Hi
Here’s what I needed in order to quickly modify, for example, the Chromium profile so that I could debug it with Visual Studio Code. However, the temporary directories of Visual Studio Code webstores were blocked. I am aware of security systems such as sandboxing, SELinux, AppArmor, Firejail… But AppArmor is the solution here!
Next, for your information, the command “aa-logprof” belongs to AppArmor and allows direct modification of profiles based on denied accesses, in complain mode.
For example, for Chromium, you first need to copy the Snap profile (/var/lib/snapd/apparmor/profiles/snap.chromium.chromium) to the AppArmor profiles in /etc/apparmor.d/ and also in /etc/apparmor.d/snaps.d/, simply renaming it as chromium.
Set both profiles to complain mode:
This one blocks requests, but you can’t use aa-logprof on it; there are no entries in the logs.
sudo aa-complain /etc/apparmor.d/snaps.d/chromium
This one makes it possible to use aa-logprof and modify the rules.
sudo aa-complain /etc/apparmor.d/snap.chromium.chromium
Launch the application and do what needs to be done…
Now, run sudo aa-logprof to manage the requests.
Copy the contents of /etc/apparmor.d/snap.chromium.chromium to /etc/apparmor.d/snaps.d/chromium, then switch everything back to enforcing:
sudo aa-enforce /etc/apparmor.d/snaps.d/chromium
sudo aa-enforce /etc/apparmor.d/snap.chromium.chromium
Restart AppArmor:
sudo systemctl restart apparmor.service
And THERE YOU HAVE IT! Many people will benefit from this, and it’s through empirical means that I discovered it! Couldn’t find this answer anywhere, not even from ChatGPT and the like.
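
Before accepting what aa-logprof proposes, it helps to review what the complain-mode profile actually logged, so the profile is widened only for the paths the debugging session needs. The following is an added example, not part of the original post: a small parser that groups AppArmor audit events by path for one profile. The sample log lines, paths and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel audit format AppArmor logs use;
# timestamps, pids and paths are made up for illustration.
SAMPLE_LOG = '''\
audit: type=1400 audit(1700000000.101:11): apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/tmp/vscode-example/Default/Preferences" pid=4242 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.202:12): apparmor="ALLOWED" operation="open" profile="snap.chromium.chromium" name="/tmp/vscode-example/Default/Preferences" pid=4242 comm="chrome" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.303:13): apparmor="ALLOWED" operation="mkdir" profile="snap.chromium.chromium" name="/tmp/vscode-example/Crashpad/" pid=4242 comm="chrome" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.404:14): apparmor="DENIED" operation="open" profile="snap.example.app" name="/etc/shadow" pid=5151 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
systemd[1]: Started example.service.
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: (quoted or bare) for key, quoted, bare in FIELD.findall(line)}


def summarize(log_text, profile):
    """Map each accessed path to the masks and modes logged for one profile.

    "ALLOWED" events come from complain mode (logged, not blocked);
    "DENIED" events come from enforce mode.
    """
    out = defaultdict(lambda: {"masks": set(), "modes": set()})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("profile") != profile or "name" not in ev:
            continue
        entry = out[ev["name"]]
        entry["masks"].update(ev.get("denied_mask", ""))  # one char per permission
        entry["modes"].add(ev["apparmor"])
    return dict(out)


if __name__ == "__main__":
    for path, info in sorted(summarize(SAMPLE_LOG, "snap.chromium.chromium").items()):
        print(path, "".join(sorted(info["masks"])), ",".join(sorted(info["modes"])))
```

On a real system the input would be the kernel log (for example the output of `journalctl -k`) instead of the constructed `SAMPLE_LOG`.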