Firejail: Remove the need for QTWEBENGINE_DISABLE_SANDBOX=1 (appimage)

Created on 30 Apr 2019 · 17Comments · Source: netblue30/firejail

QTWEBENGINE_DISABLE_SANDBOX=1 may be needed to run Qt applications that use QtWebEngine under Firejail.

At least this is the case for https://appimage.github.io/Galacteek/.

Would it make sense to have Firejail set this environment variable globally? I see it already exists in the source code but is commented out.

enhancement

Source

probonopd

Most helpful comment

It's all about the chroot syscall being included in the default seccomp filter. As this is an increasingly common problem, would it justify a new option?

Maybe tweak seccomp rule to allow defining firejail defaults +/- a chosen syscall,
like seccomp +chroot?

Vincent43 on 6 May 2019

👍3

All 17 comments

Currently this is only set for Viber,

Also see here.

rusty-snake on 30 Apr 2019

Is it already known under which circumstances QtWebEngine needs this option?

probonopd on 1 May 2019

I would say it should be never added. Firejail sandbox should be tweaked instead.

Vincent43 on 1 May 2019

👍1

Listing here which applications needs this:

GAMS Studio https://github.com/AppImage/appimage.github.io/pull/536
Plex https://github.com/AppImage/appimage.github.io/pull/132
Sielo Browser https://github.com/AppImage/appimage.github.io/pull/552

probonopd on 3 May 2019

Is it already known under which circumstances QtWebEngine needs this option?

Always (given that unprivileged user namespaces are enabled).

It's all about the chroot syscall being included in the default seccomp filter. As this is an increasingly common problem, would it justify a new option?

smitsohu on 4 May 2019

It would be best if it would not need a special option to be invoked by the user. (If the user has to do something, then QTWEBENGINE_DISABLE_SANDBOX=1 is fine imho.)

probonopd on 5 May 2019

It's all about the chroot syscall being included in the default seccomp filter. As this is an increasingly common problem, would it justify a new option?

Maybe tweak seccomp rule to allow defining firejail defaults +/- a chosen syscall,
like seccomp +chroot?

Vincent43 on 6 May 2019

👍3

I think we schould implement @Vincent43 idea

rusty-snake on 26 Jun 2019

How future proceed here?

rusty-snake on 26 Aug 2019

Adding this to Viber.profile and removing env QTWEBENGINE_DISABLE_SANDBOX=1 from there should be enough to close this. You may include this in https://github.com/netblue30/firejail/pull/2927 and wait till https://github.com/netblue30/firejail/pull/2926 is merged.

Vincent43 on 26 Aug 2019

Well, I'd say this ticket can be closed once we the user won't need to manually run env QTWEBENGINE_DISABLE_SANDBOX=1 anywhere anymore, not just for Viber.

probonopd on 28 Aug 2019

@probonopd you mean appimage apps? They seem to use default.profile. The only fix I see is to remove chroot from default seccomp filter.

Vincent43 on 28 Aug 2019

Yes, I mean AppImage apps. What would the security implications be of what you are suggesting? Would the FIrejail sandboxing still be effective?

If we have to disable either FIrejail's or Chrome's sandbox, then I'd say enable Firejail's and disable Chrome's, e.g., by exporting QTWEBENGINE_DISABLE_SANDBOX=1 all the time.

probonopd on 30 Aug 2019

We just need to allow one additional syscall (chroot) which many apps use for self-sandboxing. Everything else will stay intact and app will be protected by both firejail and chrome sandboxing.

Vincent43 on 30 Aug 2019

👍1

Thank you very much.

probonopd on 4 Sep 2019

@Vincent43 Maybe rather than removing chroot from the default seccomp blacklist, we could just remove it from default.profile? (or I understood you wrong and that was what you were saying)

smitsohu on 5 Sep 2019

@smitsohu chroot breaks most electron apps and will ultimately break all of them once they update to latest version. It's no longer suitable default in apps world.

Vincent43 on 6 Sep 2019

Was this page helpful?

0 / 5 - 0 ratings