Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Chrome Requires TSYNC Support Under Linux

Posted by timothy on from the what-you-gotta-do dept.

An anonymous reader writes Google's Chrome/Chromium web browser does not support slightly older versions of the Linux kernel anymore. Linux 3.17 is now the minimum requirement. According to a thread on the Debian mailing list, a kernel feature called TSYNC is what makes the difference. When a backported patch for the Debian 8 kernel was requested, there were hostile replies about not wanting to support "Google spyware."

28 of 338 comments (clear)

  1. Doesn't smell right by Enry · · Score: 4, Insightful

    This doesn't pass the sniff test. This 'bug' has apparently been around for months (October/November) and it's just now that people are noticing? And the fix is patching the kernel rather than regressing whatever change was in Chrome that added this?

    1. Re:Doesn't smell right by Anonymous Coward · · Score: 5, Informative

      It's not a bug. Google's Chromium team decided the Linux kernel seccomp API wasn't meeting their needs, so they added the TSYNC feature (which makes applying seccomp sandboxing to child threads easier to do securely) to the kernel so they could use it in their code. They just aren't caring about the fact that not a lot of users have good reasons to be running older kernels. And it's complicated by the fact that they didn't get the kernel feature in before Debian jessie's feature freeze. Once again because they don't seem to care about other people's software lifecycles.

    2. Re:Doesn't smell right by Runaway1956 · · Score: 4, Informative

      No, you're not SOL - there is a thriving community of Chrome hackers who change anything and everything they don't like about Chrome.

      http://www.srware.net/en/softw...

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    3. Re:Doesn't smell right by Anonymous Coward · · Score: 5, Insightful

      People are only noticing now because Google recently announced that future versions of Chromium (and thus Chrome) will only work with kernels that have this flag. It's a silly controversy because a Debian kernel maintainer just categorically rejected adding the patch not on any technical merit, but simply because he doesn't like Google. And as far as rejecting the patch because the freeze, well, that doesn't really fly since this patch was offered back in October of last year. In fact, Ubuntu already backported the patch for 12.04 lts kernel (3.13) and higher. So its not as if Debian couldn't have added the patch before the freeze. Apparently, this patch is simply being rejected because of a pathetic personal animosity towards the developer of patch, or the company he works for (Google).

  2. Re:It's not even all of T'SYNC by Anonymous Coward · · Score: 5, Funny

    I thought T'Sync was Spock's aunt.

  3. What's TSYNC ? by itzly · · Score: 4, Interesting

    Would have been nice if TFS had included an explanation of what the TSYNC feature is.

    1. Re:What's TSYNC ? by Eunuchswear · · Score: 5, Informative

      It's not the "TSYNC feature", it's SECCOMP_FILTER_FLAG_TSYNC

      http://lkml.iu.edu/hypermail/linux/kernel/1406.1/01964.html

      (Buggered if I know what it's for, however).

      --
      Watch this Heartland Institute video
    2. Re:What's TSYNC ? by vadim_t · · Score: 5, Informative

      Digging around a bit this is what I gathered:

      TSYNC is some flag added to seccomp to aid in something relating to thread synchronization: http://patchwork.linux-mips.or...

      And seccomp is a security mechanism of the Linux kernel used to implement the sandbox in Google Chrome, which it uses for instance to run the Flash plugin in such a way that it doesn't compromise the system if one of its many security weaknesses: http://lwn.net/Articles/347547...

      None of this seems to have any relation to spyware, in fact it would seem to have the exact contrary purpose: protecting the system from potentially malicious code and security exploits.

      Unless I'm missing something obvious, it sounds like Ben Hutchins (the Debian mailing list guy who made the comment on spyware) just dislikes Chrome for whatever reason unrelated to TSYNC and decided that it would be a fine way to ensure new versions of Chrome don't run.

    3. Re:What's TSYNC ? by Anonymous Coward · · Score: 5, Informative

      It's part of the "sandboxing" mechanism in Linux which allows processes to limit their interactions with the kernel to a subset of API calls by installing filter programs. The purpose of this limitation is known as the concept of least privilege: A process should not have more power to do anything than it needs to do its job. If it has more power, then an attacker can use that power in case he achieves control over that process. That's why you don't run your web server as the root user, for example. Server processes often start as high-privilege processes (for example to be able to attach to network ports lower than 1024), and then shed their privileges by switching to a limited user. Seccomp is a more fine-grained way of limiting the powers of processes. If a process tries to use a kernel API that it has previously denied itself access to, the kernel kills the process. For example, a process which in its normal operation never needs to access the file system can install a filter program which denies it all access to the file system API of the kernel. If an attacker injects code into the process to access the file system, the API call will then get the process killed instead of accessing the file system. The TSYNC feature enables a process to refine (limit more) whatever limited access a group of threads previously had (TSYNC stands for thread synchronization).

