linuxserver / docker-chromium

Web accessible Chromium inside a Debian Container
GNU General Public License v3.0

[BUG] chromium-browser script always runs in --no-sandbox mode #11

Closed Lan-Hekary closed 1 year ago

Lan-Hekary commented 1 year ago

Is there an existing issue for this?

Current Behavior

No matter whether you set seccomp=unconfined or not in the docker compose, the chromium-browser script always runs the process with the --no-sandbox flag. You can check by opening chrome://sandbox in the browser.

Expected Behavior

By setting seccomp=unconfined in docker, the value in /proc/1/status is set to Seccomp:\t0 (notice the tab char). But the script is checking grep -q 'Seccomp: 0' /proc/1/status with 4 spaces. This check fails and the process starts in the else condition with the --no-sandbox flag.

Steps To Reproduce

  1. Open chrome://sandbox in the browser while passing --security-opt seccomp=unconfined in docker cli or adding the following in your docker-compose file:
    security_opt:
      - seccomp:unconfined
  2. Start the container.
  3. Navigate to chrome://sandbox inside the chromium instance.
  4. You will find no sandboxing whatsoever.

Environment

- OS: linux aarch64 Ubuntu 22.04.2 LTS
- How docker service was installed:

CPU architecture

arm64

Docker creation

version: "2.1"
services:
  chromium:
    image: lscr.io/linuxserver/chromium:latest
    container_name: chromium
    hostname: chromium
    network_mode: bridge
    security_opt:
      - seccomp:unconfined
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Etc/UTC
      - CUSTOM_PORT=9001
      - CHROME_CLI=https://www.google.com/
    volumes:
      - /home/ubuntu/portainer/chromium_config:/config
    ports:
      - 9001:9001
    shm_size: "4gb"
    restart: unless-stopped

Container logs

██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝ 
   Brought to you by linuxserver.io
───────────────────────────────────────
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID:    1001
User GID:    1001
───────────────────────────────────────
[custom-init] No custom files found, skipping...
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Xvnc KasmVNC 1.1.0 - built Jul 22 2023 18:49:38
Copyright (C) 1999-2018 KasmVNC Team and many others (see README.me)
See http://kasmweb.com for information on KasmVNC.
Underlying X server release 12014000, The X.Org Foundation
Obt-Message: Xinerama extension is not present on the server
[ls.io-init] done.
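
An added example, not part of the original issue or the project's own script: one way to read the Seccomp field so the check does not depend on the separator, with the four-space pattern described in the report kept for comparison. The function names and the sample status file are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not the project's script.

# Print the Seccomp mode (0 = disabled, 1 = strict, 2 = filter) from a
# /proc/<pid>/status-style file. awk splits fields on any run of tabs or
# spaces, and the exact $1 match skips the separate "Seccomp_filters:" line.
seccomp_mode() {
    awk '$1 == "Seccomp:" { print $2; exit }' "${1:-/proc/1/status}"
}

# Print the extra Chromium flag: nothing when the mode is 0, --no-sandbox
# otherwise (including when the field is missing or unreadable).
sandbox_flag() {
    [ "$(seccomp_mode "$1")" = "0" ] || printf '%s\n' "--no-sandbox"
}

# The literal four-space pattern described in the report, for comparison.
brittle_check() {
    grep -q 'Seccomp:    0' "${1:-/proc/1/status}"
}

# Write a constructed status file (tab-separated, as the kernel emits it)
# with the given Seccomp mode and print its path.
make_sample() {
    f=$(mktemp)
    printf 'Name:\tinit\nNoNewPrivs:\t0\nSeccomp:\t%s\nSeccomp_filters:\t0\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Demo on constructed input: an unconfined container (Seccomp mode 0).
sample=$(make_sample 0)
if brittle_check "$sample"; then
    echo "four-space grep: matched"
else
    echo "four-space grep: no match, script falls through to --no-sandbox"
fi
echo "field-based check: flag='$(sandbox_flag "$sample")'"
rm -f "$sample"
```
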

github-actions[bot] commented 1 year ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

LinuxServer-CI commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

thelamer commented 1 year ago

New code merged, thanks again @Lan-Hekary

Lan-Hekary commented 1 year ago

Thanks @thelamer, please note that this issue is present in many of the images, not only this one. I don't have a complete list of the images that have the same dependency, can you check on the rest of the images?