[apparmor] Firefox 60 sys_admin capability

Vincas Dargis vindrg at gmail.com
Sat May 19 06:58:38 UTC 2018


On 5/19/18 4:27 AM, John Johansen wrote:
> On 05/18/2018 08:56 AM, Vincas Dargis wrote:
>> On 5/18/18 6:25 PM, Malte Gell wrote:
>>> Hi there,
>>>
>>> I just upgraded from Firefox 52 to version 60.
>>> I start Firefox always with the profile manager.
>>> Now, FF 60 asks for sys_admin capability.
>>>
>>> Unless I know why, I'm reluctant to grant them....
>>>
>>> Does anyone have a clue why FF 60 needs sys_admin capabilities?
>>>
>>> Addons are locally stored in user folders, thus, updating addons can't
>>> be the reason....
>>>
>>> Thanx!
>>>
>>
>> It's something about sandboxing its content processors:
>> https://www.morbo.org/2018/05/linux-sandboxing-improvements-in_10.html
>>
> 
> To be a little more specific it is the way that it is using “unprivileged user namespaces”
> and is extremely unfortunate. There is no fix for this in apparmor atm, besides
> granting the capabilities.
> 
> I am hoping we can land the first of the fixes to start addressing this in 4.19
> but it will require additions to policy.

Interesting, what would it look like after it's fixed?


