Fix Brave's native sandbox #3087

Merged
merged 4 commits into from
Dec 19, 2019

glitsj16
Collaborator

IMPORTANT: leave this unmerged until collaborators have had ample opportunity to review.

This is a tentative fix for #2944. The patch enables using noblacklist /proc/config.gz in /etc/firejail/brave.profile. Momentarily this is only needed for that one profile, so I'm not entirely convinced this is the best way to fix #2914. Thoughts?

@rusty-snake added the "WIP: DON'T MERGE" label (a PR that is still being worked on) Dec 17, 2019
@Vincent43
Collaborator

Vincent43 commented Dec 17, 2019

Honestly I don't believe /proc/config.gz is so sensitive that it requires special treatment. I would propose dropping it from fs.c and adding it to disable-common.inc instead unless there is a reason /proc contents cannot be handled there.

@rusty-snake
Collaborator

firejail cat /proc/cmdline ✔️
firejail --blacklist=/proc/cmdline cat /proc/cmdline

@glitsj16
Collaborator Author

@Vincent43 I've updated the PR, implementing your suggestions.

@glitsj16
Collaborator Author

For me this looks fine now. It would be appreciated if any of the reviewers could merge this after checking the updated commits. TIA.

@Vincent43
Collaborator

@glitsj16 looks fine to me; however, the commits may be cleaned up to not introduce changes that are later reverted. Alternatively, the whole thing may be squashed.

@glitsj16 glitsj16 merged commit 8199725 into netblue30:master Dec 19, 2019
@glitsj16 glitsj16 deleted the brave-fix branch December 19, 2019 19:36
@rusty-snake removed the "WIP: DON'T MERGE" label (a PR that is still being worked on) Dec 19, 2019
@glitsj16
Collaborator Author

@netblue30 Do we need to backport this to the release-0.9.62 branch?

@rusty-snake
Collaborator

@glitsj16 since there are some more commits with (important) fixes, I opened an issue to discuss this: #3089

rusty-snake pushed a commit to rusty-snake/firejail that referenced this pull request Dec 21, 2019
* Allow user access to /proc/config.gz

* Fix Brave's native sandbox

* Move /proc/config.gz to disable-common.inc

* Move /proc/config.gz to disable-common.inc
Development

Successfully merging this pull request may close these issues.

Command "firejail --seccomp skypeforlinux" used to work until skype's rpm update to 8.51.0.72-1.x86_64.rpm