[ubuntu-hardened] Firefox: Seccomp-BPF - User-Namespaces (false) and Seccomp Thread Synchronization (false)

Seth Arnold seth.arnold at canonical.com
Wed Mar 15 02:07:17 UTC 2017


On Tue, Mar 14, 2017 at 11:27:21AM +0100, daniel curtis wrote:
> By the way; Firejail can be used together with AppArmor? Of course I'm
> thinking about enabled/enforced Firefox profile.

Hi Daniel,

We have not tested Firejail with AppArmor. I suspect the results
wouldn't be very pleasant: AppArmor currently can't differentiate between
capabilities raised inside a user namespace or in the init namespace.
(This is why working chromium-browser and chrome profiles have to grant
access to a half-dozen or more capabilities.) If the browser were to be
run as root then AppArmor would not help much in enforcing safety.

We're working on this issue but I'm not sure arbitrary combinations of
AppArmor and Firejail will ever be first-class citizens.

Thanks
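
An added example, not part of the original message: the sketch below decodes the `CapEff` mask from `/proc/<pid>/status` and reads `/proc/<pid>/uid_map` for two constructed snapshots, real root versus an unprivileged user who is uid 0 inside a user namespace, to show that the capability names are identical and only the namespace context differs. The sample text, the function names and the uid_map heuristic are assumptions made for this illustration.

```python
# Added illustration. The /proc snippets below are constructed samples.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()  # index in this list == capability bit number

def effective_caps(status_text):
    """Decode the CapEff hex mask of a /proc/<pid>/status dump into names."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return {n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1}
    raise ValueError("no CapEff line in status text")

def in_initial_userns(uid_map_text):
    """Heuristic (assumption): the init user namespace shows one identity
    mapping over the whole uid range. A namespace set up by a privileged
    process with the same mapping would be misclassified."""
    rows = [tuple(int(f) for f in l.split())
            for l in uid_map_text.splitlines() if l.strip()]
    return rows == [(0, 0, 4294967295)]

def describe(status_text, uid_map_text):
    return {"caps": effective_caps(status_text),
            "init_userns": in_initial_userns(uid_map_text)}

# Constructed sample: a process running as real root on the host.
HOST_ROOT = describe("Name:\tbrowser\nCapEff:\t0000003fffffffff\n",
                     "         0          0 4294967295\n")
# Constructed sample: uid 1000 mapped to uid 0 inside a new user namespace.
USERNS_ROOT = describe("Name:\tbrowser\nCapEff:\t0000003fffffffff\n",
                       "         0       1000          1\n")

if __name__ == "__main__":
    same = HOST_ROOT["caps"] == USERNS_ROOT["caps"]
    print("identical capability names:", same)
    print("host root in init userns:", HOST_ROOT["init_userns"])
    print("sandboxed root in init userns:", USERNS_ROOT["init_userns"])
```

A check keyed only on the capability name sees the same request in both cases, which is why a profile has to grant the capability outright even when the sandbox only needs it inside its own namespace.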