Hi Paweł,
I don't work on the Linux sandbox mechanism, but I did study it quite a bit for a talk I did recently at NDC Oslo. Unfortunately the video isn't up yet, but my slides are:
Shorter with only some elements, but with code:
Short answer to your question is that for the built-in sandboxing in Chromium to work (that is, NOT using the setuid sandbox binary), it is necessary for the kernel to support the ability to create a user namespace without privilege. This is done by passing the flag CLONE_NEWUSER to the call to clone when creating the parent zygote when the browser process starts up. I am not sure how common supporting unprivileged user namespace creation is in distributions today, but it is supported in Ubuntu at least.
I am not sure if it was intentional to drop support for the setuid sandbox; someone from the sandbox team would have to answer that.
Kind regards,
Patricia Aas
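
A way to check the kernel requirement described in the message above, added here as an example (it is not part of the original message and is not Chromium's code): it calls clone with CLONE_NEWUSER and reports whether the kernel allowed it. The helper names probe_userns and classify_clone_errno are hypothetical, and the program must be run as a non-root user for the result to reflect the unprivileged case.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

/* Child body: exists only so clone() has something to run. */
static int child_fn(void *arg) { (void)arg; return 0; }

/* Map a clone() errno to a verdict: 0 = the kernel or its policy refused
 * the user namespace, -1 = unrelated failure, so the probe is inconclusive. */
int classify_clone_errno(int e)
{
    switch (e) {
    case EPERM:   /* denied by policy (e.g. sysctl, seccomp filter, chroot) */
    case EINVAL:  /* e.g. kernel built without user namespace support */
    case ENOSPC:  /* user namespace limit is zero or exhausted */
    case EUSERS:  /* the same limit, as reported by older kernels */
        return 0;
    default:
        return -1;
    }
}

/* Hypothetical helper: returns 1 if clone(CLONE_NEWUSER) succeeded, otherwise
 * the classify_clone_errno() verdict. *err gets clone()'s errno, 0 on success. */
int probe_userns(int *err)
{
    const size_t stack_size = 64 * 1024;
    char *stack = malloc(stack_size);
    if (!stack) { *err = ENOMEM; return -1; }
    pid_t pid = clone(child_fn, stack + stack_size, CLONE_NEWUSER | SIGCHLD, NULL);
    *err = (pid == -1) ? errno : 0;
    if (pid != -1) waitpid(pid, NULL, 0);   /* reap the short-lived child */
    free(stack);
    return (pid != -1) ? 1 : classify_clone_errno(*err);
}

int main(void)
{
    int err = 0, r = probe_userns(&err);
    printf("CLONE_NEWUSER: %s (errno: %s)\n",
           r == 1 ? "allowed" : r == 0 ? "refused" : "inconclusive",
           err ? strerror(err) : "none");
    return r == 1 ? 0 : 1;
}
```

An exit status of 0 means the kernel let this user create a user namespace; a "refused" result means the namespace-based sandbox described above cannot be set up on this system.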