I've noticed that brave-sandbox or chrome-sandbox never shows up in aa-status among the processes in complain or enforce mode here on my Arch system, nor in ps auxZ. This is confirmed by inotifywait /opt/brave-bin -r -m or specifically by inotifywait /opt/brave-bin/chrome-sandbox -m: it never shows up.
brave://sandbox confirms that the layer1 sandbox is a namespace sandbox. So is the brave-sandbox profile only relevant with kernels where user namespaces are disabled and, hence, a setuid sandbox is used?
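The three facts the post relies on can be gathered in one pass. The script below is an added example, not part of the original post or of Brave's or AppArmor's tooling. Its function names are hypothetical, the helper path is the one quoted in the post, and it assumes the sysctls user.max_user_namespaces and kernel.unprivileged_userns_clone, the latter present only on kernels that carry that patch.

```shell
#!/bin/sh
# Added example. Paths are parameters so each check can be run on fixtures.

# Print enabled/disabled/unknown for unprivileged user namespaces.
# $1: sysctl root (default /proc/sys)
userns_state() {
    local root="${1:-/proc/sys}" max="" clone=""
    # user.max_user_namespaces=0 turns user namespaces off entirely
    if [ -r "$root/user/max_user_namespaces" ]; then
        max=$(cat "$root/user/max_user_namespaces")
        if [ "$max" = 0 ]; then echo disabled; return 0; fi
    fi
    # kernel.unprivileged_userns_clone exists only on kernels carrying that patch
    if [ -r "$root/kernel/unprivileged_userns_clone" ]; then
        clone=$(cat "$root/kernel/unprivileged_userns_clone")
        if [ "$clone" = 0 ]; then echo disabled; else echo enabled; fi
        return 0
    fi
    if [ -n "$max" ]; then echo enabled; else echo unknown; fi
}

# Succeed if $1 has the setuid bit, which the setuid sandbox helper needs.
is_setuid() { [ -u "$1" ]; }

# Print "pid label" for each process whose executable is under directory $1.
# $2: proc root (default /proc). attr/current holds the LSM label ps Z shows.
labels_under() {
    local dir="$1" proc="${2:-/proc}" p exe
    for p in "$proc"/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case $exe in "$dir"/*) ;; *) continue ;; esac
        printf '%s %s\n' "${p##*/}" "$(cat "$p/attr/current" 2>/dev/null || echo '?')"
    done
}

# Summarise all three checks for the helper path given as $1.
report() {
    local helper="${1:-/opt/brave-bin/chrome-sandbox}"
    echo "unprivileged user namespaces: $(userns_state)"
    if is_setuid "$helper"; then echo "$helper: setuid"
    else echo "$helper: not setuid or missing"; fi
    labels_under "${helper%/*}"
}
report "$@"
```

Run it while the browser is open; processes owned by other users are skipped because their exe link is not readable without root.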