Created attachment 545666 [details]
[25283:25283:0831/220915.428210:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
(followed by useless stacktrace)
I'm getting this for a while now. I certainly have namespaces on this system. I also have another system with similar config where it works just fine. I'm sorry but I didn't write down which version was the first to fail (but if I were to guess, I would say the first one using new sandbox).
I'll attach the full (useless) backtrace, last build log and kernel config. I'd appreciate any suggestions on resolving this because I'm going --no-sandbox for 2-3 months now.
Created attachment 545668 [details]
(beware: it decompresses to 120 MiB)
Created attachment 545670 [details]
Maybe strace -f might reveal a failing syscall?
Also, if you have the memory, building with debug symbols might be useful.
Even if you can't enable full debug symbols, enabling FEATURES="nostrip" might give us a function name to look at.
Ok, finally figured it out. It turns out you need to manually set /proc/sys/kernel/unprivileged_userns_clone to 1. Maybe we should install sysctl.d for it when USE=-suid?
Hmm, I see that this is not present in mainline kernel but is a Debian patch that's also included in -pf kernels. I suppose some documentation on this might be helpful but feel free to reject.