From 23e5d5e94bbed9ab9e788108227d5e50959e12cd Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 19 Feb 2018 10:11:39 -0500
Subject: added support to disable apparmor globally in /etc/firejail/firejail.config
---
 src/firejail/checkcfg.c | 9 +++++++++
 src/firejail/firejail.h | 1 +
 src/firejail/sandbox.c | 2 +-
 3 files changed, 11 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 2629fb3ec..0d77c199b 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -103,6 +103,15 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+ // apparmor
+ else if (strncmp(ptr, "apparmor ", 9) == 0) {
+ if (strcmp(ptr + 9, "yes") == 0)
+ cfg_val[CFG_APPARMOR] = 1;
+ else if (strcmp(ptr + 9, "no") == 0)
+ cfg_val[CFG_APPARMOR] = 0;
+ else
+ goto errout;
+ }
 // bind
 else if (strncmp(ptr, "bind ", 5) == 0) {
 if (strcmp(ptr + 5, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index e8dc390d4..ca3b73ffc 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -742,6 +742,7 @@ enum {
 CFG_ARP_PROBES,
 CFG_XPRA_ATTACH,
 CFG_PRIVATE_LIB,
+ CFG_APPARMOR,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 47bb94a52..503d822a9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1065,7 +1065,7 @@ int sandbox(void* sandbox_arg) {
 if (app_pid == 0) {
 #ifdef HAVE_APPARMOR
- if (arg_apparmor) {
+ if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
 errno = 0;
 if (aa_change_onexec("firejail-default")) {
 fwarning("Cannot confine the application using AppArmor.\n"
--
cgit v1.2.3-54-g00ecf
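Review bot: The new `apparmor` branch in checkcfg() writes `cfg_val[CFG_APPARMOR]` only when the key is present in the config file, and the value used when the key is absent is set outside this hunk. Because sandbox.c now requires `checkcfg(CFG_APPARMOR)` before applying the profile, that default has to be 1, otherwise every sandbox would lose AppArmor confinement without anyone having asked for it. The bare `// apparmor` comment could carry this, for example `// apparmor: "no" disables AppArmor confinement globally and overrides --apparmor; enabled by default`, assuming the initialisation earlier in the function does enable it. checkcfg() starts and ends outside the hunk, so the default could not be confirmed from here.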
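Review bot: With `apparmor no` in firejail.config, the new condition in the sandbox.c hunk skips `aa_change_onexec` without any message, so a profile or command line that asked for AppArmor runs unconfined and nothing tells the user. A warning ahead of the test would make the downgrade visible: `if (arg_apparmor && !checkcfg(CFG_APPARMOR))` followed by `fwarning("AppArmor is disabled in firejail.config, --apparmor ignored\n");` (the message text is only a suggestion). Since this one key switches off a confinement layer for every sandbox on the host, it is also worth confirming that the config file is writable by root only. sandbox() begins and ends outside the hunk.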