Regarding  https://bugs.meego.com/show_bug.cgi?id=16284
Chromium browser sandbox feature is not working in MeeGo builds
.....................
In investigating why even the latest google-chrome emits the "you are not
adequately sandboxed" message on MeeGo 1.2, I believe I've discovered a
kernel shortcoming in MeeGo 1.2 as distributed on the ExoPCs
at the 2011 MeeGo SF conference, and on the latest
http://download.meego.com/live/MeeGo:/1.2 (for which repos on both
netbook and tablet have been updated w/ "zypper dup --from
'MeeGo:1.2:non-oss (MeeGo_1.2)' --from 'MeeGo:1.2:oss (standard)'")
...  and yes, this egregious security flaw still exists, along with
this new-found related problem in the build of the MeeGo 1.2 pinetrail
kernel:

http://phajdan-jr.blogspot.com/2011/05/chromium-linux-kernel-configuration.html
("Chromium: Linux kernel configuration options needed for SUID
sandbox") suggests the following kernel configuration options which
are apparently missing in MeeGo 1.2
(kernel-adaptation-pinetrail-2.6.38.2-8.12.i586):

  General setup  --->
        -*- Namespaces support  --->
                [*]   PID Namespaces
                [*]   Network namespace

Here's my test script with detailed comments:

$ diff /usr/bin/meego-app-browser /usr/local/bin/meego-sandboxed-browser
8a9,48
> ## NPM: per
> ## http://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment
> ## chrome-sandbox binary taken from
> ## 
> https://dl-ssl.google.com/linux/direct/google-chrome-stable_current_i386.rpm
> ## which installs at:
> ## ROOT-meegotab-108-~> ll /opt/google/chrome/chrome-sandbox
> ##  -rwsr-xr-x 1 root root 10420 2011-05-19 18:10 
> /opt/google/chrome/chrome-sandbox*
> ## Note that it must be SUID.  See below also where 
> "--enable-seccomp-sandbox" added to launch
> ## suggested by http://bugs.gentoo.org/363907 ...
> ## checking that this isn't bullshit:
> ## $ strings meego-app-browser | grep SANDBOX
> ## CHROME_DEVEL_SANDBOX
> ## However, it appears MeeGo kernel not config'd correctly per
> ## 
> http://phajdan-jr.blogspot.com/2011/05/chromium-linux-kernel-configuration.html
> ## on Fedora the equivalent (google-chrome-stable-11.0.696.71-86024.x86_64) 
> version of google-chrome
> ## reports:
> #### ## Sandbox Status
> #### ## SUID Sandbox  Yes
> #### ##   PID namespaces      Yes
> #### ##   Network namespaces  Yes
> #### ## Seccomp sandbox       No
> #### ## You are adequately sandboxed.
> ## On MeeGo 1.2, google-chrome-stable-11.0.696.71-86024.i386, about:sandbox 
> reports:
> #### Sandbox Status
> ####
> #### SUID Sandbox     Yes
> #### Seccomp sandbox  No
> #### You are not adequately sandboxed!
> ## The reason for the inadequate sandbox is hidden, but suggested in the
> ## blogpost link above:
> ##
> ## It turned out that to make the SUID sandbox fully effective, the kernel
> ## must support PID (process id) and network namespaces. Adding to the
> ## confusion, when the kernel supports them, about:sandbox displays entries
> ## for "PID namespaces" and "network namespaces" and a green "yes" next to
> ## them. But if the kernel doesn't support those features, nothing is
> ## displayed, which makes it difficult to diagnose what's wrong with the
> ## sandbox.
> ##
> export CHROME_DEVEL_SANDBOX=/opt/google/chrome/chrome-sandbox
>
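Review bot: the export of CHROME_DEVEL_SANDBOX is unconditional, so if /opt/google/chrome/chrome-sandbox is absent or loses its setuid bit (the comment itself says "it must be SUID") the browser starts with a silently degraded sandbox; guard it, e.g. `[ -u /opt/google/chrome/chrome-sandbox ] && export CHROME_DEVEL_SANDBOX=/opt/google/chrome/chrome-sandbox`, and print a warning on the else branch. The comment block also concludes that the kernel lacks PID/network namespace support, which is why the quoted MeeGo about:sandbox status still reads "You are not adequately sandboxed!"; it should state plainly that the script cannot fix that and that the kernel config is the real blocker.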
151c191
<   exec $LIBDIR/$APPNAME "--fullscreen" "--opengl"
"--disable-accelerated-compositing" "--enable-click-to-play" "--tabs-limit=8"
"$@"
---
>   exec $LIBDIR/$APPNAME "--fullscreen" "--opengl" 
> "--disable-accelerated-compositing" "--enable-seccomp-sandbox" 
> "--tabs-limit=8" "$@"
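Review bot: the replaced exec line drops "--enable-click-to-play" while adding "--enable-seccomp-sandbox", and nothing in the change explains removing click-to-play; keep it unless the removal is intended. Also, the about:sandbox output quoted in the first hunk still reports "Seccomp sandbox  No" on MeeGo after this flag is passed, so the change should not be described as fixing the sandbox status; per the comments, the missing namespace support is the stated cause.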
152a193,194
>
>
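Review bot: this hunk only appends two empty lines at the end of the script; drop them so the diff carries nothing but the functional change.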
...........................

-- Niels
http://nielsmayer.com

PS: my test script failed to deliver an adequately sandboxed browser
on my ExoPC tablet, which is why I started investigating what was
going on with my "reference" software and sandbox, the latest stable
chrome browser from google.com.

PPS: On the ExoPC MeeGo Tablet UX, I'm happily using
http://wiki.meego.com/MeeGo-Lem-Firefox4 which runs everything in its
own version of the sandbox. Perhaps one not vulnerable to the same
class of attack as
http://www.vupen.com/demos/VUPEN_Pwning_Chrome.php
https://threatpost.com/en_us/blogs/researchers-say-new-bugs-can-bypass-google-chrome-sandbox-050911
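The post makes two points a practitioner would want to verify directly rather than through about:sandbox, which hides the namespace entries when the kernel lacks them: the kernel must be built with PID and network namespaces (the CONFIG_PID_NS and CONFIG_NET_NS options behind the menu entries quoted above), and the chrome-sandbox helper must be setuid root. The following preflight script is an added example, not part of the original post and not MeeGo's or Chromium's own code; the kernel-config locations (/proc/config.gz, /boot/config-$(uname -r)), the use of GNU stat, and the default helper path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): preflight check for the two
# prerequisites of a fully effective Chromium SUID sandbox discussed above:
# kernel PID/network namespace support and a setuid-root chrome-sandbox helper.
# Config-file locations, GNU stat, and the default helper path are assumptions.

# Write the running kernel's config to stdout. Most distributions expose it
# either as /proc/config.gz (CONFIG_IKCONFIG_PROC) or as a file under /boot.
kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# config_state <config-file> <CONFIG_NAME>
# Echoes "y" when the option is built in, "n" when it is absent or "is not set".
config_state() {
    if grep -q "^$2=y\$" "$1" 2>/dev/null; then
        echo y
    else
        echo n
    fi
}

# namespaces_ok <config-file>
# Succeeds only when both CONFIG_PID_NS and CONFIG_NET_NS are enabled, which is
# what the "PID Namespaces" / "Network namespace" menu entries turn on.
namespaces_ok() {
    [ "$(config_state "$1" CONFIG_PID_NS)" = y ] &&
    [ "$(config_state "$1" CONFIG_NET_NS)" = y ]
}

# sandbox_helper_ok <path>
# Succeeds only when the helper exists, carries the setuid bit and is owned by
# uid 0 (the -rwsr-xr-x root root mode shown in the post's ls output).
sandbox_helper_ok() {
    [ -u "$1" ] && [ "$(stat -c %u "$1" 2>/dev/null)" = 0 ]
}

# Report on the running kernel and on the helper path the post's script exports.
report() {
    cfg=$(mktemp) || return 0
    kernel_config > "$cfg"
    if [ -s "$cfg" ]; then
        echo "CONFIG_PID_NS=$(config_state "$cfg" CONFIG_PID_NS)"
        echo "CONFIG_NET_NS=$(config_state "$cfg" CONFIG_NET_NS)"
        if namespaces_ok "$cfg"; then
            echo "kernel: namespace support present"
        else
            echo "kernel: namespace support missing; SUID sandbox will not be fully effective"
        fi
    else
        echo "kernel: config not readable, cannot verify namespace support"
    fi
    rm -f "$cfg"
    helper=${CHROME_DEVEL_SANDBOX:-/opt/google/chrome/chrome-sandbox}
    if sandbox_helper_ok "$helper"; then
        echo "helper: $helper is setuid root"
    else
        echo "helper: $helper missing or not setuid root"
    fi
    return 0
}

report
```

Run it as an ordinary user before launching the browser: reading /proc/config.gz needs no privilege, and a "namespace support missing" line means no wrapper-script change (CHROME_DEVEL_SANDBOX, --enable-seccomp-sandbox) can produce an adequately sandboxed browser on that kernel; only a kernel rebuilt with the options above can.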
_______________________________________________
MeeGo-dev mailing list
MeeGo-dev@meego.com
http://lists.meego.com/listinfo/meego-dev
http://wiki.meego.com/Mailing_list_guidelines