Chrome Sandboxing

Talk here about security in general. Posting illegals software is prohibited. All stuffs in this forum must be considered as for "Educational purpose only".
Koss98
White ninja
White ninja
Posts: 10
Joined: 28 Apr 2017, 18:36
Distribution: 3.2.2
Location: Canada

Chrome Sandboxing

Post#1 by Koss98 » 28 Apr 2017, 19:11

Hi, new here.

I installed the Chrome module but discovered that the sandbox isn't running properly...

Code: Select all

(about://sandbox)

Sandbox Status

SUID Sandbox	Yes
Namespace Sandbox	No
PID namespaces	No
Network namespaces	Nohttps://forum.porteus.org/posting.php?mode=post&f=113#
Seccomp-BPF sandbox	Yes
Seccomp-BPF sandbox supports TSYNC	Yes
Yama LSM enforcing	No
You are not adequately sandboxed!
On Ubuntu this wasn't an issue. Google itself recommends using other browsers in case Chrome's sandbox feature isn't working, but I like Chrome and I want to fix this on Porteus if possible.

User avatar
francois
Contributor
Contributor
Posts: 6434
Joined: 28 Dec 2010, 14:25
Distribution: xfce plank porteus nemesis
Location: Le printemps, le printemps, le printemps... ... l'hiver s'essoufle.

Re: Chrome Sandboxing

Post#2 by francois » 29 Apr 2017, 00:46

Are you working guest or root mode? What version of porteus are you using? What desktop are you using? I am using google-chrome under kde5 (plasma) with no sandbox problem under porteus 3.2.2.
Prendre son temps, profiter de celui qui passe.

Koss98
White ninja
White ninja
Posts: 10
Joined: 28 Apr 2017, 18:36
Distribution: 3.2.2
Location: Canada

Re: Chrome Sandboxing

Post#3 by Koss98 » 29 Apr 2017, 05:17

Chrome is run without admin privilege, so under guest. Porteus version is 3.2.2 running XFCE. Opera browser, which like Chrome is also based on Webkit, has this issue as well. Have you verified that your installation's sandbox is working using the chrome://sandbox command? because that's the readout I got.

Evan
Shogun
Shogun
Posts: 466
Joined: 11 Apr 2016, 09:00
Distribution: Distribution: *

Re: Chrome Sandboxing

Post#4 by Evan » 30 Apr 2017, 08:44

It might be worth searching each line that says <No> at google for some clues...

Namespace Sandbox No - for example comes back as chrome needing " user namespaces support " at kernel level , so i'm not sure how that would be enabled for Porteus.

Koss98
White ninja
White ninja
Posts: 10
Joined: 28 Apr 2017, 18:36
Distribution: 3.2.2
Location: Canada

Re: Chrome Sandboxing

Post#5 by Koss98 » 01 May 2017, 08:04

Oh... if sandboxing is kernel-dependent then there isn't much that I can do, being the amateur that I am. I saw a screenshot of Chrome running on Ubuntu, with Sandbox properly enabled, but the article mentioned that it doesn't work on every distribution. In any case I have the no-script extension which should prevent malicious scripts from being run.

On a side note, do the update-chrome/firefox/etc. commands utilize a secure network connection and/or perform file verifications? I'm pretty paranoid about security, since I'm usually on unsecured wifi networks throughout the day.

User avatar
francois
Contributor
Contributor
Posts: 6434
Joined: 28 Dec 2010, 14:25
Distribution: xfce plank porteus nemesis
Location: Le printemps, le printemps, le printemps... ... l'hiver s'essoufle.

Re: Chrome Sandboxing

Post#6 by francois » 02 May 2017, 17:56

Please try latest version of chrome:
http://forum.porteus.org/viewtopic.php?f=35&t=6520

Code: Select all

root@porteus:~# update-chromium
 Starting checks ... 
[OK] User is root.
[OK] Distro is Porteus
[OK] libbfd was found
[OK] libbfd was found
...

...

 Would you like to download the porteus server version? [y/n] 
n
 Would you like to build the latest version? [y/n]
y
And report.
Prendre son temps, profiter de celui qui passe.

Koss98
White ninja
White ninja
Posts: 10
Joined: 28 Apr 2017, 18:36
Distribution: 3.2.2
Location: Canada

Re: Chrome Sandboxing

Post#7 by Koss98 » 02 May 2017, 21:14

Nope, the output remained the same as before, and in any case I was already on the latest version. However, trying to build the package, as you seemed to have done, failed and produced errors, so I'm using the pre-built version from the server.

Here is the output, it's the same as before.

Code: Select all

Sandbox Status

SUID Sandbox	Yes
Namespace Sandbox	No
PID namespaces	No
Network namespaces	No
Seccomp-BPF sandbox	Yes
Seccomp-BPF sandbox supports TSYNC	Yes
Yama LSM enforcing	No
You are not adequately sandboxed!

Evan
Shogun
Shogun
Posts: 466
Joined: 11 Apr 2016, 09:00
Distribution: Distribution: *

Re: Chrome Sandboxing

Post#8 by Evan » 02 May 2017, 23:09

Koss98 wrote:then there isn't much that I can do, being the amateur that I am..
Well you are doing better than a amateur like me as the last time i tried Chrome on Linux i couldn't even get it to start without using the no-sandbox command and as soon as i saw at google what was involved for Namespace i ran away . :D

User avatar
francois
Contributor
Contributor
Posts: 6434
Joined: 28 Dec 2010, 14:25
Distribution: xfce plank porteus nemesis
Location: Le printemps, le printemps, le printemps... ... l'hiver s'essoufle.

