I have enabled the Firefox AppArmor profile in Linux Mint, and one of the log messages about denied requests is for the sys_admin capability. Firefox works normally in its surface behavior, for me. How many bad things may happen because it does not have this capability?
I have found some information: https://forums.whonix.org/t/why-does-the-tor-browser-apparmor-profile-have-sys-admin-sys-chroot-and-ptrace-capabilities/7409 :

"sys_admin will allow the Tor Browser to do a whole load of things that it probably shouldn’t be able to."

"cap_sys_admin seems to be related to namespaces and seccomp which firefox’s sandbox uses and cap_sys_chroot is needed for chroot which firefox also uses. These should probably be added back but those capabilities can be dangerous."

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
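Added example, not part of the original post: a short Python script that tallies AppArmor capability denials per profile from kernel audit lines, which shows which capabilities a profile is refusing and how often. The log lines are constructed, and the profile name `firefox` and the `SANDBOX_RELATED` set (the two capabilities the quoted thread ties to the sandbox) are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel audit format AppArmor uses
# (profile name, pids and timestamps are made up for this example).
SAMPLE_LOG = '''\
Jun  1 10:00:01 mint kernel: audit: type=1400 audit(1559383201.101:51): apparmor="DENIED" operation="capable" profile="firefox" pid=2210 comm="firefox" capability=21  capname="sys_admin"
Jun  1 10:00:01 mint kernel: audit: type=1400 audit(1559383201.102:52): apparmor="DENIED" operation="capable" profile="firefox" pid=2210 comm="firefox" capability=18  capname="sys_chroot"
Jun  1 10:00:07 mint kernel: audit: type=1400 audit(1559383207.400:53): apparmor="DENIED" operation="open" profile="firefox" name="/proc/2210/mounts" pid=2210 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jun  1 10:02:30 mint kernel: audit: type=1400 audit(1559383350.900:54): apparmor="DENIED" operation="capable" profile="firefox" pid=2391 comm="Web Content" capability=21  capname="sys_admin"
Jun  1 10:02:31 mint kernel: audit: type=1400 audit(1559383351.000:55): apparmor="DENIED" operation="capable" profile="firefox" pid=2391 comm="Web Content" capability=12  capname="net_admin"
Jun  1 10:03:00 mint kernel: audit: type=1400 audit(1559383380.000:56): apparmor="ALLOWED" operation="capable" profile="other" pid=99 comm="x" capability=21  capname="sys_admin"
'''

# Assumption: the capabilities the quoted thread links to Firefox's sandbox.
SANDBOX_RELATED = {"sys_admin", "sys_chroot"}

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def denied_capabilities(log_text):
    """Count capability denials per (profile, capname); skip other events."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") == "DENIED" and f.get("operation") == "capable":
            counts[(f.get("profile", "?"), f.get("capname", "?"))] += 1
    return counts


def report(log_text, profile):
    """Rows of (capname, denial count, sandbox-related?) for one profile."""
    return [(cap, n, cap in SANDBOX_RELATED)
            for (prof, cap), n in sorted(denied_capabilities(log_text).items())
            if prof == profile]


if __name__ == "__main__":
    for cap, n, sandbox in report(SAMPLE_LOG, "firefox"):
        note = "sandbox-related per quoted thread" if sandbox else ""
        print(f"{cap:12} denied {n}x  {note}")
```

On a real system the input would be the kernel log or audit log rather than `SAMPLE_LOG`.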