New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 3 users

Issue metadata

Status: Available
Owner: ----
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug

Sign in to add a comment

Issue 729690: chromeos-kernel-3.8 lacks support for cgroup namespace

Reported by, Jun 5 2017 Project Member

Issue description

chromeos-kernel-3.8 lacks support for cgroup namespace, which means `miniajail0 -N` will abort at runtime. We should consider a few potential actions:

1. Audit existing usages of cgroup namespace in Chrome OS to see if they run on kernel 3.8 and are affected by this issue
2. Backport cgroup namespace support to 3.8, where the benefit may or may not justify the effort
3. Modify minijail to handle lack of cgroup namespace more gracefully
4. Document the disparities in namespace support (and other security features) among different kernel versions
5. Explicitly specify security features in the build process (e.g. using USE flags and conditional RDEPENDs   cgroup_namespace? (>=chromeos-kernel-3.14))

It also raises an interesting question on how we should tackle disparities of security features among different versions of kernel in a long run. The disparities may exist for practical reasons, so we may need to live with that. However, it'd be crucial to have some mechanisms to identify and catch inappropriate assumptions on security features available on a system.

Comment 1 by, Jun 6 2017

I've filed b/62356702 for (3).

Comment 2 Deleted

Comment 3 by, Jun 6 2018

Labels: -Restrict-View-SecurityTeam -Hotlist-Recharge-Cold
Status: Available (was: Untriaged)
i think we've decided to just wait this one out ?  in a year or two, all linux-3.8 devices should be EOL.

Comment 4 by, Jun 21 2018

Components: OS>Systems>Minijail

Comment 5 by, Aug 8

According to, the last device with 3.8 kernel is the LG monroe chromebook whose update support ends in 2020-06-30.

Comment 6 by, Aug 8

We should probably go back through the services running with minijail at that time and add the -N flag where it makes sense.

Comment 7 by, Aug 8


Comment 8 by, Aug 8

Labels: -Pri-2 Pri-3
yes, the plan would be, once we no longer ship 3.8, we'll go through all the services and drop in -N.  i'm not sure we have any services that wouldn't use it tbh as our cgroup utilization has been quite low.

Comment 9 by, Aug 8

3.10 does not have cgroup namespaces either and we will not backport them there, the effort would be too much.

Sign in to add a comment