[GH-ISSUE #2995] Epiphany needs bwrap #1877

New issue

Closed

opened 2026-05-05 08:32:42 -06:00 by gitea-mirror · 15 comments

gitea-mirror commented 2026-05-05 08:32:42 -06:00

Owner

Copy link

Originally created by @mkdy on GitHub (Oct 8, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2995

A fresh version of Epiphany browser (3.34.1-1) uses bwrap for some purposes (have no idea why).
I've created epiphany.local and filled it with:
noblacklist ${PATH}/bwrap
However, it seems that bwrap itself needs some permissions such as internet access.

Originally created by @mkdy on GitHub (Oct 8, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2995 A fresh version of Epiphany browser (3.34.1-1) uses bwrap for some purposes (have no idea why). I've created `epiphany.local` and filled it with: `noblacklist ${PATH}/bwrap` However, it seems that `bwrap` itself needs some permissions such as internet access.

gitea-mirror closed this issue 2026-05-05 08:32:43 -06:00

gitea-mirror commented 2026-05-05 08:32:46 -06:00

Author

Owner

Copy link

@Vincent43 commented on GitHub (Oct 8, 2019):

bwrap is very similar to firejail itself sandboxing tool (used by flatpak) and I guess Epiphany uses it for that. Perhaps we have to drop epiphany support as overlapping sandboxes can't work.

<!-- gh-comment-id:539492586 --> @Vincent43 commented on GitHub (Oct 8, 2019): bwrap is very similar to firejail itself sandboxing tool (used by flatpak) and I guess Epiphany uses it for that. Perhaps we have to drop epiphany support as overlapping sandboxes can't work.

gitea-mirror commented 2026-05-05 08:32:46 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Oct 8, 2019):

Confirming. Fedora 31 BETA VM with firejail-git.

$ LC_ALL=C epiphany 
Reading profile /etc/firejail/epiphany.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 41676, child pid 41677
Child process initialized in 142.89 ms

** (epiphany:5): ERROR **: 17:02:33.800: Unable to fork a new child process: Failed to execute child process ?/usr/bin/bwrap? (Permission denied)

Parent is shutting down, bye...
$ LC_ALL=C firejail --noprofile epiphany 
Parent pid 41762, child pid 41763
Child process initialized in 11.65 ms
Warning: an existing sandbox was detected. /usr/bin/epiphany will run without any additional sandboxing features
bwrap: Can't mount proc on /newroot/proc: Operation not permitted

(epiphany:2): GLib-GObject-WARNING **: 17:02:50.308: ../gobject/gsignal.c:2647: instance '0x55c894894390' has no handler with id '2782'

Parent is shutting down, bye...

<!-- gh-comment-id:539556976 --> @rusty-snake commented on GitHub (Oct 8, 2019): Confirming. Fedora 31 BETA VM with firejail-git. ``` $ LC_ALL=C epiphany Reading profile /etc/firejail/epiphany.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Parent pid 41676, child pid 41677 Child process initialized in 142.89 ms ** (epiphany:5): ERROR **: 17:02:33.800: Unable to fork a new child process: Failed to execute child process ?/usr/bin/bwrap? (Permission denied) Parent is shutting down, bye... $ LC_ALL=C firejail --noprofile epiphany Parent pid 41762, child pid 41763 Child process initialized in 11.65 ms Warning: an existing sandbox was detected. /usr/bin/epiphany will run without any additional sandboxing features bwrap: Can't mount proc on /newroot/proc: Operation not permitted (epiphany:2): GLib-GObject-WARNING **: 17:02:50.308: ../gobject/gsignal.c:2647: instance '0x55c894894390' has no handler with id '2782' Parent is shutting down, bye... ```

gitea-mirror commented 2026-05-05 08:32:48 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Oct 10, 2019):

It is probably similar to Chrome, only the (sometimes setuid) sandbox binary is different.

<!-- gh-comment-id:540717616 --> @smitsohu commented on GitHub (Oct 10, 2019): It is probably similar to Chrome, only the (sometimes setuid) sandbox binary is different.

gitea-mirror commented 2026-05-05 08:32:49 -06:00

Author

Owner

Copy link

@FOSSONLY commented on GitHub (Oct 12, 2019):

@Vincent43
In fact, Firejail had no support for the Epiphany browser so far. The existing profile called Epiphany refers to a game of the same name. You should better use the Firefox profile for Epiphany.

