Created attachment 270241: New launcher script. If you do an `about:sandbox` in the chromium browser it warns you that it is not adequately sandboxed. Chromium does support Linux seccomp sandboxing, but it is not enabled by default. If you add the flag `--enable-seccomp-sandbox` to the command line it will use it and provide better sandboxing. The best place to put this is in the chromium-launcher.sh script.
seccomp sandbox is still in development and not on by default for a reason. My "about:sandbox" page says the browser is adequately sandboxed. If yours shows a different result, could you post more details?
Ah, I reproduced the "not adequately sandboxed" message on another system with different kernel config. The sandbox requires PID and network namespaces to be fully effective. I've added checks to the ebuild. Thank you for reporting, that was a good catch!
Nice, I've recompiled my kernel. But how about the "--enable-seccomp-sandbox" parameter? The message says "Seccomp sandbox No" without it.
(In reply to comment #3) > Nice, I've recompiled my kernel. But how about "--enable-seccomp-sandbox" > parameter? The message says "Seccomp sandbox No" without it Feel free to use/try/test unsupported and experimental switches locally, but I'd rather not make them the default.
I read warning messages from an ebuild that warned me about having PID and networking namespaces. I am not sure what version, as it was in ~amd64 and I have updated since then. I recompiled my kernel after reading those messages and I am "...adequately sandboxed."
the changes added to recent ebuilds (>=chromium-16*):

    pkg_pretend() {
        if [[ "${MERGE_TYPE}" == "source" || "${MERGE_TYPE}" == "binary" ]]; then
            # Fail if the kernel doesn't support features needed for sandboxing,
            # bug #363907.
            ERROR_PID_NS="PID_NS is required for sandbox to work"
            ERROR_NET_NS="NET_NS is required for sandbox to work"
            CONFIG_CHECK="PID_NS NET_NS"
            check_extra_config
        fi
    }

to support these kernel checks have the unfortunate effect of breaking binary xpak based installs; checking kernel parameters in pkg_pretend() causes an install time requirement of the configured kernel source tree - quite an issue if you have a binary build system + many clients

----
Calculating dependencies... done!
[binary  NS    ~] www-client/chromium-16.0.912.21 [9999-r1] USE="gnome gnome-keyring kerberos -bindist (-pulseaudio) -test" LINGUAS="en_GB -am -ar -bg -bn -ca -cs -da -de -el -es -es_LA -et -fa -fi -fil -fr -gu -he -hi -hr -hu -id -it -ja -kn -ko -lt -lv -ml -mr -nb -nl -pl -pt_BR -pt_PT -ro -ru -sk -sl -sr -sv -sw -ta -te -th -tr -uk -vi -zh_CN -zh_TW" 0 kB

Total: 1 package (1 in new slot, 1 binary), Size of downloads: 0 kB

>>> Running pre-merge checks for www-client/chromium-16.0.912.21
 * chromium-16.0.912.21.tbz2 size ;-) ...                                [ ok ]
 * Determining the location of the kernel source code
 * Unable to find kernel sources at /usr/src/linux
 * Please make sure that /usr/src/linux points at your running kernel,
 * (or the kernel you wish to build against).
 * Alternatively, set the KERNEL_DIR environment variable to the kernel sources location
 * Unable to calculate Linux Kernel version for build, attempting to use running version
 * Checking for suitable kernel configuration options...
 *   PID_NS is required for sandbox to work
 *   NET_NS is required for sandbox to work
 * Please check to make sure these options are set correctly.
 * Failure to do so may cause unexpected problems.
 * Once you have satisfied these options, please try merging
 * this package again.
 * ERROR: www-client/chromium-16.0.912.21 failed (pretend phase):
 *   Incorrect kernel configuration options
 *
 * Call stack:
 *     ebuild.sh, line   91:  Called pkg_pretend
 *   environment, line 4149:  Called check_extra_config
 *   environment, line 1582:  Called die
 * The specific snippet of code:
 *       die "Incorrect kernel configuration options";
 *
-------
zgrep -E '(PID_NS|NET_NS)' /proc/config.gz
CONFIG_PID_NS=y
CONFIG_NET_NS=y
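The kernel-option check that the ebuild's pkg_pretend() performs, as an added shell example that is not the ebuild's code and not Gentoo's check_extra_config: it reads the running kernel's configuration (/proc/config.gz or /boot/config-<release>) instead of /usr/src/linux, which is what a binary-only client has available. The check_kconfig and running_kconfig function names and the two sample config files are constructed for this example.

```shell
#!/bin/sh
# Added example: verify that a kernel configuration enables the options the
# chromium ebuild requires for its sandbox (CONFIG_PID_NS, CONFIG_NET_NS)
# without needing a configured kernel source tree on the machine.

# check_kconfig CONFIG_FILE OPTION...
# Returns 0 when every OPTION is built in (=y) or modular (=m) in CONFIG_FILE;
# otherwise lists the missing options on stderr and returns 1.
check_kconfig() {
  cfg="$1"; shift
  missing=""
  for opt in "$@"; do
    # Anchor both ends so PID_NS does not match, e.g., a hypothetical PID_NS_FOO.
    if ! grep -Eq "^CONFIG_${opt}=[ym]$" "$cfg"; then
      missing="$missing $opt"
    fi
  done
  if [ -n "$missing" ]; then
    echo "missing kernel options:$missing" >&2
    return 1
  fi
  return 0
}

# running_kconfig
# Prints the path of a plain-text copy of the running kernel's configuration:
# /proc/config.gz (requires CONFIG_IKCONFIG_PROC) is decompressed to a temp
# file; otherwise /boot/config-$(uname -r) is used. Returns 1 if neither exists.
running_kconfig() {
  if [ -r /proc/config.gz ]; then
    tmp=$(mktemp) && zcat /proc/config.gz > "$tmp" && echo "$tmp"
  elif [ -r "/boot/config-$(uname -r)" ]; then
    echo "/boot/config-$(uname -r)"
  else
    return 1
  fi
}

# Constructed sample configs (not real kernel output) so the check can be
# exercised offline: one with both namespaces enabled, one with PID_NS unset.
SAMPLE_OK=$(mktemp)
printf 'CONFIG_NAMESPACES=y\nCONFIG_PID_NS=y\nCONFIG_NET_NS=y\n' > "$SAMPLE_OK"
SAMPLE_BAD=$(mktemp)
printf 'CONFIG_NAMESPACES=y\n# CONFIG_PID_NS is not set\nCONFIG_NET_NS=y\n' > "$SAMPLE_BAD"

check_kconfig "$SAMPLE_OK" PID_NS NET_NS && echo "sample config: sandbox options present"
check_kconfig "$SAMPLE_BAD" PID_NS NET_NS || echo "sample config: PID_NS missing, as expected"

# Check the real running kernel when its configuration is readable.
if cfg=$(running_kconfig); then
  check_kconfig "$cfg" PID_NS NET_NS && echo "running kernel: sandbox options present"
fi
```

Run it as a plain script; the sample-config lines are the self-test, and the last block reports on the kernel the script is running under. Because it only reads the kernel's own exported configuration, it can be used as a post-install check on a binary client where the ebuild's pkg_pretend() check cannot run.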
(In reply to comment #6) Thanks for pointing that out. Please file a separate bug for this.
(In reply to comment #7) > (In reply to comment #6) > Thanks for pointing that out. Please file a separate bug for this. bug #389517 created