No SUID-sandbox
-
A Former User last edited by
Hi.
I have asked this question at Google Product Forums › Google Chrome Help Forum, but did not get a real answer, so I try here as well.
Using Opera 31.0.1857.0 developer on Ubuntu 15.04 64-bit, browser://sandbox/ reports:
Sandbox Status
SUID Sandbox Nej
Namespace Sandbox Ja
PID namespaces Ja
Network namespaces Ja
Seccomp-BPF sandbox Ja
Seccomp-BPF sandbox supports TSYNC Ja
Yama LSM enforcing Ja
You are adequately sandboxed.
This is new with Chromium 42: SUID Sandbox disabled and Namespace Sandbox added. Is Namespace Sandbox supposed to replace SUID Sandbox, or why is SUID disabled?
Thanks.
-
ruario last edited by
The key point is
You are adequately sandboxed.
SUID sandbox is not needed if your kernel supports the other required features (kernels of 3.17 or newer almost always will and some older kernels if they have been suitably patched by your distro).
P.S. The sandbox is still SUID in post install of packaging because not everyone has a suitable kernel.
P.P.S. It seems that I still have an employee badge but I have left Opera now, following the shut down of the Desktop team in Oslo.
-
A Former User last edited by
Hi and thank you for the reply.
It also said “You are adequately sandboxed.” when there were only SUID, PID namespaces and Network namespaces, before Seccomp-BPF (when legacy Seccomp was disabled by default) and before Yama.
So Namespace Sandbox can be seen as a replacement for SUID?
The changelog¹ for Chromium (where SUID is called “setuid”) isn’t very clear (to me), and the documentation² is outdated.
¹ https://chromium.googlesource.com/chromium/src/+log/41.0.2272.0..42.0.2311.0?pretty=fuller&n=10000
² https://code.google.com/p/chromium/wiki/LinuxSandboxing
Sorry to read the P.P.S.
-
A Former User last edited by
LinuxSandboxing was updated 12 May. The new version of the document adds:
“The namespace sandbox aims to replace the setuid sandbox. It has the advantage of not requiring a setuid binary. It's based on (unprivileged) user namespaces in the Linux kernel. It generally requires a kernel >= 3.10, although it may work with 3.8 if certain patches are backported.
Starting with M-43, if the kernel supports it, unprivileged namespaces are used instead of the setuid sandbox. Starting with M-44, certain processes run in their own PID namespace, which isolates them better.”
So the answer is that SUID is disabled because the new Namespace Sandbox replaces it (if possible).
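As an added illustration (not code from this thread, Opera or Chromium), here is a small host-side check of the kernel prerequisites the thread names for the namespace sandbox, so you can tell on your own machine whether the SUID helper is still needed. It assumes a Linux /proc; the unprivileged_userns_clone sysctl is Debian/Ubuntu specific and is only consulted when it exists.

```shell
#!/bin/sh
# Added example (not from the thread, Opera or Chromium): checks the kernel
# features the thread names as prerequisites for the namespace sandbox, i.e.
# whether the SUID helper is still needed here. Assumes Linux /proc; the
# unprivileged_userns_clone sysctl is Debian/Ubuntu specific and optional.
major_of() { printf '%s' "${1%%.*}"; }
# minor_of 3.17.0-25-generic -> 17 ; minor_of 3 -> 0
minor_of() {
  case $1 in
    *.*) m=${1#*.}; m=${m%%[!0-9]*}; printf '%s' "${m:-0}" ;;
    *)   printf '0' ;;
  esac
}
# version_ge A B -> true when A's major.minor is at least B's
version_ge() {
  if [ "$(major_of "$1")" -ne "$(major_of "$2")" ]; then
    [ "$(major_of "$1")" -gt "$(major_of "$2")" ]
  else
    [ "$(minor_of "$1")" -ge "$(minor_of "$2")" ]
  fi
}
# Can an unprivileged process create a user namespace? Try it; fall back to
# the distro sysctl when the unshare tool is missing.
userns_available() {
  unshare -U true 2>/dev/null && return 0
  [ -r /proc/sys/kernel/unprivileged_userns_clone ] &&
    [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = "1" ]
}
# Kernels built with seccomp (3.8+) show a Seccomp field in /proc/self/status.
seccomp_available() { grep -q '^Seccomp:' /proc/self/status 2>/dev/null; }
# Yama LSM enforcing: ptrace_scope of 1 or higher restricts ptrace.
yama_enforcing() {
  [ -r /proc/sys/kernel/yama/ptrace_scope ] &&
    [ "$(cat /proc/sys/kernel/yama/ptrace_scope)" -ge 1 ]
}
yes_no() { if "$@"; then echo yes; else echo no; fi; }
# Namespace sandbox replaces SUID sandbox when kernel >= 3.10 and user ns work.
sandbox_report() {
  kver=$(uname -r)
  printf 'Kernel %s >= 3.10: %s\n' "$kver" "$(yes_no version_ge "$kver" 3.10)"
  printf 'Unprivileged user namespaces: %s\n' "$(yes_no userns_available)"
  printf 'Seccomp-BPF support: %s\n' "$(yes_no seccomp_available)"
  printf 'Yama LSM enforcing: %s\n' "$(yes_no yama_enforcing)"
  if version_ge "$kver" 3.10 && userns_available; then
    echo 'Namespace sandbox usable: SUID helper not needed'
  else
    echo 'Namespace sandbox unavailable: SUID helper still needed'
  fi
}
sandbox_report
```

Run it as a normal user, not root, since the point is whether an unprivileged process can create a user namespace.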