Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 613668

Summary: www-client/chromium[-suid] doesn't work properly on kernels with GRSEC enabled
Product: Gentoo Linux Reporter: Rasmus Thomsen <Rasmus.thomsen>
Component: Current packagesAssignee: Chromium Project <chromium>
Status: RESOLVED FIXED    
Severity: normal CC: anton.bugs, sandino
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Rasmus Thomsen 2017-03-23 18:44:53 UTC 
Hello,
Chromium with USE=-suid can't initialise it's sandbox on kernels with GRSEC enabled, as it doesn't expose user namespace to unprivileged users[1], hence chromium isn't able to use it. Using chromium isn't possible without starting it with --no-sandbox, which is both insecure and can affect performance. Would it be possible to note this in the description for the SUID use flag?

[1]https://github.com/NixOS/nixpkgs/issues/17460#issuecomment-237601115
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2017-03-27 14:41:25 UTC 
Could you identify a specific kernel .config option responsible for this? We should probably add it to https://gitweb.gentoo.org/repo/gentoo.git/tree/eclass/chromium-2.eclass?id=61b861acd7b49083dab687e133f30f3331cb7480#n25 .
Comment 2 Mike Gilbert gentoo-dev 2017-03-27 15:45:14 UTC 
Here's the relevant section from the grsecurity kernel patch.

diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 86b7854..0c3cfe2 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -76,6 +76,21 @@ int create_user_ns(struct cred *new)
 	struct ucounts *ucounts;
 	int ret, i;
 
+#ifdef CONFIG_GRKERNSEC
+	/*
+	 * This doesn't really inspire confidence:
+	 * http://marc.info/?l=linux-kernel&m=135543612731939&w=2
+	 * http://marc.info/?l=linux-kernel&m=135545831607095&w=2
+	 * Increases kernel attack surface in areas developers
+	 * previously cared little about ("low importance due
+	 * to requiring "root" capability")
+	 * To be removed when this code receives *proper* review
+	 */
+	if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
+			!capable(CAP_SETGID))
+		return -EPERM;
+#endif
+
 	ret = -ENOSPC;
 	if (parent_ns->level > 32)
 		goto fail;


We could probably warn if CONFIG_GRKERNSEC is enabled and suid is disabled.
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2017-05-24 16:29:18 UTC 
Added a check for this to chromium-2.eclass .
Comment 4 Anton Bolshakov 2017-08-28 03:58:52 UTC 
Guys, can you clarify if google-chrome is affected by this bug?
I'm getting the same warning with it as well because chromium-2.eclass is inherited. 

if yes, how one should configure it (there is no suid USE flag with google-chrome).
Comment 5 Mike Gilbert gentoo-dev 2017-08-28 14:35:19 UTC 
(In reply to Anton Bolshakov from comment #4)
> Guys, can you clarify if google-chrome is affected by this bug?
> I'm getting the same warning with it as well because chromium-2.eclass is
> inherited. 

google-chrome always installs chrome-sandbox with the suid bit set, so you do not need to enable any USE flag for it.

grsec still breaks the user namespace sandbox, so the warning message is valid.