OLD | NEW |
1 (For context see [LinuxSUIDSandbox](http://code.google.com/p/chromium/wiki/Linux
SUIDSandbox)) | 1 # Linux SUID Sandbox Development |
2 | 2 |
| 3 For context see [LinuxSUIDSandbox](linux_suid_sandbox.md) |
| 4 |
3 We need a SUID helper binary to turn on the sandbox on Linux. | 5 We need a SUID helper binary to turn on the sandbox on Linux. |
4 | 6 |
5 In most cases, you can run **build/update-linux-sandbox.sh** and it'll install t
he proper sandbox for you in /usr/local/sbin and tell you to update your .bashrc
if needed. | 7 In most cases, you can run `build/update-linux-sandbox.sh` and it'll install |
| 8 the proper sandbox for you in `/usr/local/sbin` and tell you to update your |
| 9 `.bashrc` if needed. |
6 | 10 |
7 ### Installation instructions for developers | 11 ## Installation instructions for developers |
8 | 12 |
9 * If you have no setuid sandbox at all, you will see a message such as: | 13 * If you have no setuid sandbox at all, you will see a message such as: |
10 ``` | 14 |
11 Running without the SUID sandbox! | 15 ``` |
12 ``` | 16 Running without the SUID sandbox! |
13 * If your setuid binary is out of date, you will get messages such as: | 17 ``` |
14 ``` | 18 |
15 The setuid sandbox provides API version X, but you need Y | 19 * If your setuid binary is out of date, you will get messages such as: |
16 ``` | 20 |
17 ``` | 21 ``` |
18 You are using a wrong version of the setuid binary! | 22 The setuid sandbox provides API version X, but you need Y |
19 ``` | 23 You are using a wrong version of the setuid binary! |
| 24 ``` |
20 | 25 |
21 Run the script mentioned above, or do something such as: | 26 Run the script mentioned above, or do something such as: |
22 | 27 |
23 * Build chrome\_sandbox whenever you build chrome ("ninja -C xxx chrome chrome
\_sandbox" instead of "ninja -C xxx chrome") | 28 * Build `chrome_sandbox` whenever you build chrome |
24 * After building, run something similar to (or use the provided update-linux-s
andbox.sh): | 29 (`ninja -C xxx chrome chrome_sandbox` instead of `ninja -C xxx chrome`) |
25 ``` | 30 * After building, run something similar to (or use the provided |
26 sudo cp out/Debug/chrome_sandbox /usr/local/sbin/chrome-devel-sandbox #needed if
you build on NFS! | 31 `update-linux-sandbox.sh`): |
27 sudo chown root:root /usr/local/sbin/chrome-devel-sandbox | |
28 sudo chmod 4755 /usr/local/sbin/chrome-devel-sandbox | |
29 ``` | |
30 | 32 |
31 * Put this line in your ~/.bashrc (or .zshenv etc): | 33 ```shell |
32 ``` | 34 # needed if you build on NFS! |
33 export CHROME_DEVEL_SANDBOX=/usr/local/sbin/chrome-devel-sandbox | 35 sudo cp out/Debug/chrome_sandbox /usr/local/sbin/chrome-devel-sandbox |
34 ``` | 36 sudo chown root:root /usr/local/sbin/chrome-devel-sandbox |
| 37 sudo chmod 4755 /usr/local/sbin/chrome-devel-sandbox |
| 38 ``` |
35 | 39 |
36 ### Try bots and waterfall | 40 * Put this line in your `~/.bashrc` (or `.zshenv` etc): |
37 | 41 |
38 If you're installing a new bot, always install the setuid sandbox (the instructi
ons are different than for developers, contact the Chrome troopers). If somethi
ng does need to run without the setuid sandbox, use the --disable-setuid-sandbox
command line flag. | 42 ``` |
| 43 export CHROME_DEVEL_SANDBOX=/usr/local/sbin/chrome-devel-sandbox |
| 44 ``` |
39 | 45 |
40 The SUID sandbox must be enabled on the try bots and the waterfall. If you don't
use it locally, things might appear to work for you, but break on the bots. | 46 ## Try bots and waterfall |
41 | 47 |
42 (Note: as a temporary, stop gap measure, setting CHROME\_DEVEL\_SANDBOX to an em
pty string is equivalent to --disable-setuid-sandbox) | 48 If you're installing a new bot, always install the setuid sandbox (the |
| 49 instructions are different than for developers, contact the Chrome troopers). If |
| 50 something does need to run without the setuid sandbox, use the |
| 51 `--disable-setuid-sandbox` command line flag. |
43 | 52 |
44 ### Disabling the sandbox | 53 The `SUID` sandbox must be enabled on the try bots and the waterfall. If you |
| 54 don't use it locally, things might appear to work for you, but break on the |
| 55 bots. |
45 | 56 |
46 If you are certain that you don't want the setuid sandbox, use --disable-setuid-
sandbox. There should be very few cases like this. | 57 (Note: as a temporary, stop gap measure, setting `CHROME_DEVEL_SANDBOX` to an |
47 So if you're not absolutely sure, run with the setuid sandbox. | 58 empty string is equivalent to `--disable-setuid-sandbox`) |
48 | 59 |
49 ### Installation instructions for "[Raw builds of Chromium](https://commondatast
orage.googleapis.com/chromium-browser-continuous/index.html)" | 60 ## Disabling the sandbox |
| 61 |
| 62 If you are certain that you don't want the setuid sandbox, use |
| 63 `--disable-setuid-sandbox`. There should be very few cases like this. So if |
| 64 you're not absolutely sure, run with the setuid sandbox. |
| 65 |
| 66 ## Installation instructions for "[Raw builds of Chromium](https://commondatasto
rage.googleapis.com/chromium-browser-continuous/index.html)" |
50 | 67 |
51 If you're using a "raw" build of Chromium, do the following: | 68 If you're using a "raw" build of Chromium, do the following: |
52 ``` | |
53 sudo chown root:root chrome_sandbox && sudo chmod 4755 chrome_sandbox && export
CHROME_DEVEL_SANDBOX="$PWD/chrome_sandbox" | |
54 ./chrome | |
55 ``` | |
56 | 69 |
57 You can also make such an installation more permanent by following the [steps ab
ove](#Installation_instructions_for_developers.md) and installing chrome\_sandbo
x to a more permanent location. | 70 sudo chown root:root chrome_sandbox && sudo chmod 4755 chrome_sandbox && \ |
| 71 export CHROME_DEVEL_SANDBOX="$PWD/chrome_sandbox" |
| 72 ./chrome |
58 | 73 |
59 ### System-wide installations of Chromium | 74 You can also make such an installation more permanent by following the |
| 75 [steps above](#Installation-Instructions-for-developers) and installing |
| 76 `chrome_sandbox` to a more permanent location. |
60 | 77 |
61 The CHROME\_DEVEL\_SANDBOX variable is intended for developers and won't work fo
r a system-wide installation of Chromium. Package maintainers should make sure t
he setuid binary is installed and defined in GYP as linux\_sandbox\_path. | 78 ## System-wide installations of Chromium |
| 79 |
| 80 The `CHROME_DEVEL_SANDBOX` variable is intended for developers and won't work |
| 81 for a system-wide installation of Chromium. Package maintainers should make sure |
| 82 the `setuid` binary is installed and defined in GYP as `linux_sandbox_path`. |
OLD | NEW |