
Bug 664992

Summary: www-client/chromium[-suid]: FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! [...]
Product: Gentoo Linux
Reporter: Michał Górny <mgorny>
Component: Current packages
Assignee: Chromium Project <chromium>
Status: CONFIRMED
Resolution: ---
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: chromium-bt.txt
www-client:chromium-69.0.3497.57:20180827-131531.log.xz
kernel-config.txt

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-08-31 20:17:40 UTC
Created attachment 545666 [details]
chromium-bt.txt

[25283:25283:0831/220915.428210:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.

(followed by useless stacktrace)

I've been getting this for a while now. I certainly have namespaces on this system. I also have another system with similar config where it works just fine. I'm sorry but I didn't write down which version was the first to fail (but if I were to guess, I would say the first one using the new sandbox).

I'll attach the full (useless) backtrace, last build log and kernel config. I'd appreciate any suggestions on resolving this because I've been going --no-sandbox for 2-3 months now.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-08-31 20:21:09 UTC
Created attachment 545668 [details]
www-client:chromium-69.0.3497.57:20180827-131531.log.xz

(beware: it decompresses to 120 MiB)
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-08-31 20:21:50 UTC
Created attachment 545670 [details]
kernel-config.txt
Comment 3 Mike Gilbert gentoo-dev 2018-09-10 19:23:30 UTC
Maybe strace -f might reveal a failing syscall?
Comment 4 Mike Gilbert gentoo-dev 2018-09-10 19:26:10 UTC
Also, if you have the memory, building with debug symbols might be useful.

Even if you can't enable full debug symbols, enabling FEATURES="nostrip" might give us a function name to look at.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-11-21 13:22:25 UTC
Ok, finally figured it out.  It turns out you need to manually set /proc/sys/kernel/unprivileged_userns_clone to 1.  Maybe we should install sysctl.d for it when USE=-suid?
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-11-21 13:55:09 UTC
Hmm, I see that this is not present in mainline kernel but is a Debian patch that's also included in -pf kernels.  I suppose some documentation on this might be helpful but feel free to reject.
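The situation described in Comments 5 and 6, as an added diagnostic script that is not part of the bug report or of anything Gentoo ships: it classifies the running kernel by the Debian-style `unprivileged_userns_clone` sysctl (absent on mainline, 0 or 1 on patched kernels), probes whether an unprivileged user namespace can actually be created, and emits the sysctl.d fragment Comment 5 proposes. `PROC_ROOT`, `userns_knob_status`, `userns_works` and `sysctl_fragment` are names chosen here, not anything from chromium or the ebuild.

```shell
#!/bin/sh
# Added diagnostic for the chromium[-suid] "No usable sandbox!" failure.
# PROC_ROOT is a hypothetical override so the checks can be pointed at a
# fake /proc tree (handy for testing); it defaults to the real one.
PROC_ROOT="${PROC_ROOT:-/proc}"
KNOB_REL="sys/kernel/unprivileged_userns_clone"

# Classify the kernel by the Debian/-pf sysctl knob:
#   mainline  - knob absent: vanilla kernel, no extra toggle beyond CONFIG_USER_NS
#   enabled   - knob present and 1: the namespace sandbox can be set up
#   disabled  - knob present and 0: the state behind this bug
#   unknown   - knob present with an unexpected value
userns_knob_status() {
    knob="$PROC_ROOT/$KNOB_REL"
    [ -e "$knob" ] || { echo mainline; return 0; }
    case "$(cat "$knob" 2>/dev/null)" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Functional probe: try to create a user namespace as an unprivileged process.
# Exit status 0 = works, 2 = cannot test (no unshare binary), anything else = refused.
userns_works() {
    command -v unshare >/dev/null 2>&1 || return 2
    unshare -U true 2>/dev/null
}

# The sysctl.d fragment Comment 5 suggests shipping for USE=-suid.
# The key only exists on kernels carrying the Debian patch.
sysctl_fragment() {
    printf '# Allow chromium[-suid] to create its namespace sandbox\n'
    printf 'kernel.unprivileged_userns_clone = 1\n'
}

report() {
    echo "unprivileged_userns_clone knob: $(userns_knob_status)"
    if userns_works; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "unshare -U: works (sandbox should start)" ;;
        2) echo "unshare -U: not tested (unshare missing)" ;;
        *) echo "unshare -U: refused; if the knob is 'disabled', apply:"
           sysctl_fragment ;;
    esac
}

report
```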