non-setuid chrome-sandbox fails without sysctl kernel.unprivileged_userns_clone=1

Bug #1914786 reported by Chris Patterson
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
snapd
Medium
Samuele Pedroni

Bug Description

The browser-sandbox interface is intended to allow for sandboxed applications to run.

On Debian 10, and perhaps other distros where sysctl kernel.unprivileged_userns_clone=0 by default, chrome-sandbox exits with an error about it not being the correct chmod (4755).

Specifically, the following system call will fail:
clone(child_stack=0x7ffc0ea30060, flags=CLONE_NEWUSER|SIGCHLD) = -1 EPERM (Operation not permitted)

The `teams` snap is a good example of this. As a user, there is no obvious indication what happened when the application fails to launch on Debian 10. Running sysctl kernel.unprivileged_userns_clone=1 allows it to run as expected.

Related branches

Changed in snapd:
assignee: nobody → Samuele Pedroni (pedronis)
Changed in snapd:
status: New → Triaged
importance: Undecided → Medium
importance: Medium → High
Changed in snapd:
importance: High → Medium
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers