secureblue / secureblue

Hardened Fedora Atomic and Fedora CoreOS images
https://github.com/secureblue/secureblue/wiki
Apache License 2.0

Chromium is buggy and cannot detect links in many pages #93

Closed Sadoon-AlBader closed 11 months ago

Sadoon-AlBader commented 11 months ago

I've installed Brave for now but would prefer to use Chromium, as I can't add repos with signatures properly (because it's not supposed to be done, I suppose, lol). Here's an example:

[screenshot]

The only links I can click on are "Latest News" and "Older News" at the bottom, as well as the main "Arch Linux" image on the top. Happens on many websites.

rpm-ostree status -v
State: idle
warning: Failed to query journal: couldn't find current boot in journal
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: last run 18min ago
Deployments:
  ostree-image-signed:docker://ghcr.io/secureblue/kinoite-main-hardened:latest (index: 0)
                   Digest: sha256:4fac4934fdf37bb6c493dac28c603bdb2ada89906f2b284a704843470113e13f
                  Version: 39.20231130.0 (2023-11-30T22:39:48Z)
               BaseCommit: dd5626e10b2a5b094cdd3d8edfcaab90ea895accb0a2f0a542a8ec1cd2ccb71c
                   Commit: 8315045542385e9676a6613b362dcae9d0525de1e278b70abb9a80e16a6f28ad
                           ├─ brave-browser (2023-11-29T17:34:14Z)
                           ├─ copr:copr.fedorainfracloud.org:secureblue:bubblejail (2023-11-27T18:33:01Z)
                           ├─ copr:copr.fedorainfracloud.org:secureblue:bubblewrap-suid (2023-11-27T18:45:19Z)
                           ├─ copr:copr.fedorainfracloud.org:secureblue:hardened_malloc (2023-11-27T18:34:44Z)
                           ├─ copr:copr.fedorainfracloud.org:ublue-os:akmods (2023-11-26T23:21:11Z)
                           ├─ fedora (2023-11-01T00:12:39Z)
                           ├─ fedora-cisco-openh264 (2023-03-14T10:57:01Z)
                           ├─ rpmfusion-free (2023-11-04T16:49:08Z)
                           ├─ rpmfusion-free-updates (2023-11-24T19:24:24Z)
                           ├─ rpmfusion-nonfree (2023-11-04T17:26:32Z)
                           ├─ rpmfusion-nonfree-updates (2023-11-24T19:44:29Z)
                           ├─ updates (2023-12-01T01:15:12Z)
                           └─ updates-archive (2023-11-26T03:04:34Z)
                   Staged: yes
                StateRoot: fedora
            SecAdvisories: FEDORA-2023-fa01e4c6ba  Moderate   xen-libs-4.17.2-5.fc39.x86_64
                           FEDORA-2023-fa01e4c6ba  Moderate   xen-licenses-4.17.2-5.fc39.x86_64
                           FEDORA-2023-ad944c2d34  Important  libcap-2.48-8.fc39.x86_64
                 Upgraded: ethtool 2:6.5-1.fc39 -> 2:6.6-1.fc39
                           fedora-appstream-metadata 20231107-1.fc39 -> 20231124-1.fc39
                           fedora-release-common 39-30 -> 39-34
                           fedora-release-identity-kinoite 39-30 -> 39-34
                           fedora-release-kinoite 39-30 -> 39-34
                           fedora-release-ostree-desktop 39-30 -> 39-34
                           kernel 6.5.12-300.fc39 -> 6.6.2-201.fc39
                           kernel-core 6.5.12-300.fc39 -> 6.6.2-201.fc39
                           kernel-modules 6.5.12-300.fc39 -> 6.6.2-201.fc39
                           kernel-modules-core 6.5.12-300.fc39 -> 6.6.2-201.fc39
                           kernel-modules-extra 6.5.12-300.fc39 -> 6.6.2-201.fc39
                           libcap 2.48-7.fc39 -> 2.48-8.fc39
                           liburing 2.4-3.fc39 -> 2.5-1.fc39
                           libwnck3 43.0-5.fc39 -> 43.0-6.fc39
                           qt5-qtbase 5.15.11-6.fc39 -> 5.15.11-7.fc39
                           qt5-qtbase-common 5.15.11-6.fc39 -> 5.15.11-7.fc39
                           qt5-qtbase-gui 5.15.11-6.fc39 -> 5.15.11-7.fc39
                           qt5-qtbase-mysql 5.15.11-6.fc39 -> 5.15.11-7.fc39
                           xen-libs 4.17.2-4.fc39 -> 4.17.2-5.fc39
                           xen-licenses 4.17.2-4.fc39 -> 4.17.2-5.fc39
          LayeredPackages: axel brave-browser kcm_systemd mc openssh-server powertop
                           virt-manager zsh

● ostree-image-signed:docker://ghcr.io/secureblue/kinoite-main-hardened:latest (index: 1)
                   Digest: sha256:64988e75836bf816afdb1b5c82b6cebea8bda1f20ff408441ebc3c73c5c67e99
                  Version: 39.20231129.0 (2023-11-30T03:58:35Z)
               BaseCommit: eb6fa7f593f26400eb42bf00db28cf1ec7130bb2de9262b3a415ecd5882db792
                   Commit: 51bc77242f005fe5413f4d4ab9a4c64953027871097c6d20d0e41c41b15cfce1
                           ├─ brave-browser (2023-11-29T17:34:14Z)
                           ├─ copr:copr.fedorainfracloud.org:secureblue:bubblewrap-suid (2023-11-27T18:45:19Z)
                           ├─ copr:copr.fedorainfracloud.org:secureblue:hardened_malloc (2023-11-27T18:34:44Z)
                           ├─ copr:copr.fedorainfracloud.org:ublue-os:akmods (2023-11-26T23:21:11Z)
                           ├─ fedora (2023-11-01T00:12:39Z)
                           ├─ fedora-cisco-openh264 (2023-03-14T10:57:01Z)
                           ├─ rpmfusion-free (2023-11-04T16:49:08Z)
                           ├─ rpmfusion-free-updates (2023-11-24T19:24:24Z)
                           ├─ rpmfusion-nonfree (2023-11-04T17:26:32Z)
                           ├─ rpmfusion-nonfree-updates (2023-11-24T19:44:29Z)
                           ├─ updates (2023-11-29T01:22:53Z)
                           └─ updates-archive (2023-11-26T03:04:34Z)
                StateRoot: fedora
          LayeredPackages: axel brave-browser kcm_systemd mc openssh-server powertop
                           virt-manager zsh

  ostree-image-signed:docker://ghcr.io/secureblue/kinoite-main-hardened:latest (index: 2)
                   Digest: sha256:5997def03e423a7881a260a2af7f69100c3745b1c8b16db703a31cc595a839e2
                  Version: 39.20231128.0 (2023-11-29T16:42:11Z)
               BaseCommit: d98e544f7ceb87af184a342e9667ca5c19fd094e61ab42e97c4d23cfbdf9e960
                   Commit: 333c3bdbd0b939ec365c81bc752191d4422e2b5ba7b9dbffd65310ec1a5c2acb
                           ├─ brave-browser (2023-11-29T17:34:14Z)
                           ├─ copr:copr.fedorainfracloud.org:secureblue:bubblewrap-suid (2023-11-27T18:45:19Z)
                           ├─ copr:copr.fedorainfracloud.org:secureblue:hardened_malloc (2023-11-27T18:34:44Z)
                           ├─ copr:copr.fedorainfracloud.org:ublue-os:akmods (2023-11-26T23:21:11Z)
                           ├─ fedora (2023-11-01T00:12:39Z)
                           ├─ fedora-cisco-openh264 (2023-03-14T10:57:01Z)
                           ├─ rpmfusion-free (2023-11-04T16:49:08Z)
                           ├─ rpmfusion-free-updates (2023-11-24T19:24:24Z)
                           ├─ rpmfusion-nonfree (2023-11-04T17:26:32Z)
                           ├─ rpmfusion-nonfree-updates (2023-11-24T19:44:29Z)
                           ├─ updates (2023-11-29T01:22:53Z)
                           └─ updates-archive (2023-11-26T03:04:34Z)
                StateRoot: fedora
         InactiveRequests: openssh-server
          LayeredPackages: axel brave-browser kcm_systemd mc powertop virt-manager zsh

RoyalOughtness commented 11 months ago

I've installed Brave for now but would prefer to use Chromium as I can't add repos with signatures properly

This is not accurate. You can install brave with signatures with this:

cat << EOF > /etc/yum.repos.d/brave-browser.repo
[brave-browser]
name=Brave Browser
enabled=1
autorefresh=1
baseurl=https://brave-browser-rpm-release.s3.brave.com/x86_64
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://brave-browser-rpm-release.s3.brave.com/brave-core.asc
EOF

The only links I can click on are "Latest News" and "Older News" at the bottom, as well as the main "Arch Linux" image on the top.

Are you on wayland? If so, did you set it as the ozone platform?
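
The repo definition above is the strong form (both package and metadata signatures checked, key fetched over HTTPS). As an added example that is not part of the project or of this thread, here is a small audit script for `/etc/yum.repos.d` that flags definitions missing those properties; the sample texts are constructed (the Brave one copied from the comment above, the weak one invented with an `.invalid` host), and the `audit_repo`/`audit_repo_dir` names are my own.

```python
import configparser
import pathlib

# Constructed sample: the Brave definition quoted in the thread (strong form).
BRAVE_REPO = """\
[brave-browser]
name=Brave Browser
enabled=1
autorefresh=1
baseurl=https://brave-browser-rpm-release.s3.brave.com/x86_64
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://brave-browser-rpm-release.s3.brave.com/brave-core.asc
"""

# Constructed sample of a weak definition: no signature checks, plaintext URL,
# no key to verify against. The host is a reserved .invalid name.
WEAK_REPO = """\
[example-weak]
name=Example (constructed, not a real repository)
enabled=1
baseurl=http://repo.example.invalid/x86_64
gpgcheck=0
"""


def parse_repo(text):
    """Yum/dnf .repo files are INI-style; configparser handles them directly."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_repo(text):
    """Return (section, finding) tuples for each weakness in an enabled repo.

    Missing gpgcheck/repo_gpgcheck are treated as unset (not verified), which
    is the conservative reading: verification must be stated explicitly.
    """
    findings = []
    cp = parse_repo(text)
    for name in cp.sections():
        sec = cp[name]
        if sec.get("enabled", "1").strip() != "1":
            continue  # a disabled repo cannot pull packages; nothing to flag
        if sec.get("gpgcheck", "0").strip() != "1":
            findings.append((name, "gpgcheck is not 1: package signatures are not verified"))
        if sec.get("repo_gpgcheck", "0").strip() != "1":
            findings.append((name, "repo_gpgcheck is not 1: repository metadata is not verified"))
        if not sec.get("gpgkey", "").strip():
            findings.append((name, "no gpgkey: nothing to verify signatures against"))
        # Any plaintext URL lets a network attacker swap metadata, packages or the key.
        for key in ("baseurl", "metalink", "mirrorlist", "gpgkey"):
            for url in sec.get(key, "").split():
                if url.startswith("http://"):
                    findings.append((name, f"{key} uses plaintext http: {url}"))
    return findings


def audit_repo_dir(directory="/etc/yum.repos.d"):
    """Audit every *.repo file in a directory; returns {path: findings}."""
    results = {}
    for path in sorted(pathlib.Path(directory).glob("*.repo")):
        results[str(path)] = audit_repo(path.read_text())
    return results


if __name__ == "__main__":
    for path, findings in audit_repo_dir().items():
        for section, finding in findings:
            print(f"{path} [{section}]: {finding}")
```

Run it as-is on a host to list weak definitions; `audit_repo(BRAVE_REPO)` returns an empty list, while the constructed weak repo yields four findings.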

boredsquirrel commented 11 months ago

https://github.com/trytomakeyouprivate/braveinstall-fedora-atomic

Look at this: an automated script that can install every release model of Brave plus the matching repo GPG key. It works normally, but unlike MullvadVPN, for example, it doesn't fetch the key itself from an online source.

# repos
/etc/yum.repos.d/x.repo

# keys
/etc/pki/rpm-gpg/x.asc

Sadoon-AlBader commented 11 months ago

This is not accurate. You can install brave with signatures with this:

Ah awesome, thanks for the tip!

Are you on wayland? If so, did you set it as the ozone platform?

Yes, and I tried both ozone platforms to no avail unfortunately. Looks like there's a new system update, will attempt now.

RoyalOughtness commented 11 months ago

This is not accurate. You can install brave with signatures with this:

Ah awesome, thanks for the tip!

Are you on wayland? If so, did you set it as the ozone platform?

Yes, and I tried both ozone platforms to no avail unfortunately. Looks like there's a new system update, will attempt now.

Can you provide more details about your system?

Are you on nvidia?

And what's the output of:

echo $XDG_SESSION_TYPE

Sadoon-AlBader commented 11 months ago

This is not accurate. You can install brave with signatures with this:

Ah awesome, thanks for the tip!

Are you on wayland? If so, did you set it as the ozone platform?

Yes, and I tried both ozone platforms to no avail unfortunately. Looks like there's a new system update, will attempt now.

Can you provide more details about your system?

Are you on nvidia?

And what's the output of:

echo $XDG_SESSION_TYPE

Not on nvidia; it's an Alder Lake i7-1260P laptop with integrated graphics:

$ echo $XDG_SESSION_TYPE
wayland

RoyalOughtness commented 11 months ago

This is not accurate. You can install brave with signatures with this:

Ah awesome, thanks for the tip!

Are you on wayland? If so, did you set it as the ozone platform?

Yes, and I tried both ozone platforms to no avail unfortunately. Looks like there's a new system update, will attempt now.

Can you provide more details about your system? Are you on nvidia? And what's the output of:

echo $XDG_SESSION_TYPE

Not on nvidia; it's an Alder Lake i7-1260P laptop with integrated graphics:

$ echo $XDG_SESSION_TYPE
wayland

Are you able to reproduce this if you layer chromium on top of vanilla kinoite?

Sadoon-AlBader commented 11 months ago

This is not accurate. You can install brave with signatures with this:

Ah awesome, thanks for the tip!

Are you on wayland? If so, did you set it as the ozone platform?

Yes, and I tried both ozone platforms to no avail unfortunately. Looks like there's a new system update, will attempt now.

Can you provide more details about your system? Are you on nvidia? And what's the output of:

echo $XDG_SESSION_TYPE

Not on nvidia; it's an Alder Lake i7-1260P laptop with integrated graphics:

$ echo $XDG_SESSION_TYPE
wayland

Are you able to reproduce this if you layer chromium on top of vanilla kinoite?

I was able to find the issue by coincidence. Leaving the /etc/sysctl.d/hardening.conf intact, issue persists. Commenting out

user.max_user_namespaces = 0
kernel.unprivileged_userns_clone = 0

...which I did to get podman and toolbox working, solved the issue. It's really weird. I just tried twice again to be 100% sure, and yep, that's it.

RoyalOughtness commented 11 months ago

...which I did to get podman and toolbox working, solved the issue. It's really weird. I just tried twice again to be 100% sure, and yep, that's it.

Posting again due to the severity of the security implications of doing this.

Do not do this.

This opens up a massive security hole. https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj https://github.com/secureblue/secureblue/issues/87#issuecomment-1836691730

Sadoon-AlBader commented 11 months ago

It's pretty scary tbh, but what are our options now? We need podman to build secureblue at least, and we need to find out why disabling userns breaks chromium (at least on my machine? Will also test on the older laptop)

RoyalOughtness commented 11 months ago

...which I did to get podman and toolbox working, solved the issue. It's really weird. I just tried twice again to be 100% sure, and yep, that's it.

This doesn't make much sense. Is this the chromium rpm from secureblue? Also, with the issue reproduced, can you post the output of chrome://sandbox?

RoyalOughtness commented 11 months ago

It's pretty scary tbh, but what are our options now? We need podman to build secureblue at least

You don't. You can use github actions in a personal fork to do a cloud build, or use a ublue vm.

and we need to find out why disabling userns breaks chromium (at least on my machine? Will also test on the older laptop)

Yes, have a look at my questions above.

Sadoon-AlBader commented 11 months ago

This doesn't make much sense. Is this the chromium rpm from secureblue? Also, with the issue reproduced, can you post the output of chrome://sandbox?

Yep, didn't change chromium at all (but also how can I be 100% sure that it wasn't changed to the Fedora version?)

Layer 1 Sandbox | SUID
PID namespaces | Yes
Network namespaces | Yes
Seccomp-BPF sandbox | Yes
Seccomp-BPF sandbox supports TSYNC | Yes
Ptrace Protection with Yama LSM (Broker) | Yes
Ptrace Protection with Yama LSM (Non-broker) | Yes

You are adequately sandboxed.

RoyalOughtness commented 11 months ago

Yep, didn't change chromium at all (but also how can I be 100% sure that it wasn't changed to the Fedora version?)

There's no difference between the secureblue and fedora version. I was clarifying that you didn't install via distrobox.

Layer 1 Sandbox | SUID
PID namespaces | Yes
Network namespaces | Yes
Seccomp-BPF sandbox | Yes
Seccomp-BPF sandbox supports TSYNC | Yes
Ptrace Protection with Yama LSM (Broker) | Yes
Ptrace Protection with Yama LSM (Non-broker) | Yes

You are adequately sandboxed.

The SUID sandbox is being used successfully. So my guess is that the SUID sandbox is causing issues where the namespace sandbox isn't. I have no idea why that would be and I haven't been able to reproduce this on any machine. If that's the underlying cause, then this is likely an upstream issue with the chromium suid sandbox.
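
To make the reasoning in this comment checkable on another machine, here is an added diagnostic (my own code, not secureblue's or Chromium's) that parses a pasted chrome://sandbox table together with a sysctl.d fragment and reports whether the observed layer-1 sandbox matches what the userns settings predict. It assumes Chromium reports the layer-1 sandbox as "Namespace" when unprivileged user namespaces are usable and "SUID" when it falls back to the setuid helper; the sample inputs are constructed (the table is the one pasted above, the sysctl text mirrors the two keys discussed earlier), and the function names are mine.

```python
# Constructed sample: the chrome://sandbox output pasted earlier in the thread.
SANDBOX_PAGE = """\
Layer 1 Sandbox | SUID
PID namespaces | Yes
Network namespaces | Yes
Seccomp-BPF sandbox | Yes
Seccomp-BPF sandbox supports TSYNC | Yes
Ptrace Protection with Yama LSM (Broker) | Yes
Ptrace Protection with Yama LSM (Non-broker) | Yes

You are adequately sandboxed.
"""

# Constructed sysctl.d fragments: the hardened setting (user namespaces off)
# and the commented-out variant that re-enables them.
HARDENED_SYSCTL = """\
user.max_user_namespaces = 0
kernel.unprivileged_userns_clone = 0
"""
RELAXED_SYSCTL = """\
# user.max_user_namespaces = 0
# kernel.unprivileged_userns_clone = 0
"""


def parse_sandbox_page(text):
    """Turn the 'Name | Value' rows of chrome://sandbox into a dict."""
    rows = {}
    for line in text.splitlines():
        if "|" not in line:
            continue
        key, value = (part.strip() for part in line.split("|", 1))
        rows[key] = value
    return rows


def parse_sysctl(text):
    """Parse sysctl.d syntax: '#' comments, 'key = value', '/' or '.' separators."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values[key.replace("/", ".")] = value
    return values


def userns_disabled(sysctl):
    """Either key at 0 stops unprivileged processes from creating user namespaces."""
    return (sysctl.get("user.max_user_namespaces") == "0"
            or sysctl.get("kernel.unprivileged_userns_clone") == "0")


def expected_layer1(sysctl):
    # Assumption (see lead-in): namespace sandbox when userns is available,
    # setuid helper ("SUID") otherwise.
    return "SUID" if userns_disabled(sysctl) else "Namespace"


def diagnose(sandbox_text, sysctl_text):
    """Compare the observed layer-1 sandbox with the one the sysctls predict."""
    rows = parse_sandbox_page(sandbox_text)
    sysctl = parse_sysctl(sysctl_text)
    observed = rows.get("Layer 1 Sandbox", "None")
    expected = expected_layer1(sysctl)
    # Every other row is a layer-2 protection that should read "Yes".
    gaps = [k for k, v in rows.items() if k != "Layer 1 Sandbox" and v != "Yes"]
    return {
        "observed_layer1": observed,
        "expected_layer1": expected,
        "consistent": observed == expected,
        "userns_disabled": userns_disabled(sysctl),
        "layer2_gaps": gaps,
        "adequately_sandboxed": observed != "None" and not gaps,
    }


if __name__ == "__main__":
    for label, sysctl in (("hardened", HARDENED_SYSCTL), ("relaxed", RELAXED_SYSCTL)):
        print(label, diagnose(SANDBOX_PAGE, sysctl))
```

With the hardened sysctl the pasted table is consistent (SUID expected, SUID observed, no layer-2 gaps), which is what the comment above concludes; feeding the same table with the relaxed sysctl flags the mismatch, since a namespace sandbox would then be expected.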

Sadoon-AlBader commented 11 months ago

...which I did to get podman and toolbox working, solved the issue. It's really weird. I just tried twice again to be 100% sure, and yep, that's it.

Posting again due to the severity of the security implications of doing this.

Do not do this.

This opens up a massive security hole. GHSA-j2qp-rvxj-43vj #87 (comment)

wrt this, I found a solution for apps not available on Fedora repos, but it's unrelated to this issue. Perhaps a small wiki for workarounds and tips is a good idea? ex: had no idea waypipe existed, works quite well and is a good way to fully sandbox apps in a VM since podman and co. are not available for security reasons.

Sadoon-AlBader commented 11 months ago

Fresh install of secureblue on another laptop, chromium has no issues. Verified with chromium --version that they are the same version. I'll try to rule out hardware by fresh installing secureblue on a flash drive and testing later.

RoyalOughtness commented 11 months ago

...which I did to get podman and toolbox working, solved the issue. It's really weird. I just tried twice again to be 100% sure, and yep, that's it.

Posting again due to the severity of the security implications of doing this. Do not do this. This opens up a massive security hole. GHSA-j2qp-rvxj-43vj #87 (comment)

wrt this, I found a solution for apps not available on Fedora repos, but it's unrelated to this issue. Perhaps a small wiki for workarounds and tips is a good idea? ex: had no idea waypipe existed, works quite well and is a good way to fully sandbox apps in a VM since podman and co. are not available for security reasons.

Curious, what apps are you trying to use that aren't available in fedora or flatpak?

RoyalOughtness commented 11 months ago

Fresh install of secureblue on another laptop, chromium has no issues. Verified with chromium --version that they are the same version. I'll try to rule out hardware by fresh installing secureblue on a flash drive and testing later.

Please confirm whether you were able to reproduce.

RoyalOughtness commented 11 months ago

Closing as no confirmation of repro. Please reopen if you can repro.

Sadoon-AlBader commented 11 months ago

Fresh install of secureblue on another laptop, chromium has no issues. Verified with chromium --version that they are the same version. I'll try to rule out hardware by fresh installing secureblue on a flash drive and testing later.

Please confirm whether you were able to reproduce.

Ah was swamped with work today, cannot reproduce at all on different machines or even different users on the same machine so you can ignore this, probably something wrong with my account. Thanks!

boredsquirrel commented 11 months ago

Neither Brave nor the Koji Chromium are affected by disabled user namespaces. They just work.

RoyalOughtness commented 11 months ago

This repo doesn't use koji chromium anymore, and we already confirmed this is specific to his machine. Please do not resurrect old issues unless they are reproducible.