Firefox uses cap_sys_admin to set up its sandbox, which is extremely unfortunate but required on Linux to be able to set up the user_namespace, do the chroot, etc. Currently the LSM and user namespaces don't interact as well as they should.
AppArmor can NOT properly determine the policy namespace that it should be in with the user_namespace after Firefox enters its sandbox. This results in the cap_sys_admin messages. This is a known problem and we are working on it. At the moment we recommend granting the capability in the profile and letting Firefox set up its sandbox. Unfortunately this means you can't guarantee the rest of the program isn't doing things it shouldn't.

https://bugs.launchpad.net/bugs/1861408
Title: firefox apparmor messages
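Added example, not part of the bug comment and not AppArmor's own tooling: a small Python triage script that counts AppArmor `capable` denials per profile in kernel audit lines and prints the capability rule that would grant each one, marking sys_admin as broad. The log lines, the profile name `firefox`, the pids and the helper names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample kernel audit lines (not taken from the bug report).
SAMPLE_LOG = """\
audit: type=1400 audit(1580000000.101:201): apparmor="DENIED" operation="capable" profile="firefox" pid=4321 comm="firefox" capability=21  capname="sys_admin"
audit: type=1400 audit(1580000000.102:202): apparmor="DENIED" operation="capable" profile="firefox" pid=4388 comm="Web Content" capability=21  capname="sys_admin"
audit: type=1400 audit(1580000000.250:203): apparmor="DENIED" operation="open" profile="firefox" name="/etc/example.conf" pid=4321 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1580000000.300:204): apparmor="ALLOWED" operation="capable" profile="other-app" pid=5000 comm="other" capability=18  capname="sys_chroot"
audit: type=1400 audit(1580000000.400:205): apparmor="DENIED" operation="capable" profile="firefox" pid=4321 comm="firefox" capability=18  capname="sys_chroot"
"""

# key=value or key="quoted value" pairs as they appear in audit records.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
BROAD = {"sys_admin"}  # capabilities that deserve a manual review before granting

def parse_fields(line):
    """Return the key/value pairs of one audit line, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def capability_denials(log_text):
    """Count DENIED 'capable' events per (profile, capname)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") == "DENIED" and f.get("operation") == "capable":
            counts[(f.get("profile", "?"), f.get("capname", "?"))] += 1
    return counts

def suggested_rules(counts):
    """Map each profile to the profile rules that would grant the denied capabilities."""
    rules = {}
    for profile, cap in sorted(counts):
        note = "  # broad, review before granting" if cap in BROAD else ""
        rules.setdefault(profile, []).append(f"capability {cap},{note}")
    return rules

if __name__ == "__main__":
    for profile, lines in suggested_rules(capability_denials(SAMPLE_LOG)).items():
        print(f"profile {profile}:")
        print("\n".join("  " + rule for rule in lines))
```
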