[pkg-apparmor] Bug#1098869: apparmor: triggers a security warning in Firefox with firejail

intrigeri intrigeri at debian.org
Mon Mar 3 11:03:22 GMT 2025


Control: tag -1 + moreinfo

Hi,

Vincent Lefevre (2025-02-25):
>> This actually occurs only with firejail (I actually use a wrapper
>> doing that), e.g.
>> 
>>   firejail /usr/bin/firefox
>> 
>> According to "ps -efZ", it is the firejail-default AppArmor profile
>> that is used.

Good to know! I have never looked at how firejail uses AppArmor.

> I suspect that this is because the firejail-default AppArmor profile
> does not use "userns" (contrary to the firefox AppArmor profile,
> which completely changed).

I thought "userns" was a no-op on mainline (read: non-Ubuntu) kernels.
But who knows :) And indeed, it does look like $something is blocking
unprivileged user namespaces. Let's try to figure out what
$something is.

Can you try adding the "userns," line to the firejail-default AppArmor
profile and see if you can reproduce?

Another thing that could be worth trying (independently from the
previous one) is to revert /usr/share/apparmor-features/features to
the previous version i.e. revert the changes from this commit:
https://salsa.debian.org/apparmor-team/apparmor/-/commit/71c0d1bfdd0556cb8466913d65ca4f6fced14b63
Then reboot the system and try to reproduce.

Cheers,
-- 
intrigeri
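
The check proposed above can be scripted. This is an added example, not part of the original message and not Debian or firejail code: it reports the kernel knobs that can gate unprivileged user namespaces and whether a profile file carries a "userns" allow rule. The sysctl names and the default path /etc/apparmor.d/firejail-default are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added diagnostic sketch: what could be blocking unprivileged user namespaces?

# Return 0 if the AppArmor profile file $1 contains an allow-type "userns" rule
# ("userns,", "userns create,", optionally prefixed by audit/allow).
# Commented-out rules and "deny userns," do not count.
profile_has_userns() {
    sed 's/#.*//' "$1" |
        grep -Eq '^[[:space:]]*((audit|allow)[[:space:]]+)*userns([[:space:]]+[^,]*)?,[[:space:]]*$'
}

# Print "name = value" for a sysctl, or "name = absent" when the running
# kernel does not expose it (for example a Debian- or Ubuntu-specific knob).
knob() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then
        printf '%s = %s\n' "$1" "$(cat "$f")"
    else
        printf '%s = absent\n' "$1"
    fi
}

# Print the knobs and the profile check together.
# $1: profile path (assumed default: /etc/apparmor.d/firejail-default)
report() {
    profile=${1:-/etc/apparmor.d/firejail-default}
    knob kernel.unprivileged_userns_clone             # 0 disables (Debian knob)
    knob kernel.apparmor_restrict_unprivileged_userns # 1 requires a userns rule
    knob user.max_user_namespaces                     # 0 disables for everyone
    if [ ! -r "$profile" ]; then
        echo "$profile: not readable"
    elif profile_has_userns "$profile"; then
        echo "$profile: has a userns rule"
    else
        echo "$profile: no userns rule"
    fi
}

report "$@"
```

Running it before and after each of the two suggested changes gives a comparable record of what differed between attempts.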


