A fresh version of Epiphany browser (3.34.1-1) uses bwrap for some purposes (have no idea why).
I've created epiphany.local and filled it with:
noblacklist ${PATH}/bwrap
However, it seems that bwrap itself needs some permissions such as internet access.
bwrap is a sandboxing tool very similar to firejail itself (used by flatpak), and I guess Epiphany uses it for that. Perhaps we have to drop epiphany support, as overlapping sandboxes can't work.
Confirming. Fedora 31 BETA VM with firejail-git.
$ LC_ALL=C epiphany
Reading profile /etc/firejail/epiphany.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 41676, child pid 41677
Child process initialized in 142.89 ms
** (epiphany:5): ERROR **: 17:02:33.800: Unable to fork a new child process: Failed to execute child process ?/usr/bin/bwrap? (Permission denied)
Parent is shutting down, bye...
$ LC_ALL=C firejail --noprofile epiphany
Parent pid 41762, child pid 41763
Child process initialized in 11.65 ms
Warning: an existing sandbox was detected. /usr/bin/epiphany will run without any additional sandboxing features
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
(epiphany:2): GLib-GObject-WARNING **: 17:02:50.308: ../gobject/gsignal.c:2647: instance '0x55c894894390' has no handler with id '2782'
Parent is shutting down, bye...
It is probably similar to Chrome, only the (sometimes setuid) sandbox binary is different.
@Vincent43
In fact, Firejail had no support for the Epiphany browser so far. The existing profile called Epiphany refers to a game of the same name. You would be better off using the Firefox profile for Epiphany.
However, I'm not sure how good it is for programs to bring their own sandbox. So the security is in the hands of the developers, and the user loses any flexibility to define it, if you don't want to change the source code. Personally, I would always use Firejail, because I don't think any program should be able to control its own security. For me, this is something that has to be centrally enforced, to which every program has to subordinate itself. What do the others think about it?
The existing profile called Epiphany refers to a game of the same name.
IMHO we should say explicitly in the profile that it is not for epiphany (aka GNOME Web) and remove it from firecfg.config, since it causes name conflicts. Maybe also rename it to epiphany_game.profile or similar.
What do the others think about it?
:+1: :100: IMHO a tight firejail sandbox is better, if possible. For chromium this would mean starting with --no-sandbox and hardening the FJ profile. Anyway the fox is better :innocent:
Whoa there
epiphany.profile is indeed for GNOME Web
Must've slipped through the cracks with the automated descriptions pull
4666466fc61b15faa162ec5a2d599a2987283164
@SkewedZeppelin nice, should we sunset it though, considering it's broken with 3.34+?
Adding a note that it is broken for 3.34+ and removing it from firecfg, but leaving it for now for e.g. debian users.