0

I discovered that my version of Chromium (Version 29.0.1547.57 Debian 7.1 (217859)) does not have all the sandbox features turned on by default. Navigating to chrome://sandbox/ gives the following results:

Sandbox Status
  SUID Sandbox  Yes
  PID name spaces   Yes
  Network namespaces    Yes
  Seccomp-BPF sandbox   No
You are not adequately sandboxed!

Can I turn on the Seccomp-BPF sandbox? My OS stats are:

$ uname -a
Linux compname 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1+deb7u1 x86_64 GNU/Linux

And since I have uninstalled my desktop manager, I normally start Chromium from the command line like so:

nohup chromium >> /tmp/chromium.nohupout &

However, I have also tried starting Chromium with the --enable-seccomp-sandbox flag, and the sandbox still remains off. When I do this, I get the warning message in stderr:

ATTENTION: default value of option force_s3tc_enable overridden by environment.

Solutions which do not involve me recompiling Chromium from source are preferable.

1 Answer

1

Sandboxes of that type aren't supported on kernel 3.4 or lower; you can use the Debian backport to obtain a more recent kernel, but keep in mind it'll be less stable.

G-Known
  • 11
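A direct way to check whether the running kernel offers the seccomp-BPF filter mode the answer refers to, as an added example that is not part of the original thread or of Chromium's own code: it asks the kernel through prctl() with a NULL filter, where EFAULT means the mode exists and EINVAL means it does not. The function names and the version heuristic (mainline Linux gained filter mode in 3.5) are this example's own assumptions.

```c
/* Added example: probe the running kernel for seccomp filter (BPF) mode. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/utsname.h>

#ifndef SECCOMP_MODE_FILTER
#define SECCOMP_MODE_FILTER 2   /* value from <linux/seccomp.h>; missing in older headers */
#endif

enum bpf_support { BPF_UNSUPPORTED = 0, BPF_SUPPORTED = 1, BPF_UNKNOWN = 2 };

/* Interpret the result of prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL). */
enum bpf_support classify_probe(int ret, int err)
{
    if (ret == -1 && err == EFAULT) return BPF_SUPPORTED;   /* mode known, NULL filter rejected */
    if (ret == -1 && err == EINVAL) return BPF_UNSUPPORTED; /* mode unknown or not compiled in */
    return BPF_UNKNOWN;                                     /* e.g. blocked by an outer sandbox */
}

/* A NULL filter can never be installed, so the probe leaves the process unchanged. */
enum bpf_support probe_seccomp_bpf(void)
{
    errno = 0;
    int ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
    return classify_probe(ret, errno);
}

/* Version heuristic only: distributions may backport the feature to older kernels. */
int release_has_mainline_bpf(const char *release)
{
    int major = 0, minor = 0;
    if (sscanf(release, "%d.%d", &major, &minor) != 2) return -1; /* unparseable */
    return major > 3 || (major == 3 && minor >= 5);
}

int main(void)
{
    static const char *names[] = { "not supported", "supported", "inconclusive" };
    struct utsname u;
    if (uname(&u) != 0) { perror("uname"); return 2; }
    printf("kernel release: %s (mainline >= 3.5: %d)\n",
           u.release, release_has_mainline_bpf(u.release));
    enum bpf_support s = probe_seccomp_bpf();
    printf("seccomp-BPF filter mode: %s\n", names[s]);
    return s == BPF_SUPPORTED ? 0 : 1;
}
```

The prctl() probe is the authoritative result; the release-string check only explains why a stock 3.2 kernel is expected to report "not supported".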