FS#54321 - [linux] enable namespaces sandbox
Attached to Project:
Arch Linux
Opened by krisko (krisko) - Tuesday, 06 June 2017, 06:46 GMT
Last edited by Doug Newgard (Scimmia) - Tuesday, 06 June 2017, 13:26 GMT
Details
Description:
Hi, when running e.g. Brave browser, you have to add --no-sandbox to be able to start. There are native ways of supporting sandboxing directly in kernel, which should be enabled in kernel config. See discussion https://github.com/brave/browser-laptop/issues/6902, namely the parameters

CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_SECCOMP_FILTER=y

More info about namespaces sandbox https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md#User-namespaces-sandbox

Additional info:
* package version(s) - 4.11.2
* config and/or log files etc.

Steps to reproduce:
download brave https://github.com/brave/browser-laptop/releases
unpack and try to run ./brave
you get:
[25980:25980:0606/084338.897070:FATAL:zygote_host_impl_linux.cc(107)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
Closed by Doug Newgard (Scimmia)
Tuesday, 06 June 2017, 13:26 GMT
Reason for closing: Duplicate
Additional comments about closing: FS#36969
Comment by loqs (loqs) - Tuesday, 06 June 2017, 13:13 GMT
Duplicate of https://bugs.archlinux.org/task/36969
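
A way to check a kernel config for the four options named in the description, as an added example that is not part of the original report or of any Arch Linux tooling. The function names and the sample config are constructed for illustration; on a running system the input would typically be a file produced with `zcat /proc/config.gz`, assuming the kernel exposes its config there.

```shell
#!/bin/sh
# Added example: report the state of the kernel options listed in the report.
# Input is a file containing kernel config text (.config format).

REQUIRED_OPTS="CONFIG_USER_NS CONFIG_PID_NS CONFIG_NET_NS CONFIG_SECCOMP_FILTER"

# Print the state of option $2 in config file $1:
#   the value after '=' (y, m, ...), "not set" when explicitly disabled,
#   or "missing" when the option is never mentioned.
opt_state() {
    file=$1 opt=$2
    # Last assignment wins, as in a merged .config
    line=$(grep -E "^${opt}=" "$file" | tail -n 1)
    if [ -n "$line" ]; then
        printf '%s\n' "${line#*=}"
    elif grep -Eq "^# ${opt} is not set\$" "$file"; then
        echo "not set"
    else
        echo "missing"
    fi
}

# Print one line per required option; return 1 unless every one is built in (=y).
check_sandbox_config() {
    file=$1 rc=0
    for opt in $REQUIRED_OPTS; do
        state=$(opt_state "$file" "$opt")
        printf '%-24s %s\n' "$opt" "$state"
        [ "$state" = "y" ] || rc=1
    done
    return $rc
}

# Constructed sample config (not from a real kernel): user namespaces disabled.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_PID_NS=y
CONFIG_NET_NS=y
# CONFIG_USER_NS is not set
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
check_sandbox_config "$sample" || echo "namespace sandbox prerequisites incomplete"
rm -f "$sample"
```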