[pkg-apparmor] Bug#1098869: apparmor: triggers a security warning in Firefox - broken firefox profile?
Vincent Lefevre
vincent at vinc17.net
Tue Feb 25 11:18:53 GMT 2025
Package: apparmor
Version: 4.1.0~beta5-2
Severity: important
After the apparmor upgrade to 4.1.0~beta5-2, Firefox
(Debian's package firefox 135.0.1-1) now displays the
following warning message:

  Some of Firefox's security features may offer less protection
  on your current operating system.

See attached screenshot.

The link "How to fix this issue" leads to

  https://support.mozilla.org/en-US/kb/install-firefox-linux

which says:

  The sandbox in Firefox makes use of unprivileged user namespaces
  when creating new processes for enforcing more security. This can be
  considered a security risk, therefore some Linux distributions have
  started to restrict its usage and only allow it to work where there
  is an AppArmor profile.

  Such profiles can only cover a limited set of installations paths,
  including Snap and Debian packages. They cannot however cover some
  other use cases, such as tarball installations as well as local
  development builds.

and then explains how to create an apparmor profile (but here, there
is already /etc/apparmor.d/firefox).
-- System Information:
Debian Release: trixie/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.11.10-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apparmor depends on:
ii debconf [debconf-2.0] 1.5.89
ii libc6 2.40-7
apparmor recommends no packages.
Versions of packages apparmor suggests:
pn apparmor-profiles-extra <none>
pn apparmor-utils <none>
-- debconf information:
apparmor/homedirs:
--
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: firefox-warning.png
Type: image/png
Size: 8509 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-apparmor-team/attachments/20250225/d96a3852/attachment.png>
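
The path-coverage limit quoted from Mozilla's page above, as an added example that is not part of the original message or of any AppArmor or Mozilla code: it checks whether a profile's attachment glob matches a given Firefox binary path and whether the profile carries a `userns` rule. The profile text is a constructed sample (not the contents of Debian's /etc/apparmor.d/firefox, which the report does not show), and the function names are hypothetical.

```python
import re

# Constructed sample profile for illustration; NOT the contents of Debian's
# /etc/apparmor.d/firefox, which the report does not show.
SAMPLE_PROFILE = """\
abi <abi/4.0>,
profile firefox /{usr/lib/firefox{,-esr},opt/firefox}/firefox{,-esr,-bin} flags=(unconfined) {
  userns,
}
"""

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob to a regex ([...] classes not handled)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")          # ** may cross '/' boundaries
            i += 1
        elif c == "*":
            out.append("[^/]*")       # * stays inside one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")           # alternation separator inside {...}
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in attachment glob")
    return "".join(out)

def userns_covered(profile_text, exe_path):
    """True if the profile attaches to exe_path and has an allow-type userns rule."""
    header = re.search(r"^\s*profile\s+\S+\s+(/\S+)", profile_text, re.M)
    if not header or not re.fullmatch(aa_glob_to_regex(header.group(1)), exe_path):
        return False
    return re.search(r"^\s*(?:allow\s+)?userns\b[^#\n]*,", profile_text, re.M) is not None

if __name__ == "__main__":
    for path in ("/usr/lib/firefox/firefox", "/home/user/firefox/firefox"):
        print(path, "->", userns_covered(SAMPLE_PROFILE, path))
```

A packaged path matches the attachment and is covered, while a tarball unpacked under a home directory is not, which is the case the quoted text says such profiles cannot cover.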