AppArmor profile for Firefox with or without CAP_SYS_ADMIN, CAP_SYS_CHROOT and CAP_SYS_PTRACE
Hi,
I've created an AppArmor profile for Firefox but I don't know whether to deny or allow the capabilities CAP_SYS_ADMIN, CAP_SYS_CHROOT and CAP_SYS_PTRACE. I've tried both ways, denying and allowing them, and Firefox seems to work properly without allowing these capabilities. So here's the question: Which features of Firefox actually need these capabilities? All of them are pretty powerful in the hands of a malicious program.