Package Details: brave-bin 1:1.16.68-1

Git Clone URL: https://aur.archlinux.org/brave-bin.git (read-only)
Package Base: brave-bin
Description: Web browser that blocks ads and trackers by default (binary release).
Upstream URL: https://brave.com/download
Keywords: brave browser
Licenses: BSD, MPL2, custom:chromium
Conflicts: brave
Provides: brave, brave-browser
Submitter: vorbote
Maintainer: mixedCase
Last Packager: mixedCase
Votes: 304
Popularity: 13.11
First Submitted: 2016-04-06 13:16
Last Updated: 2020-10-27 17:12

Pinned Comments

mixedCase commented on 2019-03-11 13:52

=== PLEASE READ PLEASE READ BEFORE REPORTING OUT OF DATE ===

Before making your report, please note that the newer GitHub release you're looking at belongs to the "Release Channel" and --isn't marked as prerelease--.

I have a cron running that's checking every 30 minutes if there's a new release and sends me an email if so. If you see the release was tagged in the last couple of hours please give it some time before flagging.

Also please take into account a stable version may be "released" on GitHub but not marked as ready (read, NOT PRERELEASE) for a long time.

Another handy tool to check the latest OFFICIALLY MARKED AS STABLE version of Brave is to run:

curl https://brave-browser-downloads.s3.brave.com/latest/release.version

simonorono commented on 2018-11-15 03:35

To disable the message telling you "that you're using an unsupported command-line flag --no-sandbox", you must enable user namespaces with sysctl:

sudo sysctl kernel.unprivileged_userns_clone=1

To make it persist after reboot:

echo kernel.unprivileged_userns_clone = 1 | sudo tee /etc/sysctl.d/00-local-userns.conf

Latest Comments

mixedCase commented on 2020-10-13 00:03

@kiankasad Pushed a fix for this and removed an obsolete workaround. Thanks for the report and collaboration! Please let me know if you have any issues.

kiankasad commented on 2020-10-12 23:51

@mixedCase I think that'll work. As far as I can tell, this pseudocode covers all use cases:

if CONFIG_USER_NS=y:
   if kernel.unprivileged_userns_clone=0:
      --no-sandbox
else:
   --no-sandbox
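
The check discussed in this exchange, written out as a POSIX shell function. This is an added example, not the brave-bin launcher script: the function name and its two path parameters are assumptions, as is probing /proc/self/ns/user to detect CONFIG_USER_NS support.

```shell
#!/bin/sh
# Added example, not the packaged launcher.
# Decide whether a launcher must fall back to --no-sandbox.
# Both paths are parameters so the logic can be exercised against
# constructed files instead of the live /proc tree.

# userns_sandbox_flag [SYSCTL_FILE] [USERNS_PROBE]
# Prints "--no-sandbox" only when unprivileged user namespaces are
# unavailable; prints nothing when the namespace sandbox can be used.
userns_sandbox_flag() {
    sysctl_file=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    # Assumption: the ns/user entry is present only on kernels built
    # with CONFIG_USER_NS=y.
    userns_probe=${2:-/proc/self/ns/user}

    # Kernel has no user namespace support at all.
    if [ ! -e "$userns_probe" ]; then
        echo "--no-sandbox"
        return 0
    fi

    # The sysctl exists only on kernels carrying the downstream patch.
    # A missing file must NOT disable the sandbox; only an explicit 0 does.
    if [ -r "$sysctl_file" ] && [ "$(cat "$sysctl_file")" = "0" ]; then
        echo "--no-sandbox"
        return 0
    fi

    # Sysctl absent or set to 1: keep the sandbox enabled.
    return 0
}

# Hypothetical use inside a launcher (binary path is a placeholder):
#   exec /path/to/brave $(userns_sandbox_flag) "$@"
```

The case that matters for the report in this thread is the third one: when the sysctl file does not exist, the function prints nothing and the sandbox stays on.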

mixedCase commented on 2020-10-12 23:46

@kiankasad Well what I'm seeing is that user namespaces do seem to be enabled by default on Arch. But the kernel parameter is still a thing and it seems to be a way to disable them, which linux-hardened uses and I imagine some users do as well.

Can you confirm you're using a kernel without Arch patches? I can change the script to simply run --no-sandbox if the kernel param exists and is set to 0, I gather that should do it without breaking users of the kernel param.

kiankasad commented on 2020-10-12 22:24

@mixedCase I linked an image to brave://sandbox results in my previous comment. https://files.kasad.com/brave-sandbox.png

mixedCase commented on 2020-10-12 22:21

@kiankasad I think you misread the wiki article, it mentions that the feature is enabled only for root in linux-hardened, while in every other kernel enabling the feature does it for all users. Relevant section:


Firstly, a kernel is required that has support for User Namespaces (a kernel with CONFIG_USER_NS). All Arch Linux kernels have support for CONFIG_USER_NS. However, due to more general security concerns, the linux-hardened kernel does ship with User Namespaces enabled only for the root user. There are two options to create unprivileged containers there:

- Start the unprivileged containers only as root.
- Enable the sysctl setting kernel.unprivileged_userns_clone to allow normal users to run unprivileged containers. This can be done for the current session with sysctl kernel.unprivileged_userns_clone=1 and can be made permanent with sysctl.d(5).


If this is not upstream behavior, then this is patched downstream in the same manner by Arch as well. Just to make sure, I downloaded the latest ISO and booted a virtual machine and sure enough, its kernel recognizes it, and I also added some nonsense to corroborate my knowledge that sysctl fails on a nonexistent parameter: https://i.imgur.com/PayQTEK.png

Can you share what brave://sandbox returns for you? Perhaps they've reenabled the deprecated setuid sandbox for some reason; in which case I'd still rather just point users to use the one that actually has been maintained upstream by Google for the past few years.

kiankasad commented on 2020-10-12 21:30

@mixedCase It's provided by a Debian kernel patch: https://serverfault.com/a/939457/562138 https://security.stackexchange.com/a/209534/221678
Grepping in the Linux source code returns nothing. I'm not sure why the file exists on your machine, but with the stock Arch kernel, it isn't there:

$ sudo ls /proc/sys/kernel/unprivileged_userns_clone
ls: cannot access '/proc/sys/kernel/unprivileged_userns_clone': No such file or directory

User namespaces will work with the default Arch kernel, even if the kernel.unprivileged_userns_clone option does not exist (as long as CONFIG_USER_NS=y). I've removed the check from the launcher script and sandboxing works fine: https://files.kasad.com/brave-sandbox.png (The yama support is unrelated)

This fix has already made it into brave-nightly-bin

EDIT: that ArchWiki page specifically states that that sysctl option is for the linux-hardened kernel, and it does not say to do anything to enable unprivileged user namespaces on the default kernel.

mixedCase commented on 2020-10-12 20:42

@kiankasad Not sure what gave you that idea, are you using linux-hardened perchance?

https://i.imgur.com/LUOYuUV.png

https://i.imgur.com/uxASIZU.png

https://wiki.archlinux.org/index.php/Linux_Containers#Enable_support_to_run_unprivileged_containers_(optional)

kiankasad commented on 2020-10-12 18:08

The file /proc/sys/kernel/unprivileged_userns_clone is provided by a kernel patch that exists in Debian. On Arch Linux, the file should never exist. This means that even when user namespaces are enabled, Brave will run with the sandbox disabled (which is not good).

This can be fixed by removing the check for /proc/sys/kernel/unprivileged_userns_clone in brave-nightly-bin.sh

I know there's a pinned comment describing how to fix this, however that fix does not work, since that kernel option is nonexistent on Arch.

mixedCase commented on 2020-10-07 21:29

Thank you @urbenlegend, the script has been updated to the latest version and to no longer use the .deb workaround.

urbenlegend commented on 2020-10-07 20:40

According to the latest release notes, Brave zip should have the OpenGL files included now, so the deb is no longer needed.