[pkg-apparmor] Bug#1098869: apparmor: triggers a security warning in Firefox with firejail
Vincent Lefevre
vincent at vinc17.net
Mon Mar 3 21:21:17 GMT 2025
Hi,
On 2025-03-03 12:03:22 +0100, intrigeri wrote:
> Vincent Lefevre (2025-02-25):
> > I suspect that this is because the firejail-default AppArmor profile
> > does not use "userns" (contrary to the firefox AppArmor profile,
> > which completely changed).
>
> I thought "userns" was a no-op on mainline (read: non-Ubuntu) kernels.
> But who knows :) And indeed, it does look like $something is blocking
> unprivileged user namespaces. Let's try to figure out what
> $something is.
>
> Can you try adding the "userns," line to the firejail-default AppArmor
> profile and see if you can reproduce?

This makes the warning disappear, but only after a reboot.

> Another thing that could be worth trying (independently from the
> previous one) is to revert /usr/share/apparmor-features/features to
> the previous version i.e. revert the changes from this commit:
> https://salsa.debian.org/apparmor-team/apparmor/-/commit/71c0d1bfdd0556cb8466913d65ca4f6fced14b63
> Then reboot the system and try to reproduce.

After restoring the firejail-default AppArmor profile, this revert
also makes the warning disappear (after a reboot).

And after restoring this file (and a reboot), i.e. going back to the
initial state, the warning reappears as expected.

Note: each time, I created a new Firefox profile to check the presence
of the warning.

Regards,

--
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)