On Monday, 10 February 2020 15:22:38 UTC+1, dinar qurbanov  wrote:
> I have enabled the Firefox AppArmor profile in Linux Mint, and one of the log
> messages about denied requests is the sys_admin capability. Firefox works
> normally in its surface behavior, for me. How many bad things may
> happen because it does not have this capability?

You will probably end up with parts of Firefox's own sandbox being disabled 
or crippled.

> "cap_sys_admin seems to be related to namespaces and seccomp which
> firefox’s sandbox uses and cap_sys_chroot is needed for chroot which
> firefox also uses.

We use chroot() to isolate processes that have to deal with 
(potentially hostile) webpages from accessing the filesystem: 
https://searchfox.org/mozilla-central/source/security/sandbox/linux/launch/SandboxLaunch.cpp#638

Note that the process will drop this capability after having used it during 
startup (code is a few lines later). I don't think there's a good reason 
to block it.

IIRC CAP_SYS_ADMIN is needed to install seccomp-bpf filters. We use these 
to block those same processes from using kernel features we know Firefox 
doesn't need. When access isn't restricted this way, it becomes easier 
for an attacker to find a bug in the Linux kernel and escape the sandbox.

Firefox's sandbox is much more restrictive than what you get by just removing
those capabilities, so my (strong) recommendation would be to leave them be, 
so Firefox can actually set up its own sandbox correctly.

PTRACE is used by the crash reporter to get a stack trace. If you would like
us to fix any crashing bug you run into, it might be good to leave that
enabled as well.

-- 
GCP
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