However, I'm not sure how good it is for programs to bring their own sandbox. So the security is in the hands of the developers, and the user loses any flexibility to define it, if you don't want to change the source code. Personally, I would always use Firejail, because I don't think any program should be able to control its own security. For me, this is something that has to be centrally enforced, to which every program has to subordinate itself. What do the others think about it?

<!-- gh-comment-id:541330335 --> @FOSSONLY commented on GitHub (Oct 12, 2019): @Vincent43 In fact, Firejail had no support for the Epiphany browser so far. The existing profile called Epiphany refers to a game of the same name. You should better use the Firefox profile for Epiphany. However, I'm not sure how good it is for programs to bring their own sandbox. So the security is in the hands of the developers, and the user loses any flexibility to define it, if you don't want to change the source code. Personally, I would always use Firejail, because I don't think any program should be able to control its own security. For me, this is something that has to be centrally enforced, to which every program has to subordinate itself. What do the others think about it?

gitea-mirror commented 2026-05-05 08:32:50 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Oct 12, 2019):

The existing profile called Epiphany refers to a game of the same name.

IMHO we should say this explicit in the profile that is not for epiphany (aka GNOME Web) and remove it form firecfg.config since it cause name conflicts. Maybe also rename to epiphany_game.profile or similar.

<!-- gh-comment-id:541330914 --> @rusty-snake commented on GitHub (Oct 12, 2019): > The existing profile called Epiphany refers to a game of the same name. IMHO we should say this explicit in the profile that is not for epiphany (aka GNOME Web) and remove it form `firecfg.config` since it cause name conflicts. Maybe also rename to `epiphany_game.profile` or similar.

gitea-mirror commented 2026-05-05 08:32:51 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Oct 12, 2019):

What do the others think about it?

👍 💯 IMHO a tight firejail sandbox is better, if possible. For chromium this would mean starting with --no-sandbox and hardening the FJ profile. Anyway the fox is better 😇

<!-- gh-comment-id:541331616 --> @rusty-snake commented on GitHub (Oct 12, 2019): > What do the others think about it? :+1: :100: IMHO a tight firejail sandbox is better, if possible. For `chromium` this would mean starting with `--no-sandbox` and hardening the FJ profile. Anyway the fox is better :innocent:

gitea-mirror commented 2026-05-05 08:32:52 -06:00

Author

Owner

Copy link

@SkewedZeppelin commented on GitHub (Oct 14, 2019):

Whoa there
epiphany.profile is indeed for GNOME Web
Must've slipped through the cracks with the automated descriptions pull
4666466fc6

<!-- gh-comment-id:541732393 --> @SkewedZeppelin commented on GitHub (Oct 14, 2019): Whoa there epiphany.profile is indeed for GNOME Web Must've slipped through the cracks with the automated descriptions pull 4666466fc61b15faa162ec5a2d599a2987283164

gitea-mirror commented 2026-05-05 08:32:52 -06:00

Author

Owner

Copy link

@Vincent43 commented on GitHub (Oct 14, 2019):

@SkewedZeppelin nice, should we sunset it though, considering it's broken with 3.34+?

<!-- gh-comment-id:541820983 --> @Vincent43 commented on GitHub (Oct 14, 2019): @SkewedZeppelin nice, should we sunset it though, considering it's broken with 3.34+?

gitea-mirror commented 2026-05-05 08:32:53 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Oct 14, 2019):

Adding a note about broke for 3.34+ and removing form firecfg, but leaving for now for e.g. debian users.

