With r20110, Chromium on Linux can now sandbox its renderers using a SUID helper binary. This is one of our layer-1 sandboxing solutions.
The SUID helper binary is called ‘chrome_sandbox’ and you must build it separately from the main ‘chrome’ target. To use this sandbox, you have to specify its path in the linux_sandbox_path GYP variable. When spawning the zygote process (LinuxZygote), if the SUID sandbox is enabled, Chromium will check for the sandbox binary at the location specified by linux_sandbox_path. For Google Chrome, this is set to /opt/google/chrome/chrome-sandbox, and early versions had this value hard-coded in chrome/browser/zygote_host_linux.cc.
In order for the sandbox to be used, the following conditions must be met:
If these conditions are met then the sandbox binary is used to launch the zygote process. Once the zygote has started, it asks a helper process to chroot it to a temp directory.
The sandbox does three things to restrict the authority of a sandboxed process. The SUID helper is responsible for the first two:
In addition:
--allow-sandbox-debugging option.
Limitations:
This is an alternative to the CLONE_NEWPID method; it is not currently implemented in the Chromium codebase.
Instead of using CLONE_NEWPID, the SUID helper can use setuid() to put the process into a currently-unused UID, which is allocated out of a range of UIDs. In order to ensure that the UID has not been allocated for another sandbox, the SUID helper uses setrlimit() to set RLIMIT_NPROC temporarily to a soft limit of 1. (Note that the docs specify that setuid() returns EAGAIN if RLIMIT_NPROC is exceeded.) We can reset RLIMIT_NPROC afterwards in order to allow the sandboxed process to fork child processes.
As before, the SUID helper chroots the process.
As before, LinuxZygote can set itself to be undumpable to stop processes in the sandbox from being able to ptrace() each other.
Limitations:
--allow-sandbox-debugging
other than turning the sandbox off with --no-sandbox.
The SUID helper uses CLONE_NEWNET to restrict network access.
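The CLONE_NEWNET step as an added example, again Linux-only C and not code from Chromium or the setuid-sandbox project. It detaches the calling process from the host network namespace with unshare(CLONE_NEWNET) (equivalent to passing the flag to clone(), as the helper does) and then verifies the effect by listing the interfaces that remain visible: in a fresh network namespace only the loopback device exists. The unshare() call needs CAP_SYS_ADMIN, so an unprivileged run reports EPERM rather than isolating anything; the verification half is the check a reviewer would run against a packaged helper.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <ifaddrs.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>

/* Count interfaces other than "lo" visible to this process. getifaddrs()
 * yields one entry per address family per interface, so the same device may
 * be counted more than once; zero means only loopback is reachable.
 * Returns -1 when the interface list cannot be read (errno is set). */
int count_non_loopback_ifaces(void)
{
    struct ifaddrs *list, *ifa;
    int n = 0;
    if (getifaddrs(&list) != 0)
        return -1;
    for (ifa = list; ifa != NULL; ifa = ifa->ifa_next) {
        if (ifa->ifa_name != NULL && strcmp(ifa->ifa_name, "lo") != 0)
            n++;
    }
    freeifaddrs(list);
    return n;
}

/* Detach from the host network namespace. Needs CAP_SYS_ADMIN; returns 0 or
 * the errno from unshare() (EPERM for an unprivileged caller). */
int restrict_network(void)
{
    if (unshare(CLONE_NEWNET) != 0)
        return errno;
    return 0;
}

/* Apply the restriction and verify it took effect:
 *   0   unshare() succeeded and only loopback remains visible,
 *  -1   unshare() succeeded but non-loopback interfaces are still visible
 *       (the invariant the sandbox relies on is broken),
 *  >0   unshare() or the interface check failed with that errno. */
int isolate_network_and_check(void)
{
    int before = count_non_loopback_ifaces();
    int rc = restrict_network();
    int after;
    if (rc != 0)
        return rc;
    after = count_non_loopback_ifaces();
    if (after < 0)
        return errno;
    fprintf(stderr, "non-loopback interface entries: %d before, %d after unshare\n",
            before, after);
    return after == 0 ? 0 : -1;
}

int main(void)
{
    int rc = isolate_network_and_check();
    if (rc == 0)
        puts("network namespace detached: only loopback visible");
    else if (rc > 0)
        printf("unshare(CLONE_NEWNET) unavailable: %s\n", strerror(rc));
    else
        puts("unexpected: non-loopback interfaces still visible after unshare");
    return rc == 0 ? 0 : 1;
}
```

Note that the new namespace's loopback device starts in the down state, so even localhost connections fail until something brings it up, which is exactly what a renderer should not be able to do.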
We are splitting the SUID sandbox into a separate project which will support both the CLONE_NEWNS and setuid() methods: http://code.google.com/p/setuid-sandbox/
Having the SUID helper as a separate project should make it easier for distributions to review and package.
Older versions of the sandbox helper process will only run /opt/google/chrome/chrome. This string is hard coded (sandbox/linux/suid/sandbox.cc). If your package is going to place the Chromium binary somewhere else you need to modify this string.