refi64/zypak

Question: is this still needed?

Jimbassfisher opened this issue · 4 comments

This might sound a bit weird, but does the sandbox of chromium, electron, etc. work without zypak? In about://sandbox chromium reports that the sandbox works fine when running in a bubblewrapped environment (not flatpak, manual bubblewrap). Moreover, there are no errors reported in stderr.

So does chromium's sandbox now work inside of bubblewrap?

Bubblewrap blocks only what you tell it to. Flatpak tells it to block the unshare syscall, which prevents chromium from creating its sandbox. If you didn't do the same, then chromium can work inside bubblewrap as is.

Thank you very much for the answer. I have a small wrapper, where --disable-userns was misspelled, but instead of failing, my script would silently continue.
I now see chromium failing to start as expected.

One more question, how viable is it to bubblewrap chromium and still have userns enabled? Is this still valid or does it negatively impact security?

Since chromium uses userns to create a strict sandbox, the availability of it tightens its security overall. Except if you don't trust chromium itself to do its job, you should allow it to use userns.

I trust chromium's sandbox, it was more if having it run inside of bubblewrap somehow had negative impacts on how well chromium's sandbox performed, or if it opened other security issues, but if I understand your comment correctly, it seems it doesn't. If I've misunderstood you, please correct me.

Thank you very much
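Added example, not part of the thread and not zypak's code: a small probe to run inside a bubblewrap environment that checks whether creating a user namespace (the `unshare` call discussed above) is really blocked or allowed, and exits non-zero when the result differs from what the wrapper intended, so a misspelled or ignored option cannot pass silently. The function names and the `blocked|allowed` argument are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try to create a user namespace in a throwaway child, so the caller's own
 * namespaces stay untouched. Returns 0 if unshare(CLONE_NEWUSER) succeeded,
 * the child's errno if it was refused, or -1 if the probe could not run
 * (fork failed, or the child was killed by a signal). */
int probe_userns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : (errno & 0xff));
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Compare the probe result with what the wrapper intended.
 * Returns 0 on match, 1 on mismatch, 2 if the probe itself failed. */
int expectation_met(int expect_blocked, int rc)
{
    if (rc < 0)
        return 2;
    return (expect_blocked == (rc != 0)) ? 0 : 1;
}

/* Usage (hypothetical binary name): userns-probe blocked|allowed
 * An unrecognised argument is an error, never a silent default. */
int main(int argc, char **argv)
{
    int expect_blocked;
    if (argc == 2 && strcmp(argv[1], "blocked") == 0)
        expect_blocked = 1;
    else if (argc == 2 && strcmp(argv[1], "allowed") == 0)
        expect_blocked = 0;
    else {
        fprintf(stderr, "usage: %s blocked|allowed\n", argv[0]);
        return 2;
    }
    int rc = probe_userns();
    fprintf(stderr, "unshare(CLONE_NEWUSER): %s\n",
            rc == 0 ? "succeeded" : rc < 0 ? "probe failed" : strerror(rc));
    return expectation_met(expect_blocked, rc);
}
```

Run it as the command inside the same bubblewrap invocation the wrapper builds, before launching chromium, and have the wrapper abort on any non-zero exit.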