-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/20/2011 03:46 AM, GSO wrote:
I've posted over on chromium-discuss https://groups.google.com/a/chromium.org/group/chromium-discuss/browse_threa...
- no reply so far though
The main wiki page on the subject seems to be here... https://code.google.com/p/chromium/wiki/LinuxSandboxing There seem to be various sandbox compiling options, might one of these be an option?
Chromium seems to work OK in the sandbox with the --no-sandbox chromium option, though with the obvious caveats... https://groups.google.com/group/google-chrome-help-troubleshooting/browse_th...
On 19 June 2011 17:53, Dominick Grift <domg472@gmail.com> wrote:

On Sun, 2011-06-19 at 13:57 +0100, GSO wrote:
> The default build using the google repos results in chromium grinding to a
> halt with a black window when run in a sandbox. Is it technically possible
> to run chrome in a sandbox, would building from source fix this at all?

I do not think it will work since both sandbox and chrome use namespace and chrome can't run if sandbox already runs in a namespace (or something along those lines is my understanding of this issue)

> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
We have been looking into this issue, and are not sure what is causing the problem. It is definitely related to namespace. If you run in permissive mode and run
sandbox -X xterm
then run chrome, you will see it complain about the namespace. One issue we saw was that we were removing the capabilities bounding set and thought chrome could not get capabilities, but we changed seunshare to not modify the bounding set, so now we do not believe it is caused by capabilities.
I believe it is something to do with namespace interaction.