diff options
| author |  rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-01-29 18:28:30 +0100 |
|---|---|---|
| committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-01-31 08:11:34 +0000 |
| commit | a6084bb054709086ba5d156e5b5b2dafd7323774 (patch) | |
| tree | c6a792f944fa0edec1ec6aa1baabf2968c325b35 | |
| parent | add quiet to lzdiff/lzmadec (#3932) (diff) | |
| download | firejail-a6084bb054709086ba5d156e5b5b2dafd7323774.tar.gz firejail-a6084bb054709086ba5d156e5b5b2dafd7323774.tar.zst firejail-a6084bb054709086ba5d156e5b5b2dafd7323774.zip | |
Disable the webkit2gtk-4.0 sandbox in bijiben
webkit2gtk uses a bwrap based sandbox by default since 4.0, see #3647.
This is good as it means more security by default on for linux system.
Unfortunately is it not possible to run bwrap inside firejail if bwrap
is started with --unshare-pid --proc /proc at all. In general we should
exclude a program from firecfg until a final solution is found. But
bijiben is special, while epiphany or evolution display random stuff
from the internet is webkit2gtk in bijiben used to display local files
create by the user. Bijiben has a thight profile (net none, whitelist,
private-bin, ...) therefore my decision here was to disable the
webkit2gtk sandbox rather then firejail.
| -rw-r--r-- | etc/profile-a-l/bijiben.profile | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile index dbde3e4de..b074cc0b0 100644 --- a/etc/profile-a-l/bijiben.profile +++ b/etc/profile-a-l/bijiben.profile | |||
| @@ -57,3 +57,5 @@ dbus-user.own org.gnome.Notes | |||
| 57 | dbus-user.talk ca.desrt.dconf | 57 | dbus-user.talk ca.desrt.dconf |
| 58 | dbus-user.talk org.freedesktop.Tracker1 | 58 | dbus-user.talk org.freedesktop.Tracker1 |
| 59 | dbus-system none | 59 | dbus-system none |
| 60 | |||
| 61 | env WEBKIT_FORCE_SANDBOX=0 | ||