uazo / cromite

Cromite a Bromite fork with ad blocking and privacy enhancements; take back your browser!
https://www.cromite.org/
GNU General Public License v3.0

[Linux x64] Why is there no chrome_sandbox despite being in build_cromite.yaml ? #1374

Closed SyntheticBird45 closed 2 months ago

SyntheticBird45 commented 3 months ago

Preliminary checklist

Can the bug be reproduced with corresponding Chromium version?

No

Are you sure?

Yes

Cromite version

127.0.6533.103

Device architecture

x64

Platform version

I prefer not to write it/No matter

Android Device model

None

Is the device rooted?

I prefer not to write it

Changed flags

no flags changed

Is this bug happening in an incognito tab?

Yes

Is this bug caused by the adblocker?

No

Is this bug a crash?

No

Describe the bug

Latest version of cromite (in release tab) does not contain the chrome_sandbox utility for sandboxing chromium, despite it being in the linux workflow:

https://github.com/uazo/cromite/blob/888b4cfc7e6def136183313354b8794bce2ada9b/.github/workflows/build_cromite.yaml#L400

Added by this commit: https://github.com/uazo/cromite/commit/754f4cb92e3eb051730f95e2ac45db8f94df5e75

This results in an infamous:

FATAL:zygote_host_impl_linux.cc(126)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/main/docs/linux/suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.

This is surely what caused: https://github.com/uazo/cromite/issues/1241

Worth noting that Ubuntu's AppArmor profile isn't equivalent to chrome-sandbox's several protection mechanisms.

Tested on Arch Linux.

Steps to reproduce the bug

Expected behavior

Should launch without warning and have chrome://sandbox setup correctly

Screenshots

No response

uazo commented 3 months ago

From what I know, that file should only be used for flatpak. Are you using that mode?

SyntheticBird45 commented 3 months ago

I'm not using flatpak. I first tried to use it by downloading the GitHub Actions release. Then I downloaded it through the AUR repository (but there is no difference, it's just a script downloading the latest CI release and placing it in a corresponding folder).

It's odd, it isn't meant to be only used for flatpak. I have (official) chromium, ungoogled chromium, brave and other electron apps installed on my linux and all of them come with the chrome-sandbox SUID binary out of the box. Chrome has two ways of sandboxing on linux:

  1. Without SUID binary, chromium will try to use user namespace to isolate its processes.
  2. Without user namespace, chromium will try to use chrome-sandbox to change user id of processes, in order to isolate them.

In our case, my kernel does not have user namespaces enabled (for security reasons) and since the SUID binary isn't present, it can't isolate, thus requiring me to run without sandbox.

SyntheticBird45 commented 3 months ago

Just for confirmation, I just tested copying the /usr/lib/chromium/chrome-sandbox utility into the cromite directory, and after giving it root:4755, cromite now starts correctly and sandboxed.

SyntheticBird45 commented 3 months ago

Workaround I found at the moment is:

# Copy chromium's chrome-sandbox to cromite directory
$ sudo cp /usr/lib/chromium/chrome-sandbox /usr/lib/cromite/
# Give it required permissions and ownership
$ sudo chown root:root /usr/lib/cromite/chrome-sandbox && sudo chmod 4755 /usr/lib/cromite/chrome-sandbox
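
The following is an added example, not part of the original thread or of the Cromite project: a read-only check of the two sandbox paths discussed above (unprivileged user namespaces, or a root-owned chrome-sandbox helper with mode 4755) for a given install directory. The function names are hypothetical, `stat -c` is assumed to be the GNU or BusyBox form, and `kernel.unprivileged_userns_clone` is assumed to be the distro-patched sysctl found on Debian and Arch kernels; only these two sysctls are consulted.

```shell
#!/bin/sh
# Added example (not from the thread): report which Chromium sandbox path is usable.
# Function names are hypothetical; requires GNU or BusyBox `stat -c`.

# classify_helper UID MODE -> ok | bad-owner | bad-mode
# Expects the root ownership and 4755 mode that the workaround above sets.
classify_helper() {
    [ "$1" = "0" ] || { echo "bad-owner"; return 1; }
    [ "$2" = "4755" ] || { echo "bad-mode"; return 1; }
    echo "ok"
}

# check_suid_helper PATH -> missing | bad-owner | bad-mode | ok
check_suid_helper() {
    [ -f "$1" ] || { echo "missing"; return 1; }
    classify_helper "$(stat -c %u "$1")" "$(stat -c %a "$1")"
}

# userns_state [SYSCTL_DIR] -> enabled | disabled
# user.max_user_namespaces is mainline; a missing file is treated as disabled.
# kernel.unprivileged_userns_clone is a distro patch (assumption); a missing
# file is treated as "not restricted".
userns_state() {
    sysctl_dir=${1:-/proc/sys}
    max=$(cat "$sysctl_dir/user/max_user_namespaces" 2>/dev/null || echo 0)
    clone=$(cat "$sysctl_dir/kernel/unprivileged_userns_clone" 2>/dev/null || echo 1)
    if [ "$max" -gt 0 ] && [ "$clone" = "1" ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# audit_install DIR -> prints both findings; succeeds if either path is usable.
audit_install() {
    ns=$(userns_state) || true
    helper=$(check_suid_helper "$1/chrome-sandbox") || true
    echo "user namespaces: $ns"
    echo "SUID helper $1/chrome-sandbox: $helper"
    [ "$ns" = "enabled" ] || [ "$helper" = "ok" ]
}

# Stand-alone use: sh check.sh /usr/lib/cromite
if [ "$#" -gt 0 ]; then audit_install "$1"; fi
```

When both lines report a failure (`disabled` plus `missing`, `bad-owner` or `bad-mode`), the browser has neither sandbox path available, which is the condition behind the "No usable sandbox!" message quoted in the report.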