Hey all! I just booted up firefox 129 today after having been away for a while and received a message concerning the security due to Firefox not having the ability to utilize unprivileged namespaces (linked to this page: Install Firefox on Linux | Firefox Help). For context I use Arch Linux with unprivileged namespaces disabled (linux-hardened) and apparmor with default profiles (I am waiting for the apparmor.d project to become stable). Unfortunately, the apparmor package has not been updated to the newest version yet that gives firefox access to user namespaces. My question is whether prior to firefox 129, I had been using a security compromised web browser due to the lack of access to user namespaces.
I think so. If you want to verify, you can downgrade the package and check on about:support with unprivileged namespaces turned off
Then why haven’t I recieved this notification until now?
I don’t know, ask Mozilla 
I think you weren’t running completely unsandboxed, but your sandbox was likely weaker. Disable userns and check your sandbox level on about:support
Yeah, it seems like the user namespaces security feature is disabled in the previous version, despite no notification. Is this something that I should be concerned about (from a previous exposure point of view)?
To note, it says that user namespaces for privileged processes is enabled but for unprivileged processes it is disabled.
Depends on your threat model. Here’s Info on the linux sandbox.
You still have been using the Seccomp part of the sandbox, but neither namespaces, nor chroot. So the sandboxing and site isolation has been weaker.
Hopefully your mentioned Apparmor feature also comes to Arch. I have only seen it on Ubuntu so far. Would be a great addition.
In the meantime, is is better from a security perspective to disable unprivileged namespaces even if it means a weakened firefox sandbox, or enable unprivileged namespaces?
I found some interesting links to add to this conversation: