On 15/10/18 at 10:55, Lars Noodén wrote:
> I notice that in Ascii with both the stock kernel and the one from
> backports (4.17.0-0.bpo.1-amd64) some applications cannot run. For
> example the web browser Brave fails with this message:
>
> [9394:9394:1015/111632.363017:FATAL:zygote_host_impl_linux.cc(116)]
> No usable sandbox! Update your kernel or see
> https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md
> for more information on developing with the SUID sandbox. If you want to
> live dangerously and need an immediate workaround, you can try using
> --no-sandbox.
> Trace/breakpoint trap

Reading the bug report, it turns out the issue is the lack of an appropriate namespace sandbox:

https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md
«Linux SUID Sandbox Development»
"IMPORTANT NOTE: The Linux SUID sandbox is almost but not completely removed. See https://bugs.chromium.org/p/chromium/issues/detail?id=598454 This page is mostly out-of-date. For context see LinuxSUIDSandbox We need a SUID helper binary to turn on the sandbox on Linux."

https://bugs.chromium.org/p/chromium/issues/detail?id=598454 says:
«Stop checking for the setuid sandbox binary on desktop Linux»
"As per bug 312380, we should no longer need the setuid binary sandbox on most if not all supported versions of desktop Linux. However, Chrome still checks for it on startup and complains if it's not there. We should stop doing that."

"The intention is if you want to run Chrome and only use the namespace sandbox, you can set --disable-setuid-sandbox. But if you do so on a host without appropriate kernel support for the namespace sandbox, Chrome will loudly refuse to run."

Namespaces have been available in Linux for a long time:

https://lwn.net/Articles/528078/
«User namespaces progress»
"The first pieces of the implementation started appearing when Linux 2.6.23 (released in late 2007)"

There's no doubt 4.17 kernels have it. There's something in your system setup that is missing or not adequately configured (Apparmor, maybe?).

Alessandro

-- 
Alessandro Selli <[email protected]>
VOIP SIP: [email protected]
PGP/GPG signing and encoding key:
BA651E4050DDFC31E17384BABCE7BD1A1B0DF2AE
_______________________________________________
Dng mailing list
[email protected]
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
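
One way to check the "missing or not adequately configured" case raised in the message above, as an added example that is not part of the original post: a kernel can support user namespaces while unprivileged processes are still barred from creating them. It assumes the two switches worth checking are the Debian kernel patch's `kernel.unprivileged_userns_clone` sysctl and the upstream `user.max_user_namespaces` limit; the function name `userns_status` and its result words are invented for this example.

```shell
#!/bin/sh
# Added example: classify why unprivileged user namespaces may be unusable.
# userns_status [PROC_ROOT] -> prints a status word, returns 0 only if usable.
# PROC_ROOT defaults to /proc; a constructed tree can be passed for testing.
userns_status() {
    proc_root=${1:-/proc}

    # Without CONFIG_USER_NS the per-process namespace link does not exist.
    if [ ! -e "$proc_root/self/ns/user" ] && [ ! -L "$proc_root/self/ns/user" ]; then
        echo "no-kernel-support"
        return 1
    fi

    # Debian kernel patch: 0 means unprivileged users may not create
    # user namespaces, even though the kernel supports them.
    f="$proc_root/sys/kernel/unprivileged_userns_clone"
    if [ -r "$f" ] && [ "$(cat "$f")" = "0" ]; then
        echo "disabled-by-unprivileged_userns_clone"
        return 1
    fi

    # Upstream limit (Linux 4.9+): 0 means no user namespaces can be created.
    f="$proc_root/sys/user/max_user_namespaces"
    if [ -r "$f" ] && [ "$(cat "$f")" = "0" ]; then
        echo "disabled-by-max_user_namespaces"
        return 1
    fi

    echo "enabled"
    return 0
}

# Report for the running system (never aborts the script).
userns_status /proc || true
```

A result of `enabled` only rules out these two sysctls; other policy layers such as AppArmor are not inspected.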
