BetterCorp/BetterFrame
1
0
Fork 0
mirror of https://github.com/BetterCorp/BetterFrame.git synced 2026-05-26 19:06:34 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

fix(kiosk): strip caps so WebKit's bwrap sandbox can start

Browse source 
WebKitGTK launches bubblewrap for its web-content process; bwrap refuses
to run when the parent process still carries unexpected CAP_* bits ("but
not setuid, old file caps config?"). Setting CapabilityBoundingSet= +
AmbientCapabilities= empty and NoNewPrivileges=yes gives bwrap a clean
caps slate to drop from, so the sandbox initialises and web/dashboard
cells render instead of crashing the kiosk.
This commit is contained in:
Mitchell R 2026-05-13 12:53:31 +02:00
parent f2dd5b9386
commit 786febbb9b
1 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
deploy/systemd/betterframe-kiosk.service
View file

@ -36,5 +36,15 @@ ExecStart=/usr/bin/cage -s -- /opt/betterframe/kiosk/betterframe-kiosk
Restart=always Restart=always
RestartSec=2 RestartSec=2
# WebKitGTK uses bubblewrap for its web-content sandbox. bwrap aborts with
# "Unexpected capabilities but not setuid" when launched from a process that
# still carries CAP_* bits. Strip caps + lock NoNewPrivileges so WebKit's
# sandbox can initialise cleanly. Without this WebKit cells crash on load.
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=yes
# Fallback if the above isn't enough on a given distro (disables WebKit sandbox):
#Environment=WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target