github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #2944] Firejail breaks Brave browser default sandboxing #1838

New issue
Closed
opened 2026-05-05 08:30:23 -06:00 by gitea-mirror · 13 comments
gitea-mirror commented 2026-05-05 08:30:23 -06:00
Owner
Copy link

Originally created by @corecontingency on GitHub (Sep 6, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2944

Running brave with firejail has this error:

gzip: /proc/config.gz: Permission denied
User namespaces are not detected as enabled on your system, Brave will run with the sandbox disabled

Brave opens fine, and runs fine, but the sandbox does not work. Image is below.

brave_no_sandbox_a

It seems like brave checks if the kernel has user namespaces enabled by checking /proc/config.gz. Unfortunately, this file cannot be read from the firejail sandbox, so brave assumes user namespaces are disabled (even when they are actually enabled), so it runs with the --no-sandbox flag.

I believe this issue can be fixed if /proc/config.gz is made readable. Unfortunately, even if using a completely blank profile, this file still cannot be read. I have tried passing

noblacklist /proc/config.gz
read-only /proc/config.gz
whitelist /proc/config.gz

but the first two do nothing, and the last says it is an invalid whitelist, and firejail won't run.

How do I make this file accessible from the sandbox?

Originally created by @corecontingency on GitHub (Sep 6, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2944 Running brave with firejail has this error: gzip: /proc/config.gz: Permission denied User namespaces are not detected as enabled on your system, Brave will run with the sandbox disabled Brave opens fine, and runs fine, but the sandbox does not work. Image is below. ![brave_no_sandbox_a](https://user-images.githubusercontent.com/54042889/64463847-60521f80-d0ba-11e9-8372-c5be600fd008.png) It seems like [brave checks](https://github.com/brave/brave-browser/issues/3420) if the kernel has user namespaces enabled by checking `/proc/config.gz`. Unfortunately, this file cannot be read from the firejail sandbox, so brave assumes user namespaces are disabled (even when they are actually enabled), so it runs with the `--no-sandbox` flag. I believe this issue can be fixed if `/proc/config.gz` is made readable. Unfortunately, even if using a completely blank profile, this file still cannot be read. I have tried passing noblacklist /proc/config.gz read-only /proc/config.gz whitelist /proc/config.gz but the first two do nothing, and the last says it is an invalid whitelist, and firejail won't run. How do I make this file accessible from the sandbox?
gitea-mirror 2026-05-05 08:30:23 -06:00
  • closed this issue
  • added the
    bug
         label
gitea-mirror commented 2026-05-05 08:30:26 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Sep 7, 2019):

Unfortunately, even if using a completely blank profile

A blank profile (aka --noprofile) can't help here because the blacklist is hardcoded:
2e64e781bb/src/firejail/fs.c (L636)

<!-- gh-comment-id:529133745 --> @rusty-snake commented on GitHub (Sep 7, 2019): > Unfortunately, even if using a completely blank profile A blank profile (aka `--noprofile`) can't help here because the blacklist is hardcoded: https://github.com/netblue30/firejail/blob/2e64e781bb351448edb6e6f31f7c9085ca580382/src/firejail/fs.c#L636
gitea-mirror commented 2026-05-05 08:30:27 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Dec 14, 2019):

@corecontingency
still an issue?

<!-- gh-comment-id:565739516 --> @rusty-snake commented on GitHub (Dec 14, 2019): @corecontingency still an issue?
gitea-mirror commented 2026-05-05 08:30:28 -06:00
Author
Owner
Copy link

@corecontingency commented on GitHub (Dec 16, 2019):

Yes. Just replicated this exact same bug in a Manjaro VM, using the firejail-git and brave-bin packages from the AUR.

I think that this might be fixed if Brave was able to read /proc/config.gz from the sandbox, but I don't know how hard removing the hardcoded blacklist would be. What is the reasoning behind blacklisting /proc/config.gz? I understand it contains information about the configuration options when the kernel was compiled. Could allowing a program to read this file lead to a sandbox escape, or is it just a case of "better safe than sorry"?

I am not sure how much effort should be put into this, considering chromium has a sandbox already, and the issues that firejail is having with electron based apps.

<!-- gh-comment-id:565870857 --> @corecontingency commented on GitHub (Dec 16, 2019): Yes. Just replicated this exact same bug in a Manjaro VM, using the firejail-git and brave-bin packages from the AUR. I think that this might be fixed if Brave was able to read `/proc/config.gz` from the sandbox, but I don't know how hard removing the hardcoded blacklist would be. What is the reasoning behind blacklisting `/proc/config.gz`? I understand it contains information about the configuration options when the kernel was compiled. Could allowing a program to read this file lead to a sandbox escape, or is it just a case of "better safe than sorry"? I am not sure how much effort should be put into this, considering chromium has a sandbox already, and the issues that firejail is having with electron based apps.
gitea-mirror commented 2026-05-05 08:30:29 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Dec 16, 2019):

@corecontingency I've made a tentative patch that you can download and integrate into the firejail-git PKGBUILD you mentioned earlier. The patch enables using --noblacklist /proc/config.gz on the command line / noblacklist /proc/config.gz in a brave.local file.

