Firefox: Seccomp-BPF - User-Namespaces (false) and Seccomp Thread Synchronization (false)

Firefox: Seccomp-BPF - User-Namespaces (false) and Seccomp Thread Synchronization (false)

daniel curtis

Hi Seth

>> This is probably due to the kernel in 12.04 LTS (...)

True, it must be related to the 12.04 kernel version, because I'm using the latest Firefox 52.0 version and there are only two options enabled. Anyway, I hope that everything will be OK when I upgrade my system to the 16.04 version, just as you have written: "Once you upgrade to 16.04 LTS or newer you'll probably see all four of these values report True."

By the way, can Firejail be used together with AppArmor? Of course, I'm thinking about an enabled/enforced Firefox profile.

Best regards.


--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
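
The values discussed in this thread depend on what the running kernel supports, and that can be probed directly. The C program below is an added example, not part of the original thread and not Firefox's own code; it assumes the NULL-filter probing technique (the kernel reports EFAULT only if it recognises the mode or flag), and every function and macro name in it is hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#define MODE_FILTER 2     /* SECCOMP_MODE_FILTER (UAPI value, for old headers) */
#define SET_MODE_FILTER 1 /* SECCOMP_SET_MODE_FILTER */
#define FLAG_TSYNC 1UL    /* SECCOMP_FILTER_FLAG_TSYNC */
enum probe { PROBE_NO = 0, PROBE_YES = 1, PROBE_UNKNOWN = 2 };

/* A NULL filter is never installed. A kernel that knows the mode/flag fails
 * while copying the filter (EFAULT); otherwise it rejects the call earlier. */
static enum probe classify(long rv, int err) {
    if (rv == -1 && err == EFAULT) return PROBE_YES;
    if (rv == -1 && (err == EINVAL || err == ENOSYS)) return PROBE_NO;
    return PROBE_UNKNOWN; /* e.g. EPERM from an outer sandbox */
}

enum probe has_seccomp_bpf(void) {
    long rv = prctl(PR_SET_SECCOMP, MODE_FILTER, NULL);
    return classify(rv, errno);
}

enum probe has_seccomp_tsync(void) {
#ifdef SYS_seccomp
    long rv = syscall(SYS_seccomp, SET_MODE_FILTER, FLAG_TSYNC, NULL);
    return classify(rv, errno);
#else
    return PROBE_UNKNOWN; /* build headers predate seccomp(2) */
#endif
}

enum probe has_user_namespaces(void) { /* probe in a throwaway child */
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : 1);
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return PROBE_UNKNOWN;
    return WEXITSTATUS(status) == 0 ? PROBE_YES : PROBE_NO;
}

int main(void) {
    printf("seccomp-bpf=%d tsync=%d userns=%d (0=no 1=yes 2=unknown)\n",
           has_seccomp_bpf(), has_seccomp_tsync(), has_user_namespaces());
    return 0;
}
```

Run it as the same unprivileged user that starts the browser, since user-namespace creation can be restricted per user by the distribution.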

Re: Firefox: Seccomp-BPF - User-Namespaces (false) and Seccomp Thread Synchronization (false)

Seth Arnold
On Tue, Mar 14, 2017 at 11:27:21AM +0100, daniel curtis wrote:
> By the way; Firejail can be used together with AppArmor? Of course I'm
> thinking about enabled/enforced Firefox profile.

Hi Daniel,

We have not tested Firejail with AppArmor. I suspect the results
wouldn't be very pleasant: AppArmor currently can't differentiate between
capabilities raised inside a user namespace or in the init namespace.
(This is why working chromium-browser and chrome profiles have to grant
access to a half-dozen or more capabilities.) If the browser were to be
run as root then AppArmor would not help much in enforcing safety.

We're working on this issue but I'm not sure arbitrary combinations of
AppArmor and Firejail will ever be first-class citizens.

Thanks


Re: Firefox: Seccomp-BPF - User-Namespaces (false) and Seccomp Thread Synchronization (false)

daniel curtis

Hi Seth,

Okay, I see. Thank you very much for the answer - as always very good and valuable ;-)

Best regards.

P.S. I sent this message to the AppArmor list by accident. I'm sorry about that.
