[pkg-apparmor] Bug#1098869: apparmor: triggers a security warning in Firefox with firejail

intrigeri intrigeri at debian.org
Tue Mar 4 08:25:26 GMT 2025


Control: reassign -1 firejail
Control: retitle -1 firejail-default AppArmor profile needs userns rule

Hi,

Vincent Lefevre (2025-03-03):
> On 2025-03-03 12:03:22 +0100, intrigeri wrote:
>> Can you try adding the "userns," line to the firejail-default AppArmor
>> profile and see if you can reproduce?
>
> This makes the warning disappear, but only after a reboot.

Perfect, thanks. So I'm reassigning this bug to firejail, where this
update needs to be applied. I'm not tagging this "patch" because
I don't know what problem this profile is meant to solve and whether
adding this rule is appropriate there.

Context for firejail maintainers: AppArmor 4.1.0~beta5 packages block
userns unless the "userns" rule is in the policy. So the
firejail-default profile now breaks apps that need userns (in some
cases, only partly, like in this one).

>> Another thing that could be worth trying (independently from the
>> previous one) is to revert /usr/share/apparmor-features/features to
>> the previous version i.e. revert the changes from this commit:
>> https://salsa.debian.org/apparmor-team/apparmor/-/commit/71c0d1bfdd0556cb8466913d65ca4f6fced14b63
>> Then reboot the system and try to reproduce.
>
> After restoring the firejail-default AppArmor profile, this revert
> also makes the warning disappear (after a reboot).
>
> And after restoring this file (and a reboot), i.e. going back to the
> initial state, the warning reappears as expected.

Good, thank you. Now I understand how the combination of recent kernel
+ updated pinned feature set + outdated policy works wrt. userns.
Thankfully there's a trivial fix that can be applied to any affected
policy so I'm confident it'll all be fixed in time for Trixie. If it
turns out to be significantly more complicated, we can revert the
update of the pinned feature set which should make this whole class of
regressions disappear (at the cost of not gaining the corresponding
security improvement).

Cheers,
-- 
intrigeri
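The thread combines three things: a kernel that mediates user namespace creation, a pinned feature set that tells apparmor_parser to compile that mediation into policy, and a profile that does or does not carry a `userns` rule. The script below is an added example (not part of this bug report, nor of the apparmor or firejail packages) that checks each piece and gives a verdict for a profile. The Debian paths are the ones named in the thread plus the kernel's own features directory; the `aa-exec` live test at the end is an assumption about how to exercise the profile outside firejail and is only meaningful if the profile is in enforce mode.

```shell
#!/bin/sh
# Added example: check why userns is blocked under an AppArmor profile.
# Not from the apparmor or firejail packages. Run "sh userns-check.sh --check"
# on a Debian system, or source it and call the functions on your own files.
set -u

# Does a feature set advertise userns mediation? The kernel exposes it in
# /sys/kernel/security/apparmor/features/namespaces/mask, and Debian's pinned
# copy (/usr/share/apparmor-features/features) uses the same token.
features_mediate_userns() {
    grep -q 'userns_create' "$1" 2>/dev/null
}

# Does a profile contain an *allow* rule for userns, i.e. "userns," or
# "userns create," (optionally audit-prefixed)? "deny userns," is not
# matched on purpose: it blocks rather than permits.
profile_has_userns_rule() {
    grep -Eq '^[[:space:]]*(audit[[:space:]]+)?userns([[:space:]]+create)?[[:space:]]*,' \
        "$1" 2>/dev/null
}

# Verdict for one (feature set, profile) pair. Exit status:
#   0 allowed (rule present), 1 blocked (mediated, no rule),
#   2 unmediated (old feature set: the rule is irrelevant, which is why
#     reverting the pinned features file also made the warning disappear).
userns_verdict() {
    features=$1
    profile=$2
    if ! features_mediate_userns "$features"; then
        echo "unmediated: $features does not mediate userns"
        return 2
    fi
    if profile_has_userns_rule "$profile"; then
        echo "allowed: $profile has a userns rule"
        return 0
    fi
    echo "blocked: userns is mediated but $profile has no 'userns,' rule"
    return 1
}

# Inspect the live system: kernel features, pinned features, firejail profile.
check_system() {
    kernel=/sys/kernel/security/apparmor/features/namespaces/mask
    pinned=/usr/share/apparmor-features/features
    profile=/etc/apparmor.d/firejail-default   # assumed install path
    for f in "$kernel" "$pinned"; do
        if [ ! -r "$f" ]; then
            echo "missing: $f"
        elif features_mediate_userns "$f"; then
            echo "mediates userns: $f"
        else
            echo "no userns mediation: $f"
        fi
    done
    [ -r "$profile" ] && [ -r "$pinned" ] && userns_verdict "$pinned" "$profile"
    # Assumed live test: run unshare(1) under the loaded profile via aa-exec
    # (apparmor package). A denial here is what an app needing userns sees.
    if command -v aa-exec >/dev/null 2>&1; then
        if aa-exec -p firejail-default -- unshare -U true 2>/dev/null; then
            echo "live: user namespace creation allowed"
        else
            echo "live: user namespace creation denied"
        fi
    fi
}

case "${1:-}" in
    --check) check_system ;;
esac
```

If the verdict is "blocked", the fix the thread converges on is a single line, `userns,`, inside the profile body, followed by reloading the policy (`apparmor_parser -r` on the profile); Vincent's report notes that in his case the warning only went away after a reboot.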