help debugging a sandbox issue (sandbox::Credentials::MoveToNewUserNS)


Paweł Hajdan, Jr.

Jun 26, 2017, 10:00:53 AM
to security-dev
I'm one of Gentoo Linux Chromium packagers, and would like to ask for help debugging a sandbox issue https://bugs.gentoo.org/show_bug.cgi?id=622164 .

Please see above bug for details. The summary is that the browser exits with the following error:
[1:1:0618/220214.398445:FATAL:sandbox_linux.cc(180)] Check failed: sandbox::Credentials::MoveToNewUserNS().
Paweł

Patricia Aas

Jun 26, 2017, 12:55:03 PM
to Paweł Hajdan, Jr., security-dev
Hi Paweł,

I don't work on the Linux sandbox mechanism, but I did study it quite a bit for a talk I did recently at NDC Oslo. Unfortunately the video isn't up yet, but my slides are: 


Shorter with only some elements, but with code: 

Short answer to your question is that for the built-in sandboxing in chromium to work (that is, NOT using the setuid sandbox binary) it is necessary for the kernel to support the ability to create a user namespace without privilege. This is done by passing the flag CLONE_NEWUSER to the call to clone when creating the parent zygote when the browser process starts up. I am not sure how common supporting unprivileged user namespace creation is in distributions today, but it is supported in Ubuntu at least.

I am not sure if it was intentional to drop support for the setuid sandbox, someone from the sandbox team would have to answer that.

Kind regards,
Patricia Aas 


Patricia Aas

Jun 26, 2017, 12:59:46 PM
to Paweł Hajdan, Jr., security-dev
FYI a mail on this issue also came to this list from Arch a week or so ago.

Patricia Aas
Vivaldi browser 

Paweł Hajdan, Jr.

Jul 21, 2017, 4:46:58 AM
to security-dev
We now have an strace log, see https://bugs.gentoo.org/show_bug.cgi?id=622164#c15 . Direct link: https://622164.bugs.gentoo.org/attachment.cgi?id=478274

Looks like all "clone" calls complete successfully. However, there seems to be something else:

write(2, "[21680:21680:0628/134140.157325:"..., 175[21680:21680:0628/134140.157325:FATAL:zygote_host_impl_linux.cc(196)] Check failed: ReceiveFixedMessage(fds[0], kZygoteHelloMessage, sizeof(kZygoteHelloMessage), &real_pid). 
) = 175

Or is that just a symptom of the earlier error?

Paweł

Greg Kerr

Aug 16, 2017, 3:40:09 PM
to Paweł Hajdan, Jr., security-dev
Pawel,

I've looked into the issue and it appears that there is a problem with the namespace sandbox. In particular, the bug reporter indicates that Chrome and Chromium run fine if the namespace sandbox is disabled. This can be particularly difficult to diagnose on Gentoo since users build their own configurations of the kernel, headers and libraries.

Unfortunately, the best assistance I can provide is to say that I agree with comment #10 (https://bugs.gentoo.org/show_bug.cgi?id=622164#c10) and that the user should confirm that their kernel supports the relevant namespaces.

Regards,

Greg
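
A stand-alone probe for the requirement Patricia and Greg describe above, added here as an example: it is not Chromium code, not part of this thread, and not the Gentoo bug's attachment. It does in a forked child what the namespace sandbox needs the kernel to allow, an unprivileged unshare(CLONE_NEWUSER) followed by writing a uid_map that maps the caller's uid to 0 inside the new namespace, and translates the resulting errno into the usual cause. The helper names are this example's own. The sysctl paths it reads are kernel.unprivileged_userns_clone (a Debian/Arch kernel patch, absent on mainline, hence the -1 handling) and user.max_user_namespaces (mainline since 4.9).

```c
/* Added example, not Chromium code: probe whether an unprivileged process may
 * create a user namespace (CLONE_NEWUSER) and map its own uid inside it, which
 * is what Chromium's namespace sandbox relies on. Helper names are our own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run the probe in a forked child so the caller's namespaces stay intact.
 * Returns 0 on success or the (positive) errno of the step that failed. */
int probe_unprivileged_userns(void)
{
    int pipefd[2];
    if (pipe(pipefd) != 0)
        return errno;
    pid_t pid = fork();
    if (pid < 0)
        return errno;

    if (pid == 0) {
        close(pipefd[0]);
        /* Capture the uid first: after unshare() getuid() reports the overflow
         * uid (65534) until a mapping has been written. */
        uid_t outer_uid = getuid();
        int result = 0;
        if (unshare(CLONE_NEWUSER) != 0) {
            result = errno;
        } else {
            /* A process may write one line to its own uid_map without any
             * capability in the parent namespace: map its uid to 0 inside. */
            char map[64];
            int n = snprintf(map, sizeof map, "0 %u 1\n", (unsigned)outer_uid);
            int fd = open("/proc/self/uid_map", O_WRONLY);
            if (fd < 0 || write(fd, map, (size_t)n) != n)
                result = errno;
            if (fd >= 0)
                close(fd);
        }
        if (write(pipefd[1], &result, sizeof result) != (ssize_t)sizeof result)
            _exit(1);
        _exit(0);
    }

    close(pipefd[1]);
    int result = EIO; /* reported if the child died before answering */
    if (read(pipefd[0], &result, sizeof result) != (ssize_t)sizeof result)
        result = EIO;
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    return result;
}

/* Read a small integer from a /proc file; -1 if it is absent or unreadable
 * (kernel.unprivileged_userns_clone only exists on patched Debian/Arch kernels). */
int read_proc_int(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int value = -1;
    if (fscanf(f, "%d", &value) != 1)
        value = -1;
    fclose(f);
    return value;
}

/* Translate the probe result into the usual cause, suitable for a bug report. */
const char *userns_hint(int err)
{
    switch (err) {
    case 0:      return "ok: unprivileged user namespace creation works";
    case EINVAL: return "EINVAL: kernel rejects CLONE_NEWUSER (built without CONFIG_USER_NS)";
    case EPERM:  return "EPERM: creation denied by policy (kernel.unprivileged_userns_clone=0, "
                        "a seccomp filter, or a container runtime)";
    case ENOSPC: return "ENOSPC: user namespace nesting limit reached";
    case EUSERS: return "EUSERS: user.max_user_namespaces limit reached";
    default:     return strerror(err);
    }
}

int main(void)
{
    int knob = read_proc_int("/proc/sys/kernel/unprivileged_userns_clone");
    if (knob >= 0)
        printf("kernel.unprivileged_userns_clone = %d\n", knob);
    printf("user.max_user_namespaces = %d\n",
           read_proc_int("/proc/sys/user/max_user_namespaces"));
    int err = probe_unprivileged_userns();
    printf("unshare(CLONE_NEWUSER) + uid_map: %s\n", userns_hint(err));
    return err == 0 ? 0 : 1;
}
```

The EINVAL/EPERM split is the useful part of the output: a mainline kernel built without CONFIG_USER_NS refuses the flag outright with EINVAL, whereas a kernel that has the feature but denies it to unprivileged users (a distro sysctl, a seccomp filter, a container runtime) returns EPERM, and the fix differs accordingly. Where the kernel exposes its configuration, `zcat /proc/config.gz | grep CONFIG_USER_NS` is an independent cross-check of the EINVAL case.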

hex...@gmail.com

Jun 20, 2018, 12:43:22 PM
to Security-dev
Look here.
https://forums.gentoo.org/viewtopic-p-8224754.html?sid=d55e556ca163118f7cf471e9a18659cb#8224754

It seems you have to disable kernel option USER_NS or compile ffmpeg or mesa without opencl.
