On Monday, February 10, 2020 at 11:14:26 AM UTC-7, gcpas...@gmail.com wrote:

> IIRC CAP_SYS_ADMIN is needed to install seccomp-bpf filters.
We don't need capabilities for seccomp-bpf. We do need capabilities for anything namespace-related: chroot()ing to a deleted directory to revoke filesystem access, as mentioned, as well as creating isolated namespaces for networking and SysV IPC (and at some point in the future also process IDs). These form an additional layer of protection.

But there seems to be a significant misunderstanding in that forum thread: the capabilities that Firefox uses are within the scope of an unprivileged user namespace, as explained in the user_namespaces(7) man page. Allowing these capabilities may expose additional kernel attack surface, but in the absence of exploitable kernel bugs they don't increase the set of resources that can be accessed. For example, CAP_SYS_CHROOT in this context doesn't allow tricking setuid root executables into doing anything, because it's restricted to a user namespace where the real root user doesn't exist and setuid execution doesn't work.

Unfortunately, AppArmor doesn't seem to distinguish between these limited capabilities and the "real" capabilities in the initial user namespace, at least not by default.

--Jed

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
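The first point in the reply above (no capability is needed to install a seccomp-bpf filter) as an added C example; this is not code from the thread or from Firefox. It assumes Linux on x86_64 or aarch64 with the kernel UAPI headers installed: the process sets no_new_privs and then installs a minimal filter, which is what the kernel accepts from an unprivileged caller in place of CAP_SYS_ADMIN.

```c
/* Added example (not from the thread): an unprivileged process installing a
 * seccomp-bpf filter; PR_SET_NO_NEW_PRIVS stands in for CAP_SYS_ADMIN. */
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SCMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SCMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* Deliberately narrow filter, safe to install in a test process: only
 * getpriority(2) fails with EPERM. Returns 0 on success or -errno. */
int install_filter(void)
{
    struct sock_filter code[] = {
        /* Kill if the syscall ABI is not the one this filter was built for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SCMP_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number; deny only getpriority. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpriority, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(code) / sizeof(code[0]), .filter = code };
    /* Without no_new_privs an unprivileged caller gets EACCES here. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Returns the errno the filtered syscall produced (0 if it was allowed). */
int probe_getpriority(void)
{
    errno = 0;
    getpriority(PRIO_PROCESS, 0);
    return errno;
}
```

Run it as a normal user: the filter installs without any capability, and the probe reports EPERM, while the same prctl(PR_SET_SECCOMP) call fails with EACCES if the no_new_privs step is removed.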