Re: Chrome Sandboxing

Post#9 by francois » 03 May 2017, 01:08

@koss:
I have been able to build google-chrome under xfce guest mode:
Creating /tmp/google-chrome-58.0.3029.96-x86_64-1.xzm
It works for me.

Usually when sandox does not work it issues an error message for me, for example in root mode.

You gave outputs about sandbox. How do you get sandbox status?
Prendre son temps, profiter de celui qui passe.

Koss98
White ninja
White ninja
Posts: 10
Joined: 28 Apr 2017, 18:36
Distribution: 3.2.2
Location: Canada

Re: Chrome Sandboxing

Post#10 by Koss98 » 03 May 2017, 02:29

Usually when sandox does not work it issues an error message for me, for example in root mode.

You gave outputs about sandbox. How do you get sandbox status?
Chrome's sandbox seems to work but not in its entirety, so maybe that's why I haven't seen any error messages. Sandbox status can be found by entering "about:sandbox" or "chrome://sandbox" into the address bar. It's not a deal breaker though since the issue doesn't affect performance or functionality. I'm just more cautious about which sites I visit and I've installed a script blocker extension as another precaution.

User avatar
francois
Contributor
Contributor
Posts: 6434
Joined: 28 Dec 2010, 14:25
Distribution: xfce plank porteus nemesis
Location: Le printemps, le printemps, le printemps... ... l'hiver s'essoufle.

Re: Chrome Sandboxing

Post#11 by francois » 03 May 2017, 23:41

@koss:
And what is the use of the sandbox? According to some theories it is related more to the indexing than to protecting you from dangerous websites. Itt seems that google does not want to reveal the role of the sandbox.
Sandbox effect

Maybe someone has a more accurate definition! 8)

If google does not want to explain the utility of the sandbox. How does someone get to know the use and the right set of the parameters of the sandbox? The answer is no one except some google employees.

It would be like you trying to guess the color of my girlfriend underpants on the 1rst of april.
I might be better placed than you to answer to the question, but some days not.:wink:
Prendre son temps, profiter de celui qui passe.

User avatar
wread
Module Guard
Module Guard
Posts: 1255
Joined: 09 Jan 2011, 18:48
Distribution: Porteus v5.0-kde-64 bits
Location: Santo Domingo
Contact:

Re: Chrome Sandboxing

Post#12 by wread » 04 May 2017, 21:50

I do not like sandboxing because I do not know exactly how it works. I disable it with the --no-sandbox parameter.
I prefer using Tor with chromium instead. I know exactly how it works...Don't be afraid. This is linux.

Cheers
Porteus is proud of the FASTEST KDE ever made.....(take akonadi, nepomuk and soprano out and you will have a decent OS).
The Porteus Community never sleeps!

Koss98
White ninja
White ninja
Posts: 10
Joined: 28 Apr 2017, 18:36
Distribution: 3.2.2
Location: Canada

Re: Chrome Sandboxing

Post#13 by Koss98 » 04 May 2017, 21:58

From what I could gather, "sandboxing" is a form of software compartmentalization for the purpose of containing the effects of malicious or otherwise harmful code executions, and every major modern operating system (and browsers) implements this technique to some degree. Maybe Chrome's sandbox is more refined and comprehensive? In any case, I read (Stackexchange I think) that the point is to have two layers of security, that of the browser itself and that of a discrete sandbox, so that malicious behavior can be safely confined within that isolated environment, and breaching both layers would be incredibly difficult. I don't know how well this works on Porteus, so I decided to just go with Firefox in the end. :D

Evan
Shogun
Shogun
Posts: 466
Joined: 11 Apr 2016, 09:00
Distribution: Distribution: *

Re: Chrome Sandboxing

Post#14 by Evan » 04 May 2017, 23:36

Application Sandboxing is completely different to Sandbox effect.

Sandbox effect refers to how Google search is manipulated both for the user searching and webpage rankings in those results.

Sanboxed applications contain and control the application to a single place both in ram and on the hardrive so it only has virtual interaction with the Host operating system and is never fully integrated the same as VirtualBox or VirtualMachine would be used to sandbox a second operating system.

Two of the most common Sandboxes for Applications are Sandboxie for Windows and FireJail for Linux.

https://www.sandboxie.com/index.php?HowItWorks
https://firejail.wordpress.com/

How Chrome uses it's own sandbox
https://chromium.googlesource.com/chrom ... dboxing.md
https://chromium.googlesource.com/chrom ... box_ipc.md
https://chromium.googlesource.com/nativ ... sandbox.md

neko
DEV Team
DEV Team
Posts: 2109
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Re: Chrome Sandboxing

Post#15 by neko » 05 May 2017, 05:14

@Koss98
If you need the kernel that was built on "CONFIG_NAMESPACES=y",
the kernel of Porteus ISO can be replaced easily with the "CONFIG_NAMESPACES=y" one.
http://forum.porteus.org/viewtopic.php? ... =60#p54605


Thanks.

Post Reply