Firefox uses cap_sys_admin to set up its sandbox, which is extremely
unfortunate but required on Linux to be able to set up the
user_namespace, do the chroot, etc. Currently the LSM and user namespaces
don't interact as well as they should.

AppArmor can NOT properly determine the policy namespace that it should
be in with the user_namespace after Firefox enters its sandbox. This
results in the cap_sys_admin messages.

This is a known problem and we are working on it. At the moment we
recommend granting the capability in the profile and letting Firefox
set up its sandbox. Unfortunately this means you can't guarantee the rest
of the program isn't doing things it shouldn't.

-- 
https://bugs.launchpad.net/bugs/1861408

Title:
  firefox apparmor messages
