Debian FATAL:zygote_host_impl_linux.cc(124)] No usable sandbox! Update your kernel

[r4nd0m123]

Hi,

I'm using the Ubuntu/Debian repo and I just upgraded Iridium to the latest version and I now get the stack trace below when trying to run the application.

$ iridium-browser
[5377:5377:0529/181219.022652:FATAL:zygote_host_impl_linux.cc(124)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
#0 0x55727067686c
#1 0x55727068e39e
#2 0x55726f423619
#3 0x55727027dc0d
#4 0x557270287999
#5 0x55727027c364
#6 0x55726e5b51d3 ChromeMain
#7 0x7f7f7a55ba87 __libc_start_main
#8 0x55726e5b5049 _start

Received signal 6
#0 0x55727067686c
#1 0x5572706763c1
#2 0x7f7f811a5f50
#3 0x7f7f7a56ee7b gsignal
#4 0x7f7f7a570231 abort
#5 0x557270674ad5
#6 0x55727068e68c
#7 0x55726f423619
#8 0x55727027dc0d
#9 0x557270287999
#10 0x55727027c364
#11 0x55726e5b51d3 ChromeMain
#12 0x7f7f7a55ba87 __libc_start_main
#13 0x55726e5b5049 _start
r8: 0000000000000000 r9: 00007ffe31d558c0 r10: 0000000000000008 r11: 0000000000000246
r12: 00007f7f7ae90060 r13: 00007ffe31d55fd8 r14: 000000000000016b r15: 00007ffe31d55fd0
di: 0000000000000002 si: 00007ffe31d558c0 bp: 00007ffe31d55b10 bx: 0000000000000006
dx: 0000000000000000 ax: 0000000000000000 cx: 00007f7f7a56ee7b sp: 00007ffe31d558c0
ip: 00007f7f7a56ee7b efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000
trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.

$ uname -sorv
Linux 4.16.0-1-amd64 #1 SMP Debian 4.16.5-1 (2018-04-29) GNU/Linux

$ cat /etc/debian_version
buster/sid

Any ideas?

[longsleep]

Thanks for the feedback. Not sure what happens - will try to reproduce on Debian 10.

[longsleep]

What Kernel is this. Have you built it yourself?

Most possible it lacks support for unprivileged namespaces which has been introduced as sandboxing solution of chose in https://bugs.chromium.org/p/chromium/issues/detail?id=312380.

Upstream Chromium and now also Iridium are no longer shipping the older suid sandbox and thus Iridium refuses to start on your system. If you cannot or do not want to enable proper namespace support for your kernel, you have to run Iridium with the --no-sandbox command line parameter to let it start.

Please update this ticket with information about your Kernel. For example

cat /boot/config-$(uname -r)|grep USER_NS  
CONFIG_USER_NS=y

For reference on sandboxing in Chromium and thus also in Iridium see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md

[r4nd0m123]

Thanks for investigating so quickly!

I'm not sure whether PureOS compile their own kernel or reuse Debian's. It looks like this kernel supports unprivileged namespaces.

$ cat /boot/config-$(uname -r)|grep USER_NS
CONFIG_USER_NS=y

[longsleep]

So in PureOS it seems that the default user is already running in some kind of restricted namespace / sandbox / caps and thus that user cannot spawn additional sandboxes.

This is more a PureOS problem - maybe you can ask the folks there what do do?

You can check with

unshare -U lala

to create a user namespace. This will probably fail with an Operation not permitted error. Unfortunately there is nothing we can do.

[n8w8]

I had the same issue with stock Debian Stretch, the (Debian-specific) fix is:

echo kernel.unprivileged_userns_clone=1 > /etc/sysctl.d/00-local-userns.conf
service procps restart

Which I learnt from:
https://superuser.com/questions/1094597/enable-user-namespaces-in-debian-kernel#1122977

[longsleep]

I had the same issue with stock Debian Stretch, the (Debian-specific) fix is:

echo kernel.unprivileged_userns_clone=1 > /etc/sysctl.d/00-local-userns.conf
service procps restart

OK cool thanks for the info. This is rather unfortunate - i guess we should check how Chrome/Chromium upstream handles this or do those also not start without enabling this?

[choelzl]

i guess we should check how Chrome/Chromium upstream handles this or do those also not start without enabling this?

Tried with Chromium62.0.3202.89-1, Works with no issue under
Linux 4.16.0-1-amd64 #1 SMP Debian 4.16.5-1 (2018-04-29) GNU/Linux

[longsleep]

Tried with Chromium62.0.3202.89-1,

Right that is too old and is probably using the old SUID Sandbox. Check with chrome://sandbox/` and compare.

