If you want to run developer builds of Chromium/Chrome on Ubuntu 23.10+ (or possibly other Linux distros in the future), you'll need to either globally or selectively disable an Ubuntu security feature.
The easiest way is to disable Ubuntu's security feature globally by running this command in a terminal:

```shell
echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
```

but note that this disables a useful Ubuntu security feature.
To make this setting persist across reboots, create a new file in /etc/sysctl.d, for example:

```shell
echo kernel.apparmor_restrict_unprivileged_userns=0 | sudo tee /etc/sysctl.d/60-apparmor-namespace.conf
```
A slightly safer way is to write an AppArmor profile that allows running any binary named “chrome” under your chromium build directory:
```shell
export CHROMIUM_BUILD_PATH=/@{HOME}/chromium/src/out/**/chrome
cat | sudo tee /etc/apparmor.d/chrome-dev-builds <<EOF
abi <abi/4.0>,
include <tunables/global>

profile chrome $CHROMIUM_BUILD_PATH flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/chrome>
}
EOF

sudo service apparmor reload # reload AppArmor profiles to include the new one
```
Note that an attacker with the ability to create an executable called chrome anywhere in the above directory will be able to bypass Ubuntu's security mechanism.

You can change CHROMIUM_BUILD_PATH to anything you like. `**` matches any part of a path (including `/`), `*` matches one component of a path. Other options are described in `man apparmor.d` under the GLOBBING section.
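To see how much of the filesystem a given profile path actually covers, the following added example (not part of the Chromium docs) converts an AppArmor path glob into an anchored regular expression and tests candidate paths against it. It handles only `*`, `**` and `?`; the `@{HOME}` tunable is replaced by a constructed literal home directory (`/home/alice`), and the sample paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: approximate AppArmor path globbing to check which binaries a
# profile attachment path such as /home/alice/chromium/src/out/**/chrome covers.
# Only '*', '**' and '?' are implemented; '{a,b}' alternation and '[...]'
# character classes are not. @{HOME} is assumed to be /home/alice here.

apparmor_glob_to_regex() {
  # Convert an AppArmor path glob to an anchored POSIX ERE.
  # '**' matches any characters including '/'; '*' and '?' stop at '/'.
  printf '%s\n' "$1" | sed \
    -e 's/[.+()|^$]/\\&/g' \
    -e 's/\*\*/@@DS@@/g' \
    -e 's/\*/[^\/]*/g' \
    -e 's/?/[^\/]/g' \
    -e 's/@@DS@@/.*/g' \
    -e 's/^/^/' -e 's/$/$/'
}

apparmor_glob_match() {
  # Usage: apparmor_glob_match GLOB PATH
  # Exit status 0 when PATH would be covered by the profile attachment GLOB.
  regex=$(apparmor_glob_to_regex "$1")
  printf '%s\n' "$2" | grep -Eq -- "$regex"
}

report_coverage() {
  # Print, for each constructed path, whether GLOB covers it.
  glob=$1
  shift
  echo "profile path: $glob  (regex: $(apparmor_glob_to_regex "$glob"))"
  for p in "$@"; do
    if apparmor_glob_match "$glob" "$p"; then
      echo "  covered     : $p"
    else
      echo "  not covered : $p"
    fi
  done
}

# Constructed sample paths: a real build output, a deeper subdirectory,
# and a file whose name merely starts with "chrome".
SAMPLE_PATHS="/home/alice/chromium/src/out/Release/chrome
/home/alice/chromium/src/out/Release/sub/chrome
/home/alice/chromium/src/out/Release/chrome_sandbox"

# '**' reaches across directory separators; '*' stays within one component.
# shellcheck disable=SC2086
report_coverage '/home/alice/chromium/src/out/**/chrome' $SAMPLE_PATHS
# shellcheck disable=SC2086
report_coverage '/home/alice/chromium/src/out/*/chrome' $SAMPLE_PATHS
```

Comparing the two runs shows the trade-off the text describes: with `**`, any executable named `chrome` at any depth under `out/` attaches to the unconfined profile, while `*` limits it to one directory level (for example `out/Release/chrome`), which narrows what a file planted in that tree could gain.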
If you have installed Google Chrome, the setuid sandbox helper (the old version of the sandbox) is available at /opt/google/chrome/chrome-sandbox. You can tell developer builds to use it by putting the following in your ~/.bashrc:

```shell
export CHROME_DEVEL_SANDBOX=/opt/google/chrome/chrome-sandbox
```
Ubuntu's packaged version of Chromium will not install the setuid sandbox helper (it's a snap package that disables the Ubuntu security feature at runtime for its installed version of Chromium).
If you have not installed Google Chrome, but you do have a Chromium source checkout, you can build the SUID sandbox helper yourself and install it. This is the old version of the sandbox, but should work without disabling any Ubuntu security features. See [Linux SUID Sandbox Development](https://chromium.googlesource.com/chromium/src/+/main/docs/linux/suid_sandbox_development.md) for instructions. This should work permanently.
The older version of the sandbox may be slightly weaker, and involves installing a setuid binary.
Ubuntu ships with an AppArmor profile that applies to Chrome stable binaries installed at /opt/google/chrome/chrome (the default installation path). This policy is stored at /etc/apparmor.d/chrome.
You will need to run developer builds with the --no-sandbox command line flag, but be aware that this disables critical security features of Chromium and should never be used when browsing the open web.
Our primary sandbox no longer works on developer builds on some Linux distributions, namely Ubuntu, due to a security feature that restricts access to a powerful kernel feature, user namespaces. User namespaces are used by Chromium (and many containerization applications) to restrict access to the filesystem without requiring root privileges or a setuid binary. For a while, user namespaces have been available to unprivileged (i.e. non-root) users on most Linux distros, but they exposed a lot of extra kernel attack surface. For more details, see Ubuntu's announcement at https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces.
Individual binaries can be allowlisted by filepath using root-owned AppArmor profiles stored in /etc/apparmor.d/. Ubuntu ships with an AppArmor profile that applies to Chrome stable binaries installed at /opt/google/chrome/chrome (the default installation path). Ubuntu's packaged version of Chromium is a snap package, and snap generates an AppArmor profile at runtime that allows usage of user namespaces.