Firejail: Firejail breaks Brave browser default sandboxing

Unfortunately, even if using a completely blank profile

A blank profile (aka --noprofile) can't help here because the blacklist is hardcoded:
https://github.com/netblue30/firejail/blob/2e64e781bb351448edb6e6f31f7c9085ca580382/src/firejail/fs.c#L636

@corecontingency
still an issue?

Yes. Just replicated this exact same bug in a Manjaro VM, using the firejail-git and brave-bin packages from the AUR.

I think that this might be fixed if Brave was able to read /proc/config.gz from the sandbox, but I don't know how hard removing the hardcoded blacklist would be. What is the reasoning behind blacklisting /proc/config.gz? I understand it contains information about the configuration options when the kernel was compiled. Could allowing a program to read this file lead to a sandbox escape, or is it just a case of "better safe than sorry"?

I am not sure how much effort should be put into this, considering chromium has a sandbox already, and the issues that firejail is having with electron based apps.

@corecontingency I've made a tentative patch that you can download and integrate into the firejail-git PKGBUILD you mentioned earlier. The patch enables using --noblacklist /proc/config.gz on the command line / noblacklist /proc/config.gz in a brave.local file.

BEWARE: although I personally don't see much issues in making /proc/config.gz accessable that way, it's just a dirty workaround for now. Would be nice of you could test it and report back though. We'll see what more experienced collaborators think of patching firejail this way later on.

It works! After compiling with the patch, I added noblacklist /proc/config.gz to the profile. Shown below is what chrome://sandbox shows in brave running under firejail:

Now for the discussion about how much danger this adds to the sandbox...

@corecontingency Thanks for testing/confirming the patch works.

I made a PR in https://github.com/netblue30/firejail/pull/3087 awaiting review. Let's move any discussion about the patch to the PR.

/proc/config.gz does not exists on all distros (for example fedora). what happens if we hide it?

That might work too. I imagine that if it cannot find /proc/config.gz it checks the config file in /boot/. Possibly it is getting confused on Manjaro/Arch and not checking /boot/ because /proc/config.gz is present in the sandbox, just unreadable?

Wait, nvm, /boot/ is unreadable entirely in firejail.

@corecontingency I've been doing some more research on Brave and I might have found a way to have our cake and eat it too. Translation: it might not be needed to make any changes to firejail after all and still be able to keeo Brave's native sandbox intact. _It all boils down to bypassing the (sandbox) checks in /usr/bin/brave on Arch Linux and derivatives_. This issue doesn't exist on Debian/Ubuntu and hopefully other Linux distributions.

Would you be willing to do another test to confirm/deny whether my logic holds up? If so, make sure you don't have firejail patched with the tentative stuff I provided above and run the below from a terminal:

$ firejail --ignore=quiet /usr/lib/brave-bin/brave

For me this starts Brave without any major hickups, showing the exact same (mostly) green sandbox status cfr. the image in your earlier post. This would keep the firejail sandbox as tight as possible, whatever the state of /proc/config.gz, which is the better option here IMHO. Feel free to disagree, shoot holes in my argumentation etcetera. We really need to fix Brave somehow, that's the only goal here... TIA.

Seems like this works, good idea! Used a fresh Manjaro vm with AUR packages firejail-git and brave-bin (all defaults) installed. The browser seems to work fine too, it saves your tabs, addons, and settings.

Downside of this method is that it might be harder for the end-user. I don't think firecfg could use a symlink in /usr/local/bin to translate a call of brave from the desktop file to firejail /usr/lib/brave-bin/brave. If this is true, after noticing the sandbox is broken in brave, users would have to head to /etc/firejail/brave.profile, and (presumably) read a comment saying to make a copy of the brave desktop file, put it in ~/.local/share/applications/, and replace the line Exec=brave %U with Exec=firejail /usr/lib/brave-bin/brave %U in the desktop file if running Arch/Manjaro.

This isn't too much of a hassle, but something to keep in mind.

@glitsj16 this approach will be hard to propagate to users as we can't really mandate how they launch brave. I still believe my proposition from https://github.com/netblue30/firejail/pull/3087#issuecomment-566576207 will work better.

@corecontingency Thanks for your response and analysis. After further deliberation it is indeed much better to go with @Vincent43's suggestions. I've updated the relevant PR accordingly.

This should be fixed by https://github.com/netblue30/firejail/commit/81997259ef3d28193e806d1e413c562927fd7631