AppArmor: allow access needed for Firefox sandboxing via unprivileged user namespace

Most distributions now ship with unprivileged user namespaces enabled,
which Firefox uses to set up its own sandbox. That sandbox is more
fine-grained and powerful than our AppArmor policy, so let's allow
Firefox to use it.

diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
index f5ddc4a5f85a634314e080e674ec9b89f854fa54..b086cb79739d95ffcd8b64abd8ad7e4dd4a763cc 100644 (file)
--- a/apparmor/torbrowser.Browser.firefox
+++ b/apparmor/torbrowser.Browser.firefox
@@ -130,7 +130,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
   deny /run/user/[0-9]*/dconf/user rw,
   deny /usr/bin/lsb_release x,
-  deny capability sys_admin,
 
   # Silence denial logs about PulseAudio
   deny /etc/pulse/client.conf r,
@@ -152,5 +151,11 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   # Yubikey NEO also needs this:
   /sys/devices/**/hidraw/hidraw*/uevent r,
 
+  # Needed for Firefox sandboxing via unprivileged user namespaces
+  capability sys_admin,
+  capability sys_chroot,
+  owner @{PROC}/@{pid}/{gid,uid}_map w,
+  owner @{PROC}/@{pid}/setgroups w,
+
   #include <local/torbrowser.Browser.firefox>
 }