On Sun, 20 Dec 2020 at 11:08:18 +0000, Patrick Schleizer wrote:
> as already reported upstream, org.chromium.Chromium does not work out of
> the box in Debian buster.
>
> https://github.com/flathub/org.chromium.Chromium/issues/31
>
> As the ticket mentions, sysctl kernel.unprivileged_userns_clone=1 is
> required, which is already the case in Debian testing.

Really? My understanding is that the default in testing's kernel is
kernel.unprivileged_userns_clone=0, but the default will change to
kernel.unprivileged_userns_clone=1 with the 5.10.x kernel (for which
there are initial versions in experimental). See #898446.

> But it also required "chmod -s $(which bwrap)" which I don't know is
> currently the case in Debian testing or how that situation is going to
> develop.

This is not something that Debian's flatpak or bwrap packages can
necessarily fix unilaterally, because dropping the setuid bit would make
Flatpak non-functional on older kernels (not just for the minority of
apps like Chromium that have special sandboxing requirements, but also
for the other apps that do not have special requirements).

There are a few possible ways to avoid this situation, and I'll try to
get it resolved before the freeze, but none of them are really ideal.

(Ideally I want to get rid of the setuid bit on bwrap anyway, one way or
another, because having it setuid makes it a security boundary, and I
don't want to maintain security-sensitive code if I don't have to.)

    smcv
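
The following check is an added example, not part of the original message and not code from Debian's flatpak or bubblewrap packages. It reads the two settings discussed in this thread (the kernel.unprivileged_userns_clone sysctl and the setuid bit on bwrap) and reports which of the four combinations a host is in; the function names and result tokens are assumptions made for this example, and the outcomes restate what the thread reports rather than being measured.

```shell
#!/bin/sh
# Added example: classify a host by the two settings discussed in the thread.

# classify USERNS SETUID -> one token on stdout
#   USERNS: value of kernel.unprivileged_userns_clone (1 or 0)
#   SETUID: "yes" if bwrap carries the setuid bit, otherwise "no"
# Tokens (hypothetical names) follow the thread's description:
#   both-work                        userns on, bwrap not setuid
#   chromium-needs-chmod             userns on, bwrap still setuid
#   chromium-needs-sysctl-and-chmod  userns off, bwrap setuid (other apps work)
#   flatpak-broken                   userns off and no setuid bit
#   unknown                          anything else, e.g. sysctl file absent
classify() {
    case "$1:$2" in
        1:no)  echo "both-work" ;;
        1:yes) echo "chromium-needs-chmod" ;;
        0:yes) echo "chromium-needs-sysctl-and-chmod" ;;
        0:no)  echo "flatpak-broken" ;;
        *)     echo "unknown" ;;
    esac
}

# probe_host: read the live values and print the classification.
probe_host() {
    knob=/proc/sys/kernel/unprivileged_userns_clone
    if [ -r "$knob" ]; then userns=$(cat "$knob"); else userns=absent; fi

    bwrap_path=$(command -v bwrap 2>/dev/null) || bwrap_path=
    if [ -z "$bwrap_path" ]; then
        echo "bwrap not found in PATH (sysctl: $userns)"
        return 0
    fi

    # test -u is true when the file has its set-user-ID bit set
    if [ -u "$bwrap_path" ]; then setuid=yes; else setuid=no; fi

    echo "sysctl=$userns bwrap=$bwrap_path setuid=$setuid: $(classify "$userns" "$setuid")"
}

probe_host
```

The "flatpak-broken" case is the reason given above for not simply dropping the setuid bit in the package.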