Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-03-12 22:06:32 -04:00
Code Issues Packages Projects Releases Wiki Activity

permission hardener: disable SUID for chrome-sandbox

Browse Source
This commit is contained in:
Patrick Schleizer 2025-01-14 04:09:57 -05:00
parent 7a5f8b87af
commit 466308e4f9
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf
View File

@ -5,4 +5,13 @@
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
## configuration. When security-misc is updated, this file may be overwritten.
chrome-sandbox matchwhitelist
## Chrome/Chromium now uses namespace-based sandboxing rather than a SUID
## sandbox for most use cases, and while the SUID sandbox is still technically
## supported [1], it's also virtually unused [2]. Chromium still works fine
## when it is stripped of its SUID bit and rendered no longer executable,
## and opening `chrome://sandbox` while in this state shows that sandboxing is
## still working perfectly fine.
##
## [1] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_sandboxing.md
## [2] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_suid_sandbox.md
#chrome-sandbox matchwhitelist