apparmor misconfigured for brave snap
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snapd (Ubuntu) | New | Undecided | Unassigned |
Bug Description
On a fully up to date Ubuntu 22.04 LTS system (also in 20.04), I installed the BRAVE browser as a snap application.
The output of 'lsb_release -rd' is:
Description: Ubuntu 22.04.2 LTS
Release: 22.04
And 'brave --version' gives: Brave Browser 115.1.56.14
On opening the brave browser I get many apparmor="DENIED" messages in the following logs:
/var/log/syslog, /var/log/kern.log
The following ones appear every 10-16 minutes:
Jul 27 09:49:55 deasX390y kernel: [ 6049.187478] audit: type=1400 audit(169047299
Jul 27 09:59:55 deasX390y kernel: [ 6649.203813] audit: type=1400 audit(169047359
Jul 27 09:59:55 deasX390y kernel: [ 6649.203836] audit: type=1400 audit(169047359
Jul 27 12:50:37 deasX390y kernel: [16890.508908] audit: type=1107 audit(169048383
Jul 27 12:50:39 deasX390y kernel: [16893.146621] audit: type=1400 audit(169048383
Jul 27 12:50:39 deasX390y kernel: [16893.146799] audit: type=1400 audit(169048383
Jul 27 12:50:39 deasX390y kernel: [16893.214176] audit: type=1400 audit(169048383
Jul 27 12:50:39 deasX390y kernel: [16893.214268] audit: type=1400 audit(169048383
Jul 27 12:50:39 deasX390y kernel: [16893.214350] audit: type=1400 audit(169048383
Jul 27 12:50:39 deasX390y kernel: [16893.222542] audit: type=1400 audit(169048383
The following ones appear every time I start BRAVE:
Jul 27 08:34:18 deasX390y kernel: [ 1512.330346] audit: type=1400 audit(169046845
Jul 27 08:34:18 deasX390y kernel: [ 1512.330419] audit: type=1400 audit(169046845
Jul 27 08:34:18 deasX390y kernel: [ 1512.330488] audit: type=1400 audit(169046845
In an effort to reduce my write-operations to my SSD (and drives of your whole user population) I would like to have this fixed.
In fact, to fix this, I can add rules to the apparmor-profile:
/var/lib/
However, every time the snap is updated the apparmor-profile gets overwritten.
For the moment, I have put the corresponding rules in <abstractions/
I know this is not nice because all snaps get read access to these files.
That is why I propose the following new lines in the generated snap profile /var/lib/
#include if exists <abstractions/
#include if exists <abstractions/
In my case the content of the abstraction file: /etc/apparmor.
could be
@{PROC}
/etc/vulkan/** r,
/run/udev/data/** r,
The user-customizab
should not be overwritten or changed by the snap nor the application.
But it would be highly useful to system administrators since here they may specify certain read-rules.
I know this is rather a configuration issue (a "bug" in the configuration).
But, since I saw a similar bug report for evince I decided to report it:
https:/
I hope everything you need is included.
Have a nice day.
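A way to triage denials like the ones quoted in the report before writing any rule, added here as an example that is not part of the original report or of snapd: it counts AppArmor file denials per profile and path and lists exact-path candidate rules. The log lines, the profile name `snap.brave.brave`, the PIDs and the file names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in kernel audit format. The profile name, PIDs,
# audit IDs and file names are assumptions, not values from the report.
SAMPLE_LOG = """\
Jul 27 08:34:18 host kernel: [ 1512.330346] audit: type=1400 audit(1690468458.101:201): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/etc/vulkan/icd.d/" pid=4321 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 08:34:18 host kernel: [ 1512.330419] audit: type=1400 audit(1690468458.101:202): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/etc/vulkan/implicit_layer.d/" pid=4321 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 09:49:55 host kernel: [ 6049.187478] audit: type=1400 audit(1690472995.204:310): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c13:64" pid=4321 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 09:59:55 host kernel: [ 6649.203813] audit: type=1400 audit(1690473595.220:311): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c13:64" pid=4321 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 12:50:37 host kernel: [16890.508908] audit: type=1107 audit(1690483837.500:400): pid=812 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" mask="send" label="snap.brave.brave" peer_label="unconfined"'
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(log_text):
    """Yield (profile, path, mask) for each AppArmor file denial (type=1400)."""
    for line in log_text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("type") != "1400" or fields.get("apparmor") != "DENIED":
            continue  # skips ALLOWED/STATUS events and type=1107 D-Bus denials
        if "name" not in fields or "denied_mask" not in fields:
            continue  # not a path-based denial (e.g. capability or network)
        yield fields["profile"], fields["name"], fields["denied_mask"]

def summarize(log_text):
    """Count denials per (profile, path, mask) so repeats stand out."""
    return Counter(parse_denials(log_text))

def candidate_rules(counts, profile):
    """Exact-path rules covering only what was denied for one profile.
    Widening them to a glob such as /etc/vulkan/** is a separate decision."""
    return sorted({f"{path} {mask}," for (prof, path, mask) in counts if prof == profile})

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for (prof, path, mask), n in counts.most_common():
        print(f"{n:3d}  {prof}  {mask}  {path}")
    for rule in candidate_rules(counts, "snap.brave.brave"):
        print(rule)
```

On a real system the input would be the contents of /var/log/kern.log or /var/log/syslog, the two logs named in the report.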
Hello Andreas, thanks for the report. This is slightly different than the evince issue, since that is distributed as a deb package in Ubuntu with a hand-written AppArmor profile. Brave is packaged by Brave with a generated AppArmor profile. It's possible the Brave developers just need to request some specific permissions in snap, or perhaps document how you can connect the required permissions, etc.
The "snap info brave" output suggests that they have a forum for reporting issues:
$ snap info brave
name: brave
summary: Browse faster and safer with Brave.
publisher: Brave Software (brave✓)
store-url: https://snapcraft.io/brave
contact: https://community.brave.com/
[...]
Perhaps the snapd team will have some ideas, so I'll just leave this bug here. But it's probably worth reporting to https://community.brave.com/ as the Brave team have asked, so they can take a look at it, too.
Thanks