-
Notifications
You must be signed in to change notification settings - Fork 570
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Firejail breaks Brave browser default sandboxing #2944
Comments
A blank profile (aka Line 636 in 2e64e78
|
@corecontingency |
Yes. Just replicated this exact same bug in a Manjaro VM, using the firejail-git and brave-bin packages from the AUR. I think that this might be fixed if Brave was able to read I am not sure how much effort should be put into this, considering chromium has a sandbox already, and the issues that firejail is having with electron based apps. |
@corecontingency I've made a tentative patch that you can download and integrate into the firejail-git PKGBUILD you mentioned earlier. The patch enables using BEWARE: although I personally don't see much issues in making /proc/config.gz accessable that way, it's just a dirty workaround for now. Would be nice of you could test it and report back though. We'll see what more experienced collaborators think of patching firejail this way later on. |
@corecontingency Thanks for testing/confirming the patch works. I made a PR in #3087 awaiting review. Let's move any discussion about the patch to the PR. |
|
That might work too. I imagine that if it cannot find /proc/config.gz it checks the config file in /boot/. Possibly it is getting confused on Manjaro/Arch and not checking /boot/ because /proc/config.gz is present in the sandbox, just unreadable? Wait, nvm, /boot/ is unreadable entirely in firejail. |
@corecontingency I've been doing some more research on Brave and I might have found a way to have our cake and eat it too. Translation: it might not be needed to make any changes to firejail after all and still be able to keeo Brave's native sandbox intact. It all boils down to bypassing the (sandbox) checks in Would you be willing to do another test to confirm/deny whether my logic holds up? If so, make sure you don't have firejail patched with the tentative stuff I provided above and run the below from a terminal:
For me this starts Brave without any major hickups, showing the exact same (mostly) green sandbox status cfr. the image in your earlier post. This would keep the firejail sandbox as tight as possible, whatever the state of /proc/config.gz, which is the better option here IMHO. Feel free to disagree, shoot holes in my argumentation etcetera. We really need to fix Brave somehow, that's the only goal here... TIA. |
Seems like this works, good idea! Used a fresh Manjaro vm with AUR packages Downside of this method is that it might be harder for the end-user. I don't think This isn't too much of a hassle, but something to keep in mind. |
@glitsj16 this approach will be hard to propagate to users as we can't really mandate how they launch brave. I still believe my proposition from #3087 (comment) will work better. |
@corecontingency Thanks for your response and analysis. After further deliberation it is indeed much better to go with @Vincent43's suggestions. I've updated the relevant PR accordingly. |
This should be fixed by 8199725 |
Running brave with firejail has this error:
Brave opens fine, and runs fine, but the sandbox does not work. Image is below.
It seems like brave checks if the kernel has user namespaces enabled by checking
/proc/config.gz
. Unfortunately, this file cannot be read from the firejail sandbox, so brave assumes user namespaces are disabled (even when they are actually enabled), so it runs with the--no-sandbox
flag.I believe this issue can be fixed if
/proc/config.gz
is made readable. Unfortunately, even if using a completely blank profile, this file still cannot be read. I have tried passingbut the first two do nothing, and the last says it is an invalid whitelist, and firejail won't run.
How do I make this file accessible from the sandbox?
The text was updated successfully, but these errors were encountered: