Hi All, I was installing chromium today in my new OpenSUSE install, and in the process, I not remembered the flag to always start chromium in incognito mode. Searching about the flags, I found this: http://peter.sh/experiments/chromium-command-line-switches/ And reading it, i found this flag: --enable-seccomp-sandbox = Enable the seccomp sandbox (Linux only). Searching about, I found: http://en.wikipedia.org/wiki/Seccomp http://code.google.com/p/seccompsandbox/ Anyone can give more insights in its inner-workings and some explanation about how it can prevent exploits (java, flash..)? Thanks!
I drift between Windows and Linux so I may be off on some of this. Typically Chromium runs in a chroot sandbox. Basically this is a locked down sandbox. As the wikipedia link shows the program would be completely unable to do anything to the system other than a few simple calls. The Chrome team actually wants to expand it so that they can choose exactly what calls can and can not be made. There are also apparmor profiles for Chromium (but not Chrome? I'm not sure.) and there's an SELinux based sandbox as well iirc.
So the sandbox in chromium is already implemented? I remember reading somewhere that chromium not have sandbox in linux.. maybe wrong information. Nice. The selinux sandbox I already used in SL6.1 sometime ago... but how I'm using OpenSUSE now, I will search the profile for apparmor and use it. Thank you!
Sorry, Hungry, what do you mean by that? According to this site the sandbox is implemented in Chromium at least under Ubuntu and Gentoo.
http://www.chromium.org/developers/design-documents/sandbox https://code.google.com/p/chromium/wiki/LinuxSandboxing
When I enable this and check it via chrome://sandbox/ It still shows: How do you use this? I haven't found much of anything about SecComp besides the above articles. For the record I am using the Dev channel and latest build.
@x942 Sorry for the delay. I just added the option in the properties of the shortcut: It looks like this: "chromium %u --incognito --enable-seccomp-sandbox" zypper info chromium Information for package chromium: Repository: openSUSE-12.1-Update Name: chromium Version: 18.0.1022.0-1.7.2 Arch: x86_64 Vendor: openSUSE Installed: Yes Status: out-of-date (version 18.0.972.0-1.5.2 installed) Installed Size: 95.1 MiB Summary: Google's opens source browser project Description: Chromium is the open-source project behind Google Chrome. We invite you to join us in our effort to help build a safer, faster, and more stable way for all Internet users to experience the web, and to create a powerful platform for developing a new generation of web applications. When I check it via chrome://sandbox/ :