[apparmor] Firefox 60 sys_admin capability

John Johansen john.johansen at canonical.com
Sat May 19 01:27:25 UTC 2018


On 05/18/2018 08:56 AM, Vincas Dargis wrote:
> On 5/18/18 6:25 PM, Malte Gell wrote:
>> Hi there,
>>
>> I just upgraded from Firefox 52 to version 60.
>> I start Firefox always with the profile manager.
>> Now, FF 60 asks for sys_admin capability.
>>
>> Unless I know why, I'm reluctant to grant them....
>>
>> Does anyone have a clue why FF 60 needs sys_admin capabilities?
>>
>> Addons are locally stored in user folders, thus, updating addons can't
>> be the reason....
>>
>> Thanx!
>>
> 
> It's something about sandboxing its content processors:
> https://www.morbo.org/2018/05/linux-sandboxing-improvements-in_10.html
> 

To be a little more specific, it is the way that it is using “unprivileged user namespaces”
and is extremely unfortunate. There is no fix for this in apparmor atm, besides
granting the capabilities.

I am hoping we can land the first of the fixes to start addressing this in 4.19
but it will require additions to policy.