BEWARE: although I personally don't see much issues in making /proc/config.gz accessable that way, it's just a dirty workaround for now. Would be nice of you could test it and report back though. We'll see what more experienced collaborators think of patching firejail this way later on.

<!-- gh-comment-id:565908844 --> @ghost commented on GitHub (Dec 16, 2019): @corecontingency I've made a [tentative patch](https://gist.github.com/glitsj16/80efb9a399187d3df6ec92aa34572c89) that you can download and integrate into the firejail-git PKGBUILD you mentioned earlier. The patch enables using `--noblacklist /proc/config.gz` on the command line / `noblacklist /proc/config.gz` in a brave.local file. **BEWARE**: although I personally don't see much issues in making /proc/config.gz accessable that way, it's just a dirty workaround for now. Would be nice of you could test it and report back though. We'll see what more experienced collaborators think of patching firejail this way later on.
gitea-mirror commented 2026-05-05 08:30:30 -06:00
Author
Owner
Copy link

@corecontingency commented on GitHub (Dec 16, 2019):

It works! After compiling with the patch, I added noblacklist /proc/config.gz to the profile. Shown below is what chrome://sandbox shows in brave running under firejail:

brave_fixed

Now for the discussion about how much danger this adds to the sandbox...

<!-- gh-comment-id:566305010 --> @corecontingency commented on GitHub (Dec 16, 2019): It works! After compiling with the patch, I added `noblacklist /proc/config.gz` to the profile. Shown below is what chrome://sandbox shows in brave running under firejail: ![brave_fixed](https://user-images.githubusercontent.com/54042889/70952962-1b2c7a80-2025-11ea-95d8-90690ce52eaa.png) Now for the discussion about how much danger this adds to the sandbox...
gitea-mirror commented 2026-05-05 08:30:30 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Dec 17, 2019):

@corecontingency Thanks for testing/confirming the patch works.

I made a PR in https://github.com/netblue30/firejail/pull/3087 awaiting review. Let's move any discussion about the patch to the PR.

<!-- gh-comment-id:566318623 --> @ghost commented on GitHub (Dec 17, 2019): @corecontingency Thanks for testing/confirming the patch works. I made a PR in https://github.com/netblue30/firejail/pull/3087 awaiting review. Let's move any discussion about the patch to the PR.
gitea-mirror commented 2026-05-05 08:30:31 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Dec 17, 2019):

/proc/config.gz does not exists on all distros (for example fedora). what happens if we hide it?

<!-- gh-comment-id:566547806 --> @rusty-snake commented on GitHub (Dec 17, 2019): `/proc/config.gz` does not exists on all distros (for example fedora). what happens if we hide it?
gitea-mirror commented 2026-05-05 08:30:32 -06:00
Author
Owner
Copy link

@corecontingency commented on GitHub (Dec 17, 2019):

That might work too. I imagine that if it cannot find /proc/config.gz it checks the config file in /boot/. Possibly it is getting confused on Manjaro/Arch and not checking /boot/ because /proc/config.gz is present in the sandbox, just unreadable?

Wait, nvm, /boot/ is unreadable entirely in firejail.

<!-- gh-comment-id:566602591 --> @corecontingency commented on GitHub (Dec 17, 2019): That might work too. I imagine that if it cannot find /proc/config.gz it checks the config file in /boot/. Possibly it is getting confused on Manjaro/Arch and not checking /boot/ because /proc/config.gz is present in the sandbox, just unreadable? Wait, nvm, /boot/ is unreadable entirely in firejail.
gitea-mirror commented 2026-05-05 08:30:33 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Dec 18, 2019):

@corecontingency I've been doing some more research on Brave and I might have found a way to have our cake and eat it too. Translation: it might not be needed to make any changes to firejail after all and still be able to keeo Brave's native sandbox intact. It all boils down to bypassing the (sandbox) checks in /usr/bin/brave on Arch Linux and derivatives. This issue doesn't exist on Debian/Ubuntu and hopefully other Linux distributions.

Would you be willing to do another test to confirm/deny whether my logic holds up? If so, make sure you don't have firejail patched with the tentative stuff I provided above and run the below from a terminal:

$ firejail --ignore=quiet /usr/lib/brave-bin/brave

For me this starts Brave without any major hickups, showing the exact same (mostly) green sandbox status cfr. the image in your earlier post. This would keep the firejail sandbox as tight as possible, whatever the state of /proc/config.gz, which is the better option here IMHO. Feel free to disagree, shoot holes in my argumentation etcetera. We really need to fix Brave somehow, that's the only goal here... TIA.

