GPU is not sandboxed

[ruihildt]

trafficstars

I see in about:support that you have basic sandbox features enabled; pretty much the same settings seen in Firefox, except that the gpu process is not listed (not sandboxed).

I run Firejail in Mint 21.2. However, Mullvad Browser won't run in Firejail while Firefox will run (can be sandboxed in Firejail). This is not a big deal for me; however, I'd like to know what Mullvad thinks about sandboxing its browser. Is it necessary? (for example, flatpaks do not need to be sandboxed).

[pirateoverboarrd]

@ruihildt I can confirm that mullvad-browser-firejail git project does work well. Flatpaks use bubblewrap for sandboxing applications, though most bigger flatpak projects AFAIK dont use full sandboxing because it breaks a lot of functionality, though they could and really should (just takes more effort). If I had to pick firejail or bubblewrap, bubblewrap is the way to go. It's just a lot harder for new users to use but with strace you can figure out what files a program needs access and then bind or ro-bind them inside a sandbox. The only downside AFAIK is that if you want to seccomps you need to build your own with eBPF. But imo its superior to firejail.

[morganava]

We follow upstream, and the GPU sandbox process is only available on Windows: https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml#15085