Restricting packages in the linux environment

Skip to first unread message

Reed Porter

Oct 8, 2021, 9:46:37 AM10/8/21
to Chromium OS Development

An organization I do business with is not allowing us to install anything on our chromebook that isn't from the Google Play store for security reasons. I'm trying to discuss with them allowing the linux dev environment so we can install linux packages, but they say that once enabled there is no way to restrict what is installed, is this true? Is there really no control over which packages can or cannot be installed?

Is there any way to enable the linux environment but disallow package installation? This way the organization could use an MDM software to distribute the packages they allow directly?

I'm trying to work something out with them so I'm hoping somebody here will be able to identify a middle ground or share how their organization worked around what this org sees as huge security concerns.

Thank you,


Oct 8, 2021, 11:24:32 AM10/8/21
to Reed Porter, Chromium OS Development
There is no way to limit what packages are installed in the Linux environment because the user created by the ChromeOS device's user is given sudo access which gives them root privileges. You could request the user immediately install something like Crowdstrike or Zenworks or similar to be able to monitor what software is installed and produce an inventory, but I think trying to prevent software installations within Linux is a non-starter.

I would go back to your business and ask them what exactly is the reasoning behind this trust of Google Play Store (which has had many many instances of malware in apps) and mistrust of the Linux software ecosystem where malware via Linux package managers is very very uncommon to my knowledge.

Understanding the WHY instead of focusing on the HOW will probably get you to a better result.

Ask them if you used the Parallels for Chromebook to install a Windows VM if they would have issues with users installing software obtained from the web or if they need it all to go through Microsoft SCCM or InTune or something similar?

Chromium OS Developers mailing list:
View archives, change email options, or unsubscribe:
To unsubscribe from this group and stop receiving emails from it, send an email to

Mike Frysinger

Oct 8, 2021, 3:54:19 PM10/8/21
to Reed Porter, Chromium OS Development
currently, no.  we have very coarse knobs (allow/disallow Crostini), but that's it atm.

we're kicking around different ideas & approaches, but there's nothing available right now or "soon" that would help you here.

i'd note that, once you have a command line shell, even if you didn't have root access, nothing is stopping you from downloading code into your $HOME and just running it from there.  pip and npm and similar tools make this very trivial to do.
(i'm ignoring noexec $HOME and SELinux and IMA style enforcement mechanisms on the assumption that you'd be doing local development already e.g. `make && ./hello-world` stuff.)


Keith I Myers

Oct 8, 2021, 4:07:37 PM10/8/21
to Mike Frysinger, Reed Porter, Chromium OS Development
Just a idea for future development on a "Managed Linux" setup. Allow the device administrator to create a managed LXC container that can be pushed to managed Chrome OS devices. Have a toggle in Workspace Admin to disallow Shell Access which would disallow users to easily bypass the security restrictions. I assume you would also need to disallow the vmc command in crosh as it could be used to bypass the restrictions. 

Reply all
Reply to author
0 new messages