
Linux SUID sandbox doesn't work in Brave #6247

Closed
morfikov opened this issue Oct 1, 2019 · 3 comments · Fixed by brave/brave-core#4223

Comments


morfikov commented Oct 1, 2019

I noticed that when the brave-keyring debian package is installed, it manipulates the kernel.unprivileged_userns_clone setting, and the option is set to 1. Why do you do this? All the other browsers (chromium, google-chrome, opera) work fine with kernel.unprivileged_userns_clone set to 0. In such case, the browsers simply execute the *-sandbox binary. But in the case of brave, when the option kernel.unprivileged_userns_clone is set to 0 I get the following error:

$ brave-browser
[981631:981631:1001/124303.671622:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! You probably need to enable user namespaces in your kernel. See https://brave-browser.readthedocs.io/en/latest/installing-brave.html#linux for more information.
[1]    981631 trace trap  brave-browser

I also noticed that the /opt/brave.com/brave/brave-sandbox binary isn't executed at all. The strace said that /opt/brave.com/brave/chrome-sandbox was not found. I created a link to brave-sandbox and called it chrome-sandbox:

# ls -al /opt/brave.com/brave | grep sandbox
-rwsr-xr-x 1 root root    227928 2019-09-27 19:31:57 brave-sandbox*
lrwxrwxrwx 1 root root        13 2019-10-01 12:46:35 chrome-sandbox -> brave-sandbox*

Now when I start brave-browser it works and executes its sandbox like the other browsers execute theirs:

# ps aux | grep sandbox
morfik    984752  0.0  0.0   2724  1872 pts/13   S+   12:47   0:00 /opt/brave.com/brave/chrome-sandbox /opt/brave.com/brave/brave --type=zygote
...

So what do you think about creating this little chrome-sandbox link? In this way the brave browser would support both of the values (0/1) of the kernel.unprivileged_userns_clone option, and you wouldn't have to manipulate sysctl kernel parameters, which isn't really a good thing.


kjozwiak commented Oct 7, 2019

CCing @fmarier.


fmarier commented Oct 7, 2019

You're right, that was added in #5502 in order to make Brave work in the default Debian configuration (while user namespaces are enabled by default in Ubuntu, they're not in Debian). The reason why we require user namespaces is that the chrome sandbox is deprecated: #1986 (comment)

Thanks for pointing out that renaming/symlinking the sandbox binary makes it work. Based on what we've heard from Chromium developers however, this is not likely to work in the long run as user namespaces is the only mechanism that's supported upstream.

@fmarier fmarier self-assigned this Dec 13, 2019
@fmarier fmarier added this to the 1.4.x - Nightly milestone Dec 18, 2019
@fmarier fmarier changed the title Question about kernel.unprivileged_userns_clone=0 Linux SUID sandbox doesn't work in Brave Dec 18, 2019
fmarier added a commit to fmarier/brave-release that referenced this issue Dec 31, 2019
…#7506)

Now that the SUID sandbox is fixed (brave/brave-browser#6247), it
is no longer required to enable user namespaces in order to use
Brave.
@btlechowski

Verification passed on

Brave 1.2.40 Chromium: 79.0.3945.88 (Official Build) (64-bit)
Revision c2a58a36b9411c80829b4b154bfcab97e581f1f3-refs/branch-heads/3945@{#954}
OS Ubuntu 18.04 LTS

Verified test plan from brave/brave-core#4223


daradib added a commit to ocf/puppet that referenced this issue Jul 14, 2020
Only allow ptrace from a parent process to its children or via
CAP_SYS_PTRACE.

To verify sandbox status for Brave, Chrome, Firefox see
brave://sandbox, chrome://sandbox, about:support, respectively.

Also describe disadvantages of enabling unprivileged user namespaces.
Distributions like Debian currently disable unprivileged user namespaces
by default to decrease the kernel attack surface for local privilege
escalation. See Debian bug #898446. If kept disabled, Brave 1.2+ and
Chrome will still enforce namespace sandboxing via their setuid-root
helper executable. See brave/brave-browser#3420 and
brave/brave-browser#6247. Firefox does not include a setuid-root binary,
however, so unprivileged user namespaces are useful to have for
defence-in-depth, but not critical. See
<https://www.morbo.org/2018/05/linux-sandboxing-improvements-in_10.html>.
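The two sandbox paths discussed in this thread (morfikov's report and the commit message above), as an added example that is neither Brave's code nor posted by anyone here: with kernel.unprivileged_userns_clone=1 the browser can build a user-namespace sandbox; with it set to 0 it needs a setuid-root chrome-sandbox helper next to the browser binary, as in the -rwsr-xr-x root-owned listing in the report. The install path, the treatment of kernels without the Debian sysctl, and the exact file checks are assumptions for illustration.

```python
import os
import stat
from typing import Optional

# Debian/Ubuntu-specific sysctl; absent on kernels without that patch.
SYSCTL_PATH = "/proc/sys/kernel/unprivileged_userns_clone"


def classify_sandbox(userns_clone: Optional[int], helper_uid: Optional[int],
                     helper_mode: Optional[int]) -> str:
    """Pure decision logic, testable without root.

    userns_clone: sysctl value, or None when the kernel lacks the knob
                  (treated here as user namespaces allowed; a simplification).
    helper_uid/helper_mode: st_uid/st_mode of chrome-sandbox, None if absent.
    """
    if userns_clone is None or userns_clone == 1:
        return "user-namespace sandbox"
    if helper_uid is None or helper_mode is None:
        return "no usable sandbox: chrome-sandbox missing"
    if helper_uid != 0:
        return "no usable sandbox: chrome-sandbox not owned by root"
    if not helper_mode & stat.S_ISUID:
        return "no usable sandbox: chrome-sandbox lacks the setuid bit"
    if not helper_mode & stat.S_IXOTH:
        return "no usable sandbox: chrome-sandbox not executable by others"
    return "setuid sandbox"


def read_userns_clone(path: str = SYSCTL_PATH) -> Optional[int]:
    """Return the sysctl value, or None if the kernel has no such file."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except FileNotFoundError:
        return None


def inspect_install(install_dir: str) -> str:
    """Classify a real install directory (the path is an assumption)."""
    helper = os.path.join(install_dir, "chrome-sandbox")
    try:
        st = os.stat(helper)
        uid, mode = st.st_uid, st.st_mode
    except FileNotFoundError:
        uid = mode = None
    return classify_sandbox(read_userns_clone(), uid, mode)


if __name__ == "__main__":
    print(inspect_install("/opt/brave.com/brave"))
```

Running it on a Debian host with the sysctl at 0 and no chrome-sandbox link reproduces the "No usable sandbox" condition from the report; adding the root-owned setuid link switches the verdict to the setuid sandbox.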