apparmor misconfigured for brave snap

Bug #2028885 reported by Andreas Wachtel
Affects: snapd (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned

Bug Description

On a fully up to date Ubuntu 22.04 LTS system (also in 20.04), I installed the BRAVE browser as a snap application.
The output of 'lsb_release -rd' is:
Description: Ubuntu 22.04.2 LTS
Release: 22.04
And 'brave --version' gives: Brave Browser 115.1.56.14

On opening the brave browser I get many apparmor="DENIED" messages in the following logs:
/var/log/syslog, /var/log/kern.log

The following ones appear every 10-16 minutes:
Jul 27 09:49:55 deasX390y kernel: [ 6049.187478] audit: type=1400 audit(1690472995.817:562): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/proc/pressure/memory" pid=7878 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 09:59:55 deasX390y kernel: [ 6649.203813] audit: type=1400 audit(1690473595.825:563): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/proc/pressure/cpu" pid=7878 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 09:59:55 deasX390y kernel: [ 6649.203836] audit: type=1400 audit(1690473595.825:564): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/proc/pressure/io" pid=7878 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 12:50:37 deasX390y kernel: [16890.508908] audit: type=1107 audit(1690483837.106:1541): pid=1570 uid=103 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=29517 label="snap.brave.brave" peer_pid=1565 peer_label="unconfined"
Jul 27 12:50:39 deasX390y kernel: [16893.146621] audit: type=1400 audit(1690483839.742:1626): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/+thunderbolt:domain0" pid=29517 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 12:50:39 deasX390y kernel: [16893.146799] audit: type=1400 audit(1690483839.742:1627): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/+thunderbolt:0-0" pid=29517 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 12:50:39 deasX390y kernel: [16893.214176] audit: type=1400 audit(1690483839.810:1628): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:1" pid=29517 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 12:50:39 deasX390y kernel: [16893.214268] audit: type=1400 audit(1690483839.810:1629): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:2" pid=29517 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 12:50:39 deasX390y kernel: [16893.214350] audit: type=1400 audit(1690483839.810:1630): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/c510:0" pid=29517 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 12:50:39 deasX390y kernel: [16893.222542] audit: type=1400 audit(1690483839.818:1631): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/run/udev/data/+dmi:id" pid=29517 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

The following ones appear every time I start BRAVE:
Jul 27 08:34:18 deasX390y kernel: [ 1512.330346] audit: type=1400 audit(1690468458.967:419): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/etc/vulkan/implicit_layer.d/" pid=8798 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 08:34:18 deasX390y kernel: [ 1512.330419] audit: type=1400 audit(1690468458.967:420): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/etc/vulkan/explicit_layer.d/" pid=8798 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 08:34:18 deasX390y kernel: [ 1512.330488] audit: type=1400 audit(1690468458.967:421): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/etc/vulkan/icd.d/" pid=8798 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

In an effort to reduce my write-operations to my SSD (and drives of your whole user population) I would like to have this fixed.

In fact, to fix this, I can add rules to the apparmor-profile:
/var/lib/snapd/apparmor/profiles/snap.brave.brave

However, every time the snap is updated the apparmor-profile gets overwritten.

For the moment, I have put the corresponding rules in <abstractions/base>.
I know this is not nice because all snaps get read access to these files.

That is why I propose the following new lines in the generated snap profile /var/lib/snapd/apparmor/profiles/snap.brave.brave:

#include if exists <abstractions/vulkan>
#include if exists <abstractions/app-brave-usr>

In my case the content of the abstraction file /etc/apparmor.d/abstractions/app-brave-usr could be:
  @{PROC}/pressure/** r,
  /etc/vulkan/** r,
  /run/udev/data/** r,

The user-customizable abstraction file (/etc/apparmor.d/abstractions/app-brave-usr)
should not be overwritten or changed by the snap or the application.
But it would be highly useful to system administrators since here they may specify certain read-rules.

I know this is rather a configuration issue (a "bug" in the configuration).
But, since I saw a similar bug report for evince I decided to report it:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1891338

I hope everything you need is included.
Have a nice day.
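The report works out its candidate rules by hand from the audit lines above. The following added example (not part of the bug report, and not snapd or Brave code) does the same triage mechanically: it parses apparmor="DENIED" audit records, handles both file denials (type=1400, `profile=`) and D-Bus denials (type=1107, `label=`), and collapses the denied paths into the same `dir/** r,` form the reporter proposes. The log lines are a constructed sample in the format quoted above, with made-up hostname and pids.

```python
import re
import posixpath
from collections import defaultdict

# Constructed sample in the audit format quoted in the report (hostname, pids and
# timestamps are made up); the last line is a D-Bus denial (type=1107).
SAMPLE_LOG = """\
Jul 27 09:49:55 host kernel: [ 6049.187478] audit: type=1400 audit(1690472995.817:562): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/proc/pressure/memory" pid=7878 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 09:59:55 host kernel: [ 6649.203813] audit: type=1400 audit(1690473595.825:563): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/proc/pressure/cpu" pid=7878 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 08:34:18 host kernel: [ 1512.330488] audit: type=1400 audit(1690468458.967:421): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/etc/vulkan/icd.d/" pid=8798 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 12:50:37 host kernel: [16890.508908] audit: type=1107 audit(1690483837.106:1541): pid=1570 uid=103 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=29517 label="snap.brave.brave" peer_pid=1565 peer_label="unconfined"
"""

# key=value or key="quoted value" pairs as written by the audit subsystem
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one dict of fields per apparmor="DENIED" line in `text`."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {k: q if q else u for k, q, u in KV_RE.findall(line)}
        # File denials name the confined process in profile=, D-Bus denials in label=
        fields["profile"] = fields.get("profile") or fields.get("label")
        events.append(fields)
    return events

def suggest_rules(events):
    """Collapse denials per profile into candidate AppArmor rules for review.

    File denials are widened to the parent directory with '**', which (unlike
    '*') also matches the trailing slash of a directory open such as
    /etc/vulkan/icd.d/. D-Bus denials become a dbus rule pinned to the observed peer.
    """
    file_masks = defaultdict(lambda: defaultdict(set))  # profile -> glob -> masks
    dbus_rules = defaultdict(set)                        # profile -> rule strings
    for ev in events:
        if ev.get("operation", "").startswith("dbus_"):
            dbus_rules[ev["profile"]].add(
                f'dbus {ev["mask"]} bus={ev["bus"]} path={ev["path"]} '
                f'interface={ev["interface"]} member={ev["member"]} '
                f'peer=(name={ev["name"]}, label={ev["peer_label"]}),')
            continue
        parent = posixpath.dirname(ev["name"].rstrip("/"))
        if parent == "/proc" or parent.startswith("/proc/"):
            parent = "@{PROC}" + parent[len("/proc"):]   # use the profile variable, as the report does
        file_masks[ev["profile"]][parent + "/**"].update(ev["denied_mask"])
    out = {}
    for profile in set(file_masks) | set(dbus_rules):
        rules = [f"{glob} {''.join(sorted(m))}," for glob, m in file_masks[profile].items()]
        out[profile] = sorted(rules) + sorted(dbus_rules[profile])
    return out
```

The output is a starting point for a human review of which accesses the application legitimately needs, not something to append to a profile unread; a widened `**` rule grants more than the single denied path.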

Seth Arnold (seth-arnold) wrote:

Hello Andreas, thanks for the report. This is slightly different than the evince issue, since that is distributed as a deb package in Ubuntu with a hand-written AppArmor profile. Brave is packaged by Brave with a generated AppArmor profile. It's possible the Brave developers just need to request some specific permissions in snap, or perhaps document how you can connect the required permissions, etc.

The "snap info brave" output suggests that they have a forum for reporting issues:

$ snap info brave
name: brave
summary: Browse faster and safer with Brave.
publisher: Brave Software (brave✓)
store-url: https://snapcraft.io/brave
contact: https://community.brave.com/
[...]

Perhaps the snapd team will have some ideas, so I'll just leave this bug here. But it's probably worth reporting to https://community.brave.com/ as the Brave team have asked, so they can take a look at it, too.

Thanks

Andreas Wachtel (and-wachtel) wrote:

Dear Seth,

thank you for the kind response.
I sent a report to the Brave community, sorry that I sent it to you first.

If you want to know the link, here it goes:
https://community.brave.com/t/apparmor-misconfigured-for-brave-snap/501262

Thanks again.
Andreas
