
http://bugzilla.suse.com/show_bug.cgi?id=1163588

Bug ID: 1163588
Summary: AUDIT-FIND: chromium: chrome_sandbox shouldn't be packaged any more
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: tchvatal@suse.com
Reporter: matthias.gerstner@suse.com
QA Contact: qa-bugs@suse.de
CC: security-team@suse.de
Found By: ---
Blocker: ---

I just noticed that on openSUSE we're still shipping the chromium browser with the setuid-root sandbox in /usr/lib/chrome_sandbox. This should NOT be necessary any more, since chromium uses Linux namespaces these days for sandboxing. The chrome_sandbox binary should not need to be built and shipped at all.

Upstream worked for years on making this possible:

https://bugs.chromium.org/p/chromium/issues/detail?id=312380

By now it has been possible for quite some time already to run without this setuid-root binary. Since openSUSE kernels should all support namespaces, there should be no compelling reason to keep this setuid program around.

Please adjust the packaging accordingly. Afterwards the security team can remove the entry from the permissions package.

Thank you.
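
An audit check for the situation described in the report, added here as an example and not taken from the bug report or from any openSUSE or Chromium tooling: it reports whether a setuid helper is still installed at the path named above and whether the running kernel offers user namespaces. The function names and the two sysctl files it reads (user.max_user_namespaces, and the Debian-specific kernel.unprivileged_userns_clone) are assumptions of this example and are not mentioned in the report.

```shell
#!/bin/sh
# Added example: is the setuid sandbox helper still installed, and could
# the namespace sandbox replace it on this kernel?

# is_setuid FILE: true if FILE is a regular file with the setuid bit set.
# (Ownership is not checked; the packaged helper is root-owned.)
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# userns_available [PROCROOT]: true if user namespaces can be created.
# PROCROOT defaults to /proc; it is a parameter so the check can be
# exercised against a constructed directory tree.
userns_available() {
    proc=${1:-/proc}
    # No ns/user entry: kernel built without user namespace support.
    [ -e "$proc/self/ns/user" ] || return 1
    # A limit of 0 disables user namespace creation.
    max=$proc/sys/user/max_user_namespaces
    if [ -r "$max" ] && [ "$(cat "$max")" -eq 0 ]; then
        return 1
    fi
    # Debian-derived kernels carry an extra switch; absent elsewhere.
    knob=$proc/sys/kernel/unprivileged_userns_clone
    if [ -r "$knob" ] && [ "$(cat "$knob")" -eq 0 ]; then
        return 1
    fi
    return 0
}

# audit_sandbox FILE [PROCROOT]: print one verdict word.
#   absent    - no setuid helper at FILE
#   redundant - setuid helper present although namespaces are available
#   needed    - setuid helper present and namespaces are unavailable
audit_sandbox() {
    if ! is_setuid "$1"; then
        echo absent
    elif userns_available "${2:-/proc}"; then
        echo redundant
    else
        echo needed
    fi
}

# Default path is the one named in the report.
audit_sandbox "${1:-/usr/lib/chrome_sandbox}"
```

A verdict of "redundant" corresponds to the state the report asks the packagers to fix.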