I'm using AppArmor on my system (Gentoo, vanilla kernel 4.9). I discovered that every time Firefox starts is trying to get very powerful CAP_SYS_ADMIN capability. Does Firefox drop this capability before process handles external data/access internet? Does denying this capability have any negative consequences? EDIT: I just found out Firefox is using this capabilities to sandbox itself. Its great but default AppArmor policies like http://ftp.pl.debian.org/debian/pool/main/a/apparmor/apparmor-profiles_2.12-4_all.deb will deny CAP_SYS_ADMIN. Does Mozilla have any communication channels with major distributions or should i file bug reports myself?