On Fri, 11 Dec 2009 09:21:39 +0100, Thomas Bächler <[email protected]> wrote:
> Pierre Schmitz wrote:
>> On Friday 11 December 2009 01:02:34 Thomas Bächler wrote:
>>> If you just want chroot, "setcap cap_sys_chroot +ep /usr/bin/whatever"
>>> is sufficient.
>>
>> The point is that it does not work. See
>> http://src.chromium.org/svn/releases/4.0.267.0/src/chrome/browser/zygote_host_linux.cc
>>
>> At least I didn't get it working; but it might be possible. A good
>> starting point is http://code.google.com/p/chromium/wiki/LinuxSandboxing
>
> It checks explicitly whether the "sandbox binary" is setuid, which is as
> stupid as using a setuid binary in the first place. What does the
> "sandbox binary" even do exactly? If you really need setuid for it, it's
> certainly a stupid design.

Using a suid helper binary is just used as a fallback on systems where you
don't have apparmor, selinux and such. They are working on a seccomp
implementation though and if I read our kernel config correctly we have
support for that. So hacking up a sandbox implementation which uses
capabilities to chroot won't be worth the effort as the suid sandbox is a
temporary solution anyway.

Fun fact: due to its design netscape plugins cannot be sandboxed; so you
could simply compromise chromium by a flashplugin exploit I guess. Another
reason why we should get rid of flash soon.

--
Pierre Schmitz, https://users.archlinux.de/~pierre
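The thread contrasts two ways of handing a helper binary privilege: the setuid bit that Chromium's zygote host checks for, and Linux file capabilities of the kind `setcap cap_sys_chroot +ep` writes. The following audit helper, added here as an example and not code from the thread, Arch or the Chromium project, reads both markers for a file so an administrator can list which binaries on a system are privileged and by which mechanism. It assumes Linux for the file-capability check (the `security.capability` extended attribute that `setcap` populates); on other platforms it reports no file capabilities. The directory name and the sample classification labels are assumptions of this example.

```python
"""Audit helper: tell setuid/setgid binaries apart from binaries that carry
Linux file capabilities (what setcap(8) stores in the security.capability
extended attribute). Added example, not part of the mailing-list thread."""
import os
import stat
from typing import Dict, Iterator, Tuple

# Extended-attribute name that setcap(8) writes; assumed Linux-only.
CAP_XATTR = "security.capability"


def privilege_markers(path: str) -> Dict[str, bool]:
    """Return which privilege-granting markers a single file carries."""
    st = os.stat(path)
    markers = {
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "setgid": bool(st.st_mode & stat.S_ISGID),
        "file_caps": False,
    }
    # os.getxattr exists only on Linux; elsewhere, or when the file has no
    # such attribute (ENODATA) or the filesystem lacks xattr support, we
    # simply report no file capabilities rather than failing the scan.
    getxattr = getattr(os, "getxattr", None)
    if getxattr is not None:
        try:
            markers["file_caps"] = len(getxattr(path, CAP_XATTR)) > 0
        except OSError:
            pass
    return markers


def classify(path: str) -> str:
    """Collapse the markers into one label for reporting."""
    m = privilege_markers(path)
    if m["setuid"] or m["setgid"]:
        return "setuid/setgid"
    if m["file_caps"]:
        return "file-capabilities"
    return "unprivileged"


def scan_directory(directory: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, label) for each regular, non-symlink file that carries
    any privilege marker; symlinks are skipped because the bits live on the
    target, which a scan of its own directory will report."""
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        label = classify(path)
        if label != "unprivileged":
            yield path, label


if __name__ == "__main__":
    import sys

    # Default directory is an assumption; pass another on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for path, label in scan_directory(target):
        print(f"{label:18} {path}")
```

Run as `python audit_priv.py /usr/bin` to get one line per privileged binary. A binary that shows up as `file-capabilities` is the case Thomas describes (a precise capability such as `cap_sys_chroot` instead of full root), while `setuid/setgid` is the case Pierre says Chromium's zygote host insists on; the distinction is what a reviewer would want to see before deciding which mechanism a package relies on.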

