@mixedCase I linked an image to brave://sandbox results in my previous comment. https://web.archive.org/web/20210118200105/https://files.kasad.com/brave-sandbox.png
Package Details: brave-bin 1:1.73.91-1
Git Clone URL: | https://aur.archlinux.org/brave-bin.git |
---|---|
Package Base: | brave-bin |
Description: | Web browser that blocks ads and trackers by default (binary release) |
Upstream URL: | https://brave.com |
Keywords: | brave browser |
Licenses: | BSD, MPL2, custom:chromium |
Conflicts: | brave |
Provides: | brave, brave-browser |
Submitter: | toropisco |
Maintainer: | alerque (alosarjos) |
Last Packager: | alosarjos |
Votes: | 821 |
Popularity: | 17.69 |
First Submitted: | 2016-04-06 13:16 (UTC) |
Last Updated: | 2024-11-20 18:19 (UTC) |
Dependencies (8)
- alsa-lib
- gtk3 (gtk3-no_deadkeys_underlineAUR, gtk3-classicAUR, gtk3-classic-xfceAUR, gtk3-patched-filechooser-icon-viewAUR)
- libxss
- nss (nss-hgAUR)
- ttf-font (neuropol-ttfAUR, ttf-win7-fontsAUR, ttf-ms-win8AUR, ttf-ms-win8-arabicAUR, ttf-ms-win8-hebrewAUR, ttf-ms-win8-seaAUR, ttf-ms-win8-indicAUR, ttf-ms-win8-japaneseAUR, ttf-ms-win8-koreanAUR, ttf-ms-win8-zh_cnAUR, ttf-ms-win8-zh_twAUR, ttf-ms-win8-thaiAUR, ttf-ms-win8-otherAUR, ttf-kidsAUR, ttf-liberation-sans-narrowAUR, ttf-cavafy-scriptAUR, ttf-ms-fontsAUR, ttf-dejavu-ibAUR, ttf-zeldaAUR, ttf-oxygenAUR, ttf-oxygen-gfAUR, ttf-share-gfAUR, ttf-gostAUR, otf-inconsolata-dzAUR, ttf-d2codingAUR, ttf-agaveAUR, ttf-caracteresAUR, ttf-cuprumAUR, ttf-autour-oneAUR, ttf-impallari-milongaAUR, ttf-impallari-miltonianAUR, ttf-clarity-cityAUR, ttf-ms-win10AUR, ttf-ms-win10-japaneseAUR, ttf-ms-win10-koreanAUR, ttf-ms-win10-seaAUR, ttf-ms-win10-thaiAUR, ttf-ms-win10-zh_cnAUR, ttf-ms-win10-zh_twAUR, ttf-ms-win10-otherAUR, ttf-win10AUR, ttf-ms-win10-cdnAUR, ttf-bmonoAUR, ttf-pt-astra-factAUR, ttf-weblysleekuiAUR, ttf-pt-astra-sansAUR, ttf-pt-astra-serifAUR, ttf-pt-sansAUR, ttf-pt-serifAUR, ttf-pt-monoAUR, ttf-pt-root_uiAUR, ttf-xo-fontsAUR, noto-fonts-liteAUR, ttf-paratypeAUR, ttf-plemoljp-binAUR, ttf-dejavu-emojilessAUR, noto-fonts-variable-liteAUR, ttf-lucida-fontsAUR, ttf-plemoljpAUR, ttf-juiseeAUR, ttf-ms-win10-autoAUR, ttf-karlaAUR, noto-fonts-latin-greek-cyrillicAUR, apple-fontsAUR, ttf-noto-sans-vfAUR, ttf-noto-serif-vfAUR, ttf-noto-sans-mono-vfAUR, ttf-ms-win11AUR, ttf-ms-win11-japaneseAUR, ttf-ms-win11-koreanAUR, ttf-ms-win11-seaAUR, ttf-ms-win11-thaiAUR, ttf-ms-win11-zh_cnAUR, ttf-ms-win11-zh_twAUR, ttf-ms-win11-otherAUR, ttf-ms-win11-autoAUR, gnu-free-fonts, noto-fonts, ttf-bitstream-vera, ttf-croscore, ttf-dejavu, ttf-droid, ttf-ibm-plex, ttf-input, ttf-input-nerd, ttf-liberation)
- cups (cups-gitAUR, cups-gssapiAUR) (optional) – Printer support
- libgnome-keyring (optional) – Enable GNOME keyring support
- libnotify (libnotify-gitAUR) (optional) – Native notification support
Required by (10)
- brave-extension-bitwarden-git (requires brave) (optional)
- chromium-material-icons-for-github-bin (requires brave) (optional)
- chromium-vencord (requires brave) (optional)
- chromium-vencord-bin (requires brave) (optional)
- chromium-vencord-git (requires brave) (optional)
- ice-ssb-git (requires brave) (optional)
- mermaid-cli-brave (requires brave)
- mermaid-cli-brave (requires brave) (make)
- nfauthenticationkey (requires brave) (optional)
- profile-sync-daemon-brave (requires brave) (optional)
Sources (4)
Latest Comments
kiankasad commented on 2020-10-12 22:24 (UTC) (edited on 2021-01-18 20:03 (UTC) by kiankasad)
mixedCase commented on 2020-10-12 22:21 (UTC)
@kiankasad I think you misread the wiki article, it mentions that the feature is enabled only for root in linux-hardened, while in every other kernel enabling the feature does it for all users. Relevant section:
Firstly, a kernel is required that has support for User Namespaces (a kernel with CONFIG_USER_NS). All Arch Linux kernels have support for CONFIG_USER_NS. However, due to more general security concerns, the linux-hardened kernel does ship with User Namespaces enabled only for the root user. There are two options to create unprivileged containers there:
- Start the unprivileged containers only as root.
- Enable the sysctl setting kernel.unprivileged_userns_clone to allow normal users to run unprivileged containers. This can be done for the current session with sysctl kernel.unprivileged_userns_clone=1 and can be made permanent with sysctl.d(5).
If this is not upstream behavior, then this is patched downstream in the same manner by Arch as well. Just to make sure, I downloaded latest ISO and booted a virtual machine and sure enough, its kernel recognizes it, and I also added some nonsense to corroborate my knowledge that sysctl fails on a nonexistent parameter: https://i.imgur.com/PayQTEK.png
Can you share what brave://sandbox returns for you? Perhaps they've reenabled the deprecated setuid sandbox for some reason; in which case I'd still rather just point users to use the one that actually has been maintained upstream by Google for the past few years.
kiankasad commented on 2020-10-12 21:30 (UTC) (edited on 2021-01-18 20:04 (UTC) by kiankasad)
@mixedCase It's provided by a Debian kernel patch:
https://serverfault.com/a/939457/562138
https://security.stackexchange.com/a/209534/221678
Grepping in the Linux source code returns nothing.
I'm not sure why the file exists on your machine, but with the stock Arch kernel, it isn't there:
$ sudo ls /proc/sys/kernel/unprivileged_userns_clone
ls: cannot access '/proc/sys/kernel/unprivileged_userns_clone': No such file or directory
User namespaces will work with the default Arch kernel, even if the kernel.unprivileged_userns_clone option does not exist (as long as CONFIG_USER_NS=y). I've removed the check from the launcher script and sandboxing works fine: https://web.archive.org/web/20210118200105/https://files.kasad.com/brave-sandbox.png
(The yama support is unrelated)
This fix has already made it into brave-nightly-bin
EDIT: that ArchWiki page specifically states that that sysctl option is for the linux-hardened kernel, and it does not say to do anything to enable unprivileged user namespaces on the default kernel.
mixedCase commented on 2020-10-12 20:42 (UTC)
@kiankasad Not sure what gave you that idea, are you using linux-hardened perchance?
https://i.imgur.com/LUOYuUV.png
https://i.imgur.com/uxASIZU.png
https://wiki.archlinux.org/index.php/Linux_Containers#Enable_support_to_run_unprivileged_containers_(optional)
kiankasad commented on 2020-10-12 18:08 (UTC) (edited on 2020-10-12 21:38 (UTC) by kiankasad)
The file /proc/sys/kernel/unprivileged_userns_clone is provided by a kernel patch that exists in Debian. On Arch Linux, the file should never exist. This means that even when user namespaces are enabled, Brave will run with the sandbox disabled (which is not good).
This can be fixed by removing the check for /proc/sys/kernel/unprivileged_userns_clone in brave-nightly-bin.sh
I know there's a pinned comment describing how to fix this, however that fix does not work, since that kernel option is nonexistent on Arch.
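The probe discussed in this thread, written so that a missing sysctl file is not read as "user namespaces off". This is an added example, not the package's launcher script or any commenter's code. The function name `userns_state` and its state strings are hypothetical, and the check of `user.max_user_namespaces` (the upstream limit) goes beyond what the comments mention.

```shell
#!/bin/sh
# Added example (not the package's launcher script).
# userns_state [PROC_SYS_ROOT]
# Prints one state and always returns 0, so callers branch on the string:
#   disabled-by-sysctl  patched kernel, kernel.unprivileged_userns_clone = 0
#   disabled-by-limit   user.max_user_namespaces = 0
#   enabled             at least one knob is present and none forbids it
#   unknown             neither knob is present; do not assume "off"
userns_state() {
    root="${1:-/proc/sys}"   # overridable so the logic can run on a fixture
    clone="$root/kernel/unprivileged_userns_clone"
    limit="$root/user/max_user_namespaces"

    # The downstream knob only matters when it exists AND reads 0.
    # Its absence says nothing about whether namespaces work.
    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo disabled-by-sysctl
        return 0
    fi

    # Upstream limit: 0 means no user namespace can be created.
    if [ -r "$limit" ] && [ "$(cat "$limit")" = "0" ]; then
        echo disabled-by-limit
        return 0
    fi

    if [ -r "$clone" ] || [ -r "$limit" ]; then
        echo enabled
    else
        echo unknown
    fi
    return 0
}

echo "unprivileged user namespaces: $(userns_state)"
```

A launcher using this would keep the sandbox on for `enabled` and `unknown`, and only warn the user on the two `disabled-*` states.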
mixedCase commented on 2020-10-07 21:29 (UTC)
Thank you @urbenlegend, the script has been updated to the latest version and to no longer use the .deb workaround.
urbenlegend commented on 2020-10-07 20:40 (UTC)
According to the latest release notes, Brave zip should have the OpenGL files included now, so the deb is no longer needed.
mixedCase commented on 2020-09-29 13:20 (UTC)
@numToStr It's a temporary workaround for an upstream packaging issue which has been supposedly fixed in Brave master already but will take a little while to trickle down into stable.
numToStr commented on 2020-09-29 10:03 (UTC)
Why is there .zip and .deb packages?
mixedCase commented on 2020-09-18 13:45 (UTC)
@francoism90 No I'm not getting that, with or without Vulkan. I don't have that file either but the browser doesn't seem to complain about it.
Pinned Comments
alerque commented on 2021-11-27 03:11 (UTC)
@ant0n et al., let's keep the comments here about packaging issues, general Brave usage issues should go in another forum to not clutter up this comment space. I'm deleting comments that have no relation to packaging. Grey areas like crashes that could be blamed on Arch can stay until proven otherwise, but things like how to configure Brave to handle popups or site X or whatever just don't belong here. Thanks for understanding.