You are not logged in.
When arch uses the hardened linux kernel i get a messages in firefox telling me the security feature may offer less protection
how do i fix it?
Sorry if a simular post have been post I was not able to find anything simular.
Last edited by uphill (2024-08-31 21:12:52)
Offline
The reason is the hardened kernel disables user namespaces and FF wants to use them for sandboxing.
If you enable them with
sysctl -w kernel.unprivileged_userns_clone=1
the warning should be gone.
The point is though, they are disabled for a reason and even if FF handles them perfectly, other software may not.
So, YMMV.
Offline
FF handles them perfectly
Lol. No.
"It's impossible for a white person to believe in capitalism and not believe in racism. You can't have capitalism without racism."
— Malcolm X
Offline
Strike0 wrote:FF handles them perfectly
Lol. No.
Yes, I should have written "FF would handle them perfectly" instead.
The point is how FF manages to sandbox even code that tries to circumvent the related sandboxing. For more context an example: this 2024 kernel cve must be caught. It's one example of 44% of browser exploits found to rely on userns, at least on android, by google. One can learn from the blogpost that google uses secccomp-bpf filters to mitigate the risks on android and that's what FF does too. So, the problem to mitigate when enabling said kernel feature is twofold: 1. Does the FF sandboxing handle such CVE perfectly (enough) and 2. What about other software that your client system uses (e.g. other browsers too). That's my conclusion on YMMV to this point.
Offline
even if FF handles them perfectly
There's merely a stray blank in there.
https://madaidans-insecurities.github.i … ux-sandbox
@uphill, disabling unprivileged_userns_clone is one of the major aspects of the hardened kernel
Using a FF flatpak might (idk) remove that warning but the main issue remains (maybe worse) because the local sandbox doesn't work inside bubblewrap and bubblewrap itself requries to be suid' to work with linux hardened.
Edit: F5kk
Last edited by seth (2024-09-01 09:15:32)
Online
Strike0 wrote:even if FF handles them perfectly
There's merely a stray blank in there.
https://madaidans-insecurities.github.i … ux-sandbox@uphill, disabling unprivileged_userns_clone is one of the major aspects of the hardened kernel
Using a FF flatpak might (idk) remove that warning but the main issue remains (maybe worse) because the local sandbox doesn't work inside bubblewrap and bubblewrap itself requries to be suid' to work with linux hardened.Edit: F5kk
Whats more secure don't do anything, disables user namespaces or use Firefox in flatpak.
Offline
Corporate training courses that had to give a quiz or exam to participants upon completion had a trend of including absurd answers among the multiple choice options. Like when there's a question about to whom a fire, or some other form of mishap should be reported, the correct answer is never Oprah. Having Oprah among the choices was meant to make the quiz easier for people to pass even if they slept through the training.
In the same way, anytime a question asks which option is more secure includes among multiple choice options anything related to flatpak, you can be sure that this is among the choices for the same reason Oprah was.
Security: Do nothing > Disable user namespaces > Call Oprah > Use flatpak.
Last edited by Trilby (2024-09-01 15:14:12)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
Security: Do nothing > Call Oprah > ENable user namespace clones > Use flatpak.
*Dis*abling unprivileged_userns_clone is equivalent to doing nothing when using the hardened kernel.
Also we don't want have the Oprah fans coming at us, do we?
Edit: https://bbs.archlinux.org/viewtopic.php?id=299020 might interest you.
Last edited by seth (2024-09-01 15:20:12)
Online
Also we don't want have the Oprah fans coming at us, do we?
I'm not scared. It's not like they're Swifties.
EDIT: I've been out of the corporate world long enough now ... I suppose there's a pretty good chance Taylor Swift has replaced Oprah on these quizes.
Last edited by Trilby (2024-09-01 15:42:06)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
Taylor Swift gives away cars??!!
Online
Edit: https://bbs.archlinux.org/viewtopic.php?id=299020 might interest you.
Some FF commit suggests the warning may indeed have been added to accomodate for the apparmor-next feature, and they were trying to fix an inaccurate pre-FF129 userns detection.
In any case, clicking away the warning toggles (about:config) security.sandbox.warn_unprivileged_namespaces to false. So, if the do-nothing fix is chosen, it's easy to revert to do a Swift check of "Is it Over Now? (Taylor’s Version)".
Offline