########################################
Description of the issue:
SELinux is preventing /app/brave/brave from execmod access on the file /memfd:swiftshader_jit (deleted).
The brave application attempted to load /memfd:swiftshader_jit (deleted) which
requires text relocation. This is a potential security problem. Most libraries
should not need this permission. The SELinux Memory Protection Tests web page
explains this check. This tool examined the library and it looks like it was
built correctly. So setroubleshoot can not determine if this application is
compromised or not. This could be a serious issue. Your system may very well be
compromised. Contact your security administrator and report this issue.
########################################
Steps to Reproduce (add as many as necessary):
- Launch Brave
- Visit any website invoking Brave to load /memfd:swiftshader_jit
########################################
Actual Result (gifs and screenshots are welcome!):
Websites seem to function normally when SELinux Alert appears
########################################
Expected Result:
Visit websites without SELinux Alerts appearing
########################################
Reproduces how often:
Reproduction based on visiting websites where Brave needs to load /memfd:swiftshader_jit
########################################
Brave Version(See the About Brave page in the main menu):
BRAVE: Release v1.43.93
OS: Red Hat Enterprise Linux 9.0
GNOME: 40.4.0
########################################
Reproducible on current live release (yes/no):
Yes
########################################
Additional information:
OS: Red Hat Enterprise Linux 9.0
GNOME: 40.4.0
/etc/selinux/config
SELINUX=enforcing (must stay in this mode to maintain security)
SELINUX ALERT DETAILS
SELinux is preventing /app/brave/brave from execmod access on the file /memfd:swiftshader_jit (deleted).
***** Plugin allow_execmod (53.1 confidence) suggests *********************
If this issue occurred during normal system operation.
Then this alert could be a serious issue and your system could be compromised. Setroubleshoot examined '/memfd:swiftshader_jit.(deleted)' to make sure it was built correctly, but can not determine if this application has been compromised.
Do
contact your security administrator and report this issue
***** Plugin catchall_boolean (42.6 confidence) suggests ******************
If you want to allow selinuxuser to execmod
Then you must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean.
Do
setsebool -P selinuxuser_execmod 1
***** Plugin catchall (5.76 confidence) suggests **************************
If you believe that brave should be allowed execmod access on the memfd:swiftshader_jit (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
ausearch -c 'brave' --raw | audit2allow -M my-brave
semodule -X 300 -i my-brave.pp
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:user_tmp_t:s0
Target Objects /memfd:swiftshader_jit (deleted) [ file ]
Source brave
Source Path /app/brave/brave
Port
Host WRK1
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-34.1.29-1.el9_0.2.noarch
Local Policy RPM selinux-policy-targeted-34.1.29-1.el9_0.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name WRK1
Platform Linux WRK1 5.14.0-70.22.1.el9_0.x86_64 #1 SMP PREEMPT Tue Aug 2 10:02:12 EDT 2022 x86_64 x86_64
Alert Count 6
First Seen 2022-09-06 21:40:41 EDT
Last Seen 2022-09-15 13:15:52 EDT
Local ID 477891a1-1d99-4359-8eec-5e1fcf9e2ef0
Raw Audit Messages
type=AVC msg=audit(1663262152.320:725): avc: denied { execmod } for pid=17836 comm="brave" path=2F6D656D66643A73776966747368616465725F6A6974202864656C6574656429 dev="tmpfs" ino=1497 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1663262152.320:725): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7f405b496000 a1=3000 a2=5 a3=18 items=0 ppid=5049 pid=17836 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=6 comm=brave exe=/app/brave/brave subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Hash: brave,unconfined_t,user_tmp_t,file,execmod
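The two raw audit records above contain everything setroubleshoot condenses into its summary: the denied permission, the target path (hex-encoded by the kernel because it contains a space) and the mprotect() arguments. The following Python is an added example for this issue, not code from Brave, SwiftShader or setroubleshoot. It takes the report's own two audit lines as sample input (with the paste's smart quotes replaced by plain ASCII quotes), decodes the hex path to confirm it is the SwiftShader memfd region, and decodes the protection bits from the SYSCALL record; the execmod reading in the comments reflects how the kernel's SELinux mprotect hook treats PROT_EXEC being added to a private file-backed mapping whose pages have already been written.

```python
"""Decode the raw AVC and SYSCALL audit records quoted in this report.

Added example for this issue; it is not code from Brave, SwiftShader or
setroubleshoot. The two sample records below are the report's own raw audit
lines, with the smart quotes of the paste replaced by plain ASCII quotes.
"""
import json
import re
from typing import Dict, List

# mprotect() protection bits, from <sys/mman.h>.
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}

# Audit string fields the kernel hex-encodes (and emits unquoted) when they
# contain a space, a double quote or a non-printable byte.
UNTRUSTED_FIELDS = {"path", "comm", "exe", "name", "proctitle", "cwd"}

AVC_LINE = (
    'type=AVC msg=audit(1663262152.320:725): avc: denied { execmod } for pid=17836 '
    'comm="brave" path=2F6D656D66643A73776966747368616465725F6A6974202864656C6574656429 '
    'dev="tmpfs" ino=1497 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0'
)
SYSCALL_LINE = (
    'type=SYSCALL msg=audit(1663262152.320:725): arch=x86_64 syscall=mprotect success=no '
    'exit=EACCES a0=7f405b496000 a1=3000 a2=5 a3=18 items=0 ppid=5049 pid=17836 auid=1001 '
    'uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 '
    'tty=(none) ses=6 comm=brave exe=/app/brave/brave '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)'
)

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
DECISION_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_untrusted(value: str) -> str:
    """Turn a hex-encoded audit string back into text; other values pass through.

    Caveat: a short name made only of uppercase hex digits could be mis-decoded;
    a full parser tracks whether the kernel quoted the field instead.
    """
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]{2,}", value):
        try:
            return bytes.fromhex(value).decode("utf-8")
        except UnicodeDecodeError:
            pass
    return value


def parse_record(line: str) -> Dict[str, object]:
    """Split one raw audit record into a dict of its fields.

    Record type, timestamp and serial go under '_type', '_time', '_serial';
    for AVC records the decision and permission list go under '_decision'
    and '_perms'.
    """
    head = HEADER_RE.match(line)
    if head is None:
        raise ValueError("not a raw audit record: %r" % line[:60])
    rec: Dict[str, object] = {
        "_type": head.group(1), "_time": head.group(2), "_serial": head.group(3)}
    decision = DECISION_RE.search(line)
    if decision:
        rec["_decision"] = decision.group(1)
        rec["_perms"] = decision.group(2).split()
    for key, raw in KV_RE.findall(line[head.end():]):
        val = raw.strip('"')
        rec[key] = decode_untrusted(val) if key in UNTRUSTED_FIELDS else val
    return rec


def decode_mprotect(rec: Dict[str, object]) -> Dict[str, object]:
    """Interpret the mprotect(addr, len, prot) arguments of a SYSCALL record.

    a0..a3 are logged as hex; mprotect takes three arguments, so a3 is noise.
    """
    if rec.get("syscall") != "mprotect":
        raise ValueError("not an mprotect record")
    prot = int(str(rec["a2"]), 16)
    flags: List[str] = [n for bit, n in sorted(PROT_BITS.items()) if prot & bit]
    return {
        "addr": int(str(rec["a0"]), 16),
        "length": int(str(rec["a1"]), 16),
        "prot": prot,
        "flags": flags or ["PROT_NONE"],
        "denied": rec.get("success") == "no",
        "errno": rec.get("exit"),
    }


def summarize(avc_line: str, syscall_line: str) -> Dict[str, object]:
    """Join the AVC and SYSCALL records of one event into a reviewer's summary."""
    avc = parse_record(avc_line)
    sc = parse_record(syscall_line)
    if avc["_serial"] != sc["_serial"]:
        raise ValueError("records belong to different audit events")
    path = str(avc.get("path", ""))
    mp = decode_mprotect(sc)
    # file:execmod is the permission the SELinux mprotect hook checks when
    # PROT_EXEC is added to a private, file-backed mapping whose pages were
    # already written (copy-on-write). A JIT that writes code into a memfd and
    # then flips the pages to read+exec takes exactly this path; the absence of
    # PROT_WRITE in the request shows it asked for RX, not RWX.
    return {
        "serial": avc["_serial"],
        "decision": avc.get("_decision"),
        "perms": avc.get("_perms", []),
        "comm": avc.get("comm"),
        "exe": sc.get("exe"),
        "path": path,
        "is_memfd": path.startswith("/memfd:"),
        "source_type": str(avc["scontext"]).split(":")[2],
        "target_type": str(avc["tcontext"]).split(":")[2],
        "enforced": avc.get("permissive") == "0",
        "mprotect": mp,
        "exec_without_write": "PROT_EXEC" in mp["flags"] and "PROT_WRITE" not in mp["flags"],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(AVC_LINE, SYSCALL_LINE), indent=2))
```

Running it shows the path decoding to `/memfd:swiftshader_jit (deleted)`, `a2=5` decoding to PROT_READ|PROT_EXEC on a 0x3000-byte (three-page) region, and the target type `user_tmp_t`, which is the tmpfs context a memfd gets rather than a library-specific one. That target type is why the boolean setroubleshoot offers is the generic `selinuxuser_execmod`: enabling it relaxes execmod for every process in the user's domain, whereas the `audit2allow` module from the third suggestion is scoped to what `ausearch` returned for `brave`.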