chromium: child processes escape the network namespace sandbox #4087
Comments
I guess that's because of Chromium's sandbox. What happens if you start chromium with EDIT: Does Slackware's kernel support unprivileged userns clone? ( |
Does what I expect it to do. Every child is in
|
This sysctl is a Debian patch (used by Debian and Arch). Mainline does not have it. So unprivileged_userns_clone is supported on your system if userns is supported at all (
Chromium has its own sandbox (surprise 😎 ) with a suid-helper in So it can run code as root in the default users with NO_NEW_PRIVS=0 and CAP_SYS_ADMIN. In general that's a good starting point to:
You can also |
Any progress here? |
I'm closing here due to inactivity, please feel free to request to reopen if you have more questions. |
Bug and expected behavior
I am running Chromium in a custom netns:
firejail --netns=for_wg chromium --user-data-dir="/home/lockywolf/.config/chromium" --disable-async-dns
Then I am finding firejail's pid:
pgrep firejail => 31669
(I actually do this by looking at the process tree, as there are two firejails.)
Then I look at the process tree:
Huh? PID 31708 escaped the sandbox? Checking:
Nothing!
I expected all Chromium's children to be in the for_wg netns.
No profile and disabling firejail
firejail --noprofile /path/to/program in a terminal? Nothing, same behaviour.
which <program> or firejail --list while the sandbox is running)? I do not understand the question.
Reproduce
See above.
Environment
lsb_release -a, screenfetch or cat /etc/os-release) Slackware 15.0 alpha1, kernel 5.10.21, glibc 2.33, chromium 89.0.4389.72 (Developer Build) (64-bit)
firejail --version) exclusive or used git commit (git rev-parse HEAD) 0.9.64.4
Additional context
Exactly the same behaviour happens if I run chromium with
ip netns exec chromium ...
Checklist
https://github.com/netblue30/firejail/issues/1139)
--profile=PROFILENAME is used to set the right profile.: Not an appimage.
LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get English error-messages.
browser-allow-drm yes / browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.: yes, but I do not use U2F and do not keep chrome executables in ~/
debug output
attaching stdout and stderr
firejail.chrome.debug.stderr.txt
firejail.chrome.debug.stdout.txt
The result of children being in a different namespace is that different tabs of the browser are getting different routes and DNS servers.
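The manual check described in this report can be automated. The following is an added example, not part of the original issue and not firejail code: it walks the descendants of a PID and lists those whose `/proc/<pid>/ns/net` link differs from the root's. The function names and the `proc` parameter are assumptions of this example; `root_pid` should be a process already inside the intended namespace, and a link that cannot be read (for instance a process owned by another user) is reported as `None` rather than assumed to match.

```python
import os

def read_ppid_comm(proc, pid):
    """Return (ppid, comm) from <proc>/<pid>/stat; comm may contain spaces or ')'."""
    with open(os.path.join(proc, str(pid), "stat")) as f:
        data = f.read()
    close = data.rindex(")")                 # last ')' ends the comm field
    comm = data[data.index("(") + 1:close]
    fields = data[close + 2:].split()        # fields[0] = state, fields[1] = ppid
    return int(fields[1]), comm

def netns_id(proc, pid):
    """Namespace identity such as 'net:[4026532008]', or None if unreadable."""
    try:
        return os.readlink(os.path.join(proc, str(pid), "ns", "net"))
    except OSError:
        return None

def netns_outliers(root_pid, proc="/proc"):
    """List (pid, comm, netns) for descendants whose netns differs from root_pid's."""
    children, comms = {}, {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            ppid, comm = read_ppid_comm(proc, entry)
        except (OSError, ValueError):
            continue                         # process exited during the scan
        children.setdefault(ppid, []).append(int(entry))
        comms[int(entry)] = comm
    expected = netns_id(proc, root_pid)
    outliers, stack = [], list(children.get(root_pid, []))
    while stack:
        pid = stack.pop()
        ns = netns_id(proc, pid)
        if ns != expected:                   # different namespace, or unverifiable
            outliers.append((pid, comms[pid], ns))
        stack.extend(children.get(pid, []))  # keep walking below an outlier too
    return sorted(outliers)

if __name__ == "__main__":
    import sys
    for pid, comm, ns in netns_outliers(int(sys.argv[1])):
        print(pid, comm, ns or "unreadable (permission denied or exited)")
```

Run it with the sandboxed PID as the only argument; an empty result means every descendant visible in `/proc` shares the root's network namespace.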