Ubuntu
chromium-browser package

Sandboxing Chromium Snap without FireJail

Bug #1847092 reported by Lonnie Lee Best
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
chromium-browser (Ubuntu)
Triaged
Low
Unassigned

Bug Description

I'm a Firefox user who uses Chromium for certain google websites.

I like to run Chromium in a sandbox so that the "Downloads" folder is the only file system location Chromium can see.

In Ubuntu 19.04, I could achieve this with:
sudo apt install chromium-browser firejail ; firejail chromium-browser

In Ubuntu 19.10, Chromium is only offered as a snap package:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1847092

Firejail, doesn't work with Chromium's snap package installation:
https://askubuntu.com/questions/1178995

The snap installation's degree of isolation seems to be controlled by the developer of snap package.

Since firejail no longer works for achieving this degree of isolation, I'm requesting that the Snap Package Maintainer (of Chromium), provide an alternative installation that only gives Chromium access to the "Downloads" folder exclusively.

ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: chromium-browser (not installed)
ProcVersionSignature: Ubuntu 5.3.0-13.14-generic 5.3.0
Uname: Linux 5.3.0-13-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu7
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Oct 7 08:15:38 2019
InstallationDate: Installed on 2019-10-06 (0 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Beta amd64 (20191001.2)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: chromium-browser
UpgradeStatus: No upgrade log present (probably fresh install)

See original description
Revision history for this message
Lonnie Lee Best (launchpad-startport) wrote :
description: updated
Lonnie Lee Best (launchpad-startport)
description: updated
Lonnie Lee Best (launchpad-startport)
description: updated
description: updated
Revision history for this message
Olivier Tilloy (osomon) wrote :

As suggested by user ajgringo619 on askubuntu, disconnecting the home interface would get you close to what you're after. However to my knowledge there's no way to selectively connect certain folders in the home directory, such as ~/Downloads.

Note that if you disconnect the home interface, you will need to tell chromium where to store downloaded files, by configuring this in chrome://settings/downloads.

Changed in chromium-browser (Ubuntu):
status: New → Triaged
importance: Undecided → Low
Revision history for this message
Lonnie Lee Best (launchpad-startport) wrote :

If you disconnect home, what portions of the file system does Chromium have access to?

description: updated
Revision history for this message
Olivier Tilloy (osomon) wrote :

The root filesystem that the chromium snap sees is the one provided by the core18 snap.

Exceptions granted by the connected interfaces can be inspected by reading the generated apparmor profile, stored at /var/lib/snapd/apparmor/profiles/snap.chromium.chromium.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.