[GH-ISSUE #1110] Brave profile broken

gitea-mirror commented

2026-05-05 06:35:57 -06:00

Owner

Originally created by @pizzadude on GitHub (Feb 20, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1110

The Brave browser profile is broken

"aptitude show brave" says Brave is version Version: 0.13.4-1

This is the output of launching Brave with firejail:

$ firejail brave
Reading profile /etc/firejail/brave.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Parent pid 28004, child pid 28005
Child process initialized
[0219/221333.154817:ERROR:resource_bundle.cc(759)] Failed to load /usr/share/brave/chrome_100_percent.pak
Some features may not be available.
[0219/221333.156393:ERROR:resource_bundle.cc(759)] Failed to load /usr/share/brave/chrome_100_percent.pak
Some features may not be available.
[0219/221333.156430:ERROR:resource_bundle.cc(759)] Failed to load /usr/share/brave/chrome_200_percent.pak
Some features may not be available.

Parent is shutting down, bye...

Originally created by @pizzadude on GitHub (Feb 20, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1110 The Brave browser profile is broken "aptitude show brave" says Brave is version Version: 0.13.4-1 This is the output of launching Brave with firejail: $ firejail brave Reading profile /etc/firejail/brave.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-devel.inc Parent pid 28004, child pid 28005 Child process initialized [0219/221333.154817:ERROR:resource_bundle.cc(759)] Failed to load /usr/share/brave/chrome_100_percent.pak Some features may not be available. [0219/221333.156393:ERROR:resource_bundle.cc(759)] Failed to load /usr/share/brave/chrome_100_percent.pak Some features may not be available. [0219/221333.156430:ERROR:resource_bundle.cc(759)] Failed to load /usr/share/brave/chrome_200_percent.pak Some features may not be available. Parent is shutting down, bye...

gitea-mirror

2026-05-05 06:35:57 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 06:36:05 -06:00

Author

Owner

@netblue30 commented on GitHub (Feb 20, 2017):

I loaded the latest 0.13.4-1 deb archive on Debian stable:

$ firejail --noprofile brave
Parent pid 12945, child pid 12946
Child process initialized
[2:2:0220/102505.223225:FATAL:zygote_host_impl_linux.cc(107)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.

Parent is shutting down, bye...
netblue@debian:~/work/github/firejail$ uname -r
4.7.0-0.bpo.1-amd64

It looks like they ported the SUID sandbox from Chromium in their browser. The sandbox is totally broken. In my case it complains about my kernel version. I am using a 4.7 kernel, it has all sandboxing support imaginable.

Pass --no-sandbox as argument to brave, it will disable the sandbox. The browser will come up, but it will complain about not all feature being available. Also, some process crashes - on Ubuntu you'll see a crash report coming.

$ firejail brave --no-sandbox

The only thing we can do in this moment is to wait for them to fix the browser. Once they fix it, we'll have to modify the profile to allow their sandbox to run, similar to what we do for Chromium. I'll mark this as enhancement and keep an eye on Brave. Thanks for bringing this up.

@netblue30 commented on GitHub (Feb 20, 2017): I loaded the latest 0.13.4-1 deb archive on Debian stable: ````` $ firejail --noprofile brave Parent pid 12945, child pid 12946 Child process initialized [2:2:0220/102505.223225:FATAL:zygote_host_impl_linux.cc(107)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox. Parent is shutting down, bye... netblue@debian:~/work/github/firejail$ uname -r 4.7.0-0.bpo.1-amd64 ````` It looks like they ported the SUID sandbox from Chromium in their browser. The sandbox is totally broken. In my case it complains about my kernel version. I am using a 4.7 kernel, it has all sandboxing support imaginable. Pass --no-sandbox as argument to brave, it will disable the sandbox. The browser will come up, but it will complain about not all feature being available. Also, some process crashes - on Ubuntu you'll see a crash report coming. ````` $ firejail brave --no-sandbox ````` The only thing we can do in this moment is to wait for them to fix the browser. Once they fix it, we'll have to modify the profile to allow their sandbox to run, similar to what we do for Chromium. I'll mark this as enhancement and keep an eye on Brave. Thanks for bringing this up.

gitea-mirror commented

2026-05-05 06:36:08 -06:00

Author

Owner

@ibukanov commented on GitHub (Feb 25, 2017):

I could run the brave as is if I whitelist chroot call. I.e. if I replace seccomp in the profile with

seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,ioprio_set,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,tuxcall,reboot,mfsservctl,get_kernel_syms

then brave starts. But I wonder if I really need to list the default seccomp filter if I just want to remove a call or two from it.