<!-- gh-comment-id:566835459 --> @ghost commented on GitHub (Dec 18, 2019): @corecontingency I've been doing some more research on Brave and I **might** have found a way to have our cake and eat it too. Translation: it might not be needed to make any changes to firejail after all **and** still be able to keeo Brave's native sandbox intact. _It all boils down to bypassing the (sandbox) checks in `/usr/bin/brave` on Arch Linux and derivatives_. This issue doesn't exist on Debian/Ubuntu and hopefully other Linux distributions. Would you be willing to do another test to confirm/deny whether my logic holds up? If so, make sure you don't have firejail patched with the tentative stuff I provided above and run the below from a terminal: `$ firejail --ignore=quiet /usr/lib/brave-bin/brave` For me this starts Brave without any major hickups, showing the exact same (mostly) green sandbox status cfr. the image in your earlier post. This would keep the firejail sandbox as tight as possible, whatever the state of /proc/config.gz, which is the better option here IMHO. Feel free to disagree, shoot holes in my argumentation etcetera. We really need to fix Brave somehow, that's the only goal here... TIA.
gitea-mirror commented 2026-05-05 08:30:33 -06:00
Author
Owner
Copy link

@corecontingency commented on GitHub (Dec 18, 2019):

Seems like this works, good idea! Used a fresh Manjaro vm with AUR packages firejail-git and brave-bin (all defaults) installed. The browser seems to work fine too, it saves your tabs, addons, and settings.

Downside of this method is that it might be harder for the end-user. I don't think firecfg could use a symlink in /usr/local/bin to translate a call of brave from the desktop file to firejail /usr/lib/brave-bin/brave. If this is true, after noticing the sandbox is broken in brave, users would have to head to /etc/firejail/brave.profile, and (presumably) read a comment saying to make a copy of the brave desktop file, put it in ~/.local/share/applications/, and replace the line Exec=brave %U with Exec=firejail /usr/lib/brave-bin/brave %U in the desktop file if running Arch/Manjaro.

This isn't too much of a hassle, but something to keep in mind.

<!-- gh-comment-id:566863639 --> @corecontingency commented on GitHub (Dec 18, 2019): Seems like this works, good idea! Used a fresh Manjaro vm with AUR packages `firejail-git` and `brave-bin` (all defaults) installed. The browser seems to work fine too, it saves your tabs, addons, and settings. Downside of this method is that it might be harder for the end-user. I don't think `firecfg` could use a symlink in `/usr/local/bin` to translate a call of `brave` from the desktop file to `firejail /usr/lib/brave-bin/brave`. If this is true, after noticing the sandbox is broken in brave, users would have to head to `/etc/firejail/brave.profile`, and (presumably) read a comment saying to make a copy of the brave desktop file, put it in `~/.local/share/applications/`, and replace the line `Exec=brave %U` with `Exec=firejail /usr/lib/brave-bin/brave %U` in the desktop file if running Arch/Manjaro. This isn't too much of a hassle, but something to keep in mind.
gitea-mirror commented 2026-05-05 08:30:34 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Dec 18, 2019):

@glitsj16 this approach will be hard to propagate to users as we can't really mandate how they launch brave. I still believe my proposition from https://github.com/netblue30/firejail/pull/3087#issuecomment-566576207 will work better.

<!-- gh-comment-id:566996796 --> @Vincent43 commented on GitHub (Dec 18, 2019): @glitsj16 this approach will be hard to propagate to users as we can't really mandate how they launch brave. I still believe my proposition from https://github.com/netblue30/firejail/pull/3087#issuecomment-566576207 will work better.
gitea-mirror commented 2026-05-05 08:30:34 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Dec 19, 2019):

@corecontingency Thanks for your response and analysis. After further deliberation it is indeed much better to go with @Vincent43's suggestions. I've updated the relevant PR accordingly.

<!-- gh-comment-id:567318242 --> @ghost commented on GitHub (Dec 19, 2019): @corecontingency Thanks for your response and analysis. After further deliberation it is indeed much better to go with @Vincent43's suggestions. I've updated the relevant PR accordingly.
gitea-mirror commented 2026-05-05 08:30:35 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Dec 20, 2019):

This should be fixed by 81997259ef

<!-- gh-comment-id:568036043 --> @Vincent43 commented on GitHub (Dec 20, 2019): This should be fixed by https://github.com/netblue30/firejail/commit/81997259ef3d28193e806d1e413c562927fd7631
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1838
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?