Chromium Sandbox security flag??

Discussion in 'all things UNIX' started by s23, Feb 18, 2012.

Thread Status:
Not open for further replies.
  1. s23

    s23 Registered Member

    Hi All,
    I was installing Chromium today on my new openSUSE install, and in the process I could not remember the flag to always start Chromium in incognito mode. Searching for the flags, I found this:
    http://peter.sh/experiments/chromium-command-line-switches/
    And reading it, I found this flag:

    --enable-seccomp-sandbox = Enable the seccomp sandbox (Linux only).

    Searching about, I found:
    http://en.wikipedia.org/wiki/Seccomp
    http://code.google.com/p/seccompsandbox/

    Can anyone give more insight into its inner workings and some explanation of how it can prevent exploits (Java, Flash...)?

    Thanks!
     
  2. Hungry Man

    Hungry Man Registered Member

    I drift between Windows and Linux so I may be off on some of this.

    Typically Chromium runs in a chroot sandbox.

    Basically this is a locked-down sandbox. As the Wikipedia link shows, the program would be completely unable to do anything to the system other than a few simple calls. The Chrome team actually wants to expand it so that they can choose exactly what calls can and cannot be made.

    There are also AppArmor profiles for Chromium (but not Chrome? I'm not sure.) and there's an SELinux-based sandbox as well iirc.
     
    Last edited: Feb 18, 2012
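Added example, not part of the thread and not Chromium's code: the "only a few simple calls" restriction described in the post above, shown with the Linux kernel's seccomp filter mode rather than the flag discussed here. A forked child installs an allow-list of write, exit and exit_group and is killed with SIGSYS when it calls anything else; the function names and the probed path are assumptions, and the listing assumes Linux with glibc.

```c
#include <fcntl.h>
#include <signal.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* If the loaded syscall number equals nr, return ALLOW; otherwise fall through. */
#define ALLOW(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Install the allow-list on the calling process. Returns 0, or -1 if refused.
   A production filter would also check seccomp_data.arch before trusting nr. */
static int install_allow_list(void) {
    struct sock_filter rules[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_write),
        ALLOW(SYS_exit), ALLOW(SYS_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* everything else */
    };
    struct sock_fprog prog = { .len = (unsigned short)(sizeof rules / sizeof rules[0]), .filter = rules };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Run a confined child. Returns 0 if it exited cleanly, the signal number if
   it was killed, or -1 if the filter could not be installed. */
int run_confined(int try_open) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_allow_list() != 0) _exit(2);
        if (try_open) open("/etc/hostname", O_RDONLY);  /* not on the list */
        if (write(2, "child: still alive\n", 19) < 0) _exit(3); /* on the list */
        _exit(0);                                       /* glibc issues exit_group */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return WEXITSTATUS(status) == 0 ? 0 : -1;
}

int main(void) {
    return (run_confined(0) == 0 && run_confined(1) == SIGSYS) ? 0 : 1;
}
```

The filter is installed only in the forked child, so the parent stays unconfined and can report how the child ended.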
  3. linuxforall

    linuxforall Registered Member

    AppArmor profiles for Chromium are available from Ubuntu 10.10 and up, none for 10.04.
     
  4. s23

    s23 Registered Member

    So the sandbox in Chromium is already implemented? I remember reading somewhere that Chromium does not have a sandbox on Linux... maybe wrong information. Nice.
    I already used the SELinux sandbox in SL6.1 some time ago... but as I'm using openSUSE now, I will search for the AppArmor profile and use it. Thank you!
     
  5. tlu

    tlu Guest

    Yes, but it seems that the Chromium PPAs are no longer updated ... :doubt:
     
  6. linuxforall

    linuxforall Registered Member


    That's true; for some strange reason, they are no longer being updated after January's last update.
     
  7. vasa1

    vasa1 Registered Member

  8. Hungry Man

    Hungry Man Registered Member

    The Linux sandbox is "partially" implemented already.
     
  9. tlu

    tlu Guest

  10. tlu

    tlu Guest

    Sorry, Hungry, what do you mean by that? According to this site the sandbox is implemented in Chromium at least under Ubuntu and Gentoo.
     
  11. Hungry Man

    Hungry Man Registered Member

  12. tlu

    tlu Guest

  13. x942

    x942 Guest

    When I enable this and check it via chrome://sandbox/

    It still shows:

    How do you use this? I haven't found much of anything about SecComp besides the above articles.

    For the record I am using the Dev channel and latest build.
     
  14. s23

    s23 Registered Member

    @x942
    Sorry for the delay. I just added the option in the properties of the shortcut:
    It looks like this:

    "chromium %u --incognito --enable-seccomp-sandbox"

    zypper info chromium

    Information for package chromium:

    Repository: openSUSE-12.1-Update
    Name: chromium
    Version: 18.0.1022.0-1.7.2
    Arch: x86_64
    Vendor: openSUSE
    Installed: Yes
    Status: out-of-date (version 18.0.972.0-1.5.2 installed)
    Installed Size: 95.1 MiB
    Summary: Google's opens source browser project
    Description:
    Chromium is the open-source project behind Google Chrome. We invite you to join us in our effort to help build a safer, faster, and more stable way for all Internet users to experience the web, and to create a powerful platform for developing a new generation of web applications.



    When I check it via chrome://sandbox/ :
     

  15. Hungry Man

    Hungry Man Registered Member

    Which distro is that?
     
  16. vasa1

    vasa1 Registered Member

    openSUSE?
     
  17. Kerodo

    Kerodo Registered Member

    Yep....
     
  18. Hungry Man

    Hungry Man Registered Member

    lol right... that makes sense
     