[Feature]: Enable Sandbox mode for MS Edge on Ubuntu 24.04 and UP
hifron opened this issue · 2 comments
Describe the feature/enhancement you need
Enable Sandbox mode for MS Edge on Ubuntu 24.04 and UP.
For this, an AppArmor profile is needed on Ubuntu Linux 24.04 due to changes in security restrictions, as described here:
https://bugs.launchpad.net/apparmor/+bug/2046844
There are also projects on GitHub with some prepackaged apparmor.d profiles, but the application should ship this file with its deb installation file.
The scenario/use case where you would use this feature
The msedge deb installation file should include this file during install or on msedge upgrade to the next version.
The problem is that msedge is without source and without a reproducible build, and the Chromium project is not for this. So please make such an AppArmor profile for msedge and package it with msedge, or contact Ubuntu support to make such a file in their default AppArmor settings...
How important is this request to you?
Impactful. My app's user experience would be significantly compromised without it.
Suggested implementation
No response
What does your app do? Is there a pending deadline for this request?
If not made, then edge://sandbox/ could report something like this:
You are adequately sandboxed. but without Ptrace Protection with Yama LSM (Non-broker)
and edge://gpu/ reports that Driver: Sandboxed : false
Enable Sandbox Mode for MS Edge on Ubuntu 24.04 and Up
Description
To fully enable sandbox mode for Microsoft Edge on Ubuntu 24.04 and later, an AppArmor profile is necessary due to the recent changes in security restrictions outlined in Launchpad Bug 2046844.
While there are GitHub projects that offer prepackaged apparmor.d profiles, it is essential that the MS Edge installation package includes the appropriate AppArmor profile as part of its .deb installation file.
Use Case
The msedge installation file should come bundled with the required AppArmor profile during installation or updates. Given that MS Edge does not provide source code or a reproducible build, it is crucial to have this profile to ensure proper sandboxing.
If this is not addressed, users may encounter unsatisfactory security configurations, as indicated by messages such as:
You are adequately sandboxed, but without Ptrace Protection with Yama LSM (Non-broker)
Driver: Sandboxed: false on the edge://gpu/ page.
Importance
This request is highly impactful. The user experience of applications relying on MS Edge would be significantly compromised without proper sandboxing, leading to potential security vulnerabilities.
Suggested Implementation
Package the necessary AppArmor profile with the MS Edge installation or update files.
Alternatively, collaborate with Ubuntu support to ensure that this profile is included in their default AppArmor settings.
Your attention to this matter would greatly improve the security and functionality of MS Edge for Ubuntu users.
Thank you!
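A way to check a host for the condition this thread describes, as an added example that is not part of the issue and not Microsoft's or Ubuntu's packaging. It assumes the restriction in question is Ubuntu's AppArmor limit on unprivileged user namespaces; the binary path, profile path and sample profile are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue). Assumed paths: Edge binary at
# /opt/microsoft/msedge/msedge, profile at /etc/apparmor.d/msedge.

# Constructed sample profile: leaves the binary unconfined but grants `userns`.
sample_profile() {
cat <<'EOF'
abi <abi/4.0>,
include <tunables/global>

profile msedge /opt/microsoft/msedge/msedge flags=(unconfined) {
  userns,
  include if exists <local/msedge>
}
EOF
}

# has_userns_rule FILE BINARY: true if FILE declares a profile attached to
# BINARY and contains a `userns,` rule.
has_userns_rule() {
    [ -r "$1" ] || return 1
    grep -F -- "$2" "$1" | grep -Eq '^[[:space:]]*profile[[:space:]]' &&
        grep -Eq '^[[:space:]]*userns,' "$1"
}

# userns_verdict SYSCTL_VALUE FILE BINARY: prints one of
#   unrestricted        sysctl is 0 or absent
#   allowed-by-profile  restriction on, profile grants userns
#   restricted          restriction on, no usable profile
userns_verdict() {
    case "$1" in
        ""|0) echo unrestricted ;;
        *) if has_userns_rule "$2" "$3"; then echo allowed-by-profile
           else echo restricted; fi ;;
    esac
}

main() {
    bin=/opt/microsoft/msedge/msedge
    prof=/etc/apparmor.d/msedge
    val=$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns 2>/dev/null || true)
    echo "apparmor_restrict_unprivileged_userns=${val:-absent}"
    echo "userns verdict for $bin: $(userns_verdict "$val" "$prof" "$bin")"
    echo "yama.ptrace_scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo absent)"
}
main
```

A `restricted` verdict matches the degraded edge://sandbox/ and edge://gpu/ readings quoted above; after installing a profile, it has to be loaded with `apparmor_parser -r` before the verdict reflects the running policy.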