Brave-browser: broken sandbox (archlinux)

cc @mbacchi

A commonly-quoted workaround is enabling unprivileged user namespaces using

sudo sysctl kernel.unprivileged_userns_clone=1

However, before doing that, see this reply on arch-general for why it's not enabled by default.

Note also that (from the link above):

Moreover there are many applications that use this feature to provide or enhance security
Among them are:

lxc, systemd-nspawn, docker, flatpak, bubblewrap, firejail, firefox, chromium

There's one well-written sandbox there (Chromium's usage) and it doesn't require this feature.

Which is true: Chromium works just fine on Arch with the defaults, so I don't see a reason why Brave shouldn't.

Related: #1986 (same for Debian)

@Liunkae I believe this issue should be reopened, and had mentioned it with @bbondy in the related PR. Two reasons:

1. Reducing the security of the user's OS is not an acceptable security solution. Earlier in this thread, @veox linked to the statement from Arch as to why user name spaces are not enabled by default. Arch has stated that enabling this parameter greatly increases the attack surface. This is not an acceptable solution. We need a real sandbox solution.
2. Even beyond the major security concerns, the Debian instructions linked do not resolve the issue for Arch Linux users. Many distros beyond Arch each have user name space disabled for security reasons, and the commands for changing kernel security parameters will vary across them. Having users learn the correct command for their distro is unscalable and an ugly solution. This Github issue was created for Arch Linux, so it makes no sense to close it with a reference to a Debian solution.

Please, please consider a better sandboxing solution. This is an opportunity for Brave to lead and do better than Chromium.

This was also reported in #6247 and fixed in https://github.com/brave/brave-core/pull/4223.