Google Chrome v. 42: Namespace-Sandbox not supported?

Discussion in 'all things UNIX' started by tlu, Apr 15, 2015.

  1. tlu

    tlu Guest

    I noticed that in Chrome v. 42 chrome://sandbox/ shows a new 7th entry:

    I'm a bit surprised that this is obviously not supported by my kernel 3.19.3 in Arch Linux. I searched for some details but couldn't find anything enlightening.

    How does it look on your system?
     
  2. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,194
    Location:
    Virginia - Appalachian Mtns
    Hey tlu,

    On my system...

    SUID Sandbox No
    Namespace Sandbox Yes
    PID namespaces Yes
    Network namespaces Yes
    Seccomp-BPF sandbox Yes
    Seccomp-BPF sandbox supports TSYNC Yes
    Yama LSM enforcing Yes
    You are adequately sandboxed.

    This is with kernel 3.13, 64-bit, in Trusty.

    Chrome stable 42 totally screwed my AppArmor profile. I finally got it going again, but only after having to add capability sys_admin and capability sys_chroot to my opt.google.chrome.chrome profile. I finally got fed up and switched to Firejail (at least for now). BTW, the --seccomp switch works with Chrome in Firejail. I figured it wouldn't.

    Later...

    Bob
     
  3. tlu

    tlu Guest

    Funny - for me it's just the other way round ...
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    For me, on Chrome v42.0.2311.90:

    Sandbox Status

    SUID Sandbox Yes
    Namespace Sandbox No
    PID namespaces Yes
    Network namespaces Yes
    Seccomp-BPF sandbox Yes
    Seccomp-BPF sandbox supports TSYNC Yes
    Yama LSM enforcing Yes
    You are adequately sandboxed.

    It still doesn't work for me, even on Chrome 42? I'm waiting for Chromium v42 to be available in the repositories, but I doubt the --seccomp switch will work on it either.
     
  5. tlu

    tlu Guest

    Yes, that's how it looks on my system.

    Same here. Chrome/Chromium already uses seccomp-bpf. There is a reason why the Chromium profile that comes with Firejail doesn't contain that switch.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    That's right, I guess it doesn't make sense to double up on the seccomp sandboxing, especially if it would cause problems.
     
  7. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    Sandbox Status
    SUID Sandbox No
    Namespace Sandbox Yes
    PID namespaces Yes
    Network namespaces Yes
    Seccomp-BPF sandbox Yes
    Seccomp-BPF sandbox supports TSYNC Yes
    Yama LSM enforcing Yes
    You are adequately sandboxed.

    Version 43.0.2357.18 beta (64-bit)

    Running on Mint.
     