#Bubblewrap and linux-hardened kernel

I have been having problems on Arch with the hardened kernel and bubblewrap.

I created a post a while back and the solution was to install bubblewrap-suid, which I did. But when I install and attempt to run some applications that (I believe) require something called chrome-sandbox, I get an error like this:

[123456:1234/123456.123456:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /something/chrome-sandbox is owned by root and has mode 4755.

"something" is usually /tmp/ or /opt/. I was able to successfully workaround this by doing as instructed for some apps, but other apps (where the file is in /tmp/), there is no file in the specified location to set the necessary permissions. In any case, this would be a workaround. How do I fix this problem?

Here is my last issue: https://discord.com/channels/399812551963049995/1127571333702762547

This error message is from chromium https://github.com/chromium/chromium/blob/30f1c3bb346b39e90849ea6663801dad900f1b8a/sandbox/linux/suid/client/setuid_sandbox_host.cc#L156

okay...

Or programm that use Chromium code, such as electron

You can either run them with --no-sandbox (probably not a good idea),
or

sudo chown root chrome-sandbox
sudo chmod 4755 chrome-sandbox

or

sysctl kernel.unprivileged_userns_clone=1

I did this

the second thing, I did, but someone said it's not recommended for security reasons

their advice was to install bubblewrap-suid, which I did, but I get the above errors (for some things)

If security is a concern, unrestricted use of namespaces is not recommended either, as it significantly increases the attack surface.

https://bugs.archlinux.org/task/36969

okay so what is the solution

I am using hardened kernel and bubblewrap, two things that increase security

but any solution reduces the security

so what do I do? is there a way to fix this without the workarounds, while maintaining security? or do I have to uninstall the kernel (properly of course)

The sysctl kernel.unprivileged_userns_clone defeats the purpose of using the Linux hardened kernel.

i see

so that option is out

--no-sandbox obviously makes that specific app run without a sandbox, which is better but not ideal

--no-sandbox is probably the only workaround for now.

what about chmod u+s /usr/bin/bwrap

Aren't you already using bubblewrap-suid?

The reason for using suid with bubblewrap is to avoid unprivileged_userns_clone.

Chromium code uses its own sandbox, which normally uses the unprivileged user namespace.

yes

oh

so unprivileged_userns_clone is system-wide, tldr it disables the hardened kernel security protections

chmod u+s /usr/bin/bwrap makes bubblewrap run as suid?

but installing bubblewrap-suid does the same thing?

That command set setuid bit

not sure what that means

i apologize, I know I am missing a lot of computer science here

Bubblewrap without setuid won't work on a hardened kernel. https://bugs.archlinux.org/task/63316
Sacrifices must be made and you must use setuid,

okay

thank you

are there any other possibilities here

keeping the hardened kernel, and bubblewrap

In the future I want to develop a hardened arch installation

eventually I'm gonna want to get into the weeds, and this seems like a major flaw

You have been told no sereral time. It is not possible without sacrifices, either setuid bit or unprivileged namespace is required, there is no middle ground now.

ah, alright

Thanks anyway.

The setuid privilege or bit allows a file to temporarily grant the executing user the privileges of the file's owner.

This alllows the executing user to access the privileges and resource of owner of executable.

It is safe as long as the program with setuid is robust

e.g. sudo has the setuid bit set to allow you to become root or someone else

okay

thanks, I will revisit this another day because eventually I'm gonna run into this problem again and I'm gonna want to find a way. Whether it's tweaking the kernel, or installing a different sandboxing framework...I don't know.

@blazing dragonwait, what if you ran the program in a different sandbox, one that doesn't use suid?

firejail?

or maybe tweak apparmor?

I don't know enough about these tools to really know how to mitigate this problem.

This is a negative, all these sandboxes use either setuid or the unprivileged user namespace.

apparmor is not the same as sandboxing

yes, though I'm sure it acts to restrict what a program can do

You can migrate it with setuid

and if a program is not sandboxed then apparmor should be able to help

But the --no-sandbox argument bypasses the sandbox, doesn't it?

meaning no sandbox protections

Chromium uses its own sandbox, which normally uses the unprivileged user namespace.

Isn't that obvious?

yeah, but you did say "you can mitig...oh, you said migrate

I thought you said mitigate

a typo, I said you can mitigate it with setuid.

okay but no sandbox is not a mitigation

sudo chown root chrome-sandbox
sudo chmod 4755 chrome-sandbox

no sandbox is 0, no protection

what's this

recommended steps?

If you read this thread earlier, I did not say no sandbox when I said setuid.

Sorry for the confusion

I apologize but I don't understand.

It's not your fault. I just haven't done a whole lot of research on suid or setuid or namespaces or anything of this.

I'm still learning linux, despite using it for 4 years

setuid is required for Sandbox to work on hardened kernel

okay..

I'm afraid I'm just gonna bug you with more questions because although you say x is required for x to work on x...I don't know what x is.

so feel free to not answer any more of my questions if you don't want to

If you don't understand these concepts yet, why not just use the regular kernel for now and understand them later in an environment more conducive to learning by trial and error, such as a virtual machine?

that is a good method, though, I already have.

Please feel free to ask

I've tested the hardened kernel already, with arch, with apparmor, firejail too

I did this maybe a year ago

been using arch since nov 2022

done plenty of research but always more to learn

Eventually I want to learn arch in depth. I want to learn to harden it.

I'm gonna install Qubes soon (not my first time), keep arch on a VM to test with

it does seem that experimenting on bare metal, especially my main system, probably not a good idea

Qubes
This is a rabbit hole

I would ask what setuid means, and what you mean when you say "sandbox" (are you referring to bubblewrap itself, or the framework that bubblewrap uses), but I feel like I could google these things.

I've gone down that rabbithole myself a few times

Previously answered

see this

what is "setuid privilege" and "bit"?

firstly, what does setuid stand for

Does uid refer to PID? for example, user runs on 1000

The setuid privilege or bit allows a file to temporarily grant the executing user the privileges of the file's owner.
This alllows the executing user to access the privileges and resource of owner of executable.
It is safe as long as the program with setuid is robust
e.g. sudo has the setuid bit set to allow you to become root or someone else

It sands for temporarily grant the executing user the privileges of the file's owner

even if the owner is root?

short for set user identity

.Why don't you read the Wikipedia article about it? It's comprehensive and should answer most of your questions.

https://en.wikipedia.org/wiki/Setuid

well that's what I meant about bugging you with questions, I could google all of this. But that would be a lot of research.

I can't devote enough time to read about setuid and relevant stuff

just needed to fix a problem, now that I know --no-sandbox is the solution I'll go with that

Asking me is almost like doing your own research.

some would argue with that, people just say RTFM

because you might get confused by some concepts or terms and start to asking about them too.

why do I get the feeling you're a bot that knows everything

I don't think it's any different from reading wikis.

yes, I agree

Ha, Nein. Ich bin kein Bot, ich bin ganz Mensch

at the moment, I don't even know enough to ask any relevant questions about this topic

hey, I'm learning german

Moreover, Wiki is written by many (experienced) people. It would certainly be more reliable than me.

God you sound so much like a bot

There is also a talk page on the Arch wiki, so if you don't understand something, just ask the author. We will answer if time allows.

you're either a bot or you use some stylometry tool like https://github.com/spencermwoo/anonymouth

alright, thanks

memchr received a thank you cookie!

gonna head off now.

member of the openAI server...hm