[arch-dev-public] Packaging Chromium for [extra]

Pierre Schmitz pierre at archlinux.de
Sun Dec 13 18:52:22 EST 2009

On Fri, 11 Dec 2009 09:21:39 +0100, Thomas Bächler <thomas at archlinux.org>
> Pierre Schmitz schrieb:
>> Am Freitag 11 Dezember 2009 01:02:34 schrieb Thomas Bächler:
>>> If you just want chroot, "setcap cap_sys_chroot +ep /usr/bin/whatever"

>>> is sufficient.
>> The point is that it does not work. See 
>> At least I didn't get it working; but it might be possible. A good
>> starting
>> point is http://code.google.com/p/chromium/wiki/LinuxSandboxing
> It checks explicitly whether the "sandbox binary" is setuid, which is as

> stupid as using a setuid binary in the first place. What does the 
> "sandbox binary" even do exactly? If you really need setuid for it, it's

> certainly a stupid design.

Using a suid helper binary is just used as a fallback on systems where you
don't have apparmor, selinux and such. They are working on a seccomp
implementation though and if I read our kernel config correctly we have
supprot for that. So hacking up a sandbox implementation which uses
capabilities to chroot wont be worth the effort as the suid sansbox is a
temporary solution anyway.

Fun fact: due to its design netscape plugins cannot be sandboxed; so you
could simply compromise chromium by a flashplugin exploit I guess. Another
reason why we should get rid of flash soon.

Pierre Schmitz, https://users.archlinux.de/~pierre

More information about the arch-dev-public mailing list