Fixing the brave sandbox


#21

I updated and got this. Do I need to run this in devmode


#22

Your paste simply shows STATUS messages for loading the profiles for your snap and no policy violations, so it should be fine. If you see other violations, respond here.


#23

Just to be clear, it crashes unless it’s installed in devmode, with:

[4260:4260:1123/164935.945715:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
Trace/breakpoint trap (core dumped)

I reran sudo journalctl | grep brave | grep audit after installing in devmode:

Nov 23 16:53:30 ubuntu-bionic audit[5821]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.brave" pid=5821 comm="apparmor_parser"
Nov 23 16:54:02 ubuntu-bionic audit[5833]: AVC apparmor="ALLOWED" operation="mkdir" profile="snap.brave.brave" name="/etc/opt/chrome/" pid=5833 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.931:267): apparmor="ALLOWED" operation="mkdir" profile="snap.brave.brave" name="/etc/opt/chrome/" pid=5833 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic audit[6024]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6024/setgroups" pid=6024 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic audit[6024]: AVC apparmor="ALLOWED" operation="capable" profile="snap.brave.brave" pid=6024 comm="brave" capability=21  capname="sys_admin"
Nov 23 16:54:02 ubuntu-bionic audit[6024]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6024/gid_map" pid=6024 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic audit[6024]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6024/uid_map" pid=6024 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic audit[6024]: SECCOMP auid=1000 uid=1000 gid=1000 ses=5 pid=6024 comm="brave" exe="/snap/brave/x1/opt/brave.com/brave/brave" sig=0 arch=c000003e syscall=272 compat=0 ip=0x7fca6a48a4d9 code=0x7ffc0000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.947:268): apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6024/setgroups" pid=6024 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.947:269): apparmor="ALLOWED" operation="capable" profile="snap.brave.brave" pid=6024 comm="brave" capability=21  capname="sys_admin"
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.947:270): apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6024/gid_map" pid=6024 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.947:271): apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6024/uid_map" pid=6024 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1326 audit(1542992042.947:272): auid=1000 uid=1000 gid=1000 ses=5 pid=6024 comm="brave" exe="/snap/brave/x1/opt/brave.com/brave/brave" sig=0 arch=c000003e syscall=272 compat=0 ip=0x7fca6a48a4d9 code=0x7ffc0000
Nov 23 16:54:02 ubuntu-bionic audit[5833]: AVC apparmor="ALLOWED" operation="capable" profile="snap.brave.brave" pid=5833 comm="brave" capability=21  capname="sys_admin"
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.959:273): apparmor="ALLOWED" operation="capable" profile="snap.brave.brave" pid=5833 comm="brave" capability=21  capname="sys_admin"
Nov 23 16:54:02 ubuntu-bionic audit[6025]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/setgroups" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic audit[6025]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/uid_map" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic audit[6025]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/gid_map" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.959:274): apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/setgroups" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.959:275): apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/uid_map" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.959:276): apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/gid_map" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:03 ubuntu-bionic audit[6025]: AVC apparmor="ALLOWED" operation="mkdir" profile="snap.brave.brave" name="/etc/opt/chrome/" pid=6025 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 23 16:54:03 ubuntu-bionic audit[6025]: SECCOMP auid=1000 uid=1000 gid=1000 ses=5 pid=6025 comm="brave" exe="/snap/brave/x1/opt/brave.com/brave/brave" sig=0 arch=c000003e syscall=272 compat=0 ip=0x7fe3eed204d9 code=0x7ffc0000
Nov 23 16:54:03 ubuntu-bionic audit[6025]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/setgroups" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:03 ubuntu-bionic audit[6025]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/gid_map" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:03 ubuntu-bionic audit[6025]: AVC apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/proc/6025/uid_map" pid=6025 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:03 ubuntu-bionic audit[5833]: AVC apparmor="ALLOWED" operation="capable" profile="snap.brave.brave" pid=5833 comm="brave" capability=19  capname="sys_ptrace"
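The paste above mixes profile-load STATUS lines, AppArmor AVC events (each logged twice, once by the audit daemon and once by the kernel) and SECCOMP lines. The helper below is an added example, not something from this thread or from snapd: it reduces journal output to one line per distinct AppArmor event for a chosen profile, so the actual policy hits can be read at a glance. The sample journal lines are constructed for the example (modelled on the paste, with an extra DENIED line and a second profile added to show the filter); the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: summarise AppArmor AVC events for one
# snap profile from `journalctl` output. apparmor="STATUS" lines are profile
# loads, not violations; apparmor="ALLOWED" means the access was logged but
# permitted (complain mode, e.g. devmode); apparmor="DENIED" means it was blocked.

# summarize_avc [PROFILE]   (reads journal lines on stdin)
# Prints "<count> <mode> <operation> <object> <denied_mask>", one line per
# distinct event; STATUS and SECCOMP lines are ignored.
summarize_avc() {
    awk -v want="${1:-}" '
        # value of  k="..."  in line; the leading space stops name= from
        # matching inside capname=
        function val(line, k) {
            if (match(line, " " k "=\"[^\"]*\""))
                return substr(line, RSTART + length(k) + 3, RLENGTH - length(k) - 4)
            return ""
        }
        / apparmor="(ALLOWED|DENIED)"/ {
            if (want != "" && val($0, "profile") != want) next
            obj = val($0, "name")
            if (obj == "") obj = val($0, "capname")      # capable events
            mask = val($0, "denied_mask"); if (mask == "") mask = "-"
            key = val($0, "apparmor") " " val($0, "operation") " " obj " " mask
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Constructed sample journal lines (shape taken from the paste above).
SAMPLE_LOG='Nov 23 16:53:30 ubuntu-bionic audit[5821]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.brave" pid=5821 comm="apparmor_parser"
Nov 23 16:54:02 ubuntu-bionic audit[5833]: AVC apparmor="ALLOWED" operation="mkdir" profile="snap.brave.brave" name="/etc/opt/chrome/" pid=5833 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic kernel: audit: type=1400 audit(1542992042.931:267): apparmor="ALLOWED" operation="mkdir" profile="snap.brave.brave" name="/etc/opt/chrome/" pid=5833 comm="brave" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 23 16:54:02 ubuntu-bionic audit[6024]: AVC apparmor="ALLOWED" operation="capable" profile="snap.brave.brave" pid=6024 comm="brave" capability=21  capname="sys_admin"
Nov 23 16:54:02 ubuntu-bionic audit[6024]: SECCOMP auid=1000 uid=1000 gid=1000 ses=5 pid=6024 comm="brave" exe="/snap/brave/x1/opt/brave.com/brave/brave" sig=0 arch=c000003e syscall=272 compat=0 ip=0x7fca6a48a4d9 code=0x7ffc0000
Nov 23 16:54:05 ubuntu-bionic audit[6100]: AVC apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/proc/6100/uid_map" pid=6100 comm="brave" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 23 16:54:05 ubuntu-bionic audit[6101]: AVC apparmor="ALLOWED" operation="open" profile="snap.other.app" name="/etc/hostname" pid=6101 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# Stand-alone demo on the constructed sample; on a live system pipe
# `sudo journalctl -k` or `sudo journalctl | grep audit` in instead.
echo "AppArmor events for snap.brave.brave:"
printf '%s\n' "$SAMPLE_LOG" | summarize_avc snap.brave.brave
```

The duplicate kernel/auditd copies collapse into one line with a count of 2, so a long paste from devmode boils down to a handful of distinct accesses (here the /etc/opt/chrome/ mkdir, the sys_admin capability, and the uid_map write) that can be compared against what the connected interfaces are supposed to grant.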

#24

Are you using allow-sandbox?


#25

Thanks for responding @chipaca. I think I’m using it correctly? https://github.com/posix4e/brave/blob/sandbox/snap/snapcraft.yaml#L76


#26

I guess the question is more like “why do you use it”?

Snap confinement is essentially already a secure sandbox, so with this option you force the browser to run one sandbox inside another sandbox…


#27

Although they sound similar, the isolation is very fine grained in chromium. Is there some concern about the different forms of isolation?


#28

It is indeed not wrong, but it adds duplication and potentially also a performance penalty (I doubt anyone measured that though, so just guessing here).


#29

There might be an issue because you are using:

apps:
  brave:
    plugs:
      ...
      - browser-sandbox
      - browser-support
      ...

plugs:
  browser-sandbox:
    interface: browser-support
    allow-sandbox: true

I.e., you are plugging both browser-support and your defined browser-sandbox. Try removing browser-support from apps/brave/plugs, then remove/install the snap and see if that helps. If it does, please file a bug at https://bugs.launchpad.net/snapd/+filebug pointing to this forum topic.

As for brave’s use of allow-sandbox: it is expected that major browser vendors like brave will want to use allow-sandbox so it is fine and expected that the brave snap is using it.


#30

I removed browser-support and no change. Still crashing with no sandbox.


#31

Can you paste the output of snap interfaces brave? You should see something like:

$ snap interfaces brave
Slot                            Plug
:browser-support                brave:browser-sandbox

If you don’t see the above, please run:

$ sudo snap connect brave:browser-sandbox

and try again. If you are still seeing policy violations, please paste the output of cat /var/lib/snapd/apparmor/profiles/snap.brave.brave as well as snap interfaces brave and snap list brave.


#32

You are onto something. The snap connect fixes the sandbox bug.

Without connect we get the sandbox bug, but once we connect it works:

Example:

vagrant@ubuntu-bionic:/vagrant$  snap interfaces brave
Slot                            Plug
:desktop                        brave
:gsettings                      brave
:home                           brave
:network                        brave,lxd
:opengl                         brave
:pulseaudio                     brave
:screen-inhibit-control         brave
:unity7                         brave
:upower-observe                 brave
:x11                            brave
gtk-common-themes:gtk-3-themes  brave
gtk-common-themes:icon-themes   brave
gtk-common-themes:sound-themes  brave
-                               brave:alsa
-                               brave:avahi-observe
-                               brave:browser-sandbox
-                               brave:camera
-                               brave:cups-control
-                               brave:mount-observe
-                               brave:password-manager-service
vagrant@ubuntu-bionic:/vagrant$ sudo snap connect brave:browser-sandbox
vagrant@ubuntu-bionic:/vagrant$  snap interfaces brave
Slot                            Plug
:browser-support                brave:browser-sandbox
:desktop                        brave
:gsettings                      brave
:home                           brave
:network                        brave,lxd
:opengl                         brave
:pulseaudio                     brave
:screen-inhibit-control         brave
:unity7                         brave
:upower-observe                 brave
:x11                            brave
gtk-common-themes:gtk-3-themes  brave
gtk-common-themes:icon-themes   brave
gtk-common-themes:sound-themes  brave
-                               brave:alsa
-                               brave:avahi-observe
-                               brave:camera
-                               brave:cups-control
-                               brave:mount-observe
-                               brave:password-manager-service
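The check described in the previous two posts (look at snap interfaces brave, and run snap connect brave:browser-sandbox if the browser-sandbox plug shows "-" in the Slot column) can be scripted for a developer workflow where the store's auto-connect does not apply. The following is an added example, not code from this thread or from snapd; the function names are the example's own, and the two tables it tests against are constructed samples cut down from the output above.

```shell
#!/bin/sh
# Added example, not from the thread: decide from the output of
# `snap interfaces <snap>` whether a plug is connected, and connect it only
# when it is not. In that table the Slot column is "-" for a plug with no
# slot connected.

# plug_connected SNAP PLUG   (reads the `snap interfaces` table on stdin)
# Exit 0 if SNAP:PLUG is listed with a real slot, 1 if it is "-" or absent.
plug_connected() {
    awk -v want="$1:$2" '
        NR > 1 {                        # skip the "Slot  Plug" header row
            n = split($2, plugs, ",")   # Plug column may read "brave,lxd"
            for (i = 1; i <= n; i++)
                if (plugs[i] == want) { print $1; exit }
        }' | grep -qv '^-$'
}

# ensure_plug SNAP PLUG: connect the plug if the live system reports it
# disconnected. Needs a real snapd; the samples below do not.
ensure_plug() {
    if ! command -v snap >/dev/null 2>&1; then
        echo "snap command not found" >&2; return 2
    fi
    if snap interfaces "$1" | plug_connected "$1" "$2"; then
        echo "$1:$2 already connected"
    else
        sudo snap connect "$1:$2" && echo "connected $1:$2"
    fi
}

# Constructed samples modelled on the before/after tables in this thread.
SAMPLE_BEFORE='Slot                            Plug
:desktop                        brave
:network                        brave,lxd
-                               brave:browser-sandbox
-                               brave:camera'

SAMPLE_AFTER='Slot                            Plug
:browser-support                brave:browser-sandbox
:desktop                        brave
:network                        brave,lxd
-                               brave:camera'

# Stand-alone demo on the samples; use `ensure_plug brave browser-sandbox`
# on a machine with snapd.
for sample in BEFORE AFTER; do
    eval "table=\$SAMPLE_$sample"
    if printf '%s\n' "$table" | plug_connected brave browser-sandbox; then
        echo "$sample: brave:browser-sandbox is connected"
    else
        echo "$sample: brave:browser-sandbox NOT connected (sudo snap connect brave:browser-sandbox)"
    fi
done
```

The plug is matched against the whole Plug column rather than a substring, so a row such as ":network brave,lxd" is split on commas and "brave" alone never matches "brave:browser-sandbox"; a plug that is missing from the table entirely is also reported as not connected, which is the right answer for a snap whose snapcraft.yaml never declared it.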

#33

Ok good. Note that ‘brave’ in the store already has a snap declaration granted that will auto-connect this for you when users download the snap, but you’ll want to connect it manually as part of your developer workflow.


#34

OK, updating the PR and publishing the package; feel free to close this.


#35

If you’re publishing to the snap store yourself, then the snapcrafters repository is no longer the “source of truth”. If you still consider that the snapcrafters repository should be the source of truth, then it’s probably best not to publish snaps built from source that isn’t what is currently in the snapcrafters repository.


#36

Right, the snapcrafters repo is the source of truth; we will merge the PR first.


#37

How can I get snapcrafters to merge my PR? https://github.com/snapcrafters/brave/pull/21 Can I become a snapcrafter? I have the support of Brave.


#38

As far as I know, only a snap advocate (@popey @Wimpress @evan) can merge the PR. I would help test, but I’m not sure how to test this.

I’m sure you can join the snapcrafters GitHub org though I’m not sure if you can get merge/commit access for Brave or not. Hopefully a snap advocate will reply!


#39

I am sure the Brave people would support me! I’m one of the Linux package helpers for Brave.


#40

Apologies for the delay. I’ll take a look.