Fixing the brave sandbox

So we have a new brave package, but it seems as though the chromium sandbox is broken. I’m curious, do I have to weaken confinement? Perhaps I can patch our sandbox to take advantage of snapcraft confinement?

@jdstrand could you follow on this?

@posix4e - the official brave snap already is allowed to use ‘allow-sandbox: true’ with the browser-support plug. What does your snapcraft.yaml look like? Are there any security denials in journald when you observe that the sandbox is broken?

Yep! I am working on the new brave version. Here’s the branch I’m working on https://github.com/posix4e/brave/tree/sandbox

Here’s the output in devmode

$ sudo snap install --dangerous --devmode ./brave.snap 
brave v0.56.12-8.dev installed
posix4e@localhost:~/src/brave/brave$ brave
Gtk-Message: Failed to load module "pk-gtk-module"
Gtk-Message: Failed to load module "canberra-gtk-module"
Gtk-Message: Failed to load module "pk-gtk-module"
Gtk-Message: Failed to load module "canberra-gtk-module"
[9567:9793:1113/092810.916936:ERROR:rewards_service_impl.cc(133)] Failed to read file: /home/posix4e/snap/brave/x2/.config/BraveSoftware/Brave-Browser/Default/ledger_state
[9805:9805:1113/092812.503025:ERROR:sandbox_linux.cc(379)] InitializeSandbox() called with multiple threads in process gpu-process.
[9567:9567:1113/092812.533305:ERROR:gpu_process_transport_factory.cc(980)] Lost UI shared context.
[1:8:1113/092813.012972:ERROR:command_buffer_proxy_impl.cc(119)] ContextResult::kTransientFailure: Failed to send GpuChannelMsg_CreateCommandBuffer.
Error org.freedesktop.DBus.Error.Failed: cannot find desktop file "/var/lib/snapd/desktop/applications/brave_brave-browser.desktop"
[9567:9567:1113/092924.736380:ERROR:input_method_base.cc(146)] Not implemented reached in virtual ui::InputMethodKeyboardController *ui::InputMethodBase::GetInputMethodKeyboardController()Using InputMethodKeyboardControllerStub
[9567:9567:1113/093217.239723:ERROR:input_method_base.cc(146)] Not implemented reached in virtual ui::InputMethodKeyboardController *ui::InputMethodBase::GetInputMethodKeyboardController()Using InputMethodKeyboardControllerStub
[9567:9567:1113/094006.071677:ERROR:input_method_base.cc(146)] Not implemented reached in virtual ui::InputMethodKeyboardController *ui::InputMethodBase::GetInputMethodKeyboardController()Using InputMethodKeyboardControllerStub
[9567:9567:1113/094239.787702:ERROR:input_method_base.cc(146)] Not implemented reached in virtual ui::InputMethodKeyboardController *ui::InputMethodBase::GetInputMethodKeyboardController()Using InputMethodKeyboardControllerStub
[9567:9567:1113/094340.841712:ERROR:CONSOLE(0)] "Unchecked runtime.lastError: Unknown error.", source: chrome://newtab/ (0)
[9567:9567:1113/094340.841763:ERROR:CONSOLE(0)] "Unchecked runtime.lastError: Unknown error.", source: chrome://newtab/ (0)
[9567:9567:1113/094340.841791:ERROR:CONSOLE(0)] "Unchecked runtime.lastError: Unknown error.", source: chrome://newtab/ (0)
[9567:9567:1113/094634.135052:ERROR:CONSOLE(0)] "Unchecked runtime.lastError: Unknown error.", source: chrome://newtab/ (0)
[9567:9567:1113/094634.135089:ERROR:CONSOLE(0)] "Unchecked runtime.lastError: Unknown error.", source: chrome://newtab/ (0)
[9567:9567:1113/094634.135115:ERROR:CONSOLE(0)] "Unchecked runtime.lastError: Unknown error.", source: chrome://newtab/ (0)
[9567:9567:1113/094634.177269:ERROR:input_method_base.cc(146)] Not implemented reached in virtual ui::InputMethodKeyboardController *ui::InputMethodBase::GetInputMethodKeyboardController()Using InputMethodKeyboardControllerStub
[9567:9567:1113/095429.543834:ERROR:textfield.cc(1767)] Not implemented reached in virtual bool views::Textfield::ShouldDoLearning()
[9567:9567:1113/100845.642829:ERROR:input_method_base.cc(146)] Not implemented reached in virtual ui::InputMethodKeyboardController *ui::InputMethodBase::GetInputMethodKeyboardController()Using InputMethodKeyboardControllerStub
[9567:9567:1113/102042.846638:ERROR:input_method_base.cc(146)] Not implemented reached in virtual ui::InputMethodKeyboardController *ui::InputMethodBase::GetInputMethodKeyboardController()Using InputMethodKeyboardControllerStub
[9567:9567:1113/103009.176932:ERROR:brave_stats_updater.cc(108)] Failed to send usage stats to update server, error: -2, response code: 400, url: https://laptop-updates.brave.com/1/usage/brave-core?platform=linux-bc&channel=unknown&version=0.56.12&daily=true&weekly=true&monthly=true&first=true&woi=2018-11-12&ref=none

These are errors from your application. I was asking about security policy denials from journald. E.g. what new journald entries are added to the output of this command when you try to run the snap: sudo journalctl | grep brave| grep audit

Nov 13 09:26:54 localhost.localdomain audit[7719]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=7719 comm="brave" exe="/snap/brave/x1/opt/brave.com/brave/brave" sig=0 arch=c000003e syscall=272 compat=0 ip=0x7fe6115fd4d9 code=0x50000
Nov 13 09:26:54 localhost.localdomain audit[7611]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=7611 comm="brave" exe="/snap/brave/x1/opt/brave.com/brave/brave" sig=5 res=1
Nov 13 09:26:55 localhost.localdomain audit[7745]: AVC avc:  denied  { read } for  pid=7745 comm="abrt-action-gen" name="brave" dev="loop5" ino=174 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Nov 13 09:26:55 localhost.localdomain audit[7745]: AVC avc:  denied  { read } for  pid=7745 comm="abrt-action-gen" name="brave" dev="loop5" ino=174 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Nov 13 09:26:55 localhost.localdomain audit[7762]: AVC avc:  denied  { read } for  pid=7762 comm="eu-unstrip" name="brave" dev="loop5" ino=174 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Nov 13 09:27:14 localhost.localdomain audit[7951]: USER_CMD pid=7951 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/posix4e/src/brave/brave" cmd=736E61702072656D6F7665206272617665 terminal=pts/0 res=success'
Nov 13 09:27:14 localhost.localdomain audit[8027]: AVC avc:  denied  { read write } for  pid=8027 comm="snap-update-ns" name="brave.lock" dev="tmpfs" ino=94556 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8027]: AVC avc:  denied  { open } for  pid=8027 comm="snap-update-ns" path="/run/snapd/lock/brave.lock" dev="tmpfs" ino=94556 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8027]: AVC avc:  denied  { lock } for  pid=8027 comm="snap-update-ns" path="/run/snapd/lock/brave.lock" dev="tmpfs" ino=94556 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8027]: AVC avc:  denied  { write } for  pid=8027 comm="snap-update-ns" name="snap.brave" dev="cgroup" ino=16 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8027]: AVC avc:  denied  { add_name } for  pid=8027 comm="snap-update-ns" name="snap.brave.fstab.SYlqPmm6NryL~" scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8027]: AVC avc:  denied  { create } for  pid=8027 comm="snap-update-ns" name="snap.brave.fstab.SYlqPmm6NryL~" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8027]: AVC avc:  denied  { write open } for  pid=8027 comm="snap-update-ns" path="/run/snapd/ns/snap.brave.fstab.SYlqPmm6NryL~" dev="tmpfs" ino=101544 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8027]: AVC avc:  denied  { getattr } for  pid=8027 comm="snap-update-ns" path="/run/snapd/ns/snap.brave.fstab" dev="tmpfs" ino=92481 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8027]: AVC avc:  denied  { remove_name } for  pid=8027 comm="snap-update-ns" name="snap.brave.fstab.SYlqPmm6NryL~" dev="tmpfs" ino=101544 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8027]: AVC avc:  denied  { rename } for  pid=8027 comm="snap-update-ns" name="snap.brave.fstab.SYlqPmm6NryL~" dev="tmpfs" ino=101544 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8027]: AVC avc:  denied  { unlink } for  pid=8027 comm="snap-update-ns" name="snap.brave.fstab" dev="tmpfs" ino=92481 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8039]: AVC avc:  denied  { read } for  pid=8039 comm="snap-update-ns" name="snap.brave.fstab" dev="tmpfs" ino=101544 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8039]: AVC avc:  denied  { mounton } for  pid=8039 comm="snap-update-ns" path="/tmp/.snap/snap/brave/x1" dev="tmpfs" ino=96046 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8039]: AVC avc:  denied  { mounton } for  pid=8039 comm="snap-update-ns" path="/snap/brave/x1" dev="loop5" ino=23578 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8039]: AVC avc:  denied  { mounton } for  pid=8039 comm="snap-update-ns" path="/snap/brave/x1/bin" dev="tmpfs" ino=96051 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8039]: AVC avc:  denied  { create } for  pid=8039 comm="snap-update-ns" name="command-brave.wrapper" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8039]: AVC avc:  denied  { read open } for  pid=8039 comm="snap-update-ns" path="/snap/brave/x1/command-brave.wrapper" dev="tmpfs" ino=96053 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8039]: AVC avc:  denied  { setattr } for  pid=8039 comm="snap-update-ns" name="command-brave.wrapper" dev="tmpfs" ino=96053 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8039]: AVC avc:  denied  { getattr } for  pid=8039 comm="snap-update-ns" path="/snap/brave/x1/command-brave.wrapper" dev="tmpfs" ino=96053 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8039]: AVC avc:  denied  { mounton } for  pid=8039 comm="snap-update-ns" path="/snap/brave/x1/command-brave.wrapper" dev="tmpfs" ino=96053 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8039]: AVC avc:  denied  { getattr } for  pid=8039 comm="snap-update-ns" path="/run/snapd/ns/snap.brave.fstab" dev="tmpfs" ino=101544 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:14 localhost.localdomain audit[8039]: AVC avc:  denied  { unlink } for  pid=8039 comm="snap-update-ns" name="snap.brave.fstab" dev="tmpfs" ino=101544 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:16 localhost.localdomain audit[2988]: AVC avc:  denied  { write } for  pid=2988 comm="snapd" name="brave" dev="dm-3" ino=11144713 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
Nov 13 09:27:16 localhost.localdomain audit[2988]: AVC avc:  denied  { remove_name } for  pid=2988 comm="snapd" name="snap.brave" dev="tmpfs" ino=92484 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
Nov 13 09:27:16 localhost.localdomain audit[2988]: AVC avc:  denied  { rmdir } for  pid=2988 comm="snapd" name="snap.brave" dev="tmpfs" ino=92484 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
Nov 13 09:27:16 localhost.localdomain audit[8393]: AVC avc:  denied  { read write } for  pid=8393 comm="snap-discard-ns" name="brave.lock" dev="tmpfs" ino=94556 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:16 localhost.localdomain audit[8393]: AVC avc:  denied  { open } for  pid=8393 comm="snap-discard-ns" path="/run/snapd/lock/brave.lock" dev="tmpfs" ino=94556 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:16 localhost.localdomain audit[8393]: AVC avc:  denied  { lock } for  pid=8393 comm="snap-discard-ns" path="/run/snapd/lock/brave.lock" dev="tmpfs" ino=94556 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:30 localhost.localdomain audit[8402]: USER_CMD pid=8402 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/posix4e/src/brave/brave" cmd=736E617020696E7374616C6C202D2D64616E6765726F7573202E2F62726176652E736E6170 terminal=pts/0 res=success'
Nov 13 09:27:33 localhost.localdomain audit[2988]: AVC avc:  denied  { getattr } for  pid=2988 comm="snapd" path="/run/snapd/ns/brave.mnt" dev="tmpfs" ino=94557 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:33 localhost.localdomain audit[8592]: AVC avc:  denied  { read } for  pid=8592 comm="snap-update-ns" name="brave.mnt" dev="tmpfs" ino=94557 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:33 localhost.localdomain audit[8592]: AVC avc:  denied  { open } for  pid=8592 comm="snap-update-ns" path="/run/snapd/ns/brave.mnt" dev="tmpfs" ino=94557 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:34 localhost.localdomain audit[2988]: AVC avc:  denied  { getattr } for  pid=2988 comm="snapd" path="/run/snapd/ns/brave.mnt" dev="tmpfs" ino=94557 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:34 localhost.localdomain audit[8827]: AVC avc:  denied  { read } for  pid=8827 comm="snap-update-ns" name="brave.mnt" dev="tmpfs" ino=94557 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:34 localhost.localdomain audit[8827]: AVC avc:  denied  { open } for  pid=8827 comm="snap-update-ns" path="/run/snapd/ns/brave.mnt" dev="tmpfs" ino=94557 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:27:51 localhost.localdomain audit[9194]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=9194 comm="brave" exe="/snap/brave/x1/opt/brave.com/brave/brave" sig=0 arch=c000003e syscall=272 compat=0 ip=0x7f30887514d9 code=0x50000
Nov 13 09:27:51 localhost.localdomain audit[8951]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=8951 comm="brave" exe="/snap/brave/x1/opt/brave.com/brave/brave" sig=5 res=1
Nov 13 09:27:52 localhost.localdomain audit[9217]: AVC avc:  denied  { read } for  pid=9217 comm="abrt-action-gen" name="brave" dev="loop5" ino=174 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Nov 13 09:27:52 localhost.localdomain audit[9217]: AVC avc:  denied  { read } for  pid=9217 comm="abrt-action-gen" name="brave" dev="loop5" ino=174 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Nov 13 09:27:52 localhost.localdomain audit[9234]: AVC avc:  denied  { read } for  pid=9234 comm="eu-unstrip" name="brave" dev="loop5" ino=174 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Nov 13 09:27:58 localhost.localdomain audit[9253]: USER_CMD pid=9253 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/posix4e/src/brave/brave" cmd=736E617020696E7374616C6C202D2D64616E6765726F7573202D2D6465766D6F6465202E2F62726176652E736E6170 terminal=pts/0 res=success'
Nov 13 09:28:01 localhost.localdomain audit[9441]: AVC avc:  denied  { write } for  pid=9441 comm="cp" name="brave" dev="dm-3" ino=11144713 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
Nov 13 09:28:01 localhost.localdomain audit[9441]: AVC avc:  denied  { open } for  pid=9441 comm="cp" path="/home/posix4e/snap/brave/x1/.config/user-dirs.dirs" dev="dm-3" ino=17318135 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Nov 13 09:28:01 localhost.localdomain audit[9441]: AVC avc:  denied  { write } for  pid=9441 comm="cp" path="/home/posix4e/snap/brave/x2/.config/user-dirs.dirs" dev="dm-3" ino=18110033 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Nov 13 09:28:01 localhost.localdomain audit[9441]: AVC avc:  denied  { getattr } for  pid=9441 comm="cp" path="/home/posix4e/snap/brave/x1/.config/user-dirs.locale" dev="dm-3" ino=17318136 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=1
Nov 13 09:28:01 localhost.localdomain audit[9441]: AVC avc:  denied  { open } for  pid=9441 comm="cp" path="/home/posix4e/snap/brave/x1/.config/user-dirs.locale" dev="dm-3" ino=17318136 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=1
Nov 13 09:28:01 localhost.localdomain audit[9441]: AVC avc:  denied  { write } for  pid=9441 comm="cp" path="/home/posix4e/snap/brave/x2/.config/user-dirs.locale" dev="dm-3" ino=18110034 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file permissive=1
Nov 13 09:28:01 localhost.localdomain audit[9441]: AVC avc:  denied  { getattr } for  pid=9441 comm="cp" path="/home/posix4e/snap/brave/x1/.config/dconf/user" dev="dm-3" ino=17319007 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { read write } for  pid=9544 comm="snap-update-ns" name="brave.lock" dev="tmpfs" ino=94556 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { open } for  pid=9544 comm="snap-update-ns" path="/run/snapd/lock/brave.lock" dev="tmpfs" ino=94556 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { lock } for  pid=9544 comm="snap-update-ns" path="/run/snapd/lock/brave.lock" dev="tmpfs" ino=94556 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { mounton } for  pid=9544 comm="snap-update-ns" path="/tmp/.snap/snap/brave/x2" dev="tmpfs" ino=298274 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { mounton } for  pid=9544 comm="snap-update-ns" path="/snap/brave/x2" dev="loop14" ino=23578 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { mounton } for  pid=9544 comm="snap-update-ns" path="/snap/brave/x2/bin" dev="tmpfs" ino=298279 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { create } for  pid=9544 comm="snap-update-ns" name="command-brave.wrapper" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { read open } for  pid=9544 comm="snap-update-ns" path="/snap/brave/x2/command-brave.wrapper" dev="tmpfs" ino=298281 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { setattr } for  pid=9544 comm="snap-update-ns" name="command-brave.wrapper" dev="tmpfs" ino=298281 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { getattr } for  pid=9544 comm="snap-update-ns" path="/snap/brave/x2/command-brave.wrapper" dev="tmpfs" ino=298281 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { mounton } for  pid=9544 comm="snap-update-ns" path="/snap/brave/x2/command-brave.wrapper" dev="tmpfs" ino=298281 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { add_name } for  pid=9544 comm="snap-update-ns" name="snap.brave.fstab.wFCRSbM1NBwQ~" scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { create } for  pid=9544 comm="snap-update-ns" name="snap.brave.fstab.wFCRSbM1NBwQ~" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { write open } for  pid=9544 comm="snap-update-ns" path="/run/snapd/ns/snap.brave.fstab.wFCRSbM1NBwQ~" dev="tmpfs" ino=298321 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { getattr } for  pid=9544 comm="snap-update-ns" path="/run/snapd/ns/snap.brave.fstab" dev="tmpfs" ino=201857 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { remove_name } for  pid=9544 comm="snap-update-ns" name="snap.brave.fstab.wFCRSbM1NBwQ~" dev="tmpfs" ino=298321 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { rename } for  pid=9544 comm="snap-update-ns" name="snap.brave.fstab.wFCRSbM1NBwQ~" dev="tmpfs" ino=298321 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Nov 13 09:28:02 localhost.localdomain audit[9544]: AVC avc:  denied  { unlink } for  pid=9544 comm="snap-update-ns" name="snap.brave.fstab" dev="tmpfs" ino=201857 scontext=system_u:system_r:snappy_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1

It appears you are running this on a non-AppArmor system. What is the output of: snap version.

snap 2.36-1.fc28
snapd 2.36-1.fc28
series 16
fedora 28
kernel 4.18.17-200.fc28.x86_64

Since this is a Fedora system with SELinux enforcing, I’ll hand off to @mborzecki, @zyga-snapd and/or @Conan_Kudo.

I can run it on ubuntu if that’s easier

We have plans to improve the SELinux policy to fix known issues this cycle. While we don’t have anyone working on this task at this very moment, we should see significant improvements as we move towards 19.04.

posix4e@posix4e-HP-Spectre-x360-Convertible-15-bl1XX:~$ snapcraft version
snapcraft, version 2.43.1+18.4

I have a gist of the journald for that node at https://gist.github.com/posix4e/e6d01cd29bf259a7a72d4d11a1fe16f5

I don’t see any denials in the log you posted. Maybe @jdstrand can spot something out of the ordinary. Does brave work ok outside of snap? What is the actual problem with the app (aside from printing some logs)?

Gotcha I’ll run it without devmode and trigger the crash.

I looked through the log again, AFAICT the snap is trying to do things that seem to be allowed by browser-support provided allow-sandbox is enabled.

Chromium declares this in their snap:

plugs:
  browser-sandbox:
    allow-sandbox: true
    interface: browser-support

Back to the logs, this may be a problem:

audit[19388]: AVC apparmor="ALLOWED" operation="mknod" profile="snap.brave.brave" name="/dev/shm/shmfd-KP149M" pid=19388 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit[19388]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/dev/shm/shmfd-KP149M" pid=19388 comm="brave" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
audit[19388]: AVC apparmor="ALLOWED" operation="unlink" profile="snap.brave.brave" name="/dev/shm/shmfd-KP149M" pid=19388 comm="brave" requested_mask="d" denied_mask="d" fsuid=1000 ouid=1000
audit[19373]: AVC apparmor="ALLOWED" operation="truncate" profile="snap.brave.brave" name="/dev/shm/shmfd-KP149M" pid=19373 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

The browser-support interface does not allow this. @jdstrand is probably best person to suggest something there.

This is allowed when using allow-sandbox: true, which brave is allowed and expected to use. I.e., do something like this in your snapcraft.yaml:

name: brave
...
plugs:
  browser-sandbox:
    allow-sandbox: true
    interface: browser-support
...
apps:
  brave:
    ...
    plugs:
    - browser-sandbox
    ...

I don’t recall whether brave is using electron-builder, nor the details of how to enable allow-sandbox: true in electron-builder, but IIRC there is a way to do it. Perhaps @popey or @Wimpress recall the details.

FYI, I pinged because I thought I (mistakenly?) remembered you fiddled with SELinux policy on Fedora. I was referring to this comment: Fixing the brave sandbox which has several SELinux denials. Again just fyi, as now this is being developed on Ubuntu (as you saw below).

Yep, just to be clear, I have a ton of Linux distros I test on. But for now I will restrict all my development to Ubuntu to make things easier. I use Ubuntu 18.04 and the commands I used to install and build the snap are visible in the travis.yml in the above linked pull request. I am now in the process of doing a cleanbuild and I will attempt to show you the bug I get when starting without devmode. Then I’ll link the journald log with devmode. Hopefully between the two of them we will finally figure out what needs to be done. Sorry for the confusion and thanks for the help.

OK, here we go. I did a totally clean cleanbuild and a fresh install of
https://github.com/posix4e/brave/tree/sandbox

$ snap version
snap 2.35.5
snapd 2.35.5
series 16
ubuntu 18.04
kernel 4.15.0-36-generic

Here’s journald of brave-dev running without devmode


It actually crashes instead of starting

Here’s the journald of brave-dev running in devmode


It did not crash, but who wants to run in devmode.

FYI, in the future you can omit the profile_replace lines.

Nov 16 12:58:28 posix4e-HP-Spectre-x360-Convertible-15-bl1XX audit[14892]: AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.brave" name="/tmp/.snap/snap/brave/x1/" pid=14892 comm="3" srcname="/snap/brave/x1/" flags="rw, rbind"

I believe @zyga-snapd has a fix for this in the core snap in edge. You might try sudo snap refresh core --edge and report back.

Nov 16 12:58:32 posix4e-HP-Spectre-x360-Convertible-15-bl1XX audit[14879]: AVC apparmor="DENIED" operation="mkdir" profile="snap.brave.brave" name="/etc/opt/chrome/" pid=14879 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

This is harmless and just noise. You could get rid of it by using ‘layouts’ in snapd.

Nov 16 12:58:32 posix4e-HP-Spectre-x360-Convertible-15-bl1XX audit[15165]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/proc/15165/setgroups" pid=15165 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

This is because you aren’t using allow-sandbox: true when plugging the browser-support interface. See my comment on this here: Fixing the brave sandbox
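
As an added example (not part of the thread or of the brave or snapd projects): a small POSIX shell helper that sorts the kind of audit records quoted above into what they mean for confinement. It separates real AppArmor denials from complain-mode `apparmor="ALLOWED"` records (which devmode produces and which strict confinement would turn into denials), decodes the seccomp record (`arch=c000003e syscall=272` is unshare(2) on x86_64; `code=0x50000` is SECCOMP_RET_ERRNO, so the call failed rather than killing the process) and attaches the hints given in this thread: `/proc/<pid>/setgroups` and `/dev/shm/shmfd-*` point at a browser-support plug without `allow-sandbox: true`, an `/etc/opt/chrome` denial is noise that a layout can silence, and a `snap-update-ns.*` mount denial belongs to snapd rather than the app. The SAMPLE_LOG is constructed from lines posted in the thread; the syscall table only covers a few x86_64 entries.

```shell
#!/bin/sh
# Added example, not from the thread: classify snapd confinement events found with
#   sudo journalctl | grep brave | grep audit
# Usage: sh snap_denials.sh --demo            (runs on SAMPLE_LOG below)
#        sudo journalctl | grep audit | sh snap_denials.sh --stdin

# Constructed sample: audit records quoted in the thread plus one app log line.
SAMPLE_LOG='audit[19388]: AVC apparmor="ALLOWED" operation="mknod" profile="snap.brave.brave" name="/dev/shm/shmfd-KP149M" pid=19388 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit[14879]: AVC apparmor="DENIED" operation="mkdir" profile="snap.brave.brave" name="/etc/opt/chrome/" pid=14879 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit[15165]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/proc/15165/setgroups" pid=15165 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit[14892]: AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.brave" name="/tmp/.snap/snap/brave/x1/" pid=14892 comm="3" srcname="/snap/brave/x1/" flags="rw, rbind"
audit[7719]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 pid=7719 comm="brave" exe="/snap/brave/x1/opt/brave.com/brave/brave" sig=0 arch=c000003e syscall=272 compat=0 ip=0x7fe6115fd4d9 code=0x50000
Gtk-Message: Failed to load module "canberra-gtk-module"'

# field LINE KEY   -> value of a quoted KEY="value" pair (the space stops srcname= matching name=)
field()  { printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\([^\"]*\)\".*/\1/p"; }
# ufield LINE KEY  -> value of an unquoted KEY=value pair (arch=, syscall=, code=)
ufield() { printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p"; }

# classify_line LINE -> apparmor-denied | apparmor-complain | seccomp | noise
classify_line() {
  case "$1" in
    *'apparmor="DENIED"'*)  echo apparmor-denied ;;
    *'apparmor="ALLOWED"'*) echo apparmor-complain ;;  # devmode/complain: strict would DENY this
    *' SECCOMP '*)          echo seccomp ;;
    *)                      echo noise ;;              # application output, not a policy event
  esac
}

# syscall_name ARCH NUMBER -> name for the few x86_64 numbers relevant here (see ausyscall(8) for the rest)
syscall_name() {
  case "$1:$2" in
    c000003e:56)  echo clone ;;
    c000003e:157) echo prctl ;;
    c000003e:272) echo unshare ;;
    c000003e:308) echo setns ;;
    c000003e:317) echo seccomp ;;
    *)            echo "syscall-$2" ;;
  esac
}

# hint_for LINE -> one-line interpretation, using the explanations given in the thread
hint_for() {
  line=$1
  case "$(classify_line "$line")" in
    seccomp)
      act="action $(ufield "$line" code)"
      [ "$(ufield "$line" code)" = 0x50000 ] && act="SECCOMP_RET_ERRNO: call failed, process not killed"
      echo "seccomp filter blocked $(syscall_name "$(ufield "$line" arch)" "$(ufield "$line" syscall)")(2) ($act)" ;;
    apparmor-denied|apparmor-complain)
      pfx=""
      [ "$(classify_line "$line")" = apparmor-complain ] && pfx="devmode only, strict would deny: "
      profile=$(field "$line" profile); op=$(field "$line" operation); name=$(field "$line" name)
      case "$profile:$op:$name" in
        snap-update-ns.*:mount:*)  echo "${pfx}snapd mount namespace setup failed ($profile), not the app's policy: try a newer core snap" ;;
        *:*:/proc/*/setgroups)     echo "${pfx}$name: Chromium sandbox setup; plug browser-support with allow-sandbox: true" ;;
        *:*:/dev/shm/shmfd-*)      echo "${pfx}$name: shared memory file, also covered by allow-sandbox: true" ;;
        *:*:/etc/opt/chrome*)      echo "${pfx}$name: harmless noise, silence it with a snapd layout" ;;
        *)                         echo "${pfx}$profile $op $name: check the plugged interfaces" ;;
      esac ;;
    *) echo "not a security policy event" ;;
  esac
}

# ... | count_kind KIND -> number of stdin lines of that kind
count_kind() {
  n=0
  while IFS= read -r line; do
    if [ "$(classify_line "$line")" = "$1" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# ... | summarize -> one classified, annotated line per policy event; app noise is dropped
summarize() {
  while IFS= read -r line; do
    kind=$(classify_line "$line")
    [ "$kind" = noise ] && continue
    printf '%-17s %s\n' "$kind" "$(hint_for "$line")"
  done
}

case "${1:-}" in
  --demo)  printf '%s\n' "$SAMPLE_LOG" | summarize ;;
  --stdin) summarize ;;
esac
```

Run it with `--demo` to see the five policy events from the sample classified; pipe real journald output in with `--stdin`. The point of the split between `apparmor-denied` and `apparmor-complain` is the one jdstrand makes above: a devmode log with no DENIED lines still tells you what strict confinement will refuse, so read the ALLOWED records as a to-do list rather than as success.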