diff --git a/docs/docker/README.md b/docs/docker/README.md index 5379ba5581..92244ccbb5 100644 --- a/docs/docker/README.md +++ b/docs/docker/README.md @@ -31,13 +31,30 @@ $ docker pull mcr.microsoft.com/playwright:bionic ### Run the image ``` -$ docker container run -it --rm --ipc=host --security-opt seccomp=chrome.json mcr.microsoft.com/playwright:bionic /bin/bash +$ docker container run -it --rm --ipc=host --security-opt seccomp=seccomp_profile.json mcr.microsoft.com/playwright:bionic /bin/bash ``` -Note that: +[`seccomp_profile.json`](seccomp_profile.json) is needed to run Chromium with sandbox. This is +a [default Docker seccomp profile](https://github.com/docker/engine/blob/d0d99b04cf6e00ed3fc27e81fc3d94e7eda70af3/profiles/seccomp/default.json) with extra user namespace cloning permissions: -* The seccomp profile is required to run Chrome without sandbox. Thanks to [Jessie Frazelle](https://github.com/jessfraz/dotfiles/blob/master/etc/docker/seccomp/chrome.json). -* Using `--ipc=host` is also recommended when using Chrome ([Docker docs](https://docs.docker.com/engine/reference/run/#ipc-settings---ipc)). Chrome can run out of memory without this flag. +```json +[ + { + "comment": "Allow create user namespaces", + "names": [ + "clone", + "setns", + "unshare" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "includes": {}, + "excludes": {} + } +] +``` + +> **NOTE**: Using `--ipc=host` is recommended when using Chrome ([Docker docs](https://docs.docker.com/engine/reference/run/#ipc-settings---ipc)). Chrome can run out of memory without this flag. ### Using on CI diff --git a/docs/docker/chrome.json b/docs/docker/chrome.json deleted file mode 100644 index e5b0f2d685..0000000000 --- a/docs/docker/chrome.json +++ /dev/null 
@@ -1,1535 +0,0 @@ -{ - "defaultAction": "SCMP_ACT_ERRNO", - "syscalls": [ - { - "name": "accept", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "accept4", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "access", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "alarm", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "arch_prctl", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "bind", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "brk", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "capget", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "capset", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "chdir", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "chmod", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "chown", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "chown32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "chroot", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "clock_getres", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "clock_gettime", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "clock_nanosleep", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "clone", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "close", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "connect", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "creat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "dup", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "dup2", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "dup3", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "epoll_create", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "epoll_create1", - "action": 
"SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "epoll_ctl", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "epoll_ctl_old", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "epoll_pwait", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "epoll_wait", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "epoll_wait_old", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "eventfd", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "eventfd2", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "execve", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "execveat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "exit", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "exit_group", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "faccessat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fadvise64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fadvise64_64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fallocate", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fanotify_init", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fanotify_mark", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fchdir", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fchmod", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fchmodat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fchown", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fchown32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fchownat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fcntl", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fcntl64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fdatasync", - "action": 
"SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fgetxattr", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "flistxattr", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "flock", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fork", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fremovexattr", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fsetxattr", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fstat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fstat64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fstatat64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fstatfs", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fstatfs64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "fsync", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "ftruncate", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "ftruncate64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "futex", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "futimesat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getcpu", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getcwd", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getdents", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getdents64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getegid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getegid32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "geteuid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "geteuid32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getgid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getgid32", - "action": "SCMP_ACT_ALLOW", - "args": 
null - }, - { - "name": "getgroups", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getgroups32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getitimer", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getpeername", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getpgid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getpgrp", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getpid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getppid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getpriority", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getrandom", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getresgid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getresgid32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getresuid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getresuid32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getrlimit", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "get_robust_list", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getrusage", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getsid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getsockname", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getsockopt", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "get_thread_area", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "gettid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "gettimeofday", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getuid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getuid32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "getxattr", - "action": "SCMP_ACT_ALLOW", 
- "args": null - }, - { - "name": "inotify_add_watch", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "inotify_init", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "inotify_init1", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "inotify_rm_watch", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "io_cancel", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "ioctl", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "io_destroy", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "io_getevents", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "ioprio_get", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "ioprio_set", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "io_setup", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "io_submit", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "kill", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "lchown", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "lchown32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "lgetxattr", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "link", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "linkat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "listen", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "listxattr", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "llistxattr", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "_llseek", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "lremovexattr", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "lseek", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "lsetxattr", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "lstat", - "action": "SCMP_ACT_ALLOW", 
- "args": null - }, - { - "name": "lstat64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "madvise", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "memfd_create", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mincore", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mkdir", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mkdirat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mknod", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mknodat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mlock", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mlockall", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mmap", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mmap2", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mprotect", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mq_getsetattr", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mq_notify", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mq_open", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mq_timedreceive", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mq_timedsend", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mq_unlink", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "mremap", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "msgctl", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "msgget", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "msgrcv", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "msgsnd", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "msync", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "munlock", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": 
"munlockall", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "munmap", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "name_to_handle_at", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "nanosleep", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "newfstatat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "_newselect", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "open", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "open_by_handle_at", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "openat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "pause", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "pipe", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "pipe2", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "poll", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "ppoll", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "prctl", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "pread64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "preadv", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "prlimit64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "pselect6", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "pwrite64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "pwritev", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "read", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "readahead", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "readlink", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "readlinkat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "readv", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "recvfrom", - "action": 
"SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "recvmmsg", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "recvmsg", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "remap_file_pages", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "removexattr", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "rename", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "renameat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "renameat2", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "rmdir", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "rt_sigaction", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "rt_sigpending", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "rt_sigprocmask", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "rt_sigqueueinfo", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "rt_sigreturn", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "rt_sigsuspend", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "rt_sigtimedwait", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "rt_tgsigqueueinfo", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sched_getaffinity", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sched_getattr", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sched_getparam", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sched_get_priority_max", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sched_get_priority_min", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sched_getscheduler", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sched_rr_get_interval", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sched_setaffinity", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { 
- "name": "sched_setattr", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sched_setparam", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sched_setscheduler", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sched_yield", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "seccomp", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "select", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "semctl", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "semget", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "semop", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "semtimedop", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sendfile", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sendfile64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sendmmsg", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sendmsg", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sendto", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setdomainname", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setfsgid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setfsgid32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setfsuid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setfsuid32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setgid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setgid32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setgroups", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setgroups32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sethostname", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setitimer", - "action": "SCMP_ACT_ALLOW", - "args": null - 
}, - { - "name": "setns", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setpgid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setpriority", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setregid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setregid32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setresgid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setresgid32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setresuid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setresuid32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setreuid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setreuid32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setrlimit", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "set_robust_list", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setsid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setsockopt", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "set_thread_area", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "set_tid_address", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setuid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setuid32", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "setxattr", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "shmat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "shmctl", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "shmdt", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "shmget", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "shutdown", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sigaltstack", - "action": "SCMP_ACT_ALLOW", - "args": null - 
}, - { - "name": "signalfd", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "signalfd4", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "socket", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "socketpair", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "splice", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "stat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "stat64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "statfs", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "statfs64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "symlink", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "symlinkat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sync", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sync_file_range", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "syncfs", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "sysinfo", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "syslog", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "tee", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "tgkill", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "time", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "timer_create", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "timer_delete", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "timerfd_create", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "timerfd_gettime", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "timerfd_settime", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "timer_getoverrun", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "timer_gettime", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - 
{ - "name": "timer_settime", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "times", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "tkill", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "truncate", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "truncate64", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "ugetrlimit", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "umask", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "uname", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "unlink", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "unlinkat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "unshare", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "utime", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "utimensat", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "utimes", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "vfork", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "vhangup", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "vmsplice", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "wait4", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "waitid", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "write", - "action": "SCMP_ACT_ALLOW", - "args": null - }, - { - "name": "writev", - "action": "SCMP_ACT_ALLOW", - "args": null - } - ] -} diff --git a/docs/docker/seccomp_profile.json b/docs/docker/seccomp_profile.json new file mode 100644 index 0000000000..fddc05fb52 --- /dev/null +++ b/docs/docker/seccomp_profile.json 
@@ -0,0 +1,831 @@ +{ + "defaultAction": "SCMP_ACT_ERRNO", + "archMap": [ + { + "architecture": "SCMP_ARCH_X86_64", + "subArchitectures": [ + "SCMP_ARCH_X86", + "SCMP_ARCH_X32" + ] + }, + { + "architecture": "SCMP_ARCH_AARCH64", + "subArchitectures": [ + "SCMP_ARCH_ARM" + ] + }, + { + "architecture": "SCMP_ARCH_MIPS64", + "subArchitectures": [ + "SCMP_ARCH_MIPS", + "SCMP_ARCH_MIPS64N32" + ] + }, + { + "architecture": "SCMP_ARCH_MIPS64N32", + "subArchitectures": [ + "SCMP_ARCH_MIPS", + "SCMP_ARCH_MIPS64" + ] + }, + { + "architecture": "SCMP_ARCH_MIPSEL64", + "subArchitectures": [ + "SCMP_ARCH_MIPSEL", + "SCMP_ARCH_MIPSEL64N32" + ] + }, + { + "architecture": "SCMP_ARCH_MIPSEL64N32", + "subArchitectures": [ + "SCMP_ARCH_MIPSEL", + "SCMP_ARCH_MIPSEL64" + ] + }, + { + "architecture": "SCMP_ARCH_S390X", + "subArchitectures": [ + "SCMP_ARCH_S390" + ] + } + ], + "syscalls": [ + { + "comment": "Allow create user namespaces", + "names": [ + "clone", + "setns", + "unshare" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "includes": {}, + "excludes": {} + }, + { + "names": [ + "accept", + "accept4", + "access", + "adjtimex", + "alarm", + "bind", + "brk", + "capget", + "capset", + "chdir", + "chmod", + "chown", + "chown32", + "clock_adjtime", + "clock_adjtime64", + "clock_getres", + "clock_getres_time64", + "clock_gettime", + "clock_gettime64", + "clock_nanosleep", + "clock_nanosleep_time64", + "close", + "connect", + "copy_file_range", + "creat", + "dup", + "dup2", + "dup3", + "epoll_create", + "epoll_create1", + "epoll_ctl", + "epoll_ctl_old", + "epoll_pwait", + "epoll_wait", + "epoll_wait_old", + "eventfd", + "eventfd2", + "execve", + "execveat", + "exit", + "exit_group", + "faccessat", + "fadvise64", + "fadvise64_64", + "fallocate", + "fanotify_mark", + "fchdir", + "fchmod", + "fchmodat", + "fchown", + "fchown32", + "fchownat", + "fcntl", + "fcntl64", + "fdatasync", + "fgetxattr", + "flistxattr", + "flock", + "fork", + "fremovexattr", + "fsetxattr", + "fstat", + 
"fstat64", + "fstatat64", + "fstatfs", + "fstatfs64", + "fsync", + "ftruncate", + "ftruncate64", + "futex", + "futex_time64", + "futimesat", + "getcpu", + "getcwd", + "getdents", + "getdents64", + "getegid", + "getegid32", + "geteuid", + "geteuid32", + "getgid", + "getgid32", + "getgroups", + "getgroups32", + "getitimer", + "getpeername", + "getpgid", + "getpgrp", + "getpid", + "getppid", + "getpriority", + "getrandom", + "getresgid", + "getresgid32", + "getresuid", + "getresuid32", + "getrlimit", + "get_robust_list", + "getrusage", + "getsid", + "getsockname", + "getsockopt", + "get_thread_area", + "gettid", + "gettimeofday", + "getuid", + "getuid32", + "getxattr", + "inotify_add_watch", + "inotify_init", + "inotify_init1", + "inotify_rm_watch", + "io_cancel", + "ioctl", + "io_destroy", + "io_getevents", + "io_pgetevents", + "io_pgetevents_time64", + "ioprio_get", + "ioprio_set", + "io_setup", + "io_submit", + "io_uring_enter", + "io_uring_register", + "io_uring_setup", + "ipc", + "kill", + "lchown", + "lchown32", + "lgetxattr", + "link", + "linkat", + "listen", + "listxattr", + "llistxattr", + "_llseek", + "lremovexattr", + "lseek", + "lsetxattr", + "lstat", + "lstat64", + "madvise", + "membarrier", + "memfd_create", + "mincore", + "mkdir", + "mkdirat", + "mknod", + "mknodat", + "mlock", + "mlock2", + "mlockall", + "mmap", + "mmap2", + "mprotect", + "mq_getsetattr", + "mq_notify", + "mq_open", + "mq_timedreceive", + "mq_timedreceive_time64", + "mq_timedsend", + "mq_timedsend_time64", + "mq_unlink", + "mremap", + "msgctl", + "msgget", + "msgrcv", + "msgsnd", + "msync", + "munlock", + "munlockall", + "munmap", + "nanosleep", + "newfstatat", + "_newselect", + "open", + "openat", + "pause", + "pipe", + "pipe2", + "poll", + "ppoll", + "ppoll_time64", + "prctl", + "pread64", + "preadv", + "preadv2", + "prlimit64", + "pselect6", + "pselect6_time64", + "pwrite64", + "pwritev", + "pwritev2", + "read", + "readahead", + "readlink", + "readlinkat", + "readv", + "recv", + 
"recvfrom", + "recvmmsg", + "recvmmsg_time64", + "recvmsg", + "remap_file_pages", + "removexattr", + "rename", + "renameat", + "renameat2", + "restart_syscall", + "rmdir", + "rseq", + "rt_sigaction", + "rt_sigpending", + "rt_sigprocmask", + "rt_sigqueueinfo", + "rt_sigreturn", + "rt_sigsuspend", + "rt_sigtimedwait", + "rt_sigtimedwait_time64", + "rt_tgsigqueueinfo", + "sched_getaffinity", + "sched_getattr", + "sched_getparam", + "sched_get_priority_max", + "sched_get_priority_min", + "sched_getscheduler", + "sched_rr_get_interval", + "sched_rr_get_interval_time64", + "sched_setaffinity", + "sched_setattr", + "sched_setparam", + "sched_setscheduler", + "sched_yield", + "seccomp", + "select", + "semctl", + "semget", + "semop", + "semtimedop", + "semtimedop_time64", + "send", + "sendfile", + "sendfile64", + "sendmmsg", + "sendmsg", + "sendto", + "setfsgid", + "setfsgid32", + "setfsuid", + "setfsuid32", + "setgid", + "setgid32", + "setgroups", + "setgroups32", + "setitimer", + "setpgid", + "setpriority", + "setregid", + "setregid32", + "setresgid", + "setresgid32", + "setresuid", + "setresuid32", + "setreuid", + "setreuid32", + "setrlimit", + "set_robust_list", + "setsid", + "setsockopt", + "set_thread_area", + "set_tid_address", + "setuid", + "setuid32", + "setxattr", + "shmat", + "shmctl", + "shmdt", + "shmget", + "shutdown", + "sigaltstack", + "signalfd", + "signalfd4", + "sigprocmask", + "sigreturn", + "socket", + "socketcall", + "socketpair", + "splice", + "stat", + "stat64", + "statfs", + "statfs64", + "statx", + "symlink", + "symlinkat", + "sync", + "sync_file_range", + "syncfs", + "sysinfo", + "tee", + "tgkill", + "time", + "timer_create", + "timer_delete", + "timer_getoverrun", + "timer_gettime", + "timer_gettime64", + "timer_settime", + "timer_settime64", + "timerfd_create", + "timerfd_gettime", + "timerfd_gettime64", + "timerfd_settime", + "timerfd_settime64", + "times", + "tkill", + "truncate", + "truncate64", + "ugetrlimit", + "umask", + "uname", + 
"unlink", + "unlinkat", + "utime", + "utimensat", + "utimensat_time64", + "utimes", + "vfork", + "vmsplice", + "wait4", + "waitid", + "waitpid", + "write", + "writev" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "ptrace" + ], + "action": "SCMP_ACT_ALLOW", + "args": null, + "comment": "", + "includes": { + "minKernel": "4.8" + }, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 0, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 8, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 131072, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 131080, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "personality" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 4294967295, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "sync_file_range2" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "ppc64le" + ] + }, + "excludes": {} + }, + { + "names": [ + "arm_fadvise64_64", + "arm_sync_file_range", + "sync_file_range2", + "breakpoint", + "cacheflush", + "set_tls" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "arm", + "arm64" + ] + }, + "excludes": {} + }, + { + 
"names": [ + "arch_prctl" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "amd64", + "x32" + ] + }, + "excludes": {} + }, + { + "names": [ + "modify_ldt" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "amd64", + "x32", + "x86" + ] + }, + "excludes": {} + }, + { + "names": [ + "s390_pci_mmio_read", + "s390_pci_mmio_write", + "s390_runtime_instr" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "s390", + "s390x" + ] + }, + "excludes": {} + }, + { + "names": [ + "open_by_handle_at" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_DAC_READ_SEARCH" + ] + }, + "excludes": {} + }, + { + "names": [ + "bpf", + "clone", + "fanotify_init", + "lookup_dcookie", + "mount", + "name_to_handle_at", + "perf_event_open", + "quotactl", + "setdomainname", + "sethostname", + "setns", + "syslog", + "umount", + "umount2", + "unshare" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + }, + "excludes": {} + }, + { + "names": [ + "clone" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 2114060288, + "valueTwo": 0, + "op": "SCMP_CMP_MASKED_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ], + "arches": [ + "s390", + "s390x" + ] + } + }, + { + "names": [ + "clone" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 1, + "value": 2114060288, + "valueTwo": 0, + "op": "SCMP_CMP_MASKED_EQ" + } + ], + "comment": "s390 parameter ordering for clone is different", + "includes": { + "arches": [ + "s390", + "s390x" + ] + }, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + } + }, + { + "names": [ + "reboot" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_BOOT" + ] + }, + "excludes": {} + }, + { + 
"names": [ + "chroot" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_CHROOT" + ] + }, + "excludes": {} + }, + { + "names": [ + "delete_module", + "init_module", + "finit_module" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_MODULE" + ] + }, + "excludes": {} + }, + { + "names": [ + "acct" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_PACCT" + ] + }, + "excludes": {} + }, + { + "names": [ + "kcmp", + "process_vm_readv", + "process_vm_writev", + "ptrace" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_PTRACE" + ] + }, + "excludes": {} + }, + { + "names": [ + "iopl", + "ioperm" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_RAWIO" + ] + }, + "excludes": {} + }, + { + "names": [ + "settimeofday", + "stime", + "clock_settime" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_TIME" + ] + }, + "excludes": {} + }, + { + "names": [ + "vhangup" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_TTY_CONFIG" + ] + }, + "excludes": {} + }, + { + "names": [ + "get_mempolicy", + "mbind", + "set_mempolicy" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_NICE" + ] + }, + "excludes": {} + }, + { + "names": [ + "syslog" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYSLOG" + ] + }, + "excludes": {} + } + ] +} diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 057fc6b1b8..377484be24 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
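Review bot: the copied profile still carries the default's argument-filtered `clone` rules (`"value": 2114060288, "op": "SCMP_CMP_MASKED_EQ"`, one for the normal arg order and one for s390, both excluded for `CAP_SYS_ADMIN`), whose only purpose is to deny namespace-creating `clone` flags to unprivileged processes, and it lists `clone`, `setns` and `unshare` again under the `CAP_SYS_ADMIN`-gated rule; if the profile's extra user-namespace rule allows those three syscalls unconditionally, all of these entries are dead, and because every rule here has `"comment": ""` a reader diffing this file against upstream `default.json` cannot tell which rule is the intentional deviation. Suggest a top-level comment naming the upstream commit the file was copied from and the one rule that differs, and either dropping the now-redundant `clone` arg rules or commenting why they stay. Worth stating next to the profile, too, that it widens the boundary for every process in the container, not only Chromium: anything that runs in it may create user namespaces, which is exactly the extra kernel attack surface the troubleshooting page warns about.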
@@ -5,8 +5,6 @@ * [Chrome headless doesn't launch on Windows](#chrome-headless-doesnt-launch-on-windows) * [Chrome headless doesn't launch on Linux/WSL](#chrome-headless-doesnt-launch-on-linuxwsl) * [Setting Up Chrome Linux Sandbox](#setting-up-chrome-linux-sandbox) - - [[recommended] Enable user namespace cloning](#recommended-enable-user-namespace-cloning) - - [[alternative] Setup setuid sandbox](#alternative-setup-setuid-sandbox) - [Firefox](#firefox) * [Firefox headless doesn't launch on Linux/WSL](#firefox-headless-doesnt-launch-on-linuxwsl) - [WebKit](#webkit) 
@@ -148,41 +146,28 @@ const browser = await playwright.chromium.launch({ chromiumSandbox: false }); > **NOTE**: Running without a sandbox is **strongly discouraged**. Consider configuring a sandbox instead. -There are 2 ways to configure a sandbox in Chromium. +To enable Chromium sandbox, you should enable [user namespace cloning](http://man7.org/linux/man-pages/man7/user_namespaces.7.html). -#### [recommended] Enable [user namespace cloning](http://man7.org/linux/man-pages/man7/user_namespaces.7.html) +User namespace cloning is only supported by modern kernels. Unprivileged user +namespaces are generally fine to enable, but in some cases they open up more +kernel attack surface for (unsandboxed) non-root processes to elevate to kernel +privileges. -User namespace cloning is only supported by modern kernels. Unprivileged user namespaces are generally fine to enable, -but in some cases they open up more kernel attack surface for (unsandboxed) non-root processes to elevate to -kernel privileges. +In general, user namespace cloning can be enabled with the following command: ```bash sudo sysctl -w kernel.unprivileged_userns_clone=1 ``` -#### [alternative] Setup [setuid sandbox](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux_suid_sandbox_development.md) +In case of Docker, containers need to be run with a custom [security profile](https://docs.docker.com/engine/security/seccomp/) that enables +user namespace cloning. You can download this profile here: [`seccomp_profile.json`](docker/seccomp_profile.json) -The setuid sandbox comes as a standalone executable and is located next to the Chromium that Playwright downloads. 
It is -fine to re-use the same sandbox executable for different Chromium versions, so the following could be -done only once per host environment: +With the downloaded profile, docker container could be run like this: -```bash -# cd to the downloaded instance -cd /node_modules/playwright/.local-browsers/chromium-/ -sudo chown root:root chrome_sandbox -sudo chmod 4755 chrome_sandbox -# copy sandbox executable to a shared location -sudo cp -p chrome_sandbox /usr/local/sbin/chrome-devel-sandbox -# export CHROME_DEVEL_SANDBOX env variable -export CHROME_DEVEL_SANDBOX=/usr/local/sbin/chrome-devel-sandbox +```sh +docker run --rm --security-opt seccomp=/path/to/seccomp/profile.json -it my-image-name ``` -You might want to export the `CHROME_DEVEL_SANDBOX` env variable by default. In this case, add the following to the `~/.bashrc` -or `.zshenv`: - -```bash -export CHROME_DEVEL_SANDBOX=/usr/local/sbin/chrome-devel-sandbox -``` ## Firefox
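Review bot: "In general, user namespace cloning can be enabled with the following command" overstates `sudo sysctl -w kernel.unprivileged_userns_clone=1`; that sysctl comes from a Debian/Ubuntu (and linux-hardened) kernel patch, does not exist on mainline kernels such as Fedora or RHEL, where unprivileged user namespaces are governed by `user.max_user_namespaces`, and `sysctl -w` does not survive a reboot. Suggest qualifying the sentence ("On Debian-based distributions") and mentioning persistence via `/etc/sysctl.d/`. Two further points on this hunk: deleting the whole `[alternative] Setup setuid sandbox` section leaves users who cannot enable unprivileged user namespaces (the paragraph kept here acknowledges the attack-surface concern, and some hardened hosts keep them off) with no documented path other than `chromiumSandbox: false`, which the note above calls strongly discouraged, so at least keep the link to Chromium's `linux_suid_sandbox_development.md`; and the `docker run --security-opt seccomp=/path/to/seccomp/profile.json` example should say that the profile only stops Docker's seccomp filter from blocking `clone(CLONE_NEWUSER)`, so the host kernel's own sysctl must still permit it, and should carry `--ipc=host` (or a larger `--shm-size`), since Chromium otherwise runs against Docker's small default `/dev/shm`.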