Package: apparmor Version: 4.1.0~beta5-2 Severity: important After the apparmor upgrade to 4.1.0~beta5-2, Firefox (Debian's package firefox 135.0.1-1) now displays the following warning message:
Some of Firefox's security features may offer less protection on your current operating system. See attached screenshot. The link "How to fix this issue" leads to https://support.mozilla.org/en-US/kb/install-firefox-linux which says: The sandbox in Firefox makes use of unprivileged user namespaces when creating new processes for enforcing more security. This can be considered a security risk, therefore some Linux distributions have started to restrict its usage and only allow it to work where there is an AppArmor profile. Such profiles can only cover a limited set of installations paths, including Snap and Debian packages. They cannot however cover some other use cases, such as tarball installations as well as local development builds. and then explains how to create an apparmor profile (but here, there is already /etc/apparmor.d/firefox). -- System Information: Debian Release: trixie/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.11.10-amd64 (SMP w/12 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages apparmor depends on: ii debconf [debconf-2.0] 1.5.89 ii libc6 2.40-7 apparmor recommends no packages. Versions of packages apparmor suggests: pn apparmor-profiles-extra <none> pn apparmor-utils <none> -- debconf information: apparmor/homedirs: -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
