FS#54321 - [linux] enable namespaces sandbox

Attached to Project: Arch Linux
Opened by krisko (krisko) - Tuesday, 06 June 2017, 06:46 GMT
Last edited by Doug Newgard (Scimmia) - Tuesday, 06 June 2017, 13:26 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Hi,
when running e.g. the Brave browser, you have to add --no-sandbox for it to start. There are native ways of supporting sandboxing directly in the kernel, which should be enabled in the kernel config.
See discussion https://github.com/brave/browser-laptop/issues/6902, namely the parameters
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_SECCOMP_FILTER=y

More info about namespaces sandbox https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md#User-namespaces-sandbox

Additional info:
* package version(s) - 4.11.2
* config and/or log files etc.


Steps to reproduce:
download Brave from https://github.com/brave/browser-laptop/releases
unpack it and try to run ./brave

you get:
[25980:25980:0606/084338.897070:FATAL:zygote_host_impl_linux.cc(107)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
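
An added example, not part of the original report: a shell check that reads a kernel config and reports the state of the four options listed above. It assumes the running kernel exposes its config at /proc/config.gz; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the kernel options named in the report for a given config.
REQUIRED_OPTS="CONFIG_USER_NS CONFIG_PID_NS CONFIG_NET_NS CONFIG_SECCOMP_FILTER"

# Print the config text, decompressing when the file name ends in .gz.
read_config() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# Print the value of option $1 in config file $2, or "unset".
# Kconfig writes a disabled option as "# CONFIG_FOO is not set" or omits it.
opt_state() {
    val=$(read_config "$2" | sed -n "s/^$1=\(.*\)\$/\1/p" | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# List every required option; return 1 if any of them is not built in (=y).
check_sandbox_config() {
    cfg=${1:-/proc/config.gz}   # assumption: config exposed via /proc
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    missing=0
    for opt in $REQUIRED_OPTS; do
        state=$(opt_state "$opt" "$cfg")
        printf '%-24s %s\n' "$opt" "$state"
        [ "$state" = "y" ] || missing=1
    done
    return "$missing"
}

# Constructed sample config (not from the report): USER_NS off, the rest on.
demo_constructed() {
    tmp=$(mktemp) || return 2
    printf '%s\n' 'CONFIG_PID_NS=y' 'CONFIG_NET_NS=y' \
        '# CONFIG_USER_NS is not set' 'CONFIG_SECCOMP_FILTER=y' > "$tmp"
    check_sandbox_config "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Call `check_sandbox_config` with no argument to inspect the running kernel, or pass a path such as a saved config file.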

Closed by  Doug Newgard (Scimmia)
Tuesday, 06 June 2017, 13:26 GMT
Reason for closing:  Duplicate
Additional comments about closing:   FS#36969 
Comment by loqs (loqs) - Tuesday, 06 June 2017, 13:13 GMT