Fixing the brave sandbox

I can run it on ubuntu if that’s easier

We have plans to improve the SELinux policy to fix known issues this cycle. While we don’t have anyone working on this task at this very moment we should see significant improvements as we move towards 19.04

posix4e@posix4e-HP-Spectre-x360-Convertible-15-bl1XX:~$ snapcraft version
snapcraft, version 2.43.1+18.4

I have a gist of the journald for that node at https://gist.github.com/posix4e/e6d01cd29bf259a7a72d4d11a1fe16f5

I don’t see any denials in the log you posted. Maybe @jdstrand can spot something out of the ordinary. Does brave work ok outside of snap? What is the actual problem with the app (aside from printing some logs)?

Gotcha I’ll run it without devmode and trigger the crash.

I looked through the log again, AFAICT the snap is trying to do things that seem to be allowed by browser-support provided allow-sandbox is enabled.

Chromium declares this in their snap:

plugs:
  browser-sandbox:
    allow-sandbox: true
    interface: browser-support

Back to the logs, this may be a problem:

audit[19388]: AVC apparmor="ALLOWED" operation="mknod" profile="snap.brave.brave" name="/dev/shm/shmfd-KP149M" pid=19388 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit[19388]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/dev/shm/shmfd-KP149M" pid=19388 comm="brave" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
audit[19388]: AVC apparmor="ALLOWED" operation="unlink" profile="snap.brave.brave" name="/dev/shm/shmfd-KP149M" pid=19388 comm="brave" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
audit[19373]: AVC apparmor="ALLOWED" operation="truncate" profile="snap.brave.brave" name="/dev/shm/shmfd-KP149M" pid=19373 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

The browser-support interface does not allow this. @jdstrand is probably best person to suggest something there.

This is allowed when using allow-sandbox: true, which brave is allowed and expected to use. I.e., do something like this in your snapcraft.yaml:

name: brave
...
plugs:
  browser-sandbox:
    allow-sandbox: true
    interface: browser-support
...
apps:
  brave:
    ...
    plugs:
    - browser-sandbox
    ...

I don’t recall whether brave is using electron-builder, or the details of how to enable allow-sandbox: true in electron-builder, but IIRC there is a way to do it. Perhaps @popey or @Wimpress recall the details.

FYI, I pinged because I thought I (mistakenly?) remembered you fiddled with SELinux policy on Fedora. I was referring to this comment: Fixing the brave sandbox, which has several SELinux denials. Again, just FYI, as this is now being developed on Ubuntu (as you saw below).

Yep, just to be clear, I have a ton of Linux distros I test on. But for now I will restrict all my development to Ubuntu to make things easier. I use Ubuntu 18.04, and the commands I used to install and build the snap are visible in the travis.yml in the above linked pull request. I am now in the process of doing a cleanbuild and I will attempt to show you the bug I get when starting without devmode. Then I’ll link the journald log with devmode. Hopefully between the two of them we will finally figure out what needs to be done. Sorry for the confusion and thanks for the help.

Ok, here we go. I did a totally clean build and a fresh install of
https://github.com/posix4e/brave/tree/sandbox

$ snap version
snap 2.35.5
snapd 2.35.5
series 16
ubuntu 18.04
kernel 4.15.0-36-generic

Here’s journald of brave-dev running without devmode


It actually crashes instead of starting

Here’s the journald of brave-dev running in devmode


It did not crash, but who wants to run in devmode.

FYI, in the future you can omit the profile_replace lines.

Nov 16 12:58:28 posix4e-HP-Spectre-x360-Convertible-15-bl1XX audit[14892]: AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.brave" name="/tmp/.snap/snap/brave/x1/" pid=14892 comm="3" srcname="/snap/brave/x1/" flags="rw, rbind"

I believe @zyga-snapd has a fix for this in the core snap in edge. You might try sudo snap refresh core --edge and report back.

Nov 16 12:58:32 posix4e-HP-Spectre-x360-Convertible-15-bl1XX audit[14879]: AVC apparmor="DENIED" operation="mkdir" profile="snap.brave.brave" name="/etc/opt/chrome/" pid=14879 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

This is harmless and just noise. You could get rid of it by using ‘layouts’ in snapd.

Nov 16 12:58:32 posix4e-HP-Spectre-x360-Convertible-15-bl1XX audit[15165]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/proc/15165/setgroups" pid=15165 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

This is because you aren’t using allow-sandbox: true when plugging the browser-support interface. See my comment on this here: Fixing the brave sandbox

I updated and got this. Do I need to run this in devmode?

Your paste simply shows STATUS messages for loading the profiles for your snap and no policy violations, so it should be fine. If you see other violations, respond here.

Just to be clear it crashes unless it’s installed in devmode with

[4260:4260:1123/164935.945715:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
Trace/breakpoint trap (core dumped)

I reran sudo journalctl | grep brave | grep audit after installing in devmode

Nov 23 16:53:30 ubuntu-bionic audit[5821]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.brave" pid=5821 comm="apparmor_parser"
Nov 23 16:54:02 ubuntu-bionic audit[5833]: AVC apparmor="ALLOWED" operation="mkdir" profile="snap.brave.brave" name="/etc/opt/chrome/" pid=5833 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.931:267): apparmor="ALLOWED" operation="mkdir" profile="snap.brave.brave" name="/etc/opt/chrome/" pid=5833 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic audit[6024]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6024/setgroups" pid=6024 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic audit[6024]: AVC apparmor="ALLOWED" operation="capable" profile="snap.brave.brave" pid=6024 comm="brave" capability=21  capname="sys_admin"
Nov 23 16:54:02 ubuntu-bionic audit[6024]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6024/gid_map" pid=6024 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic audit[6024]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6024/uid_map" pid=6024 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic audit[6024]: SECCOMP auid=1000 uid=1000 gid=1000 ses=5 pid=6024 comm="brave" exe="/snap/brave/x1/opt/brave.com/brave/brave" sig=0 arch=c000003e syscall=272 compat=0 ip=0x7fca6a48a4d9 code=0x7ffc0000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.947:268): apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6024/setgroups" pid=6024 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.947:269): apparmor="ALLOWED" operation="capable" profile="snap.brave.brave" pid=6024 comm="brave" capability=21  capname="sys_admin"
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.947:270): apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6024/gid_map" pid=6024 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.947:271): apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6024/uid_map" pid=6024 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1326 audit(1542992042.947:272): auid=1000 uid=1000 gid=1000 ses=5 pid=6024 comm="brave" exe="/snap/brave/x1/opt/brave.com/brave/brave" sig=0 arch=c000003e syscall=272 compat=0 ip=0x7fca6a48a4d9 code=0x7ffc0000
Nov 23 16:54:02 ubuntu-bionic audit[5833]: AVC apparmor="ALLOWED" operation="capable" profile="snap.brave.brave" pid=5833 comm="brave" capability=21  capname="sys_admin"
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.959:273): apparmor="ALLOWED" operation="capable" profile="snap.brave.brave" pid=5833 comm="brave" capability=21  capname="sys_admin"
Nov 23 16:54:02 ubuntu-bionic audit[6025]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/setgroups" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic audit[6025]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/uid_map" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic audit[6025]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/gid_map" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.959:274): apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/setgroups" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.959:275): apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/uid_map" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.959:276): apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/gid_map" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:03 ubuntu-bionic audit[6025]: AVC apparmor="ALLOWED" operation="mkdir" profile="snap.brave.brave" name="/etc/opt/chrome/" pid=6025 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 23 16:54:03 ubuntu-bionic audit[6025]: SECCOMP auid=1000 uid=1000 gid=1000 ses=5 pid=6025 comm="brave" exe="/snap/brave/x1/opt/brave.com/brave/brave" sig=0 arch=c000003e syscall=272 compat=0 ip=0x7fe3eed204d9 code=0x7ffc0000
Nov 23 16:54:03 ubuntu-bionic audit[6025]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/setgroups" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:03 ubuntu-bionic audit[6025]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/gid_map" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:03 ubuntu-bionic audit[6025]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/uid_map" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:03 ubuntu-bionic audit[5833]: AVC apparmor="ALLOWED" operation="capable" profile="snap.brave.brave" pid=5833 comm="brave" capability=19  capname="sys_ptrace"

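Reading a devmode log like the one above by eye is error-prone: journald carries every audit record twice (once as the userspace `audit[pid]: AVC ...` line and once as the `kernel: audit: type=1400 ...` line), `apparmor="ALLOWED"` in devmode means the action would have been denied under strict confinement, and the SECCOMP lines only give a syscall number. The following triage script is an added example by the editor, not code from this thread or from the brave or snapd projects. It parses the key="value" fields, deduplicates the two copies of each record, labels complain-mode versus enforced denials, and attaches a hint for the user-namespace pattern seen above. The sample lines are constructed from the ones pasted in the thread; the only lookups it assumes are that syscall 272 is unshare on x86_64 (arch c000003e) and that code=0x7ffc0000 is SECCOMP_RET_LOG.

```python
"""Triage snap AppArmor/seccomp audit lines from journald (editor's added example)."""
import re
from collections import Counter

# Constructed sample modelled on the lines pasted in the thread (not a real capture).
SAMPLE_LOG = """\
Nov 23 16:53:30 ubuntu-bionic audit[5821]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.brave" pid=5821 comm="apparmor_parser"
Nov 23 16:54:02 ubuntu-bionic audit[5833]: AVC apparmor="ALLOWED" operation="mkdir" profile="snap.brave.brave" name="/etc/opt/chrome/" pid=5833 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.931:267): apparmor="ALLOWED" operation="mkdir" profile="snap.brave.brave" name="/etc/opt/chrome/" pid=5833 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic audit[6024]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6024/setgroups" pid=6024 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic audit[6024]: AVC apparmor="ALLOWED" operation="capable" profile="snap.brave.brave" pid=6024 comm="brave" capability=21  capname="sys_admin"
Nov 23 16:54:02 ubuntu-bionic audit[6024]: SECCOMP auid=1000 uid=1000 gid=1000 ses=5 pid=6024 comm="brave" exe="/snap/brave/x1/opt/brave.com/brave/brave" sig=0 arch=c000003e syscall=272 compat=0 ip=0x7fca6a48a4d9 code=0x7ffc0000
Nov 16 12:58:28 posix4e-HP audit[14892]: AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.brave" name="/tmp/.snap/snap/brave/x1/" pid=14892 comm="3" srcname="/snap/brave/x1/" flags="rw, rbind"
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')
ARCHES = {"c000003e": "x86_64"}
X86_64_SYSCALLS = {272: "unshare"}   # only the number seen in the thread; x86_64 table
SECCOMP_RET_LOG = 0x7FFC0000         # complain mode: the syscall is logged, then allowed
USERNS_PATH = re.compile(r"^/proc/\d+/(setgroups|uid_map|gid_map)$")


def parse_fields(line):
    """Return the key=value fields of an audit line as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(line):
    """Map one journald line to an event dict, or None if it is not an audit record."""
    f = parse_fields(line)
    if "SECCOMP" in line or f.get("type") == "1326":
        nr = int(f["syscall"])
        name = f"nr={nr}"
        if ARCHES.get(f.get("arch", "")) == "x86_64":
            name = X86_64_SYSCALLS.get(nr, name)
        mode = "complain" if int(f["code"], 16) == SECCOMP_RET_LOG else "enforce"
        return {"kind": "seccomp", "mode": mode, "profile": f.get("exe", "?"),
                "operation": "syscall", "name": name, "pid": f.get("pid")}
    verdict = f.get("apparmor")
    if verdict is None:
        return None
    if verdict == "STATUS":   # profile load/replace messages are not policy violations
        return {"kind": "status", "mode": "n/a", "profile": f.get("profile"),
                "operation": f.get("operation"), "name": f.get("name", ""), "pid": f.get("pid")}
    # capable events carry capname instead of a path
    name = f.get("name") or (f"cap_{f['capname']}" if "capname" in f else "?")
    return {"kind": "apparmor", "mode": "complain" if verdict == "ALLOWED" else "enforce",
            "profile": f["profile"], "operation": f["operation"], "name": name, "pid": f.get("pid")}


def triage(log_text):
    """Return the deduplicated policy events (STATUS lines dropped) in log order."""
    seen, events = set(), []
    for line in log_text.splitlines():
        ev = classify(line)
        if ev is None or ev["kind"] == "status":
            continue
        # The audit[pid] and kernel: audit copies share the same second, pid, op and target;
        # two genuinely separate events within one second would also collapse here.
        key = (line[:15], ev["pid"], ev["operation"], ev["name"])
        if key in seen:
            continue
        seen.add(key)
        events.append(ev)
    return events


def hint(ev):
    """Editor's heuristic for the patterns seen in the thread."""
    if USERNS_PATH.match(ev["name"]) or ev["name"] in ("cap_sys_admin", "unshare"):
        return "user-namespace setup (Chromium's namespace sandbox); needs browser-support with allow-sandbox: true"
    if ev["operation"] == "mount" and ev["profile"].startswith("snap-update-ns."):
        return "snap-update-ns mount failure: a snapd/core issue rather than the app's own policy"
    return "unclassified; compare against the plugged interface's policy"


def summarize(events):
    """Count events by (mode, profile, operation, target)."""
    return Counter((e["mode"], e["profile"], e["operation"], e["name"]) for e in events)


if __name__ == "__main__":
    evs = triage(SAMPLE_LOG)
    for (mode, profile, op, name), n in sorted(summarize(evs).items()):
        print(f"{n:3d} {mode:8s} {profile:22s} {op:8s} {name}")
    for e in evs:
        print(f"{e['mode']:8s} {e['operation']:8s} {e['name']:28s} -> {hint(e)}")
```

Run it against `journalctl | grep audit` output instead of `SAMPLE_LOG` to get one line per distinct event. Anything reported as `complain` is what will turn into a hard denial once the snap is installed without devmode, so it is the list to work through before trying strict confinement.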
Are you using allow-sandbox?

Thanks for responding @chipaca. I think I’m using it correctly? https://github.com/posix4e/brave/blob/sandbox/snap/snapcraft.yaml#L76

I guess the question is more like “why do you use it”?

snap confinement is essentially already a secure sandbox, so with this option you force the browser to run one sandbox inside another sandbox…


Although they sound similar, the isolation is very fine-grained in Chromium. Is there some concern about the different forms of isolation?

It is indeed not wrong, but it adds duplication and potentially also a performance penalty (I doubt anyone measured that though, so just guessing here).

There might be an issue because you are using:

apps:
  brave:
    plugs:
      ...
      - browser-sandbox
      - browser-support
      ...

plugs:
  browser-sandbox:
    interface: browser-support
    allow-sandbox: true

I.e., you are plugging both browser-support and your defined browser-sandbox. Try removing browser-support from apps/brave/plugs, then remove/install the snap and see if that helps. If it does, please file a bug at https://bugs.launchpad.net/snapd/+filebug pointing to this forum topic.

As for brave’s use of allow-sandbox: it is expected that major browser vendors like brave will want to use allow-sandbox so it is fine and expected that the brave snap is using it.
