non-setuid chrome-sandbox fails without sysctl kernel.unprivileged_userns_clone=1

Bug #1914786 reported by Chris Patterson
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| snapd | Triaged | Medium | Samuele Pedroni | |

Bug Description

The browser-sandbox interface is intended to allow for sandboxed applications to run.

On Debian 10, and perhaps other distros where sysctl kernel.unprivileged_userns_clone=0 by default, chrome-sandbox exits with an error about it not being the correct chmod (4755).

Specifically, the following system call will fail:
clone(child_stack=0x7ffc0ea30060, flags=CLONE_NEWUSER|SIGCHLD) = -1 EPERM (Operation not permitted)

The `teams` snap is a good example of this. As a user, there is no obvious indication of what happened when the application fails to launch on Debian 10. Running sysctl kernel.unprivileged_userns_clone=1 allows it to run as expected.
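A small diagnostic for the failure described in this report, added here as an example (it is not code from snapd, Chromium or the reporter): it reads the sysctl and requests a user namespace in a throwaway child, then names the likely cause. It assumes a Linux host and uses `unshare(CLONE_NEWUSER)` after `fork()` instead of the `clone()` call shown in the strace line; the function names and result labels are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* value from the Linux UAPI headers */
#endif

/* Read an integer from a /proc/sys file; -1 if missing or unparsable. */
int read_sysctl(const char *path) {
    int v = -1;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Request a new user namespace in a forked child so the caller's own
 * namespaces stay untouched. Returns 0 on success, else the errno seen. */
int probe_userns(void) {
    int st = 0;
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) _exit(syscall(SYS_unshare, CLONE_NEWUSER) == 0 ? 0 : errno);
    if (waitpid(pid, &st, 0) < 0) return errno;
    return WIFEXITED(st) ? WEXITSTATUS(st) : EIO;
}

/* Turn the two observations into a cause the user can act on. */
const char *diagnose(int knob, int err) {
    if (err == 0) return "userns-ok";
    if (err == EPERM && knob == 0) return "blocked-by-sysctl";
    if (err == EPERM) return "blocked-by-other-policy";
    return "probe-error";
}

int main(void) {
    int knob = read_sysctl("/proc/sys/kernel/unprivileged_userns_clone");
    int err = probe_userns();
    printf("kernel.unprivileged_userns_clone=%d probe=%s -> %s\n",
           knob, err ? strerror(err) : "ok", diagnose(knob, err));
    return err ? 1 : 0;
}
```

A knob value of -1 means the kernel does not expose this sysctl at all, so an EPERM in that case points at some other policy.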


Changed in snapd:
assignee: nobody → Samuele Pedroni (pedronis)
Changed in snapd:
status: New → Triaged
importance: Undecided → Medium
importance: Medium → High
Changed in snapd:
importance: High → Medium