www-client/firefox-bin new security warning
CaptainBlood (Advocate; joined 24 Jan 2010; 3909 posts)
Posted: Wed Aug 21, 2024 12:31 pm    Subject: www-client/firefox-bin new security warning

For a little while now www-client/firefox-bin brings the following warning at start:
Code:
Some of Firefox's security features may offer less protection on your current operating system
along with a link to support.mozilla.org.
Down the last third of the above link there's the matching section:
Code:
Security features warning

You may see a warning that “some of Firefox’s security features may offer less protection on your current operating system”.

The sandbox in Firefox makes use of unprivileged user namespaces when creating new processes for enforcing more security. This can be considered a security risk, therefore some Linux distributions have started to restrict its usage and only allow it to work where there is an AppArmor profile.

Such profiles can only cover a limited set of installation paths, including Snap and Debian packages. They cannot however cover some other use cases, such as tarball installations as well as local development builds.

To create an AppArmor profile for Firefox:

In /etc/apparmor.d/, create a file with the name firefox-local

In the file, add the following:

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>

profile firefox-local /home/<USER>/bin/firefox/{firefox,firefox-bin,updater} flags=(unconfined) {
    userns,

    # Site-specific additions and overrides. See local/README for details.
    include if exists <local/firefox>
}

Replace <USER> with your Linux user name. This assumes the Firefox install is at $HOME/bin/

Once you have saved the file, run sudo systemctl restart apparmor.service in the Linux terminal.
It seems to require sys-apps/apparmor and some sys-apps/systemd.

Here is openrc and no sys-apps/apparmor :oops:

Any experience to share how to fix from such a starting point?

Thks 4 ur attention, interest & support.
_________________
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
logrusx (Advocate; joined 22 Feb 2018; 2454 posts)
Posted: Wed Aug 21, 2024 12:49 pm    Subject: Re: www-client/firefox-bin new security warning

CaptainBlood wrote:

Any experience to share how to fix from such a starting point?


What about dropping firefox-bin and trying firefox from the binhost?

Best Regards,
Georgi
sam_ (Developer; joined 14 Aug 2020; 1982 posts)
Posted: Wed Aug 21, 2024 12:49 pm

I think you may have misread it. It sounds like it needs (unprivileged) user namespaces and it thinks you don't have them. Do you have them disabled in your kernel?

(It's saying that distributions often disable unpriv'd user NS and might only allow it via AppArmor etc. That is not the case in Gentoo.)
Hu (Administrator; joined 06 Mar 2007; 22727 posts)
Posted: Wed Aug 21, 2024 1:33 pm

Building on sam_'s query, at the same prompt as was used to get this error from Firefox, what is the output of unshare --user true? The correct answer is "Nothing." I expect you will get some error output.
CaptainBlood (Advocate; joined 24 Jan 2010; 3909 posts)
Posted: Wed Aug 21, 2024 2:04 pm

sam_ wrote:
I think you may have misread it. It sounds like it needs (unprivileged) user namespaces and it thinks you don't have them. Do you have them disabled in your kernel?

(It's saying that distributions often disable unpriv'd user NS and might only allow it via AppArmor etc. That is not the case in Gentoo.)

Although everything is done manually in kernel here:
Code:
grep -e GENTOO -e IPC_NS -e NET_NS -e PID_NS -e USER_NS -e SYSVIPC /boot/config-6.10.6-gentoo-std
CONFIG_SYSVIPC=y
CONFIG_SYSVIPC_SYSCTL=y
CONFIG_SYSVIPC_COMPAT=y
CONFIG_IPC_NS=y
# CONFIG_USER_NS is not set
CONFIG_PID_NS=y
CONFIG_NET_NS=y
# CONFIG_NET_NSH is not set
# CONFIG_NET_NS_REFCNT_TRACKER is not set
# CONFIG_GENTOO_LINUX is not set
So indeed
Code:
CONFIG_USER_NS is not set
likely from an unclear security debate from the past. (Completely resolved?)

Nice explanations, good enough to sort out the origin of the warning here and to decide what to do.

Thks 4 ur attention, interest & support.
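As an added example (not code from the thread or from any of its posters), a small POSIX sh script that automates the two checks the replies point at: sam_'s question about whether CONFIG_USER_NS is set in the kernel config, and Hu's runtime test with unshare --user true. The function names and the enabled/disabled/unknown labels are this example's own conventions.

```shell
#!/bin/sh
# Added example, not code from the thread: the two checks the replies point at,
# (1) whether the kernel config has CONFIG_USER_NS and (2) whether this user can
# actually create an unprivileged user namespace (Hu's "unshare --user true").
# Function names and the enabled/disabled/unknown vocabulary are this example's own.

# Print a kernel config, decompressing /proc/config.gz-style files on the fly.
config_lines() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# userns_status CONFIG_FILE: prints "enabled" (exit 0) for CONFIG_USER_NS=y,
# "disabled" (exit 1) when the option is explicitly unset, as in the thread's
# grep output, and "unknown" (exit 2) if the file is unreadable or silent.
userns_status() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 2; }
    if config_lines "$f" | grep -q '^CONFIG_USER_NS=y$'; then
        echo enabled; return 0
    elif config_lines "$f" | grep -q '^# CONFIG_USER_NS is not set$'; then
        echo disabled; return 1
    fi
    echo unknown; return 2
}

# live_userns_check: prints "ok" when an unprivileged user namespace can be
# created from this shell, "denied" otherwise. This is what Firefox's sandbox
# actually sees at runtime, whatever the config file says.
live_userns_check() {
    if unshare --user true 2>/dev/null; then echo ok; else echo denied; fi
}

# check_firefox_userns [CONFIG_FILE]: combined report. Defaults to
# /proc/config.gz (needs CONFIG_IKCONFIG_PROC), else /boot/config-$(uname -r).
check_firefox_userns() {
    cfg="${1:-/proc/config.gz}"
    [ -r "$cfg" ] || cfg="/boot/config-$(uname -r)"
    printf 'kernel config %s: CONFIG_USER_NS %s\n' "$cfg" "$(userns_status "$cfg")"
    printf 'unshare --user true: %s\n' "$(live_userns_check)"
}
```

On the affected machine, source the file and call check_firefox_userns /boot/config-6.10.6-gentoo-std (or any config path); a "disabled" plus "denied" pair is the combination that produces the Firefox warning discussed above.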
CaptainBlood (Advocate; joined 24 Jan 2010; 3909 posts)
Posted: Wed Aug 21, 2024 4:51 pm

CaptainBlood wrote:
likely from an unclear security debate from the past. (Completely resolved?)
Code:
kernel-hardening-checker -c /boot/config-6.10.6-gentoo-std|grep CONFIG_USER_NS
CONFIG_USER_NS                          |kconfig| is not set |  clipos  |cut_attack_surface| FAIL: "y"

Thks 4 ur attention, interest & support