I noticed that in Chrome v. 42 chrome://sandbox/ shows a new 7th entry: I'm a bit surprised that this is obviously not supported by my kernel 3.19.3 in Arch Linux. I searched for some details but couldn't find anything enlightening. How does it look on your system?
Hey tlu, On my system... SUID Sandbox No Namespace Sandbox Yes PID namespaces Yes Network namespaces Yes Seccomp-BPF sandbox Yes Seccomp-BPF sandbox supports TSYNC Yes Yama LSM enforcing Yes You are adequately sandboxed. This is with kernel 3.13 64 bit in trusty. Chrome stable 42 totally screwed my apparmor profile. I finally got it going again but only after having to add capability sys_admin and capability sys_chroot to my opt.google.chrome.chrome profile. I finally got fed up and switched to firejail (at least for now). BTW, the --seccomp switch works with chrome in firejail. I figured it wouldn't. Later... Bob
for me on Chrome v42.0.2311.90 Sandbox Status SUID Sandbox Yes Namespace Sandbox No PID namespaces Yes Network namespaces Yes Seccomp-BPF sandbox Yes Seccomp-BPF sandbox supports TSYNC Yes Yama LSM enforcing Yes You are adequately sandboxed. it still doesn't work for me even on chrome 42?? I'm waiting for Chromium v42 to be available in the repositories, but I doubt the --seccomp switch will work on it either.
Yes, that's how it looks on my system. Same here. Chrome/Chromium already uses seccomp-bpf. There is a reason why the Chromium profile that comes with Firejail doesn't contain that switch.
That's right, I guess it doesn't make sense to double up on the seccomp sandboxing, especially if it would cause problems.
Sandbox Status SUID Sandbox No Namespace Sandbox Yes PID namespaces Yes Network namespaces Yes Seccomp-BPF sandbox Yes Seccomp-BPF sandbox supports TSYNC Yes Yama LSM enforcing Yes You are adequately sandboxed. Version 43.0.2357.18 beta (64-bit) Running on Mint.