[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
** Changed in: chromium-browser (Ubuntu) Assignee: Chad Miller (cmiller) => (unassigned) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: Confirmed Status in evince package in Ubuntu: Confirmed Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
** Changed in: oxide Milestone: branch-1.22 => branch-1.23 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: Confirmed Status in evince package in Ubuntu: Confirmed Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
** Changed in: oxide Milestone: branch-1.21 => branch-1.22 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: Confirmed Status in evince package in Ubuntu: Confirmed Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: evince (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: Confirmed Status in evince package in Ubuntu: Confirmed Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
** Changed in: oxide Milestone: branch-1.20 => branch-1.21 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: Confirmed Status in evince package in Ubuntu: New Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
** Changed in: oxide Milestone: branch-1.19 => branch-1.20 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to evince in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: Confirmed Status in evince package in Ubuntu: New Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
Same here with Evince not being able to lauch the browser when you clic on a link inside a PDF: apparmor="DENIED" operation="capable" profile="/usr/bin/evince//sanitized_helper" pid=16137 comm="chromium- browse" capability=21 capname="sys_admin" ** Also affects: evince (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: Confirmed Status in evince package in Ubuntu: New Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
** Changed in: oxide Milestone: branch-1.18 => branch-1.19 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: Confirmed Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
I can confirm that chromium-browser does not start, syslog shows: apparmor="DENIED" operation="capable" profile="/usr/lib/chromium-browser /chromium-browser" pid=27954 comm="chromium-browse" capability=21 capname="sys_admin" Apparmor profile enforce mode. Trusty 14.04.5 chromium-browser 51.0.2704.79 apparmor-profiles 2.8.95-2430 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: Confirmed Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
** Changed in: oxide Milestone: branch-1.17 => branch-1.18 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: Confirmed Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
** Changed in: oxide Milestone: branch-1.16 => branch-1.17 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: Confirmed Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
** Changed in: oxide Milestone: branch-1.15 => branch-1.16 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: Confirmed Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: chromium-browser (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: Confirmed Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
Anyway to fix this? >apparmor="ALLOWED" operation="capable" >profile="/usr/lib/chromium-browser/chromium-browser" pid=2129 >comm="chromium-browse" capability=21 capname="sys_admin" -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: Confirmed Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
** Changed in: oxide Milestone: branch-1.13 => branch-1.15 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: New Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
** Changed in: oxide Milestone: branch-1.12 => branch-1.13 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: New Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
There have been reports that chromium-browser in Ubuntu now doesn't start under its apparmor profile because of: apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=2129 comm="chromium-browse" capability=21 capname="sys_admin" ** Also affects: chromium-browser (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: New Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1447345] Re: Support the unprivileged namespace sandbox
** Changed in: chromium-browser (Ubuntu) Assignee: (unassigned) => Chad Miller (cmiller) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1447345 Title: Support the unprivileged namespace sandbox Status in Oxide: Triaged Status in chromium-browser package in Ubuntu: New Bug description: Chromium has a new layer 1 sandbox which replaces the suid sandbox on systems with CLONE_NEWUSER. However, it's currently incompatible with application confinement. To summarize, the sandbox mechanism does something like this: 1) Browser launches zygote process: - clones with CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET and then exec() 2) Zygote initializes sandbox: - unshare(CLONE_NEWUSER) - clones a new process with CLONE_FS and then does waitpid(). The child chroots to /proc/self/fdinfo - Enables CAP_SYS_ADMIN (see below) 3) Zygote forks - Parent becomes init - Child continues as zygote 4) Zygote waits for requests from the browser to create render processes 5) On each request: - Zygote clones a new process with CLONE_NEWPID (this is why it needs CAP_SYS_ADMIN) - New process drops all privileges and becomes a renderer This produces the following denial on the device: type=1400 audit(1429733985.487:153): apparmor="DENIED" operation="capable" profile="com.zeptolab.cuttherope.full_cuttherope_0.5.2" pid=7195 comm="qmlscene" capability=21 capname="sys_admin" The oxide_helper profile already allows sys_admin, but this is coming from the browser process, just here: 7229 clone(child_stack=0, flags=CLONE_NEWUSER|SIGCHLD) = 7246 <-- Test that the new sandbox can be used 7246 exit_group(0) = ? 7229 wait4(7246, 7246 +++ exited with 0 +++ 7229 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7246 7229 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7246, si_status=0, si_utime=0, si_stime=0} --- 7229 write(13, "\0", 1)= 1 7229 rt_sigreturn()= 7246 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/pid", F_OK) = 0 7229 access("/proc/self/ns/user", F_OK) = 0 7229 access("/proc/self/ns/net", F_OK) = 0 7229 getuid32()= 32011 7229 getgid32()= 32011 7229 access("/proc/self/setgroups", F_OK) = -1 ENOENT (No such file or directory) 7229 rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0 7229 clone(child_stack=0xbe8518d4, flags=CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted) It fails in step 1) above, because it needs CAP_SYS_ADMIN before it's able to transition to the oxide_helper profile (which allows it) To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1447345/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp