author | glitsj16 <glitsj16@users.noreply.github.com> | 2019-12-19 19:36:08 +0000 |
---|---|---|
committer | rusty-snake <print_hello_world+Public@protonmail.com> | 2019-12-21 14:54:54 +0100 |
commit | 0d65bbf3126d4e73088b2ee5f7f4a7c3cbe9c1af (patch) | |
tree | 0d3a08dbddacdc920f7a8c8843130defe71b284a | |
parent | small fix (diff) | |
Fix Brave's native sandbox (#3087)
* Allow user access to /proc/config.gz
* Fix Brave's native sandbox
* Move /proc/config.gz to disable-common.inc
* Move /proc/config.gz to disable-common.inc
-rw-r--r-- | etc/brave.profile | 3 | ||||
-rw-r--r-- | etc/disable-common.inc | 3 | ||||
-rw-r--r-- | src/firejail/fs.c | 3 |
3 files changed, 8 insertions, 1 deletions
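diff --git a/etc/brave.profile b/etc/brave.profile
index 984fab5a8..7cd925a4c 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -20,5 +20,8 @@ whitelist ${HOME}/.config/brave
 whitelist ${HOME}/.config/BraveSoftware
 whitelist ${HOME}/.gnupg
 
+# Brave sandbox needs read access to /proc/config.gz
+noblacklist /proc/config.gz
+
 # Redirect
 include chromium-common.profile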
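Review bot: The new `noblacklist /proc/config.gz` on line 24 only works because it sits above `include chromium-common.profile` on line 27, which is presumably where disable-common.inc's matching `blacklist` is pulled in; that ordering is load-bearing but the comment does not say so. Suggest extending it: `# Brave sandbox needs read access to /proc/config.gz; keep this above the include so the noblacklist wins`. Re-exposing the kernel build configuration inside this one sandbox is a deliberate relaxation of the default-deny, so the comment should also name what in Brave's sandbox actually reads the file if that is known.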
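diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 137e4f8bd..16f231108 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -452,3 +452,6 @@ blacklist ${HOME}/Mail
 blacklist ${HOME}/mail
 blacklist ${HOME}/postponed
 blacklist ${HOME}/sent
+
+# kernel configuration
+blacklist /proc/config.gz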
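Review bot: The blacklist on /proc/config.gz now reaches only sandboxes whose profile includes disable-common.inc, whereas the `disable_file()` call removed in the fs.c hunk below ran from fs_proc_sys_dev_boot() for every sandbox, unconditionally alongside /proc/irq and /proc/bus as far as the visible lines show; neither hunk addresses that narrowing. A sandbox started with a custom profile that does not include this file, or with no profile at all, will presumably now expose the kernel build configuration the C code used to hide. If that is the intended trade-off so that brave.profile can `noblacklist` it, record it at line 456: `# kernel configuration (moved here from src/firejail/fs.c so profiles can noblacklist it)`; if not, the fs.c default-deny should stay and Brave's exception needs a narrower mechanism.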
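diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 3ba968004..316057ec5 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -642,7 +642,8 @@ void fs_proc_sys_dev_boot(void) {
 // various /proc files
 disable_file(BLACKLIST_FILE, "/proc/irq");
 disable_file(BLACKLIST_FILE, "/proc/bus");
-disable_file(BLACKLIST_FILE, "/proc/config.gz");
+// move /proc/config.gz to disable-common.inc
+//disable_file(BLACKLIST_FILE, "/proc/config.gz");
 disable_file(BLACKLIST_FILE, "/proc/sched_debug");
 disable_file(BLACKLIST_FILE, "/proc/timer_list");
 disable_file(BLACKLIST_FILE, "/proc/timer_stats");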
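Review bot: New line 646 keeps the old call as commented-out code, and the comment on line 645 above it reads as an instruction rather than an explanation of where the rule went; delete the dead line and let the remaining comment point at the new location, e.g. `// /proc/config.gz is blacklisted in etc/disable-common.inc instead, so profiles can noblacklist it`. A reader who later wonders why this /proc entry is missing from the list gets the answer from the comment, not from a call that may or may not be reinstated. The enclosing fs_proc_sys_dev_boot() starts and ends outside the hunk.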