[longsleep]

Also seems like current Chromium 66 build from Debian still ships with the old sandbox https://packages.debian.org/stretch/amd64/chromium/filelist

[choelzl]

Chromium 62:

SUID Sandbox | Yes
Namespace Sandbox | No
PID namespaces | Yes
Network namespaces | Yes
Seccomp-BPF sandbox | Yes
Seccomp-BPF sandbox supports TSYNC | Yes
Yama LSM Enforcing | No

Iridium-browser 2018.5 with

echo kernel.unprivileged_userns_clone=1 > /etc/sysctl.d/00-local-userns.conf
service procps restart

SUID Sandbox | No
Namespace Sandbox | Yes
PID namespaces | Yes
Network namespaces | Yes
Seccomp-BPF sandbox | Yes
Seccomp-BPF sandbox supports TSYNC | Yes
Yama LSM Enforcing | No

[longsleep]

I guess it would be best to ship with the SUID sandbox even if it is deprecated. Google chrome does this too.

[sezio]

Hello,

For your information, I had the same problem on debian stretch and the solution provided by n8w8 fix the problem.

Thanks @n8w8 and by the way, thanks to the iridium team for your impressive work

[Necklaces]

Both Arch and Manjaro, and probably more Arch based distros, are affected by this as well (via a PKGBUILD that uses the current ubuntu release). Same error message. The same PKGBUILD worked fine with the last ubuntu release.

[HellishINC]

I have fixed this on Arch.

sudo echo kernel.unprivileged_userns_clone=1 > /etc/sysctl.d/00-local-userns.conf
sudo sysctl --system

SUID Sandbox No
Namespace Sandbox Yes
PID namespaces Yes
Network namespaces Yes
Seccomp-BPF sandbox Yes
Seccomp-BPF sandbox supports TSYNC Yes
Yama LSM Enforcing Yes

[steviefaulkner]

Thanks @n8w8 . Your fix works on Debian Buster running Linux Kernel version 4.16.0-2-amd64.

Before entering the commands you gave, I needed to create the file: /etc/sysctl.d/00-local-userns.conf

[hovancik]

can we expect any fix here? I am not sure if I wanna add flags to configs that I do not understand.

I am on Debian Sid

[19684:19684:1230/171232.526740:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
#0 0x55d8f0b1e07f <unknown>
#1 0x55d8f0a957ee <unknown>
#2 0x55d8f1d9a7d9 <unknown>
#3 0x55d8f059ecc9 <unknown>
#4 0x55d8f05a60e8 <unknown>
#5 0x55d8f059d831 <unknown>
#6 0x55d8ee303293 ChromeMain
#7 0x7fc7448ee09b __libc_start_main
#8 0x55d8ee303109 _start

Received signal 6
#0 0x55d8f0b1e07f <unknown>
#1 0x55d8f0b1dbe1 <unknown>
#2 0x7fc747179670 <unknown>
#3 0x7fc74490185b gsignal
#4 0x7fc7448ec535 abort
#5 0x55d8f0b1c945 <unknown>
#6 0x55d8f0a95af4 <unknown>
#7 0x55d8f1d9a7d9 <unknown>
#8 0x55d8f059ecc9 <unknown>
#9 0x55d8f05a60e8 <unknown>
#10 0x55d8f059d831 <unknown>
#11 0x55d8ee303293 ChromeMain
#12 0x7fc7448ee09b __libc_start_main
#13 0x55d8ee303109 _start
  r8: 0000000000000000  r9: 00007ffd062f76a0 r10: 0000000000000008 r11: 0000000000000246
 r12: 00007ffd062f8318 r13: 000000000000016d r14: 00007fc744c29080 r15: 00007ffd062f8310
  di: 0000000000000002  si: 00007ffd062f76a0  bp: 00007ffd062f78f0  bx: 0000000000000006
  dx: 0000000000000000  ax: 0000000000000000  cx: 00007fc74490185b  sp: 00007ffd062f76a0
  ip: 00007fc74490185b efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]

[longsleep]

For now you have to enable user namespaces on distros which do not have this enabled by default.

Something like

echo kernel.unprivileged_userns_clone=1 > /etc/sysctl.d/00-local-userns.conf
service procps restart

[longsleep]

Closing since currently there are no plans to change this.

[narcisgarcia]

Please patch postinst script in GNU/Linux packages by adding this code:

echo '# procps workaround for iridium-browser issue #208' | tee /etc/sysctl.d/00-local-userns.conf
echo '# https://github.com/iridium-browser/tracker/issues/208' >> /etc/sysctl.d/00-local-userns.conf
echo 'kernel.unprivileged_userns_clone=1' >> /etc/sysctl.d/00-local-userns.conf
if [ "$(which systemctl)" != "" ] ; then
	systemctl restart procps
else
	service procps restart
fi

• Please patch prerm script in GNU/Linux packages by adding this code:

rm -f /etc/sysctl.d/00-local-userns.conf
if [ "$(which systemctl)" != "" ] ; then
	systemctl restart procps
else
	service procps restart
fi

iridium is not usable by any GNU/Linux user with only following website download instructions.