Firejail: Question: benefits of running Firejail with AppArmor?

Created on 10 Jun 2018 · 4 Comments · Source: netblue30/firejail

Hey,

I'm currently (happily) using Firejail and considering using AppArmor as well. I expect this to add some complexity, so I want to make sure I understand the benefits of doing it.
What are the benefits of running both?
I know that there is some overlap between them, but can't really point out what protections AppArmor has that Firejail is lacking (or vice versa).

Also, if I want to run both, is the recommended way to install Firejail with AppArmor support and then add apparmor to /etc/firejail/globals.local?

Thanks!

question

All 4 comments

The benefits of the generic firejail AppArmor profile are:

  • blocking dbus access (=<0.9.54, only ubuntu)
  • blocking ptrace access
  • blocking writing to /sys and /proc (with few exceptions)
  • blocking non-standard network sockets (only inet,inet6,unix,netlink,raw are allowed - ubuntu)
  • blocking execution of binaries from /home
  • whitelisting writing to system sockets under /run/*

Generally speaking, AppArmor support is just a supplement to firejail. It's hard to develop a strict profile which is then used for every possible app. Users can add their own modifications to the /etc/apparmor.d/local/firejail-local profile, i.e. deny /some/secret/dir-or-program rw. Another issue is that some features like networking and dbus socket mediation are currently available only in Ubuntu distros, so there is a disparity in AppArmor effectiveness on different OSes. That may be improved later this year.

Also, if I want to run both, is the recommended way to install Firejail with AppArmor support and then add apparmor to /etc/firejail/globals.local?

Some profiles already have apparmor enabled and will use it when AppArmor support is detected on the system. Adding apparmor to globals.local is another option. I would recommend observing access denials in the audit logs to see if anything breaks.
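The last suggestion in the comment above, reviewing AppArmor denials in the audit log after opting in, is the step most people skip. The script below is an added example and is not code from the firejail project or from anyone in this thread. It assumes the generic profile is named firejail-default and that audit lines use AppArmor's standard key="value" format as seen in `journalctl -k` or `ausearch`; the sample log lines are constructed, not captured, and the two config fragments are the ones the comment names (globals.local and firejail-local), with the trailing comma AppArmor rule syntax requires.

```shell
#!/bin/sh
# Added example, not from the firejail project: summarise AppArmor denials raised
# while an app runs under the generic firejail profile, and show the two local
# opt-in/override fragments the thread mentions.
# Assumptions: profile name "firejail-default"; standard AppArmor audit format.

# Constructed sample audit lines (not from a real system). On a live box they
# would come from:  journalctl -k --no-pager | grep 'apparmor="DENIED"'
SAMPLE_LOG='type=AVC msg=audit(1528630000.101:201): apparmor="DENIED" operation="open" profile="firejail-default" name="/sys/kernel/debug/tracing/trace" pid=2310 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
type=AVC msg=audit(1528630000.102:202): apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=2310 comm="firefox" requested_mask="read" denied_mask="read" peer="unconfined"
type=AVC msg=audit(1528630000.103:203): apparmor="DENIED" operation="exec" profile="firejail-default" name="/home/user/Downloads/helper" pid=2311 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
type=AVC msg=audit(1528630000.104:204): apparmor="ALLOWED" operation="open" profile="firejail-default" name="/home/user/.cache/note" pid=2310 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1528630000.105:205): apparmor="DENIED" operation="open" profile="firejail-default" name="/sys/kernel/debug/tracing/trace" pid=2312 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0'

# Print the value of key="value" from one audit line (empty if the key is absent).
audit_field() {  # $1 = line, $2 = key
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Reduce audit text ($1) to DENIED events only, one per line: operation<TAB>target<TAB>comm.
# File operations carry name=..., ptrace/signal carry peer=...; use whichever exists.
denials() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ "$(audit_field "$line" apparmor)" = "DENIED" ] || continue
        target=$(audit_field "$line" name)
        [ -n "$target" ] || target=$(audit_field "$line" peer)
        printf '%s\t%s\t%s\n' "$(audit_field "$line" operation)" "$target" "$(audit_field "$line" comm)"
    done
}

# Number of DENIED events in the audit text ($1).
denied_count() {
    denials "$1" | wc -l | tr -d ' '
}

# Collapse repeated events so a noisy log becomes a short review list, most frequent first.
denial_summary() {
    denials "$1" | sort | uniq -c | sort -rn
}

# Per the thread, one way to opt in is a single line in /etc/firejail/globals.local.
print_globals_local() {
    printf 'apparmor\n'
}

# The local override file named in the thread, with its own example rule.
# Site-specific rules live here so a profile update does not overwrite them.
print_local_override() {
    cat <<'EOF'
# /etc/apparmor.d/local/firejail-local
deny /some/secret/dir-or-program rw,
EOF
}

# Stand-alone run over the constructed sample.
main() {
    echo "denied events: $(denied_count "$SAMPLE_LOG")"
    echo "distinct denials (count, operation, target, comm):"
    denial_summary "$SAMPLE_LOG"
    echo "--- /etc/firejail/globals.local"; print_globals_local
    print_local_override
}
main
```

Each line of the summary maps to one of the bullets above (writes under /sys, ptrace, executing from /home), which is how you tell an intended block from a broken app: a denial on a path the app genuinely needs is a candidate for an allow rule in firejail-local, a denial on /sys or ptrace is the profile doing its job. After editing the local file, reload the profile with `apparmor_parser -r` (standard AppArmor tooling, not mentioned in the thread) and re-check the log.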

Thanks a lot @Vincent43 for the thorough response, it's very useful!
I'm running Arch Linux, so it seems that I won't get some of the Ubuntu-only AppArmor goodies you mentioned.
Do you know of a bug I can track in order to be notified when these features become available in distros other than Ubuntu?

Thanks!

You can follow AppArmor kernel development here and userspace utilities here.

The mailing list used by developers is here.

Here you can view a fresh presentation about plans for future development. Linux 4.19 and AppArmor 3.0 are the current targets for complete dbus and networking support.

Thanks a lot @Vincent43 this is very helpful!
