You are not logged in.

#1 2024-08-31 21:11:53

uphill
Member
Registered: 2024-08-31
Posts: 4

Some of Firefox's security features may offer less protection on your

When arch uses the hardened linux kernel i get a messages in firefox telling me the security feature may offer less protection Some of Firefox's security features may offer less protection on your current operating system

how do i fix it?

Sorry if a simular post have been post I was not able to find anything simular.

Last edited by uphill (2024-08-31 21:12:52)

Offline

#2 2024-09-01 00:26:25

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,448

Re: Some of Firefox's security features may offer less protection on your

The reason is the hardened kernel disables user namespaces and FF wants to use them for sandboxing.
If you enable them with

sysctl -w kernel.unprivileged_userns_clone=1

the warning should be gone.
The point is though, they are disabled for a reason and even if FF handles them perfectly, other software may not.
So, YMMV.

Offline

#3 2024-09-01 08:10:39

Head_on_a_Stick
Member
From: Belsize Park
Registered: 2014-02-20
Posts: 8,210
Website

Re: Some of Firefox's security features may offer less protection on your

Strike0 wrote:

FF handles them perfectly

Lol. No.


"It's impossible for a white person to believe in capitalism and not believe in racism. You can't have capitalism without racism."
— Malcolm X

Offline

#4 2024-09-01 09:12:49

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,448

Re: Some of Firefox's security features may offer less protection on your

Head_on_a_Stick wrote:
Strike0 wrote:

FF handles them perfectly

Lol. No.

Yes, I should have written "FF would handle them perfectly" instead.

The point is how FF manages to sandbox even code that tries to circumvent the related sandboxing. For more context an example: this 2024 kernel cve must be caught. It's one example of 44% of browser exploits found to rely on userns, at least on android, by google. One can learn from the blogpost that google uses secccomp-bpf filters to mitigate the risks on android and that's what  FF does too. So, the problem to mitigate when enabling said kernel feature is twofold: 1. Does the FF sandboxing handle such CVE perfectly (enough) and 2. What about other software that your client system uses (e.g. other browsers too). That's my conclusion on YMMV to this point.

Offline

#5 2024-09-01 09:14:54

seth
Member
Registered: 2012-09-03
Posts: 57,135

Re: Some of Firefox's security features may offer less protection on your

Strike0 wrote:

even if FF handles them perfectly

There's merely a stray blank in there.
https://madaidans-insecurities.github.i … ux-sandbox

@uphill, disabling unprivileged_userns_clone is one of the major aspects of the hardened kernel
Using a FF flatpak might (idk) remove that warning but the main issue remains (maybe worse) because the local sandbox doesn't work inside bubblewrap and bubblewrap itself requries to be suid' to work with linux hardened.

Edit: F5kk

Last edited by seth (2024-09-01 09:15:32)

Offline

#6 2024-09-01 14:50:46

uphill
Member
Registered: 2024-08-31
Posts: 4

Re: Some of Firefox's security features may offer less protection on your

seth wrote:
Strike0 wrote:

even if FF handles them perfectly

There's merely a stray blank in there.
https://madaidans-insecurities.github.i … ux-sandbox

@uphill, disabling unprivileged_userns_clone is one of the major aspects of the hardened kernel
Using a FF flatpak might (idk) remove that warning but the main issue remains (maybe worse) because the local sandbox doesn't work inside bubblewrap and bubblewrap itself requries to be suid' to work with linux hardened.

Edit: F5kk

Whats more secure don't do anything, disables user namespaces or use Firefox in flatpak.

Offline

#7 2024-09-01 15:13:53

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,232
Website

Re: Some of Firefox's security features may offer less protection on your

Corporate training courses that had to give a quiz or exam to participants upon completion had a trend of including absurd answers among the multiple choice options.  Like when there's a question about to whom a fire, or some other form of mishap should be reported, the correct answer is never Oprah.  Having Oprah among the choices was meant to make the quiz easier for people to pass even if they slept through the training.

In the same way, anytime a question asks which option is more secure includes among multiple choice options anything related to flatpak, you can be sure that this is among the choices for the same reason Oprah was.

Security: Do nothing > Disable user namespaces > Call Oprah > Use flatpak.

Last edited by Trilby (2024-09-01 15:14:12)


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline

#8 2024-09-01 15:19:11

seth
Member
Registered: 2012-09-03
Posts: 57,135

Re: Some of Firefox's security features may offer less protection on your

Security: Do nothing > Call Oprah > ENable user namespace clones > Use flatpak.

*Dis*abling unprivileged_userns_clone is equivalent to doing nothing when using the hardened kernel.

Also we don't want have the Oprah fans coming at us, do we?

Edit: https://bbs.archlinux.org/viewtopic.php?id=299020 might interest you.

Last edited by seth (2024-09-01 15:20:12)

Offline

#9 2024-09-01 15:40:43

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,232
Website

Re: Some of Firefox's security features may offer less protection on your

seth wrote:

Also we don't want have the Oprah fans coming at us, do we?

I'm not scared.  It's not like they're Swifties.

EDIT: I've been out of the corporate world long enough now ... I suppose there's a pretty good chance Taylor Swift has replaced Oprah on these quizes.

Last edited by Trilby (2024-09-01 15:42:06)


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline

#10 2024-09-01 15:56:50

seth
Member
Registered: 2012-09-03
Posts: 57,135

Re: Some of Firefox's security features may offer less protection on your

Taylor Swift gives away cars??!!

Offline

#11 2024-09-01 20:16:35

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,448

Re: Some of Firefox's security features may offer less protection on your

seth wrote:

Some FF commit suggests the warning may indeed have been added to accomodate for the apparmor-next feature, and they were trying to fix an inaccurate pre-FF129 userns detection.

In any case, clicking away the warning toggles (about:config) security.sandbox.warn_unprivileged_namespaces to false. So, if the do-nothing fix is chosen, it's easy to revert to do a Swift check of "Is it Over Now? (Taylor’s Version)".

Offline

Board footer

Powered by FluxBB