Comment 8 for bug 1861408

John Johansen (jjohansen) wrote :

Firefox uses cap_sys_admin to set up its sandbox, which is extremely unfortunate but required on Linux to be able to set up the user_namespace, do the chroot, etc. Currently the LSM and user namespaces don't interact as well as they should.

AppArmor can NOT properly determine the policy namespace that it should be in with the user_namespace after Firefox enters its sandbox. This results in the cap_sys_admin messages.

This is a known problem and we are working on it. At the moment we recommend granting the capability in the profile and letting Firefox set up its sandbox. Unfortunately this means you can't guarantee the rest of the program isn't doing things it shouldn't.
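
To see which profiles are producing the capability denials described above before granting anything, the audit lines can be summarised per profile. This is an added example, not part of the original comment or of AppArmor's tooling; the log lines and the profile name `firefox` are constructed, and the field layout assumes the usual kernel AppArmor audit format.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (not taken from the bug report).
SAMPLE_LOG = """\
[ 101.000001] audit: type=1400 audit(1580400000.100:50): apparmor="DENIED" operation="capable" profile="firefox" pid=4242 comm="firefox" capability=21  capname="sys_admin"
[ 101.000002] audit: type=1400 audit(1580400000.200:51): apparmor="DENIED" operation="capable" profile="firefox" pid=4250 comm="Web Content" capability=21  capname="sys_admin"
[ 102.000003] audit: type=1400 audit(1580400001.300:52): apparmor="DENIED" operation="open" profile="firefox" name="/etc/shadow" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 103.000004] audit: type=1400 audit(1580400002.400:53): apparmor="ALLOWED" operation="capable" profile="example-tool" pid=5000 comm="example-tool" capability=18  capname="sys_chroot"
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def capability_denials(log_text):
    """Count AppArmor capability denials per (profile, capname)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_fields(line)
        # Only denied capability checks; file denials and complain-mode
        # ("ALLOWED") entries are a different decision and are skipped.
        if f.get("apparmor") == "DENIED" and f.get("operation") == "capable":
            counts[(f.get("profile", "?"), f.get("capname", "?"))] += 1
    return counts

def suggested_rules(counts):
    """Map each profile to the capability rules matching its denials."""
    rules = {}
    for profile, capname in sorted(counts):
        rules.setdefault(profile, []).append(f"capability {capname},")
    return rules

if __name__ == "__main__":
    counts = capability_denials(SAMPLE_LOG)
    for profile, rules in suggested_rules(counts).items():
        print(profile, rules)
    for (profile, capname), n in counts.items():
        print(f"{n} denial(s): profile={profile} capname={capname}")
```

A rule such as `capability sys_admin,` applies to the whole confined program, not only its sandbox setup, which is the trade-off the comment describes.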