Firefox's security features may offer less protection on your current operating system

Hi

Since the Firefox 129.0 update I see this message notification below the address bar:

Some of Firefox’s security features may offer less protection on your current operating system. How to fix this issue

This page describes how to fix the issue:


Security features warning

You may see a warning that “some of Firefox’s security features may offer less protection on your current operating system”.

The sandbox in Firefox makes use of unprivileged user namespaces when creating new processes for enforcing more security. This can be considered a security risk, therefore some Linux distributions have started to restrict its usage and only allow it to work where there is an AppArmor profile.

Such profiles can only cover a limited set of installations paths, including Snap and Debian packages. They cannot however cover some other use cases, such as tarball installations as well as local development builds.

To create an AppArmor profile for Firefox:

In /etc/apparmor.d/, create a file with the name firefox-local.

In the file, add the following:

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile firefox-local /home/<USER>/bin/firefox/{firefox,firefox-bin,updater} flags=(unconfined) {
    userns,

    # Site-specific additions and overrides. See local/README for details.
    include if exists <local/firefox>
}

Replace <USER> with your Linux user name. This assumes the Firefox install is at $HOME/bin/.

Once you have saved the file, run sudo systemctl restart apparmor.service in the Linux terminal.

However, the fix does not work for me.

I created a firefox-local profile:

/etc/apparmor.d/firefox-local

Contents:

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile firefox-local
#/home/<USER>/bin/firefox/{firefox,firefox-bin,updater}
#/usr/local/bin/firefox/{firefox,firefox-bin,updater}
/usr/bin/firefox/{firefox,firefox-bin,updater}
flags=(unconfined) {
    userns,

    # Site-specific additions and overrides. See local/README for details.
    include if exists <local/firefox>
}

Error:
apparmor.d in profile /etc/apparmor.d/firefox-local at line 4: Could not open 'abi/4.0': No such file or directory.
I run both AppArmor and Firejail, and I installed and run Firefox from the official Manjaro repository.

This looks like you’re running Firefox from a user-local directory or custom installation and not the official repos, right?

No, I run Firefox from the official repo.

A conflict?

I have not seen the message you describe - possibly a local issue - it must relate to either AppArmor or Firejail.


I’m not using Firejail, but I am using AppArmor, and I have had this warning showing up since 129 as well.

You can make the warning go away with the following two steps:

  1. Disable enforcement of the AppArmor profile you run (be it the one you tried to add in the first post or a regular one): sudo aa-complain firefox-local
  2. Enable user namespaces with sudo sysctl -w kernel.unprivileged_userns_clone=1

Then restart Firefox and it should be gone.

However, both steps are the opposite of protection. Hence, I believe it’s a Firefox bug/regression that does the opposite of what it warns about. The profile from their help page which you are trying to get running basically disables AppArmor for Firefox, so it’s utterly counter-productive.

The kernel setting to enable user namespaces is the insecure variant too; that is totally out of the question. If you can disable it (sudo sysctl -w kernel.unprivileged_userns_clone=0), do it - despite the warning. A very good explanation is at the AppArmor wiki.
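As an added example (not code from the thread, Mozilla's support page or the Manjaro project), the script below ties the two parts of this discussion together: it resolves the real Firefox binary directory before writing the attachment path, reports the user-namespace sysctl the last reply toggles, and refuses to emit the profile when /etc/apparmor.d/abi/4.0 is missing, the file behind the error in the first post. It assumes that a parser without abi/4.0 is older than AppArmor 4.0 and therefore does not understand the userns rule either; the file name and function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or Mozilla's docs): build a firefox-local
# profile from the resolved Firefox binary path, and refuse when the parser has
# no abi/4.0, the file behind the "Could not open 'abi/4.0'" error above.
set -eu

# Directory of the real binaries behind a launcher path (on Arch-based distros
# /usr/bin/firefox is usually a symlink to /usr/lib/firefox/firefox; assumption).
firefox_bindir() {
    dirname "$(readlink -f "$1")"
}

# Print the sysctls gating unprivileged user namespaces, where present: the one
# set in the thread plus Ubuntu's apparmor_restrict_... knob. $1 = proc root (tests).
userns_status() {
    root=${1:-}
    for f in unprivileged_userns_clone apparmor_restrict_unprivileged_userns; do
        p="$root/proc/sys/kernel/$f"
        [ -r "$p" ] && printf '%s=%s\n' "$f" "$(cat "$p")"
    done
    return 0
}

# Emit the profile for binary directory $1; $2 = apparmor.d dir (parameter for
# tests). No abi/4.0 means a parser older than AppArmor 4.0, which also lacks
# the userns rule (assumption), so fail instead of writing a profile that won't load.
gen_profile() {
    bindir=$1; apparmor_d=${2:-/etc/apparmor.d}
    if [ ! -f "$apparmor_d/abi/4.0" ]; then
        echo "error: $apparmor_d/abi/4.0 not found; AppArmor 4.0+ is needed for userns rules" >&2
        return 1
    fi
    cat <<EOF
# Unconfined profile: it only gives the process a label so AppArmor's
# user-namespace restriction lets it create namespaces.
abi <abi/4.0>,
include <tunables/global>

profile firefox-local $bindir/{firefox,firefox-bin,updater} flags=(unconfined) {
    userns,
    include if exists <local/firefox>
}
EOF
}

# Usage: sh firefox-userns-profile.sh generate [/path/to/firefox-launcher]
if [ "${1-}" = "generate" ]; then
    userns_status
    gen_profile "$(firefox_bindir "${2:-$(command -v firefox)}")"
fi
```

Redirect the output into /etc/apparmor.d/firefox-local only after checking that the printed attachment path matches where your distribution really installs the binaries, then reload AppArmor as the support page describes.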