Hey all! I just booted up firefox 129 today after having been away for a while and received a message concerning the security due to Firefox not having the ability to utilize unprivileged namespaces (linked to this page: Install Firefox on Linux | Firefox Help). For context I use Arch Linux with unprivileged namespaces disabled (linux-hardened) and apparmor with default profiles (I am waiting for the apparmor.d project to become stable). Unfortunately, the apparmor package has not been updated to the newest version yet that gives firefox access to user namespaces. My question is whether prior to firefox 129, I had been using a security compromised web browser due to the lack of access to user namespaces.
I think so. If you want to verify, you can downgrade the package and check on about:support with unprivileged namespaces turned off
Then why haven’t I received this notification until now?
I don’t know, ask Mozilla
I think you weren’t running completely unsandboxed, but your sandbox was likely weaker. Disable userns and check your sandbox level on about:support
Yeah, it seems like the user namespaces security feature is disabled in the previous version, despite no notification. Is this something that I should be concerned about (from a previous exposure point of view)?
To note, it says that user namespaces for privileged processes are enabled, but for unprivileged processes they are disabled.
Depends on your threat model. Here’s Info on the linux sandbox.
You still have been using the Seccomp part of the sandbox, but neither namespaces nor chroot. So the sandboxing and site isolation have been weaker.
Hopefully your mentioned Apparmor feature also comes to Arch. I have only seen it on Ubuntu so far. Would be a great addition.
In the meantime, is it better from a security perspective to disable unprivileged namespaces even if it means a weakened Firefox sandbox, or to enable unprivileged namespaces?
I found some interesting links to add to this conversation:
So based on your research since August, what did you conclude?
After reading through the links and finding some other sources, it seems like enabling unprivileged user namespaces and not using browser Flatpaks is the way to go, at least for now?
Brief summary of what I read:
- Enabling unprivileged user namespaces provides better Firefox sandboxing
- Enabling unprivileged user namespaces also increases attack surface and there’s been a number of related exploits
- Firefox sandboxing is weakened when using Flatpaks, even if unprivileged user namespaces are enabled, and the simplest approach for improving this will significantly increase memory usage
- Even Chromium sandboxing is weakened when using Flatpaks (although it does better than Firefox)
So it’s about deciding which bad thing is worse, with no clear winner.
However, all mainstream distros default to enabling unprivileged user namespaces, and it seems like the browser’s own sandboxing is more important than either the Flatpak’s sandboxing or the risk of enabling unprivileged user namespaces because you’re already in big trouble if malware breaks out of the browser sandbox.
I’d love for somebody who knows more to jump in!
You can also restrict namespaces with a sandbox manager with the native package (bubblejail supports this).
If you are using an apparmor distro, you can also disable the option in the kernel and use an apparmor profile to allow it for specific binaries. See: Install Firefox on Linux | Firefox Help
Ubuntu added this feature so that unpriv-userns can be granted to specific applications: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
Similar to what @asanyan mentioned.
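To check which of the three situations discussed above a host is in (userns fully disabled as on linux-hardened, gated per-binary by AppArmor as on Ubuntu 23.10+, or open to every unprivileged process), here is an added shell script that is not from this thread or from Mozilla. It reads the sysctl knobs, classifies them, and then probes whether the current shell can actually create a user namespace, which is the same condition Firefox reports under the Sandbox section of about:support; the classification function is kept pure so it can be exercised with constructed values.

```shell
#!/bin/sh
# Added example: report how unprivileged user namespaces are configured.
# Knobs read (all are real kernel/distro sysctls, absent where unsupported):
#   kernel.unprivileged_userns_clone          linux-hardened / Debian switch
#   kernel.apparmor_restrict_unprivileged_userns  Ubuntu 23.10+ AppArmor gate
#   user.max_user_namespaces                  upstream cap; 0 disables creation

# read_knob PATH: print the knob's value, or "absent" if the knob does not exist.
read_knob() {
    if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# classify_userns CLONE RESTRICT MAX: pure function over the three values.
# Prints: disabled | apparmor-gated | enabled
classify_userns() {
    if [ "$1" = 0 ] || [ "$3" = 0 ]; then
        echo disabled        # no unprivileged process may create a user namespace
    elif [ "$2" = 1 ]; then
        echo apparmor-gated  # only binaries whose AppArmor profile grants userns
    else
        echo enabled         # any unprivileged process may unshare(CLONE_NEWUSER)
    fi
}

# report_host: classify the running kernel, then do a live probe.
report_host() {
    clone=$(read_knob /proc/sys/kernel/unprivileged_userns_clone)
    restrict=$(read_knob /proc/sys/kernel/apparmor_restrict_unprivileged_userns)
    max=$(read_knob /proc/sys/user/max_user_namespaces)
    echo "unprivileged_userns_clone=$clone apparmor_restrict_unprivileged_userns=$restrict max_user_namespaces=$max"
    echo "policy: $(classify_userns "$clone" "$restrict" "$max")"
    # Live probe: try to create a user namespace and map ourselves to root in it.
    # This is what Firefox's content-process sandbox needs; if it fails here,
    # about:support will show user namespaces as unavailable for this user.
    if command -v unshare >/dev/null 2>&1 && unshare -Ur true 2>/dev/null; then
        echo "probe: unshare -Ur succeeded (userns available to this user)"
    else
        echo "probe: unshare -Ur failed (userns unavailable, or unshare missing)"
    fi
}

report_host
```

The probe reflects the calling user's confinement only: on an AppArmor-gated host, Firefox may still be granted userns by its own profile even though an unconfined shell is denied.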
For those on a distro using SELinux, there’s the user_namespace class that you can deny for the unconfined domain and then selectively enable for apps that require it. For example: secureblue/files/scripts/selinux/user_namespace/grant_userns.cil at 382b09171e8cd6c0873a37a2d1e36443d37ea9e8 · secureblue/secureblue · GitHub