
Epiphany needs bwrap #2995

Closed
mkdy opened this issue Oct 8, 2019 · 9 comments

Comments

mkdy commented Oct 8, 2019

A fresh version of the Epiphany browser (3.34.1-1) uses bwrap for some purposes (I have no idea why).
I've created epiphany.local and filled it with:
noblacklist ${PATH}/bwrap
However, it seems that bwrap itself needs some permissions such as internet access.

@Vincent43 (Collaborator)

bwrap is a sandboxing tool very similar to firejail itself (it is used by flatpak), and I guess Epiphany uses it for that. Perhaps we have to drop Epiphany support, as overlapping sandboxes can't work.

@rusty-snake (Collaborator)

Confirming. Fedora 31 BETA VM with firejail-git.

$ LC_ALL=C epiphany 
Reading profile /etc/firejail/epiphany.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 41676, child pid 41677
Child process initialized in 142.89 ms

** (epiphany:5): ERROR **: 17:02:33.800: Unable to fork a new child process: Failed to execute child process ?/usr/bin/bwrap? (Permission denied)

Parent is shutting down, bye...
$ LC_ALL=C firejail --noprofile epiphany 
Parent pid 41762, child pid 41763
Child process initialized in 11.65 ms
Warning: an existing sandbox was detected. /usr/bin/epiphany will run without any additional sandboxing features
bwrap: Can't mount proc on /newroot/proc: Operation not permitted

(epiphany:2): GLib-GObject-WARNING **: 17:02:50.308: ../gobject/gsignal.c:2647: instance '0x55c894894390' has no handler with id '2782'

Parent is shutting down, bye...
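
The two runs above fail for different reasons: with the profile, bwrap is blacklisted, so Epiphany gets EACCES when it tries to exec it; without the profile, bwrap starts but cannot build its own mount namespace because it is already inside firejail's. As an added example (not code from the firejail project or from anyone in this thread), the following Python script tells the two cases apart from the captured stderr alone. The sample logs are transcribed from the output above; the helper-binary list, the `Diagnosis` record and the `diagnose` function are assumptions made for this illustration.

```python
"""Classify firejail/Epiphany startup failures from captured stderr.

Added example, not firejail's own tooling. Two failure modes are visible
in the issue's terminal output and can be distinguished from the text:

  1. blacklisted_helper: the program inside the sandbox execs a second
     sandbox binary (bwrap) and gets "Permission denied", which is what a
     firejail blacklist entry for that path produces;
  2. nested_sandbox: the inner sandbox starts, firejail warns that a
     sandbox already exists, and bwrap fails to mount proc because it is
     running inside firejail's namespace.
"""
import re
from dataclasses import dataclass, field

# Assumption for this example: helper binaries that are themselves sandboxes.
SANDBOX_BINARIES = ("bwrap", "firejail", "chrome-sandbox")

# GLib's "Failed to execute child process" line. Under LC_ALL=C GLib prints
# '?' where it would print Unicode quotes, so accept either quote style.
EXEC_DENIED = re.compile(
    r"Failed to execute child process [\"'?\u201c]?(?P<path>/\S+?)[\"'?\u201d]? "
    r"\((?P<errno>[^)]+)\)"
)
NESTED_WARNING = re.compile(r"Warning: an existing sandbox was detected")
BWRAP_MOUNT = re.compile(
    r"^bwrap: Can't mount (?P<what>\S+) on (?P<where>\S+): (?P<err>.+)$", re.M
)
PROFILE_LINE = re.compile(r"^Reading profile (\S+)$", re.M)


@dataclass
class Diagnosis:
    kind: str                                   # blacklisted_helper | nested_sandbox | exec_denied | unknown
    profiles: list = field(default_factory=list)  # profile files firejail reported reading
    detail: str = ""                            # path or mount error that triggered the verdict


def diagnose(log: str) -> Diagnosis:
    """Return a Diagnosis for one captured firejail/program stderr log."""
    profiles = PROFILE_LINE.findall(log)

    m = EXEC_DENIED.search(log)
    if m and m.group("errno") == "Permission denied":
        path = m.group("path")
        name = path.rsplit("/", 1)[-1]
        kind = "blacklisted_helper" if name in SANDBOX_BINARIES else "exec_denied"
        return Diagnosis(kind, profiles, path)

    mm = BWRAP_MOUNT.search(log)
    if mm or NESTED_WARNING.search(log):
        detail = (f"{mm.group('what')} on {mm.group('where')}: {mm.group('err')}"
                  if mm else "existing sandbox detected")
        return Diagnosis("nested_sandbox", profiles, detail)

    return Diagnosis("unknown", profiles)


# Sample logs transcribed from the issue's two runs (constructed test input).
RUN_WITH_PROFILE = """Reading profile /etc/firejail/epiphany.profile
Reading profile /etc/firejail/disable-common.inc
Parent pid 41676, child pid 41677
Child process initialized in 142.89 ms

** (epiphany:5): ERROR **: 17:02:33.800: Unable to fork a new child process: Failed to execute child process ?/usr/bin/bwrap? (Permission denied)

Parent is shutting down, bye..."""

RUN_NO_PROFILE = """Parent pid 41762, child pid 41763
Child process initialized in 11.65 ms
Warning: an existing sandbox was detected. /usr/bin/epiphany will run without any additional sandboxing features
bwrap: Can't mount proc on /newroot/proc: Operation not permitted

Parent is shutting down, bye..."""


if __name__ == "__main__":
    for label, log in (("with profile", RUN_WITH_PROFILE), ("--noprofile", RUN_NO_PROFILE)):
        d = diagnose(log)
        print(f"{label}: {d.kind} ({d.detail}); profiles read: {len(d.profiles)}")
```

The first verdict points at the profile (a `noblacklist` line would make the exec succeed, but only moves the failure to the second case); the second shows why allowing the binary is not enough, since bwrap needs mount privileges that firejail's sandbox does not hand to its children.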

@smitsohu (Collaborator)

It is probably similar to Chrome, only the (sometimes setuid) sandbox binary is different.

@FOSSONLY

@Vincent43
In fact, Firejail has had no support for the Epiphany browser so far. The existing profile called Epiphany refers to a game of the same name. You had better use the Firefox profile for Epiphany.

However, I'm not sure how good it is for programs to bring their own sandbox. Then the security is in the hands of the developers, and the user loses any flexibility to define it unless they want to change the source code. Personally, I would always use Firejail, because I don't think any program should be able to control its own security. For me, this is something that has to be centrally enforced, and every program has to subordinate itself to it. What do the others think about it?

@rusty-snake (Collaborator)

> The existing profile called Epiphany refers to a game of the same name.

IMHO we should say explicitly in the profile that it is not for epiphany (aka GNOME Web) and remove it from firecfg.config, since it causes name conflicts. Maybe also rename it to epiphany_game.profile or similar.

@rusty-snake (Collaborator)

> What do the others think about it?

👍 💯 IMHO a tight firejail sandbox is better, if possible. For chromium this would mean starting with --no-sandbox and hardening the FJ profile. Anyway the fox is better 😇

rusty-snake pushed a commit to rusty-snake/firejail that referenced this issue Oct 13, 2019
@SkewedZeppelin (Collaborator) commented Oct 14, 2019

Whoa there
epiphany.profile is indeed for GNOME Web
Must've slipped through the cracks with the automated descriptions pull
4666466

@Vincent43 (Collaborator)

@SkewedZeppelin nice, should we sunset it though, considering it's broken with 3.34+?

@rusty-snake (Collaborator)

Adding a note about it being broken for 3.34+ and removing it from firecfg, but leaving it in for now for e.g. Debian users.

rusty-snake pushed a commit that referenced this issue Oct 18, 2019
SkewedZeppelin added a commit that referenced this issue Nov 30, 2020
- gimp: allow mbind syscall. no start on Fedora 33 without
- minetest: disable private-cache. without persistent cache connecting to servers can take many minutes
- supertuxkart: allow bluetooth protocol. stk can directly connect/pair to WiiMote controllers
- supertuxkart: comment private-dev to allow controller use
- profiles: unify controller support comments
- firecfg: comment evolution with a note, and add a note to epiphany #3647 + #2995
FastAlien pushed a commit to FastAlien/firejail that referenced this issue Dec 3, 2020