Brave will not start on Arch Linux: No usable sandbox

[kmoe]

Did you search for similar issues before submitting this one?

Yes. There are a number of bugs regarding this error message and extensive discussion at #6902. However, the only solution reported as successful involved enabling kernel user namespaces, which is awkward in Arch Linux so I'm hoping another chromium sandboxing method can be used.

The closest open bug is #7146 but this is specifically for Kali Linux.

Describe the issue you encountered:

After installing Brave from source, it won't run. See below for the error message, which says there is no usable chromium sandbox.

However, chromium is adequately sandboxed on my machine: opening chrome://sandbox shows:

The standard Arch Linux kernel does not have user namespaces enabled (a deliberate decision by maintainers). In order to enable this feature an Arch user must either recompile the kernel manually or install a custom kernel (though the corresponding AUR package linux-userns is out of date).

Is it possible for Brave to use SUID sandboxing instead? Or is it already trying to fall back to SUID sandboxing on my system (as chromium itself does) but failing for some reason?

Platform (Win7, 8, 10? macOS? Linux distro?):

Arch Linux 4.11.9 x86-64 (standard kernel)

Brave Version (revision SHA):

c8e92a1

Steps to reproduce:

1. Follow instructions for running from source (clone repo, yarn)
2. Follow instructions for running Brave (npm run watch, npm start)

Actual result:

❤ @glit ➜  brave git:(master) ★ npm start

> brave@0.19.0 start /home/katy/packages/brave
> node ./tools/start.js --user-data-dir=brave-development --enable-logging --v=0 --enable-extension-activity-logging --enable-sandbox-logging --enable-dcheck

[11649:11649:0711/113459.211796:FATAL:zygote_host_impl_linux.cc(107)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
process exited with code 0

Expected result:

Brave browser starts normally.

Is this an issue in the currently released version?

yes

Can this issue be consistently reproduced?

yes

[luixxiul]

Please see https://github.com/brave/browser-laptop/blob/master/docs/linuxInstall.md for more info. sorry I found you have.

[aykevl]

This bug also affects Debian (stretch). I cannot run the browser with sandboxing enabled (and I won't use it with sandboxing disabled).
Als see this issue:
https://bugs.chromium.org/p/chromium/issues/detail?id=312380

[luixxiul]

@aykevl did you try #6902 (comment) already?

[aykevl]

No, should test that.
I would consider it a workaround, though, requiring special kernel configs just to run a browser seems kinda absurd to me. I expect it to just work.

[luixxiul]

I expect it to just work.

I'd agree.

[tracktraps]

Same here on 4.12.6-1-ARCH. Chrome works, Brave not.

[ttlins]

same here on 4.12.8-2-ARCH
giving up on brave for now. recompiling kernel just isn't an option

[Lite5h4dow]

I spoke to Sampson and we found a similar issue on Deepin Debian, getting a no usable sandbox error on version 0.18.23

[jonathansampson]

@Lite5h4dow Thanks for tackling that issue with me. Just to add to your feedback, we were able to get Brave to run when we explicitly passed the --no-sandbox argument.

[Lite5h4dow]

yeah, thats what we ended up doing, im downloading the 19.3 beta to see if it has the same issue, ill update when i actually get it downloaded 👍

[Lite5h4dow]

same issue 👎 no luck with 19.3

[bytesorchestra]

https://bugs.chromium.org/p/chromium/issues/detail?id=598454
Just found out that Chrome removed the dependency from Linux setuid binary sandbox ! Only the settings of the sandbox stays enabled just for Chrome to keep working normally. But the functionality binding is removed, as I understand it...!?

https://bugs.chromium.org/p/chromium/issues/detail?id=312380
Taking a look on the backlogs, it's not clear to see if the issue is progressing...?
So frustrating...

How to contact those guys assigned for the Chromium bug?

I use Debian Stretch 9.1
Even installing the UML package did not work (User-Mode-Linux). Not sure if it has anything to do with the issue...!?

[luixxiul]

@bytesorchestra have you ever tried https://github.com/brave/browser-laptop/blob/master/docs/linuxInstall.md#linux-install-instructions and https://github.com/brave/browser-laptop/blob/master/docs/linuxInstall.md#debian-jessie-and-ubuntu-artful-zesty-yakkety-xenial-and-trusty-amd64?

[bytesorchestra]

@luixxiul Yes, I already did. Did not help at all...

[luixxiul]

please paste the log of the error, thanks.

[bytesorchestra]

@luixxiul Here you have it:
"xxxx@kvh:~$ brave
[11277:11277:1008/041909.128141:FATAL:zygote_host_impl_linux.cc(107)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
Aborted
"

[leodutra]

Status please.

