Chrome Sandboxing

[Koss98]

Hi, new here.

I installed the Chrome module but discovered that the sandbox isn't running properly...

Code: Select all

(about://sandbox)

Sandbox Status

SUID Sandbox	Yes
Namespace Sandbox	No
PID namespaces	No
Network namespaces	Nohttps://forum.porteus.org/posting.php?mode=post&f=113#
Seccomp-BPF sandbox	Yes
Seccomp-BPF sandbox supports TSYNC	Yes
Yama LSM enforcing	No
You are not adequately sandboxed!

On Ubuntu this wasn't an issue. Google itself recommends using other browsers in case Chrome's sandbox feature isn't working, but I like Chrome and I want to fix this on Porteus if possible.

[francois]

Are you working guest or root mode? What version of porteus are you using? What desktop are you using? I am using google-chrome under kde5 (plasma) with no sandbox problem under porteus 3.2.2.

[Koss98]

Chrome is run without admin privilege, so under guest. Porteus version is 3.2.2 running XFCE. Opera browser, which like Chrome is also based on Webkit, has this issue as well. Have you verified that your installation's sandbox is working using the chrome://sandbox command? because that's the readout I got.

[Evan]

It might be worth searching each line that says <No> at google for some clues...

Namespace Sandbox No - for example comes back as chrome needing " user namespaces support " at kernel level , so i'm not sure how that would be enabled for Porteus.

[Koss98]

Oh... if sandboxing is kernel-dependent then there isn't much that I can do, being the amateur that I am. I saw a screenshot of Chrome running on Ubuntu, with Sandbox properly enabled, but the article mentioned that it doesn't work on every distribution. In any case I have the no-script extension which should prevent malicious scripts from being run.

On a side note, do the update-chrome/firefox/etc. commands utilize a secure network connection and/or perform file verifications? I'm pretty paranoid about security, since I'm usually on unsecured wifi networks throughout the day.

[francois]

Please try latest version of chrome:
http://forum.porteus.org/viewtopic.php?f=35&t=6520

Code: Select all

root@porteus:~# update-chromium
 Starting checks ... 
[OK] User is root.
[OK] Distro is Porteus
[OK] libbfd was found
[OK] libbfd was found
...

...

 Would you like to download the porteus server version? [y/n] 
n
 Would you like to build the latest version? [y/n]
y

And report.

[Koss98]

Nope, the output remained the same as before, and in any case I was already on the latest version. However, trying to build the package, as you seemed to have done, failed and produced errors, so I'm using the pre-built version from the server.

Here is the output, it's the same as before.

Code: Select all

Sandbox Status

SUID Sandbox	Yes
Namespace Sandbox	No
PID namespaces	No
Network namespaces	No
Seccomp-BPF sandbox	Yes
Seccomp-BPF sandbox supports TSYNC	Yes
Yama LSM enforcing	No
You are not adequately sandboxed!

[Evan]

then there isn't much that I can do, being the amateur that I am..

Well you are doing better than a amateur like me as the last time i tried Chrome on Linux i couldn't even get it to start without using the no-sandbox command and as soon as i saw at google what was involved for Namespace i ran away .

[francois]

@koss:
I have been able to build google-chrome under xfce guest mode:
Creating /tmp/google-chrome-58.0.3029.96-x86_64-1.xzm
It works for me.

Usually when sandox does not work it issues an error message for me, for example in root mode.

You gave outputs about sandbox. How do you get sandbox status?

[Koss98]

Usually when sandox does not work it issues an error message for me, for example in root mode.

You gave outputs about sandbox. How do you get sandbox status?

Chrome's sandbox seems to work but not in its entirety, so maybe that's why I haven't seen any error messages. Sandbox status can be found by entering "about:sandbox" or "chrome://sandbox" into the address bar. It's not a deal breaker though since the issue doesn't affect performance or functionality. I'm just more cautious about which sites I visit and I've installed a script blocker extension as another precaution.

[francois]

@koss:
And what is the use of the sandbox? According to some theories it is related more to the indexing than to protecting you from dangerous websites. Itt seems that google does not want to reveal the role of the sandbox.
Sandbox effect

Maybe someone has a more accurate definition! 8)

If google does not want to explain the utility of the sandbox. How does someone get to know the use and the right set of the parameters of the sandbox? The answer is no one except some google employees.

It would be like you trying to guess the color of my girlfriend underpants on the 1rst of april.
I might be better placed than you to answer to the question, but some days not.

[wread]

I do not like sandboxing because I do not know exactly how it works. I disable it with the --no-sandbox parameter.
I prefer using Tor with chromium instead. I know exactly how it works...Don't be afraid. This is linux.

Cheers

[Koss98]

From what I could gather, "sandboxing" is a form of software compartmentalization for the purpose of containing the effects of malicious or otherwise harmful code executions, and every major modern operating system (and browsers) implements this technique to some degree. Maybe Chrome's sandbox is more refined and comprehensive? In any case, I read (Stackexchange I think) that the point is to have two layers of security, that of the browser itself and that of a discrete sandbox, so that malicious behavior can be safely confined within that isolated environment, and breaching both layers would be incredibly difficult. I don't know how well this works on Porteus, so I decided to just go with Firefox in the end.

[Evan]

Application Sandboxing is completely different to Sandbox effect.

Sandbox effect refers to how Google search is manipulated both for the user searching and webpage rankings in those results.

Sanboxed applications contain and control the application to a single place both in ram and on the hardrive so it only has virtual interaction with the Host operating system and is never fully integrated the same as VirtualBox or VirtualMachine would be used to sandbox a second operating system.

Two of the most common Sandboxes for Applications are Sandboxie for Windows and FireJail for Linux.

https://www.sandboxie.com/index.php?HowItWorks
https://firejail.wordpress.com/

How Chrome uses it's own sandbox
https://chromium.googlesource.com/chrom ... dboxing.md
https://chromium.googlesource.com/chrom ... box_ipc.md
https://chromium.googlesource.com/nativ ... sandbox.md

[neko]

@Koss98
If you need the kernel that was built on "CONFIG_NAMESPACES=y",
the kernel of Porteus ISO can be replaced easily with the "CONFIG_NAMESPACES=y" one.
http://forum.porteus.org/viewtopic.php? ... =60#p54605


Thanks.