CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3848
Posted: Wed Aug 21, 2024 12:31 pm Post subject: www-client/firefox-bin new security warning |
For a little while now www-client/firefox-bin has shown the following warning at startup:
Code:
Some of Firefox's security features may offer less protection on your current operating system
along with a link to support.mozilla.org.
In the last third of that page there's the matching section:
Code:
Security features warning
You may see a warning that "some of Firefox's security features may offer less protection on your current operating system".
The sandbox in Firefox makes use of unprivileged user namespaces when creating new processes for enforcing more security. This can be considered a security risk, therefore some Linux distributions have started to restrict its usage and only allow it to work where there is an AppArmor profile.
Such profiles can only cover a limited set of installation paths, including Snap and Debian packages. They cannot however cover some other use cases, such as tarball installations as well as local development builds.
To create an AppArmor profile for Firefox:
In /etc/apparmor.d/, create a file with the name firefox-local
In the file, add the following:
    # This profile allows everything and only exists to give the
    # application a name instead of having the label "unconfined"
    abi <abi/4.0>,
    include <tunables/global>
    profile firefox-local
    /home/<USER>/bin/firefox/{firefox,firefox-bin,updater}
    flags=(unconfined) {
      userns,
      # Site-specific additions and overrides. See local/README for details.
      include if exists <local/firefox>
    }
Replace <USER> with your Linux user name. This assumes the Firefox install is at $HOME/bin/
Once you have saved the file, run sudo systemctl restart apparmor.service in the Linux terminal.
It seems to require sys-apps/apparmor and some sys-apps/systemd.
Here it is OpenRC and no sys-apps/apparmor.
Any experience to share on how to fix from such a starting point?
Thks 4 ur attention, interest & support.
_________________
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus."
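The Mozilla steps quoted above, as an added example that is not part of the post or of Mozilla's page: a POSIX shell script that writes that same profile for an arbitrary Firefox install directory and loads it with apparmor_parser instead of restarting a systemd service, which is the piece an OpenRC box lacks. It assumes sys-apps/apparmor is installed and the kernel was built with CONFIG_SECURITY_APPARMOR; the install-directory argument and the function names are mine. As the quoted text says, such a profile only matters on a system where user namespace creation is gated by AppArmor; it does nothing for a kernel that has no user namespaces at all.

```shell
#!/bin/sh
# Added example, not from Mozilla's page or the thread: write and load the
# permissive "firefox-local" AppArmor profile without systemctl.
# Assumes sys-apps/apparmor (apparmor_parser) and CONFIG_SECURITY_APPARMOR.
# The profile text is Mozilla's; only the install directory is a parameter.

# Print the profile for the Firefox directory in $1
# (default: $HOME/bin/firefox, the path the support page assumes).
firefox_local_profile() {
    dir="${1:-$HOME/bin/firefox}"
    cat <<EOF
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>

profile firefox-local ${dir}/{firefox,firefox-bin,updater}
    flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/firefox>
}
EOF
}

# Sanity check before loading: the binaries must exist at the path the
# profile names, otherwise the label never attaches and the warning stays.
firefox_dir_ok() {
    [ -x "$1/firefox" ] && [ -x "$1/firefox-bin" ]
}

# Write the file and load it. apparmor_parser -r (--replace) loads a new
# profile or replaces a loaded one of the same name; no service restart
# is involved, so this works the same under OpenRC. Needs root.
install_firefox_local_profile() {
    dir="${1:-$HOME/bin/firefox}"
    firefox_dir_ok "$dir" || { echo "no firefox/firefox-bin under $dir" >&2; return 1; }
    firefox_local_profile "$dir" > /etc/apparmor.d/firefox-local || return 1
    apparmor_parser -r /etc/apparmor.d/firefox-local || return 1
    # Confirm the kernel now knows the profile name (securityfs must be mounted).
    [ -r /sys/kernel/security/apparmor/profiles ] &&
        grep -q '^firefox-local ' /sys/kernel/security/apparmor/profiles
}

# Usage (as root): sh this-script.sh install /opt/firefox
if [ "${1:-}" = install ]; then
    install_firefox_local_profile "${2:-}"
fi
```

With no arguments the script only defines the functions; `install <dir>` writes the profile for that directory, loads it, and exits non-zero if the binaries are not where the profile says or the kernel did not accept the profile.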
logrusx Advocate
Joined: 22 Feb 2018 Posts: 2400
Posted: Wed Aug 21, 2024 12:49 pm Post subject: Re: www-client/firefox-bin new security warning |
CaptainBlood wrote:
Any experience to share on how to fix from such a starting point?
What about dropping firefox-bin and trying firefox from the binhost?
Best Regards,
Georgi
sam_ Developer
Joined: 14 Aug 2020 Posts: 1948
Posted: Wed Aug 21, 2024 12:49 pm
I think you may have misread it. It sounds like it needs (unprivileged) user namespaces and it thinks you don't have them. Do you have them disabled in your kernel?
(It's saying that distributions often disable unpriv'd user NS and might only allow it via AppArmor etc. That is not the case in Gentoo.)
Hu Administrator
Joined: 06 Mar 2007 Posts: 22618
Posted: Wed Aug 21, 2024 1:33 pm
Building on sam_'s query, at the same prompt as was used to get this error from Firefox, what is the output of unshare --user true? The correct answer is "Nothing." I expect you will get some error output.
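The check Hu describes, as an added example that is not part of the thread: a POSIX shell script that runs `unshare --user true` as the current user and, when that fails, reports the places the failure normally comes from: CONFIG_USER_NS in the kernel config, and the sysctls that can disable or gate user namespace creation. The config path defaults to /proc/config.gz and then /boot/config-$(uname -r); the function names are mine, the two distro-specific knobs are labelled in the comments and simply read as "missing" on a kernel that does not have them.

```shell
#!/bin/sh
# Added example, not from the thread: automate Hu's "unshare --user true"
# probe and, when it fails, report the usual causes. Kernel-config and
# sysctl paths are the stock Linux ones; two distro-specific knobs are
# labelled where they are read.

# Classify a kernel .config read on stdin for CONFIG_USER_NS.
# Prints "y" (enabled), "n" (explicitly disabled) or "absent".
userns_kconfig_state() {
    awk '
        /^CONFIG_USER_NS=y$/            { print "y"; found = 1; exit }
        /^# CONFIG_USER_NS is not set$/ { print "n"; found = 1; exit }
        END                             { if (!found) print "absent" }
    '
}

# Read a /proc/sys knob; prints "missing" when the kernel has no such knob.
knob_value() {
    if [ -r "$1" ]; then
        head -n 1 "$1"
    else
        echo missing
    fi
}

# Hu's check. Exit status: 0 = an unprivileged user namespace was created,
# 1 = the kernel refused, 2 = util-linux unshare is not installed.
# Run it as the same user, in the same session, that starts Firefox.
userns_probe() {
    command -v unshare >/dev/null 2>&1 || return 2
    unshare --user true 2>/dev/null || return 1
}

# Full report. $1 is a kernel config to inspect; defaults to /proc/config.gz
# (needs CONFIG_IKCONFIG_PROC) and then /boot/config-<running kernel>.
userns_diagnose() {
    cfg="${1:-/proc/config.gz}"
    [ -r "$cfg" ] || cfg="/boot/config-$(uname -r)"

    userns_probe && rc=0 || rc=$?
    case "$rc" in
        0) echo "unshare --user true: OK, unprivileged user namespaces work"; return 0 ;;
        2) echo "unshare --user true: cannot run, unshare (util-linux) not installed" ;;
        *) echo "unshare --user true: FAILED" ;;
    esac

    if [ -r "$cfg" ]; then
        case "$cfg" in
            *.gz) state=$(zcat "$cfg" | userns_kconfig_state) ;;
            *)    state=$(userns_kconfig_state < "$cfg") ;;
        esac
        echo "CONFIG_USER_NS in $cfg: $state"
    else
        echo "kernel config: none readable, pass one as the first argument"
    fi

    # Stock kernel: 0 means no user namespace may be created at all.
    echo "user.max_user_namespaces: $(knob_value /proc/sys/user/max_user_namespaces)"
    # Debian/Ubuntu carry this non-upstream knob: 0 blocks unprivileged creation.
    echo "kernel.unprivileged_userns_clone: $(knob_value /proc/sys/kernel/unprivileged_userns_clone)"
    # Ubuntu 23.10+: 1 restricts creation to AppArmor-labelled programs,
    # which is the restriction the Mozilla profile above is written for.
    echo "kernel.apparmor_restrict_unprivileged_userns: $(knob_value /proc/sys/kernel/apparmor_restrict_unprivileged_userns)"
    return 1
}

userns_diagnose "$@" || true
```

Run it from the shell you start Firefox from. A kernel built with CONFIG_USER_NS disabled makes the probe fail regardless of any AppArmor profile, so in that case the fix is in the kernel config, not in /etc/apparmor.d.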
CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3848
Posted: Wed Aug 21, 2024 2:04 pm
sam_ wrote:
I think you may have misread it. It sounds like it needs (unprivileged) user namespaces and it thinks you don't have them. Do you have them disabled in your kernel?
(It's saying that distributions often disable unpriv'd user NS and might only allow it via AppArmor etc. That is not the case in Gentoo.)
Although everything is done manually in the kernel here:
Code:
grep -e GENTOO -e IPC_NS -e NET_NS -e PID_NS -e USER_NS -e SYSVIPC /boot/config-6.10.6-gentoo-std
CONFIG_SYSVIPC=y
CONFIG_SYSVIPC_SYSCTL=y
CONFIG_SYSVIPC_COMPAT=y
CONFIG_IPC_NS=y
# CONFIG_USER_NS is not set
CONFIG_PID_NS=y
CONFIG_NET_NS=y
# CONFIG_NET_NSH is not set
# CONFIG_NET_NS_REFCNT_TRACKER is not set
# CONFIG_GENTOO_LINUX is not set
So indeed CONFIG_USER_NS is not set, likely from an unclear security debate from the past. (Completely resolved?)
Nice explanations, good enough to sort out the origin of the warning here and to decide what to do.
Thks 4 ur attention, interest & support.
CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3848
Posted: Wed Aug 21, 2024 4:51 pm
Code:
kernel-hardening-checker -c /boot/config-6.10.6-gentoo-std | grep CONFIG_USER_NS
CONFIG_USER_NS                          |kconfig| is not set |   clipos   |cut_attack_surface| FAIL: "y"
Thks 4 ur attention, interest & support.