No SUID-sandbox

  • Hi.

    I have asked this question at Google Product Forums › Google Chrome Help Forum, but did not get a real answer, so I try here as well.

    Using Opera 31.0.1857.0 developer on Ubuntu 15.04 64-bit, browser://sandbox/ reports:

    Sandbox Status

    SUID Sandbox: No

    Namespace Sandbox: Yes

    PID namespaces: Yes

    Network namespaces: Yes

    Seccomp-BPF sandbox: Yes

    Seccomp-BPF sandbox supports TSYNC: Yes

    Yama LSM enforcing: Yes

    You are adequately sandboxed.

    This is new with Chromium 42: SUID Sandbox disabled and Namespace Sandbox added. Is Namespace Sandbox supposed to replace SUID Sandbox, or why is SUID disabled?

    Thanks. 🐧

  • The key point is

    You are adequately sandboxed.

    SUID sandbox is not needed if your kernel supports the other required features (kernels of 3.17 or newer almost always will and some older kernels if they have been suitably patched by your distro).

    P.S. The sandbox binary is still made SUID in the post-install step of the packaging, because not everyone has a suitable kernel.

    P.P.S. It seems that I still have an employee badge, but I have left Opera now, following the shutdown of the Desktop team in Oslo.

  • Hi and thank you for the reply. 🙂

    It said “You are adequately sandboxed.” also when there was only SUID, PID namespaces and Network namespaces, before Seccomp-BPF (when legacy Seccomp was disabled by default) and before Yama. 😉

    So Namespace Sandbox can be seen as a replacement for SUID?

    The changelog¹ for Chromium (where SUID is called “setuid”) isn’t very clear (to me), and the documentation² is outdated.

    ¹ https://chromium.googlesource.com/chromium/src/+log/41.0.2272.0..42.0.2311.0?pretty=fuller&n=10000

    ² https://code.google.com/p/chromium/wiki/LinuxSandboxing

    Sorry to read the P.P.S. 😞

  • LinuxSandboxing was updated 12 May. The new version of the document adds:

    “The namespace sandbox aims to replace the setuid sandbox. It has the advantage of not requiring a setuid binary. It's based on (unprivileged) user namespaces in the Linux kernel. It generally requires a kernel >= 3.10, although it may work with 3.8 if certain patches are backported.

    Starting with M-43, if the kernel supports it, unprivileged namespaces are used instead of the setuid sandbox. Starting with M-44, certain processes run in their own PID namespace, which isolates them better.”

    So the answer is that SUID is disabled because the new Namespace Sandbox replaces it (if possible).

    🐧
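The two replies above boil down to a checklist: the namespace sandbox needs unprivileged user namespaces, the "adequately sandboxed" verdict also wants seccomp-BPF (TSYNC from kernel 3.17, which is where the "3.17 or newer" rule of thumb comes from) and Yama, and the SUID helper only matters on kernels that lack those. The POSIX sh script below is an added example, not code from this thread, from Opera or from the Chromium project; it checks those kernel features from the shell so you can predict what browser://sandbox/ or chrome://sandbox/ will report. The sysctl names, the default helper path (/opt/google/chrome/chrome-sandbox, Google Chrome's packaged location; Opera's differs) and the use of util-linux unshare(1) as a fallback probe are my assumptions, stated in the comments.

```shell
#!/bin/sh
# Added example: predict the browser://sandbox/ status table from the shell.
# Not part of the forum thread, Opera or Chromium; paths and sysctls below are
# assumptions noted where they are used.

# kver_ge A B: true when kernel version string A is >= B, comparing only the
# numeric major.minor.patch prefix ("4.4.0-112-generic" -> 4.4.0).
kver_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    set -- $(printf '%s' "$a" | tr '.' ' ') 0 0 0
    a1=$1 a2=$2 a3=$3
    set -- $(printf '%s' "$b" | tr '.' ' ') 0 0 0
    b1=$1 b2=$2 b3=$3
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# Seccomp-BPF thread sync (SECCOMP_FILTER_FLAG_TSYNC) landed in Linux 3.17.
tsync_supported() {
    kver_ge "$1" 3.17
}

# Unprivileged user namespaces, which the namespace sandbox is built on.
# Assumption: some distro kernels expose kernel.unprivileged_userns_clone
# (Debian's do); user.max_user_namespaces=0 (4.9+) disables them outright;
# otherwise actually try unshare(CLONE_NEWUSER) via util-linux unshare(1).
userns_available() {
    if [ -r /proc/sys/user/max_user_namespaces ] &&
       [ "$(cat /proc/sys/user/max_user_namespaces)" -eq 0 ]; then
        return 1
    fi
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -eq 1 ]
    elif command -v unshare >/dev/null 2>&1; then
        unshare -U true 2>/dev/null
    else
        return 2   # cannot tell from here
    fi
}

# Seccomp: every task shows a "Seccomp:" line in /proc/PID/status when the
# kernel has CONFIG_SECCOMP. Filter (BPF) mode also needs
# CONFIG_SECCOMP_FILTER, merged in 3.5; confirm from the build config if one
# is readable, otherwise fall back to the version number.
seccomp_filter_available() {
    grep -q '^Seccomp:' /proc/self/status 2>/dev/null || return 1
    cfg=/boot/config-$(uname -r)
    if [ -r "$cfg" ]; then
        grep -q '^CONFIG_SECCOMP_FILTER=y' "$cfg"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '^CONFIG_SECCOMP_FILTER=y'
    else
        kver_ge "$(uname -r)" 3.5
    fi
}

# Yama: ptrace_scope >= 1 restricts ptrace to descendants (2 = admin only,
# 3 = no attach at all), which is what the browser means by "enforcing".
yama_enforcing() {
    [ -r /proc/sys/kernel/yama/ptrace_scope ] || return 1
    [ "$(cat /proc/sys/kernel/yama/ptrace_scope)" -ge 1 ]
}

# The legacy helper must be root-owned and setuid to be usable at all.
# Assumption: Google Chrome's packaged path; pass another path for Opera.
helper_is_suid_root() {
    [ -n "$(find "${1:-/opt/google/chrome/chrome-sandbox}" -prune \
              -user root -perm -4000 2>/dev/null)" ]
}

yn() { if "$@" >/dev/null 2>&1; then echo Yes; else echo No; fi; }

report() {
    kver=$(uname -r)
    printf 'Kernel                              %s\n' "$kver"
    printf 'Namespace sandbox possible (userns) %s\n' "$(yn userns_available)"
    printf 'Seccomp-BPF sandbox                 %s\n' "$(yn seccomp_filter_available)"
    printf 'Seccomp-BPF supports TSYNC          %s\n' "$(yn tsync_supported "$kver")"
    printf 'Yama LSM enforcing                  %s\n' "$(yn yama_enforcing)"
    printf 'SUID helper usable (fallback)       %s\n' "$(yn helper_is_suid_root "$1")"
}

report "$@"
```

If the first line reports a kernel at or above 3.17 and "Namespace sandbox possible" says Yes, "SUID Sandbox No" in the browser is expected and harmless; the helper line only becomes interesting when the namespace row says No, because then the setuid binary is the only way back to a sandboxed renderer.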