<!-- gh-comment-id:541822546 --> @rusty-snake commented on GitHub (Oct 14, 2019): Adding a note about broke for 3.34+ and removing form firecfg, but leaving for now for e.g. debian users.

gitea-mirror commented 2026-05-05 08:32:54 -06:00

Author

Owner

Copy link

@msva commented on GitHub (Jul 21, 2024):

actually, it looks like it is possible (at least, for now) to kinda "mitigate" this problem by setting WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS variable value to 1 in firejail profile

Or by creating one of this files inside "jail": 0678a98c86/Source/WTF/wtf/glib/Sandbox.cpp (L42)
0678a98c86/Source/WTF/wtf/glib/Sandbox.cpp (L35)

<!-- gh-comment-id:2241497862 --> @msva commented on GitHub (Jul 21, 2024): actually, it looks like it is possible (at least, for now) to kinda "mitigate" this problem by setting [WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS](https://github.com/WebKit/WebKit/blob/0678a98c864ee36f0114ea4e7d303fd07788a822/Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp#L105) variable value to `1` in firejail profile Or by creating one of this files inside "jail": https://github.com/WebKit/WebKit/blob/0678a98c864ee36f0114ea4e7d303fd07788a822/Source/WTF/wtf/glib/Sandbox.cpp#L42 https://github.com/WebKit/WebKit/blob/0678a98c864ee36f0114ea4e7d303fd07788a822/Source/WTF/wtf/glib/Sandbox.cpp#L35

gitea-mirror commented 2026-05-05 08:32:54 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jul 21, 2024):

@msva

looks like it is possible ...by setting WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1

Very nice find! Can you open a PR to add this to our epiphany.profile?

Side note:

Going over the referenced ProcessLauncherGlib.cpp file I noticed that this env var replaces the now deprecated WEBKIT_FORCE_SANDBOX env var. We set the latter in the bijiben.profile:

969e29b756/etc/profile-a-l/bijiben.profile (L62)

<!-- gh-comment-id:2241582668 --> @ghost commented on GitHub (Jul 21, 2024): @msva > looks like it is possible ...by setting WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1 Very nice find! Can you open a PR to add this to our epiphany.profile? Side note: Going over the referenced [ProcessLauncherGlib.cpp](https://github.com/WebKit/WebKit/blob/0678a98c864ee36f0114ea4e7d303fd07788a822/Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp#L117) file I noticed that this env var replaces the now deprecated `WEBKIT_FORCE_SANDBOX` env var. We set the latter in the `bijiben.profile`: https://github.com/netblue30/firejail/blob/969e29b756e91e00b1b0b5f86f9f4d8801ad987b/etc/profile-a-l/bijiben.profile#L62

gitea-mirror commented 2026-05-05 08:32:55 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jul 21, 2024):

Can you open a PR to add this to our epiphany.profile?

No, we should not add this.

<!-- gh-comment-id:2241610504 --> @rusty-snake commented on GitHub (Jul 21, 2024): > Can you open a PR to add this to our epiphany.profile? No, we should not add this.

gitea-mirror commented 2026-05-05 08:32:55 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jul 21, 2024):

No, we should not add this.

@rusty-snake Unsafe to do so?

<!-- gh-comment-id:2241661338 --> @ghost commented on GitHub (Jul 21, 2024): > No, we should not add this. @rusty-snake Unsafe to do so?

gitea-mirror commented 2026-05-05 08:32:56 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jul 21, 2024):

Yes

epiphany+bwrap is more secure than firejail+epiphany-bwrap. If people still want to do this against my/our advise, for the more-secure-felling-but-less-secure-in-reality, we could add a comment (I really do not want to promote those unsafe debugging hacks).

<!-- gh-comment-id:2241691205 --> @rusty-snake commented on GitHub (Jul 21, 2024): Yes epiphany+bwrap is more secure than firejail+epiphany-bwrap. If people still want to do this against my/our advise, for the more-secure-felling-but-less-secure-in-reality, we could add a comment (I really do not want to promote those unsafe debugging hacks).

gitea-mirror commented 2026-05-05 08:32:56 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jul 21, 2024):

@rusty-snake

I totally agree. We already have a comment in epiphany.profile referring to this issue, so I think we're good as-is. Thanks for your explaining!

On that note, we should drop the unsafe workaround in bijiben.profile. As far as I understand the deprecated env var won't work any longer anyway.

<!-- gh-comment-id:2241696217 --> @ghost commented on GitHub (Jul 21, 2024): @rusty-snake I totally agree. We already have a comment in epiphany.profile referring to this issue, so I think we're good as-is. Thanks for your explaining! On that note, we should drop the unsafe workaround in `bijiben.profile`. As far as I understand the deprecated env var won't work any longer anyway.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1877

No description provided.