Closed Sadoon-AlBader closed 11 months ago
I've installed Brave for now but would prefer to use Chromium as I can't add repos with signatures properly (because it's not supposed to be done, I suppose, lol). Here's an example:
This is not accurate. You can install brave with signatures with this:
cat << EOF > /etc/yum.repos.d/brave-browser.repo
[brave-browser]
name=Brave Browser
enabled=1
autorefresh=1
baseurl=https://brave-browser-rpm-release.s3.brave.com/x86_64
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://brave-browser-rpm-release.s3.brave.com/brave-core.asc
EOF
The only links I can click on are "Latest News" and "Older News" at the bottom, as well as the main "Arch Linux" image on the top. Happens on many websites.
Are you on wayland? If so, did you set it as the ozone platform?
https://github.com/trytomakeyouprivate/braveinstall-fedora-atomic
Look at this: an automated script that can install every release model of Brave plus the matching repo GPG key. It works normally, but unlike MullvadVPN, for example, it doesn't fetch the key itself from an online source.
# repos
/etc/yum.repos.d/x.repo
# keys
/etc/pki/rpm-gpg/x.asc
This is not accurate. You can install brave with signatures with this:
Ah awesome, thanks for the tip!
Are you on wayland? If so, did you set it as the ozone platform?
Yes, and I tried both ozone platforms to no avail unfortunately. Looks like there's a new system update, will attempt now.
Can you provide more details about your system?
Are you on nvidia?
and, what's the output of:
echo $XDG_SESSION_TYPE
Not on nvidia, it's an Alder Lake i7-1260P laptop with integrated graphics:
$ echo $XDG_SESSION_TYPE
wayland
Are you able to reproduce this if you layer chromium on top of vanilla kinoite?
I was able to find the issue by coincidence. Leaving /etc/sysctl.d/hardening.conf intact, the issue persists. Commenting out
user.max_user_namespaces = 0
kernel.unprivileged_userns_clone = 0
...which I did to get podman and toolbox working, solved the issue. It's really weird. I just tried twice again to be 100% sure and yep, that's it.
Posting again due to the severity of the security implications of doing this.
Do not do this.
This opens up a massive security hole. https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj https://github.com/secureblue/secureblue/issues/87#issuecomment-1836691730
It's pretty scary tbh, but what are our options now? We need podman to build secureblue at least, and we need to find out why disabling userns breaks chromium (at least on my machine? Will also test on the older laptop)
This doesn't make much sense. Is this the chromium rpm from secureblue? Also, with the issue reproduced, can you post the output of chrome://sandbox?
It's pretty scary tbh, but what are our options now? We need podman to build secureblue at least
You don't. You can use github actions in a personal fork to do a cloud build, or use a ublue vm.
and we need to find out why disabling userns breaks chromium (at least on my machine? Will also test on the older laptop)
Yes, have a look at my questions above.
Yep, didn't change chromium at all (but also how can I be 100% sure that it wasn't changed to the Fedora version?)
Layer 1 Sandbox | SUID
PID namespaces | Yes
Network namespaces | Yes
Seccomp-BPF sandbox | Yes
Seccomp-BPF sandbox supports TSYNC | Yes
Ptrace Protection with Yama LSM (Broker) | Yes
Ptrace Protection with Yama LSM (Non-broker) | Yes
You are adequately sandboxed.
There's no difference between the secureblue and fedora version. I was clarifying that you didn't install via distrobox.
The SUID sandbox is being used successfully. So my guess is that the SUID sandbox is causing issues where the namespace sandbox isn't. I have no idea why that would be and I haven't been able to reproduce this on any machine. If that's the underlying cause, then this is likely an upstream issue with the chromium suid sandbox.
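Added example, not code from this thread or from secureblue: a POSIX shell audit that reads the two user-namespace sysctls from a sysctl.d fragment like the hardening.conf quoted above and reports whether Chromium can use its namespace sandbox or will fall back to the setuid helper, so the state behind a report like this one can be checked without changing the hardening settings. The file path and sample fragment are constructed, and treating a missing key as the kernel default (user namespaces allowed) is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or secureblue). Audits a sysctl.d
# fragment for the two user-namespace knobs and reports the Chromium
# sandbox layer they imply. The sample file below is constructed.

# Effective value of one key in a sysctl.d-style file: comments stripped,
# last assignment wins (the precedence sysctl --system applies per file).
# Prints nothing if the key is not set.
sysctl_file_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        index($0, "=") > 0 {
            n = index($0, "=")
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# "namespace": unprivileged user namespaces allowed, Chromium can use its
# namespace sandbox. "suid-fallback": either knob is 0, so Chromium needs
# the setuid helper (the "Layer 1 Sandbox | SUID" state shown above).
# Assumption: an unset key means the kernel default, i.e. allowed.
chromium_sandbox_layer() {
    max_ns="$(sysctl_file_value "$1" user.max_user_namespaces)"
    clone="$(sysctl_file_value "$1" kernel.unprivileged_userns_clone)"
    if [ "$max_ns" = "0" ] || [ "$clone" = "0" ]; then
        echo suid-fallback
    else
        echo namespace
    fi
}

# Constructed sample modelled on the hardening.conf lines quoted above.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
user.max_user_namespaces = 0
kernel.unprivileged_userns_clone = 0
EOF
chromium_sandbox_layer "$sample"   # prints: suid-fallback
rm -f "$sample"
```

Point it at the real /etc/sysctl.d/hardening.conf to see which layer a given machine should end up with before comparing against chrome://sandbox.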
wrt this, I found a solution for apps not available on Fedora repos, but it's unrelated to this issue. Perhaps a small wiki for workarounds and tips is a good idea? ex: had no idea waypipe existed, works quite well and is a good way to fully sandbox apps in a VM since podman and co. are not available for security reasons.
Fresh install of secureblue on another laptop, chromium has no issues. Verified with chromium --version that they are the same version. I'll try to rule out hardware by fresh installing secureblue on a flash drive and testing later.
Curious, what apps are you trying to use that aren't available in fedora or flatpak?
Please confirm whether you were able to reproduce.
Closing as no confirmation of repro. Please reopen if you can repro.
Ah was swamped with work today, cannot reproduce at all on different machines or even different users on the same machine so you can ignore this, probably something wrong with my account. Thanks!
Neither Brave nor the Koji Chromium are affected by disabled user namespaces. They just work
This repo doesn't use koji chromium anymore, and we already confirmed this is specific to his machine. Please do not resurrect old issues unless they are reproducible.