Arch Linux: Timeframe on removing the SUID sandbox

[Harry Gindi]

Hi there,

I'm a member of the Arch Linux community, and right now, because Arch's kernel is compiled without User Namespace support, Arch still uses the SUID sandbox for chromium.  

I saw a message on the Wiki today that seemed to imply the imminent removal of the SUID sandbox and using the new sandbox based on user namespaces exclusively:

MPORTANT NOTE: The Linux SUID sandbox is almost but not completely removed. See https://bugs.chromium.org/p/chromium/issues/detail?id=598454 This page is mostly out-of-date.

https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox.md

I'd like to know if you have a timeframe on removing the SUID sandbox so the Arch team can smoothly decide how they'd like to proceed with enabling User Namespaces in their kernel packages.

Cheers,

Harry 

[Robert Sesek]

Hi Harry,

Sorry for the delay -- it took a few days to get a complete answer for your question.

The SUID sandbox is not used anymore by any official Chrome distributions. ChromeOS does still make use of the setuid binary to perform some system tasks (e.g., setting the oom_score_adj), so it won't be removed imminently. Note, though, that since the SUID sandbox is no longer tested as part of Chrome, there is a non-zero chance that support for it could break. However, we would accept patches to fix any breakages.

At this time we have no concrete plans nor timeline to remove the SUID sandbox binary. But from a code maintenance perspective, we will likely remove it at some indeterminate point in the future. We recommend that distributions switch to the user namespace sandbox, but that is not something that need be rushed.

Best,

Robert

rsesek / @chromium.org