Stop checking for the setuid sanbox binary on desktop Linux |
||||||
Issue descriptionAs per bug 312380 , we should no longer need the setuid binary sandbox on most if not all supported versions of desktop Linux. However, Chrome still checks for it on startup and complains if it's not there. We should stop doing that.
,
Mar 28 2016
Ricky, do you want to take this?
,
Mar 28 2016
Actually, this might be a good bug for thomasanderson@ to try ...
,
Mar 28 2016
I attempted this as a first bug fix by removing the SetupSandbox() calls in browser_main_loop.cc and am currently recompiling and testing to see if it fixed the issue.
,
May 11 2016
Tom, want to take a look at this now?
,
May 11 2016
,
Jun 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5ba7c75f39ad5e4f6bf67efb9f8d0b84355d4c96 commit 5ba7c75f39ad5e4f6bf67efb9f8d0b84355d4c96 Author: mdempsky <mdempsky@chromium.org> Date: Sat Jun 11 03:39:45 2016 Fix logic for checking chrome-sandbox setuid binary We only need to check for chrome-sandbox if we plan on launching zygotes with the setuid sandbox or we need it to adjust OOM scores. Also, the error only needs to be fatal when we want the setuid sandbox. BUG= 598454 Review-Url: https://codereview.chromium.org/1976403002 Cr-Commit-Position: refs/heads/master@{#399361} [modify] https://crrev.com/5ba7c75f39ad5e4f6bf67efb9f8d0b84355d4c96/content/browser/browser_main_loop.cc [modify] https://crrev.com/5ba7c75f39ad5e4f6bf67efb9f8d0b84355d4c96/content/browser/zygote_host/zygote_communication_linux.cc [modify] https://crrev.com/5ba7c75f39ad5e4f6bf67efb9f8d0b84355d4c96/content/browser/zygote_host/zygote_communication_linux.h [modify] https://crrev.com/5ba7c75f39ad5e4f6bf67efb9f8d0b84355d4c96/content/browser/zygote_host/zygote_host_impl_linux.cc [modify] https://crrev.com/5ba7c75f39ad5e4f6bf67efb9f8d0b84355d4c96/content/browser/zygote_host/zygote_host_impl_linux.h
,
Jun 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5ba7c75f39ad5e4f6bf67efb9f8d0b84355d4c96 commit 5ba7c75f39ad5e4f6bf67efb9f8d0b84355d4c96 Author: mdempsky <mdempsky@chromium.org> Date: Sat Jun 11 03:39:45 2016 Fix logic for checking chrome-sandbox setuid binary We only need to check for chrome-sandbox if we plan on launching zygotes with the setuid sandbox or we need it to adjust OOM scores. Also, the error only needs to be fatal when we want the setuid sandbox. BUG= 598454 Review-Url: https://codereview.chromium.org/1976403002 Cr-Commit-Position: refs/heads/master@{#399361} [modify] https://crrev.com/5ba7c75f39ad5e4f6bf67efb9f8d0b84355d4c96/content/browser/browser_main_loop.cc [modify] https://crrev.com/5ba7c75f39ad5e4f6bf67efb9f8d0b84355d4c96/content/browser/zygote_host/zygote_communication_linux.cc [modify] https://crrev.com/5ba7c75f39ad5e4f6bf67efb9f8d0b84355d4c96/content/browser/zygote_host/zygote_communication_linux.h [modify] https://crrev.com/5ba7c75f39ad5e4f6bf67efb9f8d0b84355d4c96/content/browser/zygote_host/zygote_host_impl_linux.cc [modify] https://crrev.com/5ba7c75f39ad5e4f6bf67efb9f8d0b84355d4c96/content/browser/zygote_host/zygote_host_impl_linux.h
,
Jun 21 2016
,
Jun 21 2016
With this change there is only one use of kDisableSetuidSandbox remaining as far as I can see (apart from some forwarding)- and if control ever reaches the one point where it's checked and it is enabled then we LOG(FATAL). kDisableSetuidSandbox therefore seems to be useless- should it be removed?
,
Jun 21 2016
The LOG(FATAL) is the use. :) The intention is if you want to run Chrome and only use the namespace sandbox, you can set --disable-setuid-sandbox. But if you do so on a host without appropriate kernel support for the namespace sandbox, Chrome will loudly refuse to run.
,
Jun 21 2016
|
||||||
►
Sign in to add a comment |
||||||
Comment 1 by dpranke@chromium.org
, Mar 28 2016Components: Security