Bug 613668 - www-client/chromium[-suid] doesn't work properly on kernels with GRSEC enabled
Summary: www-client/chromium[-suid] doesn't work properly on kernels with GRSEC enabled
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Chromium Project
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-03-23 18:44 UTC by Rasmus Thomsen
Modified: 2017-08-28 14:35 UTC (History)
2 users

See Also:
Package list:
Runtime testing required: ---


Description Rasmus Thomsen 2017-03-23 18:44:53 UTC
Hello,
Chromium with USE=-suid can't initialise its sandbox on kernels with GRSEC enabled, as they don't expose user namespaces to unprivileged users[1], hence chromium isn't able to use them. Using chromium isn't possible without starting it with --no-sandbox, which is both insecure and can affect performance. Would it be possible to note this in the description for the SUID USE flag?

[1]https://github.com/NixOS/nixpkgs/issues/17460#issuecomment-237601115
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2017-03-27 14:41:25 UTC
Could you identify a specific kernel .config option responsible for this? We should probably add it to https://gitweb.gentoo.org/repo/gentoo.git/tree/eclass/chromium-2.eclass?id=61b861acd7b49083dab687e133f30f3331cb7480#n25 .
Comment 2 Mike Gilbert gentoo-dev 2017-03-27 15:45:14 UTC
Here's the relevant section from the grsecurity kernel patch.

diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 86b7854..0c3cfe2 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -76,6 +76,21 @@ int create_user_ns(struct cred *new)
 	struct ucounts *ucounts;
 	int ret, i;
 
+#ifdef CONFIG_GRKERNSEC
+	/*
+	 * This doesn't really inspire confidence:
+	 * http://marc.info/?l=linux-kernel&m=135543612731939&w=2
+	 * http://marc.info/?l=linux-kernel&m=135545831607095&w=2
+	 * Increases kernel attack surface in areas developers
+	 * previously cared little about ("low importance due
+	 * to requiring "root" capability")
+	 * To be removed when this code receives *proper* review
+	 */
+	if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
+			!capable(CAP_SETGID))
+		return -EPERM;
+#endif
+
 	ret = -ENOSPC;
 	if (parent_ns->level > 32)
 		goto fail;
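Review bot: the gate is a pure build-time policy with no runtime override. With CONFIG_GRKERNSEC set, create_user_ns() returns -EPERM for any caller lacking all of CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID, so unshare(CLONE_NEWUSER) and clone(CLONE_NEWUSER) fail for every unprivileged process, which is exactly what breaks the setuid-less Chromium sandbox discussed here. Consider exposing the policy through a sysctl so an administrator can re-enable unprivileged user namespaces for a sandboxed browser without rebuilding the kernel, and consider logging the refusal so the failure is diagnosable rather than a bare EPERM. The quoting in the block comment is also unbalanced (`("low importance due to requiring "root" capability")`) and should be tidied before this is merged anywhere.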


We could probably warn if CONFIG_GRKERNSEC is enabled and suid is disabled.
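The runtime symptom of the check quoted above is that unshare(CLONE_NEWUSER) fails with EPERM for any ordinary user, which is what a setuid-less Chromium sandbox runs into. The following probe, an added example that is not Chromium's, grsecurity's or Gentoo's own code, reproduces that test from userspace: it forks a child, has the child try to create a user namespace, and maps the resulting errno to a verdict. The verdict strings and the function names are my own; run it as a normal user, because root holds the three capabilities the patch checks and so passes the gate.

```c
/*
 * userns_probe.c: added example, not code from Chromium, grsecurity or Gentoo.
 * Checks whether an unprivileged process can create a user namespace, which
 * is what chromium[-suid] needs for its sandbox.
 * Build: cc -Wall -o userns_probe userns_probe.c   (run as a normal user)
 */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case <sched.h> was pulled in before _GNU_SOURCE took effect. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);

/*
 * Attempt unshare(CLONE_NEWUSER) in a forked child so the probing process
 * itself never ends up inside a new namespace.
 * Returns 0 if the namespace was created, the child's errno if the kernel
 * refused, or -1 if the probe itself could not run (fork failed, or the
 * child was killed, e.g. by a seccomp filter).
 */
int probe_unprivileged_userns(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) == 0)
            _exit(0);
        /* errno values are small positive ints, so they fit the 8-bit exit status */
        _exit(errno & 0xff);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Map the probe result to the verdict a chromium[-suid] user cares about. */
const char *userns_verdict(int rc)
{
    switch (rc) {
    case 0:
        return "ok: unprivileged user namespaces work; chromium[-suid] can sandbox";
    case EPERM:
        return "blocked: kernel returned EPERM (e.g. the CONFIG_GRKERNSEC gate); "
               "build chromium with USE=suid or it will only run with --no-sandbox";
    case EINVAL:
        return "unsupported: kernel built without CONFIG_USER_NS";
    case -1:
        return "probe failed: could not fork, or the child was killed (seccomp?)";
    default:
        return "refused for another reason (see errno)";
    }
}

int main(void)
{
    int rc = probe_unprivileged_userns();

    if (geteuid() == 0)
        fprintf(stderr, "warning: running as root satisfies the capability "
                        "checks; rerun as a normal user\n");
    if (rc > 0)
        printf("unshare(CLONE_NEWUSER): %s\n", strerror(rc));
    printf("%s\n", userns_verdict(rc));
    return rc == 0 ? 0 : 1;
}
```

On a grsecurity kernel with CONFIG_GRKERNSEC the child exits with EPERM and the verdict is the "blocked" line; on a kernel that allows unprivileged user namespaces it prints the "ok" line and exits 0. The EINVAL case covers kernels built without CONFIG_USER_NS at all, which is a different failure from the capability gate quoted above.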
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2017-05-24 16:29:18 UTC
Added a check for this to chromium-2.eclass .
Comment 4 Anton Bolshakov 2017-08-28 03:58:52 UTC
Guys, can you clarify if google-chrome is affected by this bug?
I'm getting the same warning with it as well because chromium-2.eclass is inherited. 

If yes, how should one configure it (there is no suid USE flag with google-chrome)?
Comment 5 Mike Gilbert gentoo-dev 2017-08-28 14:35:19 UTC
(In reply to Anton Bolshakov from comment #4)
> Guys, can you clarify if google-chrome is affected by this bug?
> I'm getting the same warning with it as well because chromium-2.eclass is
> inherited. 

google-chrome always installs chrome-sandbox with the suid bit set, so you do not need to enable any USE flag for it.

grsec still breaks the user namespace sandbox, so the warning message is valid.