Well, it's a good idea for modern code not to use chroot() anymore for this kind of thing, but simply to overmount /.
And the RLIMIT_NPROC thing is completely useless as it will only protect you from UID clashes with running processes. But there are many services that run only temporarily or are started or stopped at any time. The RLIMIT_NPROC check is entirely misled and wrong.
Tinnes: Introducing Chrome's next-generation Linux sandbox
Posted Sep 10, 2012 17:42 UTC (Mon) by hibiscus (subscriber, #86633)
- Yeah, CLONE_NEWNS + mount should work too, but I think there were unwanted side effects. Perhaps problems with clean-up? There shouldn't be; it should be cleaned up when the last process dies. Maybe we didn't want to rely on namespaces, which were quite new, for the main functionality.
- As I tried to explain before, the UID ranges need to be administratively defined, exclusively for the purpose of the sandbox, in the same way that uids are allocated to given users or daemons. I've always been adamant about that.
Also note that uid collisions (from sandboxed processes) are not a big issue: the ptrace check won't pass on a uid-only match, and the processes are marked non-dumpable. Signals would be the biggest issue with collisions.
But anyway, nowadays setuid() doesn't fail anymore, and uid ranges have stayed at the level of a POC, deprecated in favor of PID namespaces.
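Two of the points in the exchange above lend themselves to a small defender-side check: that a sandbox UID range is really reserved exclusively for the sandbox (no existing account inside it), and that a sandboxed process marks itself non-dumpable so a UID-only match is not enough for another process to ptrace it. The program below is an added example, not code from this thread or from Chrome's sandbox. The passwd-format text, the 30000-30999 range and the function names `count_uid_collisions` and `make_non_dumpable` are all constructed for the example; the only kernel interface it relies on is `prctl(PR_SET_DUMPABLE)`.

```c
/* Added example (not from the thread or from Chrome's sandbox).
 * 1. Check that a reserved sandbox UID range collides with no passwd entry
 *    (the passwd text below is a constructed sample, not a real file).
 * 2. Mark the calling process non-dumpable, the property the comment above
 *    relies on for the ptrace access check. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed passwd-format sample; "stray" deliberately sits inside the
 * range we intend to reserve for the sandbox. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "stray:x:30005:30005:stray account:/nonexistent:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n";

/* Start of 0-based field n in a colon-separated line, or NULL if the line
 * has too few fields. Empty fields (e.g. an empty password field) are kept,
 * which strtok-style parsing would silently merge away. */
static const char *nth_field(const char *s, int n)
{
    for (int i = 0; i < n; i++) {
        s = strchr(s, ':');
        if (!s)
            return NULL;
        s++;
    }
    return s;
}

/* Number of passwd entries whose UID lies in [lo, hi]; -1 on a malformed
 * line. Anything other than 0 means the range is not exclusively the
 * sandbox's and must not be used for it. */
int count_uid_collisions(const char *passwd_text, uid_t lo, uid_t hi)
{
    int collisions = 0;
    const char *line = passwd_text;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];

        if (len >= sizeof buf)
            return -1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = eol ? eol + 1 : line + len;
        if (len == 0)
            continue;                       /* tolerate blank lines */

        /* name:password:uid:gid:gecos:home:shell -> UID is field 2 */
        const char *uid_field = nth_field(buf, 2);
        if (!uid_field)
            return -1;
        char *end = NULL;
        unsigned long uid = strtoul(uid_field, &end, 10);
        if (end == uid_field || *end != ':')
            return -1;
        if (uid >= lo && uid <= hi)
            collisions++;
    }
    return collisions;
}

/* Clear the dumpable flag. With dumpable == 0 the kernel's ptrace access
 * check no longer accepts a matching UID/GID; the tracer needs
 * CAP_SYS_PTRACE instead, so two sandboxed processes that happen to share a
 * UID cannot ptrace each other. Side effects worth knowing: no core dumps,
 * and /proc/<pid> becomes root-owned. Returns the flag read back (0 on
 * success) or -1 if prctl failed. */
int make_non_dumpable(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

int main(void)
{
    /* Hypothetical reserved range; in practice this is an administrative
     * allocation made when the sandbox is deployed. */
    const uid_t lo = 30000, hi = 30999;
    int n = count_uid_collisions(SAMPLE_PASSWD, lo, hi);
    printf("accounts colliding with sandbox uid range %u-%u: %d\n", lo, hi, n);
    if (n != 0)
        fprintf(stderr, "refusing to use a range that is not exclusively reserved\n");

    int d = make_non_dumpable();
    printf("dumpable flag after prctl: %d\n", d);
    /* Actually switching to a UID in the range (setresuid) needs privilege
     * and is omitted; note that since Linux 3.1 the RLIMIT_NPROC limit is
     * enforced at execve() rather than making setuid() fail. */
    return (n == 0 && d == 0) ? 0 : 1;
}
```

Run against a real system, the first check would read `/etc/passwd` (and any NSS source) instead of the embedded sample; the point of the collision count is that the exclusivity of the range is verified at deployment time rather than assumed, which is the administrative guarantee the comment above insists on. The dumpable check runs without privilege, so it can be exercised in a test harness as well as in the sandboxed child.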
Tinnes: Introducing Chrome's next-generation Linux sandbox
Posted Sep 10, 2012 21:40 UTC (Mon) by hibiscus (subscriber, #86633)