Re: [DNG] Kernel SUID sandbox
Author: Alessandro Selli
Date:  
To: dng
Subject: Re: [DNG] Kernel SUID sandbox
On 15/10/18 at 10:55, Lars Noodén wrote:
> I notice that in Ascii with both the stock kernel and the one from
> backports (4.17.0-0.bpo.1-amd64) some applications cannot run. For
> example the web browser Brave fails with this message:
>
> [9394:9394:1015/111632.363017:FATAL:zygote_host_impl_linux.cc(116)]
> No usable sandbox! Update your kernel or see
> https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md
> for more information on developing with the SUID sandbox. If you want to
> live dangerously and need an immediate workaround, you can try using
> --no-sandbox.
> Trace/breakpoint trap



  Reading the bug report, it turns out the issue is the lack of an
appropriate namespace sandbox:


https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md

«Linux SUID Sandbox Development»

"IMPORTANT NOTE: The Linux SUID sandbox is almost but not completely
removed. See
https://bugs.chromium.org/p/chromium/issues/detail?id=598454 This page
is mostly out-of-date.

For context see LinuxSUIDSandbox

We need a SUID helper binary to turn on the sandbox on Linux."


https://bugs.chromium.org/p/chromium/issues/detail?id=598454 says:

«Stop checking for the setuid sandbox binary on desktop Linux»

"As per bug 312380, we should no longer need the setuid binary sandbox
on most if not all supported versions of desktop Linux. However, Chrome
still checks for it on startup and complains if it's not there. We
should stop doing that."

"The intention is if you want to run Chrome and only use the namespace
sandbox, you can set --disable-setuid-sandbox.  But if you do so on a
host without appropriate kernel support for the namespace sandbox,
Chrome will loudly refuse to run."


  Namespaces have been available in Linux for a long time:

https://lwn.net/Articles/528078/

«User namespaces progress»

"The first pieces of the implementation started appearing when Linux
2.6.23 (released in late 2007)"

There's no doubt 4.17 kernels have it. There's something in your system
setup that is missing or not adequately configured (AppArmor, maybe?).


Alessandro


--
Alessandro Selli <alessandroselli@???>
VOIP SIP: dhatarattha@???
Chiave firma e cifratura PGP/GPG signing and encoding key:
BA651E4050DDFC31E17384BABCE7BD1A1B0DF2AE
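
A check for the "appropriate kernel support for the namespace sandbox" that the quoted Chromium bug mentions, as an added example that is not part of the original message. It assumes the sysctl files `kernel.unprivileged_userns_clone` (a Debian-family kernel patch) and `user.max_user_namespaces` (upstream), neither of which is named in the thread; the function names and sample values are hypothetical and constructed.

```shell
#!/bin/sh
# Added diagnostic, not from the original thread.
# userns_status [ROOT] prints one verdict about unprivileged user namespaces.
# ROOT defaults to "" (the live system); pass a directory holding a
# constructed copy of the proc files to exercise the logic offline.
userns_status() {
    root="${1:-}"
    ns_link="$root/proc/self/ns/user"
    # Assumption: Debian-family kernels carry this extra switch.
    clone_knob="$root/proc/sys/kernel/unprivileged_userns_clone"
    # Upstream per-namespace limit, present since Linux 4.9.
    max_knob="$root/proc/sys/user/max_user_namespaces"

    # No user-namespace entry at all: kernel built without CONFIG_USER_NS.
    if [ ! -e "$ns_link" ] && [ ! -L "$ns_link" ]; then
        echo "unsupported"; return 0
    fi
    # Switch present and 0: only root may create user namespaces.
    if [ -r "$clone_knob" ] && [ "$(cat "$clone_knob")" = "0" ]; then
        echo "disabled-by-sysctl"; return 0
    fi
    # A limit of 0 forbids creating any user namespace.
    if [ -r "$max_knob" ] && [ "$(cat "$max_knob")" = "0" ]; then
        echo "disabled-by-limit"; return 0
    fi
    echo "available"
}

# Constructed sample tree (not a real capture).
# Arguments: DIR, unprivileged_userns_clone value, max_user_namespaces value.
make_sample() {
    mkdir -p "$1/proc/self/ns" "$1/proc/sys/kernel" "$1/proc/sys/user"
    : > "$1/proc/self/ns/user"
    echo "$2" > "$1/proc/sys/kernel/unprivileged_userns_clone"
    echo "$3" > "$1/proc/sys/user/max_user_namespaces"
}

tmp=$(mktemp -d)
make_sample "$tmp/a" 0 15000
echo "constructed sample: $(userns_status "$tmp/a")"
echo "this host:          $(userns_status)"
rm -rf "$tmp"
```

A verdict of `available` only covers these kernel-side switches; a confinement policy such as the AppArmor one suggested in the message can still block the sandbox.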