Bug 664992 - www-client/chromium[-suid]: FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! [...]
Summary: www-client/chromium[-suid]: FATAL:zygote_host_impl_linux.cc(116)] No usable s...
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Chromium Project
Reported: 2018-08-31 20:17 UTC by Michał Górny
Modified: 2018-11-21 13:55 UTC (History)

Attachments
chromium-bt.txt (chromium-bt.txt,2.24 KB, text/plain)
2018-08-31 20:17 UTC, Michał Górny
Details
www-client:chromium-69.0.3497.57:20180827-131531.log.xz (www-client:chromium-69.0.3497.57:20180827-131531.log.xz,847.25 KB, application/x-xz)
2018-08-31 20:21 UTC, Michał Górny
Details
kernel-config.txt (kernel-config.txt,116.43 KB, text/plain)
2018-08-31 20:21 UTC, Michał Górny
Details

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-08-31 20:17:40 UTC
Created attachment 545666 [details]
chromium-bt.txt

[25283:25283:0831/220915.428210:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.

(followed by useless stacktrace)

I've been getting this for a while now.  I certainly have namespaces on this system.  I also have another system with a similar config where it works just fine.  I'm sorry but I didn't write down which version was the first to fail (but if I were to guess, I would say the first one using the new sandbox).

I'll attach the full (useless) backtrace, last build log and kernel config.  I'd appreciate any suggestions on resolving this because I've been running with --no-sandbox for 2-3 months now.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-08-31 20:21:09 UTC
Created attachment 545668 [details]
www-client:chromium-69.0.3497.57:20180827-131531.log.xz

(beware: it decompresses to 120 MiB)
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-08-31 20:21:50 UTC
Created attachment 545670 [details]
kernel-config.txt
Comment 3 Mike Gilbert gentoo-dev 2018-09-10 19:23:30 UTC
Maybe strace -f might reveal a failing syscall?
Comment 4 Mike Gilbert gentoo-dev 2018-09-10 19:26:10 UTC
Also, if you have the memory, building with debug symbols might be useful.

Even if you can't enable full debug symbols, enabling FEATURES="nostrip" might give us a function name to look at.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-11-21 13:22:25 UTC
OK, I finally figured it out.  It turns out you need to manually set /proc/sys/kernel/unprivileged_userns_clone to 1.  Maybe we should install a sysctl.d file for it when USE=-suid?
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-11-21 13:55:09 UTC
Hmm, I see that this is not present in mainline kernel but is a Debian patch that's also included in -pf kernels.  I suppose some documentation on this might be helpful but feel free to reject.
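The diagnosis in comments 5 and 6 boils down to: with USE=-suid, Chromium's namespace sandbox needs unprivileged user namespaces, and on kernels carrying the Debian unprivileged_userns_clone patch (also shipped in -pf kernels) that is gated behind a sysctl that defaults to 0. The script below is an added example, not code from the bug, from Gentoo or from Chromium. It classifies the state of the knob, empirically tries to create a user namespace the way the sandbox would, and prints the sysctl.d fragment comment 5 proposes. The function names and the sysctl.d file name are assumptions; the knob path and the sysctl key are the ones named in the bug.

```shell
#!/bin/sh
# Added example: check whether unprivileged user namespaces are available,
# which www-client/chromium[-suid] needs for its namespace sandbox.
# Not part of the bug report, the Gentoo ebuild or Chromium.

# Classify the Debian unprivileged_userns_clone knob. The path is a parameter
# so the function can be pointed at a constructed file for testing. Prints:
#   absent   - no such sysctl (mainline kernel without the Debian patch)
#   enabled  - knob reads 1
#   disabled - knob reads 0 (the state the reporter hit: "No usable sandbox!")
#   unknown  - unreadable or unexpected content
userns_knob_state() {
    knob="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    if [ ! -e "$knob" ]; then
        echo absent
        return 0
    fi
    case "$(cat "$knob" 2>/dev/null)" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Empirical check, independent of which kernel patchset is in use: try to
# create a user namespace as the current (unprivileged) user, the same
# clone(CLONE_NEWUSER) the sandbox relies on. Needs util-linux's unshare(1).
# Prints "ok" or "fail".
userns_works() {
    if unshare -Ur true 2>/dev/null; then
        echo ok
    else
        echo fail
    fi
}

# The sysctl.d fragment suggested in comment 5. Installing it under
# /etc/sysctl.d/ (file name is an assumption) makes the setting persistent.
sysctl_fragment() {
    printf '# Required by www-client/chromium[-suid] (namespace sandbox) on kernels\n'
    printf '# that carry the Debian unprivileged_userns_clone patch.\n'
    printf 'kernel.unprivileged_userns_clone = 1\n'
}

main() {
    state=$(userns_knob_state)
    echo "kernel.unprivileged_userns_clone: $state"
    echo "unprivileged user namespace creation: $(userns_works)"
    if [ "$state" = disabled ]; then
        echo "Immediate fix:  sysctl -w kernel.unprivileged_userns_clone=1"
        echo "Persistent fix: write the following to /etc/sysctl.d/60-chromium-userns.conf"
        sysctl_fragment
    fi
}

main "$@"
```

Two caveats a practitioner should keep in mind. First, "absent" is the normal result on a mainline kernel: there the knob does not exist and user namespaces are governed by CONFIG_USER_NS plus the mainline limit user.max_user_namespaces, so rely on the empirical unshare(1) check rather than on the knob alone. Second, after changing the sysctl, chrome://sandbox in a running Chromium shows whether the namespace sandbox is actually active, which is the check that matters before dropping --no-sandbox.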