@ibukanov commented on GitHub (Feb 25, 2017): I could run the brave as is if I whitelist chroot call. I.e. if I replace seccomp in the profile with ``` seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,ioprio_set,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,tuxcall,reboot,mfsservctl,get_kernel_syms ``` then brave starts. But I wonder if I really need to list the default seccomp filter if I just want to remove a call or two from it.

gitea-mirror commented

2026-05-05 06:36:11 -06:00

Author

Owner

@epsilonPositive commented on GitHub (Mar 12, 2017):

Brave is now counseling users with this problem to enable user namespaces:
https://github.com/brave/browser-laptop/issues/6902

Though this fixes the issue of brave crashing on load, it will still not run in a firejail sandbox.

@epsilonPositive commented on GitHub (Mar 12, 2017): Brave is now counseling users with this problem to enable user namespaces: https://github.com/brave/browser-laptop/issues/6902 Though this fixes the issue of brave crashing on load, it will still not run in a firejail sandbox.

gitea-mirror commented

2026-05-05 06:36:14 -06:00

Author

Owner

@netblue30 commented on GitHub (Mar 13, 2017):

@epsilonPositive - try this profile:

# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/brave.local

# Profile for Brave browser
noblacklist ~/.config/brave
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc

#caps.drop all
netfilter
#nonewprivs
#noroot
#protocol unix,inet,inet6,netlink
#seccomp

whitelist ${DOWNLOADS}

mkdir ~/.config/brave
whitelist ~/.config/brave
mkdir ~/.pki
whitelist ~/.pki

# lastpass, keepass
# for keepass we additionally need to whitelist our .kdbx password database
whitelist ~/.keepass
whitelist ~/.config/keepass
whitelist ~/.config/KeePass
whitelist ~/.lastpass
whitelist ~/.config/lastpass

include /etc/firejail/whitelist-common.inc

@netblue30 commented on GitHub (Mar 13, 2017): @epsilonPositive - try this profile: ````` # This file is overwritten during software install. # Persistent customizations should go in a .local file. include /etc/firejail/brave.local # Profile for Brave browser noblacklist ~/.config/brave noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc #caps.drop all netfilter #nonewprivs #noroot #protocol unix,inet,inet6,netlink #seccomp whitelist ${DOWNLOADS} mkdir ~/.config/brave whitelist ~/.config/brave mkdir ~/.pki whitelist ~/.pki # lastpass, keepass # for keepass we additionally need to whitelist our .kdbx password database whitelist ~/.keepass whitelist ~/.config/keepass whitelist ~/.config/KeePass whitelist ~/.lastpass whitelist ~/.config/lastpass include /etc/firejail/whitelist-common.inc `````

gitea-mirror commented

2026-05-05 06:36:18 -06:00

Author

Owner

@epsilonPositive commented on GitHub (Mar 13, 2017):

This profile does the trick. Along with enabled namespaces, this allows me to run Brave in firejail without using the --no-sandbox option.

Thanks!

@epsilonPositive commented on GitHub (Mar 13, 2017): This profile does the trick. Along with enabled namespaces, this allows me to run Brave in firejail without using the --no-sandbox option. Thanks!

gitea-mirror commented

2026-05-05 06:36:20 -06:00

Author

Owner

@netblue30 commented on GitHub (Mar 16, 2017):

Cool!

@netblue30 commented on GitHub (Mar 16, 2017): Cool!

gitea-mirror commented

2026-05-05 06:36:24 -06:00

Author

Owner

@netblue30 commented on GitHub (Apr 3, 2017):

Checked in the profile above.

@netblue30 commented on GitHub (Apr 3, 2017): Checked in the profile above.

Rows
Columns

[GH-ISSUE #1110] Brave profile broken #760