non-setuid chrome-sandbox fails without sysctl kernel.unprivileged_userns_clone=1

Bug #1914786 reported by Chris Patterson
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Samuele Pedroni

Bug Description

The browser-sandbox interface is intended to allow for sandboxed applications to run.

On Debian 10, and perhaps other distros where sysctl kernel.unprivileged_userns_clone=0 by default, chrome-sandbox exits with an error about it not being the correct chmod (4755).

Specifically, the following system call will fail:
clone(child_stack=0x7ffc0ea30060, flags=CLONE_NEWUSER|SIGCHLD) = -1 EPERM (Operation not permitted)

The `teams` snap is a good example of this. As a user, there is no obvious indication what happened when the application fails to launch on Debian 10. Running sysctl kernel.unprivileged_userns_clone=1 allows it to run as expected.

Related branches

Changed in snapd:
assignee: nobody → Samuele Pedroni (pedronis)
Changed in snapd:
status: New → Triaged
importance: Undecided → Medium
importance: Medium → High
Changed in snapd:
importance: High → Medium
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.