifdef HAVE_APPARMOR
+                errno = 0;
+                if (aa_change_onexec("firejail-default")) 
+                        fprintf(stderr, "Warning: apparmor profile not loaded, errno %d\n", errno);
+#endif          
                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
                start_application();    // start app
        }
diff --git a/todo b/todo
index 009f9fe99..7a96bb2c4 100644
--- a/todo
+++ b/todo
@@ -251,6 +251,7 @@ References
 23. AppArmor
 $ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify
+$ sudo apt-get install libapparmor-dev
 $ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
 $ sudo update-grub
@@ -259,5 +260,7 @@ $ sudo reboot
 If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message.
 $ sudo aa-notify -p -f /var/log/audit/audit.log
+/sys/module/apparmor/parameters/enabled
+/sys/kernel/security/apparmor