Bug ID 1163588
Summary AUDIT-FIND: chromium: chrome_sandbox shouldn't be packaged any more
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee tchvatal@suse.com
Reporter matthias.gerstner@suse.com
QA Contact qa-bugs@suse.de
CC security-team@suse.de
Found By ---
Blocker ---

I just noticed that on openSUSE we're still shipping the chromium browser with
the setuid-root sandbox in /usr/lib/chrome_sandbox.

This should NOT be necessary any more, since chromium uses Linux namespaces
these days for sandboxing. The chrome_sandbox binary should not need to be
built and shipped at all.

Upstream worked for years on making this possible:

https://bugs.chromium.org/p/chromium/issues/detail?id=312380

It has been possible for quite some time now to run without this
setuid-root binary.

Since openSUSE kernels should all support namespaces there should be no
compelling reason to keep this setuid program around.

Please adjust the packaging accordingly. Afterwards the security team can
remove the entry from the permissions package. Thank you.
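
A host-side check for the condition this report describes, as an added example that is not part of the original report or of the chromium packaging: it flags a setuid-root helper at the reported path when the kernel's user-namespace limit is non-zero. The function names are hypothetical, and it assumes `/proc/sys/user/max_user_namespaces` is the only switch gating user namespaces on the system.

```shell
#!/bin/sh
# Added example (not from the bug report): audit for a leftover setuid-root
# sandbox helper on a host whose kernel offers user namespaces.

SANDBOX_PATH="/usr/lib/chrome_sandbox"                  # path named in the report
USERNS_LIMIT_FILE="/proc/sys/user/max_user_namespaces"  # 0 disables user namespaces

# Succeeds if the path is a regular file carrying the setuid bit.
has_setuid_bit() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Succeeds if the path is setuid and owned by uid 0 (GNU stat syntax).
is_setuid_root() {
    has_setuid_bit "$1" && [ "$(stat -c %u "$1" 2>/dev/null)" = "0" ]
}

# Succeeds if the given limit file holds a positive integer.
userns_limit_ok() {
    [ -r "$1" ] || return 1
    limit=$(cat "$1")
    case "$limit" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: treat as unavailable
    esac
    [ "$limit" -gt 0 ]
}

# Prints a one-line verdict for a helper path and a namespace limit file.
audit_sandbox() {
    if ! is_setuid_root "$1"; then
        echo "ok: no setuid-root helper at $1"
    elif userns_limit_ok "$2"; then
        echo "finding: setuid-root helper at $1, user namespaces are enabled"
    else
        echo "note: setuid-root helper at $1, user namespaces unavailable"
    fi
}

audit_sandbox "${1:-$SANDBOX_PATH}" "$USERNS_LIMIT_FILE"
```

Pass a different path as the first argument to audit a helper installed elsewhere.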

