show user a dismisable notification when user namespaces are not available
Categories
(Core :: Security: Process Sandboxing, defect, P1)
Tracking
()
People
(Reporter: gerard-majax, Assigned: gerard-majax, NeedInfo)
References
Details
Attachments
(2 files, 2 obsolete files)
|
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-beta+
dmeehan
:
approval-mozilla-esr128+
|
Details | Review |
|
92.09 KB,
image/png
|
Details |
Capture d’écran du 2024-05-29 18-12-09.png
Starting with Ubuntu 24.04 userns are not available by default to non packaged versions (they ship an AppArmor profile for Snap and packaged versions), and prior to bug 1884347 would (purposedly) crash processes. We might want to inform our population of users running tarball that they need to create an AppArmor profile
|
Assignee | |
Updated•4 months ago
|
|
|
Assignee | |
Comment 1•4 months ago
|
||
|
|
Assignee | |
Comment 2•4 months ago
|
||
|
||
Updated•4 months ago
|
|
||
Comment 3•4 months ago
|
||
gerard-majax, can you give me some way to test this? We'd like to make sure this warning is visible to Thunderbird users as well, and I don't think I use any user namespaces :)
Also, how does the screencap show the desired warning in Firefox if the phabricator patch hasn't been merged yet?
|
|
Assignee | |
Comment 4•4 months ago
|
||
(In reply to Heather Ellsworth from comment #3)
gerard-majax, can you give me some way to test this? We'd like to make sure this warning is visible to Thunderbird users as well, and I don't think I use any user namespaces :)
i thought sandboxing was not enabled on thunderbird?
Also, how does the screencap show the desired warning in Firefox if the phabricator patch hasn't been merged yet?
that's my local debug build ?
|
|
||
Comment 5•4 months ago
•
|
||
i thought sandboxing was not enabled on thunderbird?
As of Ubuntu 24.04, the thunderbird deb package is a transition package that just installs the snap. So thunderbird is sandboxed with apparmor, like Firefox on Ubuntu.
that's my local debug build
ah of course :)
|
|
Assignee | |
Comment 6•4 months ago
|
||
(In reply to Heather Ellsworth from comment #5)
i thought sandboxing was not enabled on thunderbird?
As of Ubuntu 24.04, the thunderbird deb package is a transition package that just installs the snap. So thunderbird is sandboxed with apparmor, like Firefox on Ubuntu.
yes but the snap package is not impacted ;
that's my local debug build
ah of course :)
i just checked and my thunderbird (local tarball install in $HOME/bin/) does indeed have (same as firefox) sandboxing enabled, so it's hit as well. I'm not sure how the notification is going to work in this case, i dont know comm-central :(
|
|
Assignee | |
Comment 7•3 months ago
|
||
|
|
Assignee | |
Updated•3 months ago
|
|
|
Assignee | |
Comment 8•3 months ago
|
||
We will also likely have to uplift that to 128 for ESR I believe?
|
||
Updated•3 months ago
|
|
|
Assignee | |
Comment 9•3 months ago
|
||
Heather, after Gijs's review things have moved and should be easier to pickup for Thunderbird. You're welcome to give a look at the pending patch :)
|
|
Assignee | |
Comment 10•3 months ago
|
||
|
|
||
Updated•3 months ago
|
|
||
Comment 11•3 months ago
|
||
|
||
Comment 12•3 months ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 13•2 months ago
|
||
Comment on attachment 9404598 [details]
Bug 1899516 - Warn user when missing unprivileged user namespace r?#firefox-desktop-core-reviewers!
Beta/Release Uplift Approval Request
- User impact if declined: Sandbox runs in degraded state in some installation and user will not be aware
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: Install from tarball on ubuntu 24.04 uptodate, start firefox, you should see the notification
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): We leave some users with a degraded sandbox
- String changes made/needed: Added a few strings to toolkit/locales/en-US/toolkit/updates/elevation.ftl (instead of creating a new file to ease uplift)
- Is Android affected?: No
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: While it's not flagged as sec: it still impacts security of some users, and ESR will be supported for a long time so we would leave people running with a degraded sandbox for long
- User impact if declined: Sandbox runs in degraded state in some installation and user will not be aware
- Fix Landed on Version: 130
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Code is simple and tested, landed on nightly and no problem reported, uplift requested to 129
|
|
Assignee | |
Updated•2 months ago
|
|
||
Updated•2 months ago
|
|
||
Comment 14•2 months ago
|
||
Comment on attachment 9404598 [details]
Bug 1899516 - Warn user when missing unprivileged user namespace r?#firefox-desktop-core-reviewers!
Approved for 129.0b6
|
|
||
Comment 15•2 months ago
|
||
| uplift | ||
|
|
||
Updated•2 months ago
|
|
||
Comment 16•2 months ago
|
||
Unfortunately I couldn't get the message to appear on two different Ubuntu 24.04 VM's (one clean installed) and one native Ubuntu 24.04 with the latest version of Firefox 130.0a1 (2024-07-18). :gerard-majax can you verify the fixes as they will be available on the other branches as well? Thanks!
|
|
Assignee | |
Comment 17•2 months ago
|
||
(In reply to Catalin Sasca, Desktop QA [:csasca] from comment #16)
Unfortunately I couldn't get the message to appear on two different Ubuntu 24.04 VM's (one clean installed) and one native Ubuntu 24.04 with the latest version of Firefox 130.0a1 (2024-07-18). :gerard-majax can you verify the fixes as they will be available on the other branches as well? Thanks!
Just to make it clear, it's not that the feature does not work, we verified and somehow on your systems the firefox you run does have the feature properly detected by the sandboxing code, so we are not showing the notification because we dont need to. Technically, this is working as intended. What I cannot figure out is why you have the feature working when it should not, but that's another issue. Let's mention you confirmed seeing the notification when running via mozregression which confirms that at least a firefox binary ran from /tmp/... gets blocked by AppArmor.
We need to continue investigating, maybe there's some AppArmor rule/bug in your case?
I can confirm that on my VMs I do see the notification at least on Nightly. I'll verify on Beta later.
|
|
Assignee | |
Comment 18•2 months ago
|
||
I believe we have been able to come to something that reproduces as expected
|
|
||
Comment 19•2 months ago
|
||
So after talking to :gerard-majax and finding a way to work it out, I've been able to verify that the notification is present on Firefox 129.0b6 and Firefox 130.0a1 (2024-07-21). Tests were performed on Ubuntu 24.04.
|
|
||
Comment 20•2 months ago
|
||
Comment on attachment 9404598 [details]
Bug 1899516 - Warn user when missing unprivileged user namespace r?#firefox-desktop-core-reviewers!
Approved for 128.1esr.
|
|
||
Comment 21•2 months ago
|
||
| uplift | ||
|
|
||
Updated•2 months ago
|
|
|
||
Comment 23•2 months ago
|
||
Verified that the notification is present on Firefox 128.1.0esr as well on Ubuntu 24.04.
Description
•