Kërkoni te Asistenca

Shmangni karremëzime gjoja asistence. S’do t’ju kërkojmë kurrë të bëni një thirrje apo të dërgoni tekst te një numër telefoni, apo të na jepni të dhëna personale. Ju lutemi, raportoni veprimtari të dyshimtë duke përdorur mundësinë “Raportoni Abuzim”.

Mësoni Më Tepër

Firefox Sandbox implications of User Namespaces being disabled

  • 2 përgjigje
  • 2 e kanë hasur këtë problem
  • 5 parje
  • Përgjigjja më e re nga crmc

more options

One of the typical configuration in linux is to turn off the user namespaces and/or network namespaces. This is because most of the exploits in linux have been related to namespaces vulnerabilities.

If there is a Firefox ver 127.0.2, running on Linux in which the user namespace is turned off then the following is observed in the Troubleshooting information, i.e. about:support Seccomp-BPF (System Call Filtering) true Seccomp Thread Synchronisation true User Namespaces for privileged processes true User Namespaces false Content Process Sandboxing true Media Plugin Sandboxing true

So how come with the username turned off, the content process and media plugin is still sandboxed? Also is having user namespace turned off, as given above, a security risk?

However if the network namespace is turned off, i.e. max_net_namespaces is set to zero, then it renders the browser unusable. Nothing works. Why is that?

Is there some documentation somewhere where these namespaces and their impact is explained in detail?

One of the typical configuration in linux is to turn off the user namespaces and/or network namespaces. This is because most of the exploits in linux have been related to namespaces vulnerabilities. If there is a Firefox ver 127.0.2, running on Linux in which the user namespace is turned off then the following is observed in the Troubleshooting information, i.e. about:support Seccomp-BPF (System Call Filtering) true Seccomp Thread Synchronisation true User Namespaces for privileged processes true User Namespaces false Content Process Sandboxing true Media Plugin Sandboxing true So how come with the username turned off, the content process and media plugin is still sandboxed? Also is having user namespace turned off, as given above, a security risk? However if the network namespace is turned off, i.e. max_net_namespaces is set to zero, then it renders the browser unusable. Nothing works. Why is that? Is there some documentation somewhere where these namespaces and their impact is explained in detail?

Krejt Përgjigjet (2)

more options

Hi

The solution might be to write an AppArmor profile, e.g. under /etc/apparmor.d/firefox-local, with content (replace <USER> with your username ; here it is assumed the firefox install lives under $HOME/bin/ ):

(This profile allows everything and only exists to give theapplication a name instead of having the label "unconfined".)


abi <abi/4.0>, include <tunables/global>

profile firefox-local /home/<USER>/bin/firefox/{firefox,firefox-bin,updater} flags=(unconfined) {

 userns,
 # Site-specific additions and overrides. See local/README for details.
 include if exists <local/firefox>

}

The proceeding with a sudo systemctl restart apparmor.service should be enough.

Ndryshuar nga Paul

E dobishme?

more options

I arrived here because starting with Firefox 129.0 a warning is shown on every start (Firefox installed as regular package with apparmor enforced profile, not flatpak). It links to an support article about apparmor and user namespaces, which includes Paul's suggestion to create an apparmor profile.

However, as the example profile notes, it does not enforce any restrictions. Moreover the warning only resolves itself, if the system has unprivileged user namespaces enabled. This is contrary to common recommendations to disable it, if possible.[1] Hence, I'd like to add the question: why does FF now start with the warning?

Some relevant resources (@ixian: the second link covers some info for your last question): [1] Apparmor wiki information for user namespaces and browsers [2] Mozilla wiki for Sandboxes

Ndryshuar nga NoahSUMO

E dobishme?

Bëni një pyetje

Duhet të bëni hyrjen te llogaria juaj që t’i përgjigjeni postimeve. Ju lutemi, filloni me një pyetje të re, nëse nuk keni ende një llogari.