What is the difference between --no-sandbox and --disable-setuid-sandbox


Pierre Masci

Mar 4, 2015, 1:43:03 AM
to chromium...@chromium.org
What is the difference between these two command line options?

Either of these options lets me run Chromium in Docker, which is what I want. I am just curious about the differences.

Julien

Mar 4, 2015, 12:38:46 PM
to chromium...@chromium.org
Some of it is explained at https://code.google.com/p/chromium/wiki/LinuxSandboxing; I'll update it today to include our new "namespace sandbox" (introduced in M-42).

The short answer to your question: --disable-setuid-sandbox is strictly better than --no-sandbox since you'll at least get the seccomp sandbox. However, it's not a supported configuration.
Starting with M-42, --disable-setuid-sandbox may become a no-op, depending on your kernel version, configuration and the environment in which you run Chrome.

The easiest is to go to chrome://sandbox to see what's engaged for you and whether or not it's a supported configuration ("adequately sandboxed").

Julien
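
An added example, not part of the thread or of the Chromium project: a POSIX shell audit that reads process command lines in the `/proc/PID/cmdline` format and reports which of the two flags each Chromium process was started with, ranked as in the reply above. The function names, verdict labels and binary-name patterns are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): flag audit for Chromium command lines.
# Verdicts follow the ordering given in the thread:
#   no-sandbox       --no-sandbox present (worst case)
#   setuid-disabled  only --disable-setuid-sandbox present
#   default          neither flag present
# A verdict reflects what was requested on the command line, not which
# sandbox layers actually engaged; chrome://sandbox shows the latter.

# Read one argument per line on stdin and print the verdict.
classify_args() {
    verdict=default
    while IFS= read -r arg; do
        case "$arg" in
            --no-sandbox) verdict=no-sandbox ;;
            --disable-setuid-sandbox)
                if [ "$verdict" = default ]; then verdict=setuid-disabled; fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Classify a NUL-separated argv file in the format of /proc/PID/cmdline.
classify_cmdline_file() {
    tr '\0' '\n' < "$1" | classify_args
}

# Walk a proc-style tree (default /proc) and print "PID VERDICT" for every
# process whose argv[0] basename looks like chrome or chromium.
# The name patterns are assumptions; adjust them to the binaries you ship.
scan_proc() {
    root=${1:-/proc}
    for f in "$root"/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        argv0=$(tr '\0' '\n' < "$f" | head -n 1)
        case "${argv0##*/}" in
            chrome*|chromium*) ;;
            *) continue ;;
        esac
        pid=${f%/cmdline}
        printf '%s %s\n' "${pid##*/}" "$(classify_cmdline_file "$f")"
    done
}
```

Calling `scan_proc` with no argument on a Linux host or inside the container audits the live processes there.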