
If I run the following:

firejail brave-browser

And then try to access files in the browser (such as when uploading a file), Brave still has access to my entire home folder.

Usually this doesn't happen with Firejail. I've tried it with Firefox, and it only gives access to the ~/Downloads folder.

I've verified Firejail is running with firejail --list:

18974:daniel::firejail /usr/bin/brave-browser-stable 

So I'm not sure what the problem is. The exact same command works with Firefox, so why isn't it hiding files with Brave?

Environment

  • OS: Pop!_OS 21.04
  • GNOME version: 3.38.5
  • Brave browser: v1.29.81 (installed with apt)

Environment

/etc/firejail/brave.profile

# Firejail profile for brave
# Description: Web browser that blocks ads and trackers by default.
# This file is overwritten after every install/update
# Persistent local customizations
include brave.local
# Persistent global definitions
include globals.local

# noexec /tmp is included in chromium-common.profile and breaks Brave
ignore noexec /tmp
# TOR is installed in ${HOME}
ignore noexec ${HOME}

noblacklist ${HOME}/.cache/BraveSoftware
noblacklist ${HOME}/.config/BraveSoftware
noblacklist ${HOME}/.config/brave
noblacklist ${HOME}/.config/brave-flags.conf
# brave uses gpg for built-in password manager
noblacklist ${HOME}/.gnupg

mkdir ${HOME}/.cache/BraveSoftware
mkdir ${HOME}/.config/BraveSoftware
mkdir ${HOME}/.config/brave
whitelist ${HOME}/.cache/BraveSoftware
whitelist ${HOME}/.config/BraveSoftware
whitelist ${HOME}/.config/brave
whitelist ${HOME}/.config/brave-flags.conf
whitelist ${HOME}/.gnupg

# Brave sandbox needs read access to /proc/config.gz
noblacklist /proc/config.gz

# Redirect
include chromium-common.profile

/etc/firejail/brave-browser.profile

# Firejail profile alias for brave
# This file is overwritten after every install/update

# Persistent local customizations
include brave-browser.local

# Redirect
include brave.profile
Daniel

1 Answer


Check /etc/firejail - all the profiles are there. Most likely Firefox uses its own specific profile while brave-browser uses a generic profile which allows full $HOME access.

Using firefox profile for brave will probably not work because their configuration directories are different. You should probably start with chromium.profile as these browsers are using the same source.

Actually there's already a profile.

Please try running the browser this way:

firejail --profile=/etc/firejail/brave.profile brave-browser-stable
Artem S. Tashkinov
  • That command doesn't work. How do I a) update this profile to not show the home directory, and b) make it use this by default? – Daniel Sep 29 '21 at 11:12
  • `man firejail`, this command should work. – Artem S. Tashkinov Sep 29 '21 at 18:44
  • What I mean is the command works, but it's not hiding the files in my home folder. I can still access them. – Daniel Sep 30 '21 at 00:06
  • Please inspect your profile files and see which ones open full access to `$HOME`. No one has access to your system and neither can do that for you. – Artem S. Tashkinov Sep 30 '21 at 05:40
  • I added the `brave.profile` to my post for you to see. I'm not sure what's wrong with it. And by the way, I noticed there is also a `/etc/firejail/brave-browser.profile` file - which one does it use by default? I'm guessing `brave-browser` because this is the name of the command to run the browser? – Daniel Oct 01 '21 at 04:21
  • Also sorry I accidentally edited your post - please discard my changes (it won't let me). – Daniel Oct 01 '21 at 04:23
  • If you run `firejail command`, `firejail` will try to load `command.profile` by default. It's all in the man page which you continue to refuse to read. Profiles may include/inherit other profiles. – Artem S. Tashkinov Oct 01 '21 at 08:03
  • Also, when running from the terminal, firejail shows all the profiles being loaded. The command which I gave you in an answer works fine here. I've tried to run Google Chrome with it and it crashed because it cannot open its file, which means at least in Fedora this profile does **not** allow reading all files in the home directory. – Artem S. Tashkinov Oct 01 '21 at 08:06
  • Lastly, if your brave browser **is already launched** firejail will do **nothing**. It only works for newly run processes. – Artem S. Tashkinov Oct 01 '21 at 08:07
  • OK, it looks like it does trigger an error if I try to upload anything outside of `~/Downloads`. However, why would it show these files at all if they can't even be uploaded? I think it should still hide files outside of `~/Downloads`, like Firefox does. – Daniel Oct 02 '21 at 04:51
  • Try the URL "file:///" and see if you can browse your home folder. I've got the same confusion; it seems like an "open file" dialog is a different process running alongside your user session. But this raises a different problem - a firejailed program cannot use the file paths it provides. – ogurets Dec 08 '22 at 22:04
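The comments above come down to two checks: which profile `firejail command` actually loads (the include chain), and which file in that chain contributes the `whitelist` lines that confine `$HOME`. The following added example (not code from the question, the answer, or the Firejail project) flattens a profile's include chain the way firejail reads it and maps each whitelisted path back to the profile that added it; the `PROFILES` dict is a constructed stand-in for `/etc/firejail`, and its `chromium-common.profile` entry is a short stub, both assumptions.

```python
"""Flatten a Firejail profile's include chain and list what it whitelists."""

# Constructed stand-in for /etc/firejail, modelled on the profiles in the question;
# chromium-common.profile is a stub (assumption), the real file is far longer.
PROFILES = {
    "brave-browser.profile": "include brave-browser.local\ninclude brave.profile\n",
    "brave.profile": """\
include brave.local
include globals.local
# noexec /tmp is included in chromium-common.profile and breaks Brave
ignore noexec /tmp
noblacklist ${HOME}/.config/BraveSoftware
whitelist ${HOME}/.cache/BraveSoftware
whitelist ${HOME}/.config/BraveSoftware
whitelist ${HOME}/.gnupg
include chromium-common.profile
""",
    "chromium-common.profile": "whitelist ${DOWNLOADS}\nnoexec /tmp\nnoexec ${HOME}\n",
}

def resolve(name, profiles, seen=None):
    """(profile, directive) pairs in read order; missing includes (e.g. *.local) are skipped."""
    seen = set() if seen is None else seen
    if name in seen or name not in profiles:        # absent file or include loop
        return []
    seen.add(name)
    out = []
    for raw in profiles[name].splitlines():
        line = raw.split("#", 1)[0].strip()         # strip comments and blank lines
        if not line:
            continue
        if line.startswith("include "):
            out.extend(resolve(line.split(None, 1)[1], profiles, seen))
        else:
            out.append((name, line))
    return out

def effective(name, profiles):
    """Apply `ignore <directive>`: a matching directive later in the chain is dropped."""
    ignored, kept = set(), []
    for prof, line in resolve(name, profiles):
        if line.startswith("ignore "):
            ignored.add(line.split(None, 1)[1])
        elif line not in ignored:
            kept.append((prof, line))
    return kept

def whitelisted_paths(name, profiles):
    """Map each whitelisted path to the profile that added it; empty means $HOME is fully visible."""
    return {l.split(None, 1)[1]: p for p, l in effective(name, profiles) if l.startswith("whitelist ")}
```

To audit a real system, replace `PROFILES` with a dict built from the files in `/etc/firejail` and `~/.config/firejail`; a result with no `whitelist` entries is the generic-profile case the answer describes.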