roddhjav / apparmor.d

Full set of AppArmor profiles (~ 1500 profiles)
https://apparmor.pujol.io
GNU General Public License v2.0

brave-sandbox profile #351

Open curiosityseeker opened 3 weeks ago

curiosityseeker commented 3 weeks ago

I've noticed that brave-sandbox or chrome-sandbox never shows up in aa-status among the processes in complain or enforce mode here on my Arch system. Nor in ps auxZ. This is confirmed by inotifywait /opt/brave-bin -r -m or specifically by inotifywait /opt/brave-bin/chrome-sandbox -m - it never shows up.

brave://sandbox confirms that the layer1 sandbox is a namespace sandbox. So is the brave-sandbox profile only relevant with kernels where user namespaces are disabled and, hence, a setuid sandbox is used?

roddhjav commented 2 weeks ago

It is possible that these sandbox profiles are not used anymore by chrome. I would have to have a deeper look at it.
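
One way to check the premise of the question above on a given machine, as an added example that is not part of the thread or of apparmor.d. It assumes the browser uses the namespace sandbox whenever unprivileged user namespaces are available and only executes the setuid chrome-sandbox helper otherwise; the function names are hypothetical, and the sysctl files read are the upstream user.max_user_namespaces and the distribution-patched kernel.unprivileged_userns_clone.

```shell
#!/bin/sh
# Added diagnostic, not part of apparmor.d. The proc root is a parameter so
# the logic can be exercised against a constructed directory tree.

# userns_available PROC_ROOT -> exit 0 if unprivileged user namespaces look enabled
userns_available() {
    # Upstream knob: 0 (or unreadable) means no user namespaces can be created.
    ua_max=$(cat "$1/sys/user/max_user_namespaces" 2>/dev/null || echo 0)
    [ "$ua_max" -gt 0 ] 2>/dev/null || return 1
    # Distro-patched knob (Arch, Debian); absent on other kernels, so default to 1.
    ua_clone=$(cat "$1/sys/kernel/unprivileged_userns_clone" 2>/dev/null || echo 1)
    [ "$ua_clone" -eq 1 ] 2>/dev/null
}

# expected_layer1 PROC_ROOT SANDBOX_HELPER -> prints namespace | setuid | none
expected_layer1() {
    if userns_available "$1"; then
        echo namespace   # helper is never exec'd, so its profile has nothing to attach to
    elif [ -u "$2" ] && [ -x "$2" ]; then
        echo setuid      # helper would be exec'd and its profile could attach
    else
        echo none
    fi
}

# confinement_of PROC_ROOT PID -> prints the AppArmor label of a process
confinement_of() {
    cat "$1/$2/attr/current" 2>/dev/null || echo unknown
}

# report HELPER -> summary for the running system
report() {
    echo "expected layer-1 sandbox: $(expected_layer1 /proc "$1")"
    for r_pid in $(pgrep -f "$1" 2>/dev/null); do
        echo "pid $r_pid: $(confinement_of /proc "$r_pid")"
    done
}

# Run as: sh check.sh /opt/brave-bin/chrome-sandbox
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

If the result is `namespace`, an empty aa-status entry for the sandbox profile is the expected outcome rather than a sign that the profile failed to load.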