[apparmor] Firefox 60 sys_admin capability
John Johansen
john.johansen at canonical.com
Sat May 19 07:15:09 UTC 2018
On 05/18/2018 11:58 PM, Vincas Dargis wrote:
> On 5/19/18 4:27 AM, John Johansen wrote:
>> On 05/18/2018 08:56 AM, Vincas Dargis wrote:
>>> On 5/18/18 6:25 PM, Malte Gell wrote:
>>>> Hi there,
>>>>
>>>> I just upgraded from Firefox 52 to version 60.
>>>> I start Firefox always with the profile manager.
>>>> Now, FF 60 asks for sys_admin capability.
>>>>
>>>> Unless I know why, I'm reluctant to grant them....
>>>>
>>>> Does anyone have a clue why FF 60 needs sys_admin capabilities?
>>>>
>>>> Addons are locally stored in user folders, thus, updating addons can't
>>>> be the reason....
>>>>
>>>> Thanx!
>>>>
>>>
>>> It's something about sandboxing it's content processors:
>>> https://www.morbo.org/2018/05/linux-sandboxing-improvements-in_10.html
>>>
>>
>> To be a little more specific it is the way that it is using “unprivileged user namespaces”
>> and is extremely unfortunate. There is no fix for this in apparmor atm, besides
>> granting the capabilities.
>>
>> I am hoping we can land the first of the fixes to start addressing this in 4.19
>> but it will require additions to policy.
>
> Interesting, what it would look like after it's fixed?
>
Basically the idea is to transition into a special profile or even
policy ns for the sandbox task.

something along the lines of

  profile firefox {
    # creating a new namespace moves the task into the child profile
    clone flags=(newns) -> firefox//sandbox,

    profile sandbox {
      capability sys_admin,
      capability sys_chroot,
      capability setuid,
      capability setgid,
      ...
    }
  }
The syntax isn't finalized, clone is likely not what we will use. It
could be unshare or system namespace, ...
But currently we are limited to being only able to mediate the ns
creation and transition in clone, hopefully the ability to do it with
unshare and setns in the future.
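Until the policy transition described above lands, the only option the thread gives is to grant the capabilities. Before doing that, an administrator will want to know exactly which capabilities the confined Firefox is being denied, and after granting them will want the uses logged. The script below is an added example, not code from the thread or from the AppArmor project: it parses AppArmor "capable" denials in the standard audit-log format (profile="…" … capname="…"), summarises them per profile, and emits "audit capability …," rules, which AppArmor accepts and which log each use of a capability that has been granted. The log lines are constructed for the example.

```shell
#!/bin/sh
# Constructed sample AppArmor audit lines (not taken from the thread).
SAMPLE_LOG='type=AVC msg=audit(1526711000.123:456): apparmor="DENIED" operation="capable" profile="firefox" pid=4242 comm="firefox" capability=21  capname="sys_admin"
type=AVC msg=audit(1526711000.456:457): apparmor="DENIED" operation="capable" profile="firefox" pid=4242 comm="firefox" capability=18  capname="sys_chroot"
type=AVC msg=audit(1526711001.789:458): apparmor="ALLOWED" operation="capable" profile="firefox" pid=4242 comm="firefox" capability=21  capname="sys_admin"
type=AVC msg=audit(1526711002.000:459): apparmor="DENIED" operation="open" profile="firefox" name="/etc/shadow" pid=4242 comm="firefox" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1526711003.000:460): apparmor="DENIED" operation="capable" profile="firefox" pid=4243 comm="Web Content" capability=21  capname="sys_admin"'

# denied_caps: read audit lines on stdin and print one line per
# "<profile> <capname> <count>" for every DENIED capability check.
# Non-capability denials (file opens etc.) and ALLOWED events are ignored.
denied_caps() {
    grep 'apparmor="DENIED"' |
    grep 'operation="capable"' |
    sed -n 's/.*profile="\([^"]*\)".*capname="\([^"]*\)".*/\1 \2/p' |
    sort | uniq -c |
    awk '{ print $2, $3, $1 }'
}

# audit_rules: read audit lines on stdin and emit AppArmor rules that grant
# each denied capability while logging every use of it, so a grant made to
# keep the browser working still leaves a trail in the audit log.
audit_rules() {
    denied_caps |
    awk '{ printf "audit capability %s,\n", $2 }' |
    sort -u
}

# Usage on the constructed sample; on a real host feed in
# journalctl or /var/log/audit/audit.log instead.
printf '%s\n' "$SAMPLE_LOG" | denied_caps
printf '%s\n' "$SAMPLE_LOG" | audit_rules
```

The rules it prints are meant to be reviewed and pasted into the local profile override (for example /etc/apparmor.d/local/), not applied automatically; sys_admin in particular is broad enough that seeing how often and from which process it is exercised is worth the extra log volume.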