Apparmor misconfigured for brave snap

Dear developers.
I love the brave-browser.

Recently, I reported a “bug” or a “mis-configuration issue” at:

It basically says that the current ‘apparmor’ configuration of the snap-brave browser causes a lot of DENIED messages in
/var/log/syslog
/var/log/kern.log

I have observed these messages on Ubuntu 20.04.6 LTS and Ubuntu 22.04 LTS.
My ‘brave --version’ is Brave Browser 115.1.56.20

I restate my errors and BELOW I propose a way to correct / suppress the behaviour.

On opening the brave browser I get many apparmor=“DENIED” messages in the following logs:
/var/log/syslog, /var/log/kern.log

The following ones appear every 10-16 minutes:
Jul 27 09:49:55 deasX390y kernel: [ 6049.187478] audit: type=1400 audit(1690472995.817:562): apparmor=“DENIED” operation=“open” profile=“snap.brave.brave” name=“/proc/pressure/memory” pid=7878 comm=“ThreadPoolForeg” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Jul 27 09:59:55 deasX390y kernel: [ 6649.203813] audit: type=1400 audit(1690473595.825:563): apparmor=“DENIED” operation=“open” profile=“snap.brave.brave” name=“/proc/pressure/cpu” pid=7878 comm=“ThreadPoolForeg” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Jul 27 09:59:55 deasX390y kernel: [ 6649.203836] audit: type=1400 audit(1690473595.825:564): apparmor=“DENIED” operation=“open” profile=“snap.brave.brave” name=“/proc/pressure/io” pid=7878 comm=“ThreadPoolForeg” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Jul 27 12:50:37 deasX390y kernel: [16890.508908] audit: type=1107 audit(1690483837.106:1541): pid=1570 uid=103 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor=“DENIED” operation=“dbus_method_call” bus=“system” path=“/” interface=“org.freedesktop.DBus.ObjectManager” member=“GetManagedObjects” mask=“send” name=“org.bluez” pid=29517 label=“snap.brave.brave” peer_pid=1565 peer_label=“unconfined”
Jul 27 12:50:39 deasX390y kernel: [16893.146621] audit: type=1400 audit(1690483839.742:1626): apparmor=“DENIED” operation=“open” profile=“snap.brave.brave” name=“/run/udev/data/+thunderbolt:domain0” pid=29517 comm=“ThreadPoolForeg” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Jul 27 12:50:39 deasX390y kernel: [16893.146799] audit: type=1400 audit(1690483839.742:1627): apparmor=“DENIED” operation=“open” profile=“snap.brave.brave” name=“/run/udev/data/+thunderbolt:0-0” pid=29517 comm=“ThreadPoolForeg” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Jul 27 12:50:39 deasX390y kernel: [16893.214176] audit: type=1400 audit(1690483839.810:1628): apparmor=“DENIED” operation=“open” profile=“snap.brave.brave” name=“/run/udev/data/c510:1” pid=29517 comm=“ThreadPoolForeg” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Jul 27 12:50:39 deasX390y kernel: [16893.214268] audit: type=1400 audit(1690483839.810:1629): apparmor=“DENIED” operation=“open” profile=“snap.brave.brave” name=“/run/udev/data/c510:2” pid=29517 comm=“ThreadPoolForeg” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Jul 27 12:50:39 deasX390y kernel: [16893.214350] audit: type=1400 audit(1690483839.810:1630): apparmor=“DENIED” operation=“open” profile=“snap.brave.brave” name=“/run/udev/data/c510:0” pid=29517 comm=“ThreadPoolForeg” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Jul 27 12:50:39 deasX390y kernel: [16893.222542] audit: type=1400 audit(1690483839.818:1631): apparmor=“DENIED” operation=“open” profile=“snap.brave.brave” name=“/run/udev/data/+dmi:id” pid=29517 comm=“ThreadPoolForeg” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0

The following ones appear every time I start BRAVE:
Jul 27 08:34:18 deasX390y kernel: [ 1512.330346] audit: type=1400 audit(1690468458.967:419): apparmor=“DENIED” operation=“open” profile=“snap.brave.brave” name=“/etc/vulkan/implicit_layer.d/” pid=8798 comm=“brave” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Jul 27 08:34:18 deasX390y kernel: [ 1512.330419] audit: type=1400 audit(1690468458.967:420): apparmor=“DENIED” operation=“open” profile=“snap.brave.brave” name=“/etc/vulkan/explicit_layer.d/” pid=8798 comm=“brave” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Jul 27 08:34:18 deasX390y kernel: [ 1512.330488] audit: type=1400 audit(1690468458.967:421): apparmor=“DENIED” operation=“open” profile=“snap.brave.brave” name=“/etc/vulkan/icd.d/” pid=8798 comm=“brave” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0

In an effort to reduce my write-operations to my SSD (and drives of your whole user population) I would like to have this fixed.

In fact, to fix this, I can add rules to the apparmor-profile:
/var/lib/snapd/apparmor/profiles/snap.brave.brave

However, every time the snap is updated the apparmor-profile gets overwritten.

For the moment, I have put the corresponding rules in <abstractions/base>.
I know this is not nice because all snaps get read access to these files.

That is why I propose the following new lines in the generated snap profile /var/lib/snapd/apparmor/profiles/snap.brave.brave:

#include if exists <abstractions/vulkan>
#include if exists <abstractions/app-brave-usr>

In my case the content of the abstraction file: /etc/apparmor.d/abstractions/app-brave-usr
could be
@{PROC}/pressure/** r,
/etc/vulkan/** r,
/run/udev/data/** r,

The user-customizable-abstraction file ( /etc/apparmor.d/abstractions/app-brave-usr )
should not be overwritten or changed by the snap nor the application.
But it would be highly useful to system administrators since here they may specify certain read-rules.

I know this is rather a configuration issue (a “bug” in the configuration).

I hope everything you need is included.
Have a nice day.
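
An added example, not part of the original post: a small Python parser that groups AppArmor DENIED records for one profile and renders an exact-path candidate rule per denied file, as a narrower starting point than `**` globs. The sample log lines are constructed and shortened from the record shapes quoted above; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, shortened from the record shapes quoted in the post.
# Forum rendering turned the quotes curly, so both quote styles are accepted.
SAMPLE_LOG = '''\
kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/proc/pressure/memory" pid=7878 requested_mask="r" denied_mask="r"
kernel: audit: type=1400 apparmor=“DENIED” operation=“open” profile=“snap.brave.brave” name=“/proc/pressure/memory” pid=7878 requested_mask=“r” denied_mask=“r”
kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/etc/vulkan/icd.d/" pid=8798 requested_mask="r" denied_mask="r"
kernel: audit: type=1107 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" name="org.bluez" label="snap.brave.brave" peer_label="unconfined"
kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="snap.other.app" name="/etc/hostname" pid=1 requested_mask="r" denied_mask="r"
kernel: audit: type=1400 apparmor="ALLOWED" operation="open" profile="snap.brave.brave" name="/tmp/x" requested_mask="r" denied_mask="r"
'''

# key="value" pairs; unquoted fields such as pid=7878 are ignored.
FIELD = re.compile(r'(\w+)=["“”]([^"“”]*)["“”]')

def parse_denial(line):
    """Return the quoted key/value fields of a DENIED record, or None."""
    fields = dict(FIELD.findall(line))
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize(log_text, profile="snap.brave.brave"):
    """Count file and D-Bus denials for one profile."""
    files, dbus = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_denial(line)
        # File records carry profile=, D-Bus records carry label=.
        if f is None or f.get("profile", f.get("label")) != profile:
            continue
        if f.get("operation", "").startswith("dbus_"):
            dbus[(f.get("bus"), f.get("name"),
                  f.get("interface"), f.get("member"))] += 1
        elif "name" in f:
            files[(f["name"], f.get("denied_mask", ""))] += 1
    return files, dbus

def exact_file_rules(files):
    """Render one exact-path AppArmor file rule per denied (path, mask)."""
    return [f"{path} {mask}," for path, mask in sorted(files)]

if __name__ == "__main__":
    files, dbus = summarize(SAMPLE_LOG)
    for rule in exact_file_rules(files):
        print(rule)
    for key, count in dbus.items():
        print("dbus denial x%d:" % count, key)
```

The output is a list of candidates to review, since a denial can also be the confinement doing its job; D-Bus denials are only counted here, not turned into rules.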
