Epiphany needs bwrap #2995
Comments
bwrap is a sandboxing tool very similar to firejail itself (used by flatpak), and I guess Epiphany uses it for that. Perhaps we have to drop epiphany support as overlapping sandboxes can't work.
Confirming. Fedora 31 BETA VM with firejail-git.
It is probably similar to Chrome, only the (sometimes setuid) sandbox binary is different.
@Vincent43 However, I'm not sure how good it is for programs to bring their own sandbox. So the security is in the hands of the developers, and the user loses any flexibility to define it, if you don't want to change the source code. Personally, I would always use Firejail, because I don't think any program should be able to control its own security. For me, this is something that has to be centrally enforced, to which every program has to subordinate itself. What do the others think about it?
IMHO we should say this explicitly in the profile that is not for epiphany (aka GNOME Web) and remove it from
👍 💯 IMHO a tight firejail sandbox is better, if possible. For
Whoa there
@SkewedZeppelin nice, should we sunset it though, considering it's broken with 3.34+?
Adding a note about it being broken for 3.34+ and removing it from firecfg, but leaving it for now for e.g. Debian users.
- gimp: allow mbind syscall. no start on Fedora 33 without
- minetest: disable private-cache. without persistent cache connecting to servers can take many minutes
- supertuxkart: allow bluetooth protocol. stk can directly connect/pair to WiiMote controllers
- supertuxkart: comment private-dev to allow controller use
- profiles: unify controller support comments
- firecfg: comment evolution with a note, and add a note to epiphany #3647 + #2995
A fresh version of Epiphany browser (3.34.1-1) uses bwrap for some purposes (have no idea why).
I've created epiphany.local and filled it with:
noblacklist ${PATH}/bwrap
However, it seems that bwrap itself needs some permissions such as internet access.