Chromium browsers sandboxing status with "Ptrace Protection" = "No", how dangerous is it?

I just noticed that both the Ptrace Protection with Yama LSM sandboxing statuses in Brave are showing as No (brave://sandbox). This is because openSUSE doesn’t enable ptrace_scope by default, even though its kernel is built with CONFIG_SECURITY_YAMA=y. See more about this kernel feature here.

ptrace_scope is enabled on Ubuntu since 10.10, though.

On openSUSE, running cat /proc/sys/kernel/yama/ptrace_scope will return 0 since ptrace_scope is not enabled yet. Therefore, by enabling ptrace_scope, the sandboxing status Ptrace Protection with Yama LSM (Broker) in Brave or any Chromium-based browser will show as Yes.

However, the Ptrace Protection with Yama LSM (Non-broker) is still showing as No unless I also setcap the cap_sys_ptrace capability to eip on Brave by:

sudo setcap cap_sys_ptrace=eip /opt/

But doing so will make the Layer 1 Sandbox sandboxing status turn to SUID, marked in yellow (it’s green by default with Namespace as its value). I believe it’s not a good thing, so I cleared the setcap on Brave.

I have 2 questions:

  1. Is Ptrace Protection very important? If so, why haven’t some distros enabled it by default?
  2. How can I make all the sandboxing statuses green in Chromium-based browsers? If it’s impossible, which one should be green, Ptrace Protection with Yama LSM (Non-broker) or Layer 1 Sandbox?

From my brief finding, it seems Layer 1 Sandbox should stay the way it is, Namespace. Only when namespaces aren’t available is Yama LSM Enforcing/Ptrace Protection with Yama LSM (Non-broker) available as an alternative mode, see here1, and here2.

Basically, only Ptrace Protection with Yama LSM (Broker) should be enabled as an additional security feature. Anyone can enable this feature by copying the yama.conf file from /usr/lib/sysctl.d/ to /etc/sysctl.d/. Then, change kernel.yama.ptrace_scope value inside the file from 0 to 1 (the default value on Ubuntu).

EDIT: my current brave://sandbox on openSUSE with Ptrace Protection enabled:

Feature                                        Value
Layer 1 Sandbox                                Namespace
PID namespaces                                 Yes
Network namespaces                             Yes
Seccomp-BPF sandbox                            Yes
Seccomp-BPF sandbox supports TSYNC             Yes
Ptrace Protection with Yama LSM (Broker)       Yes
Ptrace Protection with Yama LSM (Non-broker)   No

Interestingly, brave includes /usr/lib/sysctl.d/53-brave.conf
which has these contents:

# Recommended kernel settings for the Chromium sandbox (see chrome://sandbox)

#kernel.yama.ptrace_scope = 1

but it’s commented out for some reason… who knows why

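An added example, not code from this thread, from Brave or from openSUSE: a small POSIX shell script that resolves which sysctl.d drop-in actually sets kernel.yama.ptrace_scope, following systemd-sysctl precedence (a file in /etc/sysctl.d masks a same-named file in /usr/lib/sysctl.d, and among the surviving files later names override earlier ones), and describes what each Yama value means. It shows why a commented-out line such as the one in 53-brave.conf has no effect and why copying yama.conf to /etc/sysctl.d with the value changed does. SYSCTL_ROOT is an assumed prefix (empty for the live system) so the logic can be exercised on a constructed directory tree without root.

```shell
#!/bin/sh
# Added example (not from the thread or any project): resolve the effective
# sysctl.d setting for kernel.yama.ptrace_scope and describe its meaning.
# SYSCTL_ROOT is an assumed prefix so the script can run against a test tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-}"

# Drop-in directories, highest precedence first (systemd-sysctl search order).
sysctl_dirs() {
  printf '%s\n' \
    "$SYSCTL_ROOT/etc/sysctl.d" \
    "$SYSCTL_ROOT/run/sysctl.d" \
    "$SYSCTL_ROOT/usr/local/lib/sysctl.d" \
    "$SYSCTL_ROOT/usr/lib/sysctl.d"
}

# Print the effective value of a sysctl key across all drop-ins, or nothing if
# no uncommented assignment exists. Same-named files: the higher-precedence
# directory masks the rest. Surviving files are processed in name order and
# the last assignment wins.
effective_sysctl() {
  key="$1"
  tab="$(printf '\t')"
  # "basename<TAB>path" per file, deduplicated on basename keeping the first
  # (highest-precedence) directory, then sorted by basename.
  list=$(for d in $(sysctl_dirs); do
           [ -d "$d" ] || continue
           for f in "$d"/*.conf; do
             [ -f "$f" ] && printf '%s\t%s\n' "$(basename "$f")" "$f"
           done
         done | sort -t "$tab" -k1,1 -s | awk -F'\t' '!seen[$1]++')
  # Escape the dots so the key is matched literally by sed.
  pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
  value=""
  while IFS="$tab" read -r name path; do
    [ -n "$path" ] || continue
    # Only lines that start with the key count; "#key = 1" is a comment.
    v=$(sed -n -E "s/^[[:space:]]*${pattern}[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p" "$path" | tail -n 1)
    if [ -n "$v" ]; then value="$v"; fi
  done <<EOF
$list
EOF
  printf '%s\n' "$value"
}

# Meaning of each kernel.yama.ptrace_scope value, per the Yama documentation.
describe_ptrace_scope() {
  case "$1" in
    0) echo "classic: any process may ptrace another of the same uid" ;;
    1) echo "restricted: only descendants (or PR_SET_PTRACER targets) may be traced" ;;
    2) echo "admin-only: attaching requires CAP_SYS_PTRACE" ;;
    3) echo "no attach: ptrace disabled; cannot be lowered without a reboot" ;;
    *) echo "unknown" ;;
  esac
}

# Report on the live system when run directly (read-only; nothing is changed).
if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
  live=$(cat /proc/sys/kernel/yama/ptrace_scope)
  echo "live kernel.yama.ptrace_scope=$live ($(describe_ptrace_scope "$live"))"
  echo "configured via sysctl.d: '$(effective_sysctl kernel.yama.ptrace_scope)'"
fi
```

After creating /etc/sysctl.d/yama.conf with kernel.yama.ptrace_scope = 1, the drop-ins are reloaded with sudo sysctl --system, and the live value in /proc/sys/kernel/yama/ptrace_scope should then match what the script resolves.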

I would assume the reason it’s commented out is that this setting would affect not only Brave, but also all other Chromium-based browsers and how the system works in this regard.

Nevertheless, it’s a good setting and should be enabled regardless. I also opened a request to have this enabled by default on openSUSE, see SUSE Bug 1217051.

EDIT: ptrace_scope=1 request has been merged upstream, see Restrict ptrace with Yama LSM by default by jsegitz · Pull Request #138 · openSUSE/aaa_base · GitHub
