Chrome 20 On Linux Gets Flash Seccomp Filter

Discussion in 'all things UNIX' started by Hungry Man, Jul 12, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Chrome 20 seemed really unexciting and this particular Linux release got overlooked so here you go.
    http://scarybeastsecurity.blogspot.com/2012/07/chrome-20-on-linux-and-flash-sandboxing.html

    tl;dr:

    PPAPI Flash now runs in a Chroot, PID namespace, and has seccomp filters applied. The combination of these makes for a seriously secure Flash plugin.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I wrote an explanation of seccomp filters on as low a level as I could. If one of the programmers wants to look at it and tell me where I messed up I'd be really happy to hear about it. I basically just explained what the kernel is, what least privilege is, what a system call is, and why they're dangerous.

    Here's the article.
     
  3. tlu

    tlu Guest

    As noted on your blog, the seccomp sandbox is NOT enabled for Chrome v. 21.0.1180.41 beta if the --enable-seccomp-sandbox switch is removed (although it should be enabled by default). Perhaps a regression.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Potentially a UI fault of the chrome://sandbox page. I assume that's what you're using to confirm.
     
  5. tlu

    tlu Guest

    Yes. Is there another way to check that?
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Not that I know of. I would file a feature request for better Linux documentation as the current documentation is 2 years old and severely out of date.
     
  7. tlu

    tlu Guest

    Thanks. I reported that bug.
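
On the question above of checking the sandbox without chrome://sandbox: kernels from Linux 3.8 onward report each process's seccomp mode in the `Seccomp:` field of `/proc/<pid>/status` (0 = disabled, 1 = strict, 2 = filter). The following is an added example, not part of the original thread or of Chrome; the `chrome` process-name prefix and the sample status text are assumptions constructed for illustration.

```python
import os

# Values of the "Seccomp:" field in /proc/<pid>/status (Linux 3.8+).
SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}

def parse_status(text):
    """Parse the 'Key:<tab>value' lines of a /proc/<pid>/status file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def seccomp_mode(status_text):
    """Return 'disabled', 'strict' or 'filter'; 'unknown' if the kernel omits the field."""
    value = parse_status(status_text).get("Seccomp")
    if value is None:
        return "unknown"  # kernels older than 3.8 do not expose the field
    return SECCOMP_MODES.get(value, "unrecognised(%s)" % value)

def scan(proc_root="/proc", name_prefix="chrome"):
    """List (pid, name, mode) for processes whose Name starts with name_prefix.

    name_prefix="chrome" is an assumption; adjust it for other builds.
    """
    results = []
    pids = sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int)
    for pid in pids:
        try:
            with open(os.path.join(proc_root, pid, "status")) as fh:
                text = fh.read()
        except OSError:
            continue  # process exited between listdir and open, or is unreadable
        name = parse_status(text).get("Name", "")
        if name.startswith(name_prefix):
            results.append((int(pid), name, seccomp_mode(text)))
    return results

# Constructed sample status text (not captured from a real system).
SAMPLE_FILTERED = "Name:\tchrome\nState:\tS (sleeping)\nPid:\t4242\nSeccomp:\t2\n"
SAMPLE_OLD_KERNEL = "Name:\tchrome\nState:\tS (sleeping)\nPid:\t4243\n"

if __name__ == "__main__":
    for pid, name, mode in scan():
        print(pid, name, mode)
```

Seccomp is applied per thread, and this field reflects the process's main thread; the same field for other threads is under `/proc/<pid>/task/<tid>/status`.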
     
  8. tlu

    tlu Guest
