Fix Brave's native sandbox (#3087)

* Allow user access to /proc/config.gz * Fix Brave's native sandbox * Move /proc/config.gz to disable-common.inc * Move /proc/config.gz to disable-common.inc
netblue30 · Dec 19, 2019 · 8199725 · 8199725
1 parent d0b3e2b
commit 8199725
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/etc/brave.profile b/etc/brave.profile
@@ -25,5 +25,8 @@ whitelist ${HOME}/.config/brave
 whitelist ${HOME}/.config/brave-flags.conf
 whitelist ${HOME}/.gnupg
 
+# Brave sandbox needs read access to /proc/config.gz
+noblacklist /proc/config.gz
+
 # Redirect
 include chromium-common.profile
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
@@ -452,3 +452,6 @@ blacklist ${HOME}/Mail
 blacklist ${HOME}/mail
 blacklist ${HOME}/postponed
 blacklist ${HOME}/sent
+
+# kernel configuration
+blacklist /proc/config.gz
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
@@ -642,7 +642,8 @@ void fs_proc_sys_dev_boot(void) {
 	// various /proc files
 	disable_file(BLACKLIST_FILE, "/proc/irq");
 	disable_file(BLACKLIST_FILE, "/proc/bus");
-	disable_file(BLACKLIST_FILE, "/proc/config.gz");
+	// move /proc/config.gz to disable-common.inc
+	//disable_file(BLACKLIST_FILE, "/proc/config.gz");
 	disable_file(BLACKLIST_FILE, "/proc/sched_debug");
 	disable_file(BLACKLIST_FILE, "/proc/timer_list");
 	disable_file(BLACKLIST_FILE, "/proc/timer_stats");