[someguynamedmatt]

For anyone that's struggling with this on Arch and doesn't want to do the insecure --no-sandbox flag I was able to get this working by enabling unprivileged containers in my system. I followed the instructions on the Arch Wiki and specifically only used the 'temporary' solution via sysctl.

[nikolas]

I'm seeing this problem in Debian testing/buster. I have a custom kernel (4.18.3) and the docs linked to in this error (https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md) don't clearly state what kernel config option needs to be enabled to get brave to work. Does someone here have this info? CONFIG_NAMESPACES is enabled. Then we can update the error message.

Also, the document itself says that it's out of date. Brave should maintain their own copy of this if it's still relevant.

Here's my error:

$ brave
[2090:2090:0821/193622.696411:FATAL:zygote_host_impl_linux.cc(127)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can
try using --no-sandbox.
Trace/breakpoint trap

[nikolas]

Nevermind, I found the kernel config option: CONFIG_USER_NS. I'm grepping for this error message in Brave's source so I can update the docs but I can't find it - can anyone help with this?

[oritwoen]

With the new kernel, I also had a problem with running. Before updating the kernel, everything worked.

[9829:9829:0827/152816.063604:FATAL:zygote_host_impl_linux.cc(127)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
Trap debugger/breakpoint (memory dump)

[nikolas]

@Redni that means that the CONFIG_USER_NS option isn't turned on in your kernel. We need to update that error message.

[oritwoen]

I have in the kernel: CONFIG_USER_NS=y and CONFIG_NAMESPACES=y. And it still does not work. The settings of the kernel did not change at all, just after the departure of the new kernel number brave stopped working.

[bsclifton]

For folks experiencing this, can you please try grabbing the new version of Brave?
https://brave.com/download

If you run still run into problems, let's create an issue in the new repository:
https://github.com/brave/brave-browser

[daniel-mueller]

I still experience the problem with version 0.56.12

OS is Debian 9.6

[Mikaela]

For Debian there is open issue at brave/brave-browser#1986 (comment) including a "workaround".

[simonorono]

Still happening on Manjaro with Linux 4.19.1

[11991:11991:1114/225404.179905:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
Trace/breakpoint trap (core dumped)

[Smooey]

Just posted about this in various comments on this "issue"... In Artix OS, using "runit" / no systemd. Managed to get it installed using "yaourt", then got the namespace message about not being enabled. Then enabled it, then got "Trace/breakpoint trap" in terminal after trying to run "brave" in terminal. It appears in "Internet" menu and so forth, but just doesn't do anything.

[Smooey]

Leaving an update error log here, I know you're not supposed to do this but I did it anyway. I'm posting from Virtual Box with Artix Linux OS... I ran brave from terminal with sudo privs... then got these errors from terminal. Not sure if it answers any of the questions to above errors though..

[2550:2550:1222/004537.506003:ERROR:gl_implementation.cc(281)] Failed to load /usr/lib/brave-bin/swiftshader/libGLESv2.so: /usr/lib/brave-bin/swiftshader/libGLESv2.so: cannot open shared object file: No such file or directory [2550:2550:1222/004537.542359:ERROR:viz_main_impl.cc(184)] Exiting GPU process due to errors during initialization [2575:2575:1222/004538.154049:ERROR:gl_implementation.cc(281)] Failed to load /usr/lib/brave-bin/swiftshader/libGLESv2.so: /usr/lib/brave-bin/swiftshader/libGLESv2.so: cannot open shared object file: No such file or directory [2575:2575:1222/004538.200410:ERROR:viz_main_impl.cc(184)] Exiting GPU process due to errors during initialization [2520:2527:1222/004538.341180:ERROR:browser_gpu_channel_host_factory.cc(139)] Failed to launch GPU process. [2520:2613:1222/004538.510565:ERROR:bus.cc(396)] Failed to connect to the bus: Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix") [2520:2537:1222/004538.940167:ERROR:rewards_service_impl.cc(139)] Failed to read file: /root/.config/BraveSoftware/Brave-Browser/Default/ledger_state [2520:2527:1222/004540.105293:ERROR:browser_gpu_channel_host_factory.cc(139)] Failed to launch GPU process. [2520:2520:1222/004540.324615:ERROR:x11_input_method_context_impl_gtk.cc(144)] Not implemented reached in virtual void libgtkui::X11InputMethodContextImplGtk::SetSurroundingText(const base::string16 &, const gfx::Range &) [2520:2520:1222/004540.573682:ERROR:gpu_process_transport_factory.cc(967)] Lost UI shared context. [2520:2520:1222/004543.379631:ERROR:brave_stats_updater.cc(141)] Failed to send usage stats to update server, error: -2, response code: 400, url: https://laptop-updates.brave.com/1/usage/brave-core?platform=linux-bc&channel=unknown&version=0.57.18&daily=true&weekly=true&monthly=true&first=true&woi=2018-12-17&ref=none