On Thu, Dec 01, 2011 at 02:32:48PM -0500, Christian Jaeger wrote:
> Hello
> I'm successfully (and maybe even securely) using Xorg in a
> vserver guest (I'll add more details to the wiki about X soon).

looking forward to the wiki improvements ...

> The one problem I haven't found a solution for so far is running
> chromium.
> $ chromium-browser
> Failed to move to new PID namespace: Operation not permitted
> ^C
> $ chromium-browser --no-sandbox
> [12306:12306:699047412629:ERROR:renderer_main.cc(213)] Running
> without renderer sandbox
> # works but that's obviously suboptimal
> Now I've read that chrome/chromium has been and still is using
> seccomp for their sandbox on Linux [1][2], at least in some
> configuration or part of its sandboxing; now for the part where
> it does indeed use seccomp, to my understanding there would
> be no use for PID namespaces (seccomp would inhibit access
> to syscalls concerning PIDs), so that leaves me to suspect
> they either use namespaces in the part outside the seccomp'ed
> thread, or that chromium from Debian stable and testing
> are relying on something else than seccomp.
> I can't verify whether seccomp is being used with strace on a
> non-vserver machine, as that too makes it run into the "Failed
> to move to new PID namespace: Operation not permitted" error.

what kernel/patch versions are we talking about and
why does it fail on the non-vserver machine?

> Does anyone know more, or has found a solution to running chromium
> with sandboxing?
best,
Herbert
> Christian.
> [1] http://www.imperialviolet.org/2009/08/26/seccomp.html
> [2] http://code.google.com/p/chromium/issues/detail?id=104084
Received on Thu Dec 1 20:06:04 2011
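
A diagnostic for the "Failed to move to new PID namespace: Operation not permitted" error quoted above, as an added example that is not part of the original thread or of chromium's code. It checks whether the calling process holds CAP_SYS_ADMIN, which the kernel requires for creating a PID namespace, and then attempts the clone() itself; the helper names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define CAP_SYS_ADMIN_BIT 21 /* value of CAP_SYS_ADMIN in <linux/capability.h> */

/* Hypothetical helper: 1 if the CapEff line of a /proc/<pid>/status text
 * includes CAP_SYS_ADMIN, 0 if it does not, -1 if there is no CapEff line. */
int status_has_sys_admin(const char *status)
{
    const char *p = strstr(status, "CapEff:");
    if (!p)
        return -1;
    unsigned long long caps = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (int)((caps >> CAP_SYS_ADMIN_BIT) & 1ULL);
}

/* Hypothetical helper: fork-style clone() into a new PID namespace.
 * Returns 0 if the kernel allowed it, otherwise the errno (EPERM = denied). */
int probe_pid_namespace(void)
{
    long pid = syscall(SYS_clone, CLONE_NEWPID | SIGCHLD, NULL, NULL, NULL, NULL);
    if (pid < 0)
        return errno;
    if (pid == 0)
        _exit(0); /* child is PID 1 of the new namespace; nothing to do */
    waitpid((pid_t)pid, NULL, 0);
    return 0;
}

int main(void)
{
    char buf[8192] = {0};
    FILE *f = fopen("/proc/self/status", "r");
    if (f) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
    }
    int err = probe_pid_namespace();
    printf("CAP_SYS_ADMIN effective: %d\n", status_has_sys_admin(buf));
    printf("new PID namespace: %s\n", err ? strerror(err) : "permitted");
    return err ? 1 : 0;
}
```

Run it once as the user and once as root inside the guest: if root also gets "Operation not permitted", the capability is missing from the guest's context rather than from the user account.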