# Easiest sandboxing for Chromium & Skype

## jago25_98

I notice Chromium runs as root, ostentatiously in order to set up its own sandbox.

Is there anything we can do about that? I'd like to make full use of Chromium apps but, same as on Android, you know at some point you're going to want to use something with big permissions. It would be nice to put it in a sandbox.

Other than running a heavy QEMU or VMware instance, what's the easiest way to do this?

I've tried:

- apparmor: succeeded by seLinux, now investigating that but the selinux Chromium policy is masked; should I be worried? It seems overly complicated:

http://archives.gentoo.org/gentoo-hardened/msg_c006f5768549ecdda53ef213f0a0b373.xml

- setting up a new user. I'm not sure this works since Chromium runs as root? Also I can't seem to get the syntax right with /etc/sudoers so I have to enter the user's password every time:

```
root    ALL=(ALL) ALL

#Added by Sabayon Installer
%wheel  ALL=ALL

#this is for skype but I'd adapt it for Chromium if I thought it might help
%wheel ALL=(skype) NOPASSWD: /opt/bin/skype
```

- lxc just confuses me:

```
I jjj # /etc/init.d/lxc start
 * You have to create an init script for each container:
 *  ln -s lxc /etc/init.d/lxc.container
 * ERROR: lxc failed to start
I jjj # ln -s lxc /etc/init.d/lxc.container
ln: failed to create symbolic link ‘/etc/init.d/lxc.container’: File exists
I jjj # 
```

- and rainbow doesn't seem to work:

```
jjj@I ~ $ rainbow-
rainbow-easy      rainbow-run       rainbow-sugarize  rainbow-xify      
jjj@I ~ $ rainbow-run chromium
Traceback (most recent call last):
  File "/usr/bin/rainbow-run", line 140, in <module>
    main()
  File "/usr/bin/rainbow-run", line 109, in main
    uid, gid, home = check_owner(opts)
  File "/usr/bin/rainbow-run", line 72, in check_owner
    p = pwd.getpwnam(opts.user)
TypeError: must be string, not None
jjj@I ~ $ rainbow-easy chromium
sudo /usr/bin/rainbow-easy ID /path/to/program
ex: sudo /usr/bin/rainbow-easy banking /bin/bash
jjj@I ~ $ sudo rainbow-easy skype chromium
Password: 
Sorry, try again.
Password: 
sudo: 1 incorrect password attempt
jjj@I ~ $ 
```

----------

## cach0rr0

Out of curiosity, where are you seeing Chromium running anything as root?

Running it here, everything is running as my logged-on user.

Chromium's own built-in sandboxing uses kernel namespaces, though for me that's always been a touch shaky.

If you desperately want to run it in some sort of jail, I guess you could always just make a chroot. mkdir /mnt/chroot, untar a stage3 to this chroot, chroot, emerge chromium, done and done, chroot and use the chroot'd chromium.

But, if you're going through that based on the premise that Chromium runs as root, I would re-check that premise, as I've found nothing indicating that's the case. In fact, last I looked, Chromium is coded specifically to prevent people from trying to run it as root. Remember, only listening on a privileged port requires root, initiating a connection outbound to a privileged port does not.

----------

## phajdan.jr

 *jago25_98 wrote:*   

> I notice Chromium runs as root, ostentatiously in order to set up its own sandbox.

 

Sandbox is SETUID root, that's true. Note however it drops the privileges as soon as namespaces / chroot / other security mechanisms only root has access to are set up, and certainly before processing any untrusted input.

 *jago25_98 wrote:*   

> - apparmor: succeeded by seLinux, now investigating that but the selinux Chromium policy is masked; should I be worried? It seems overly complicated:
> 
> http://archives.gentoo.org/gentoo-hardened/msg_c006f5768549ecdda53ef213f0a0b373.xml

 

What do you mean by Chromium SELinux policy being masked? It's not masked, but you need to set up a SELinux profile. And it's not overly complicated, it's generally as simple as it can be. The post you linked to is about an older version of the policy by the way. Please let me know how your testing of SELinux-enabled Chromium goes.

If you have any other questions I'd be happy to answer. I'm co-maintaining the Chromium packages in Gentoo, and I'm also an upstream developer.

----------

## Ant P.

 *cach0rr0 wrote:*   

> chromium's own built-in sandboxing uses kernel namespaces, though for me that's always been a touch shaky

 

It also uses seccomp-bpf as of kernel 3.5 (chrome://sandbox/). That's an order of magnitude more safe than a flimsy chroot — which isn't real security in the first place if a process inside can get root — and is about on par with SELinux with less overhead.

----------
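An added example, not written by any poster in this thread: a shell check of the two facts debated above, namely the effective UID a process runs with and whether a seccomp filter is active, both read from `/proc/<pid>/status`. The process name `chrome` and the sample status files are constructed assumptions; the `Seccomp:` field is only present on kernels 3.8 and later, so older kernels report `unknown`.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.

# summarize_status FILE: print the sandbox-relevant fields of a
# /proc/<pid>/status file as "name=.. euid=.. seccomp=.. nnp=..".
summarize_status() {
    awk '
        $1 == "Name:"       { name = $2 }
        $1 == "Uid:"        { euid = $3 }  # columns: real, effective, saved, fs
        $1 == "NoNewPrivs:" { nnp = $2 }
        $1 == "Seccomp:"    { sc = $2 }
        END {
            mode = "unknown"                     # field missing on old kernels
            if (sc == "0") mode = "disabled"
            else if (sc == "1") mode = "strict"
            else if (sc == "2") mode = "filter"  # seccomp-bpf
            if (nnp == "") nnp = "?"
            printf "name=%s euid=%s seccomp=%s nnp=%s\n", name, euid, mode, nnp
        }' "$1"
}

# audit_by_name COMM [PROCROOT]: one line per process named COMM, tagged ROOT
# when its effective UID is 0. PROCROOT defaults to /proc.
audit_by_name() {
    want=$1; root=${2:-/proc}
    for f in "$root"/[0-9]*/status; do
        [ -r "$f" ] || continue
        line=$(summarize_status "$f" 2>/dev/null) || continue
        case $line in "name=$want "*) ;; *) continue ;; esac
        pid=${f%/status}; pid=${pid##*/}
        case $line in
            *" euid=0 "*) echo "ROOT pid=$pid $line" ;;
            *)            echo "ok   pid=$pid $line" ;;
        esac
    done
}

# Constructed sample: a seccomp-filtered user process and an unfiltered root one.
demo=$(mktemp -d)
mkdir "$demo/101" "$demo/102"
printf 'Name:\tchrome\nUid:\t1000\t1000\t1000\t1000\nNoNewPrivs:\t1\nSeccomp:\t2\n' >"$demo/101/status"
printf 'Name:\tchrome\nUid:\t0\t0\t0\t0\nSeccomp:\t0\n' >"$demo/102/status"
audit_by_name chrome "$demo"
```

On a live system, call `audit_by_name` with whatever process name `ps -e` shows for the browser or for Skype and omit the second argument so it reads the real `/proc`.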

## jago25_98

Ah it's not running as root anymore. Sorry, I'm out of date. It's something I noticed ages ago and read about again recently which is now wrong.  

My Chromium is still running as my main user though with access to all my main files. I'm reliant on the Chromium sandbox to sandbox itself and apps. I'm not too familiar with the apps and how the permissions there work. 

The other thing I wanted to sandbox though was Skype. Basically I want to sandbox any closed source online apps especially.

----------

## cach0rr0

*Ant P. wrote:*

> *cach0rr0 wrote:*
>
> > chromium's own built-in sandboxing uses kernel namespaces, though for me that's always been a touch shaky
>
> It also uses seccomp-bpf as of kernel 3.5 (chrome://sandbox/). That's an order of magnitude more safe than a flimsy chroot — which isn't real security in the first place if a process inside can get root — and is about on par with SELinux with less overhead.

 

Apparently, I have this enabled. Apparently, as well, I haven't been paying attention, and am on 3.6 now. I wish I could remember how long I've been on 3.6, because I haven't the foggiest clue when my sandbox instability popped up, but it could well be related.

----------