    4. Re:What's TSYNC ? by vadim_t · · Score: 5, Informative

      Right, so here is seems how things are:

      1. Google seems to have little regard for long term backwards compatibility, at least on the timeframes Debian wants it. Kernel 3.17 came out in October 2014. Fedora has a new enough kernel, but also doesn't have Chromium officially apparently because Google likes to clone various libraries and do API changes, rather than trying to work with the original developers, distributions, etc. So it seems Google mostly does its own thing and lets other people to deal with it.

      2. So Google is now releasing browsers that require kernel 3.17 to work properly. Users want to run it on their systems.

      3. But Jessie is frozen and so changes only happen for good reasons. The question is then whether to backport the TSYNC feature. On one hand, it's a new feature and it doesn't go in frozen releases, on the other hand it stops new versions of Chrome from running, which is a security concern. Ubuntu seems to have went with the later logic.

      4. Ben's reaction is "1. I don't like Chrome, so no", and "2. Distro is in freeze, there needs to be a formal proposal explaining exactly what patch to merge, and a sympathetic maintainer, which I am not".

      So really what's going on is a conflict between organizations. Google wants to move faster than Debian does, and Debian (or at least Ben) doesn't want to give Google special concessions.

    5. Re:What's TSYNC ? by Cley+Faye · · Score: 4, Insightful

      they were able to survive without TSYNC and make it 'safe' but suddenly they can't

      Geez, improving their software's security by taking advantage of better kernel support, Google really are deadbeat stupid. Better drop the sandboxing idea, have everything in the same process, preferably run as root. We'll be all safe with this old, not up-to-date version of openssl with brand new SSL3.0 support.

    6. Re:What's TSYNC ? by Ben+Hutchings · · Score: 5, Informative

      I do dislike Chrome and I'm not going to pretend otherwise. Aside from its being spyware (in its default configuration), the Chrome/Chromium developers have previously added requirements that make Chromium unsupportable in Debian 7. We could add this kernel feature now, but I strongly doubt that will be sufficient to keep Chrome/Chromium running on Debian 8 until its EOL.

      Please note that I am not NAKing the change, but I'm also not going to be the one to make it happen.

  4. Re:So much for Debian 8, then... by Eunuchswear · · Score: 5, Insightful

    Not that I was going to use a system that kowtows to RMS by calling itself GNU/Linux anyway, but the OS is there to support the software I use, and I use Chrome on Linux. If the OS won't support it, then I won't use it.

    So, you tell us you are not going to use a system that you weren't going to use.

    And we should give a fuck, why?

    --
    Watch this Heartland Institute video
  5. Debian 8 was already a lost cause. by Anonymous Coward · · Score: 5, Interesting

    Debian 8 was a lost cause long before this nonsense. It will be the first "stable" version of Debian to include systemd. Systemd was forced upon Debian users thanks to some dirty politics, and has generally been unwanted by most of the Debian community. It already caused numerous problems for those running the unstable and testing versions of Debian, including systems that would no longer boot. The fact that systemd is still under very heavily development additionally means that it has no place in a stable Linux distro release, especially a Debian stable release. Many Debian users, especially those running servers, have realized that they need to discard Debian in order to maintain the stability of their systems. We've seen lots of these people move to the BSDs, in fact. All of that aside, Debian 8 is shaping up to be one of the most disappointing Debian releases ever, if not the worst, and it's all thanks to the bad decision to include systemd.

    1. Re:Debian 8 was already a lost cause. by rubycodez · · Score: 4, Informative

      No systemd is not production ready. I've Debian testing systems in vm, and find systemd is buggy garbage.

  6. People are correctly annoyed by this by Anonymous Coward · · Score: 5, Insightful

    The general issue here is that running a fairly large, popular application now requires a kernel patch that was authored by the same organization that wrote the application. Moreover, the kernel version including this patch is well newer than what's shipped by most mainstream distributions, AND the application vendor is fairly hostile to running older versions of the application software (that wouldn't require this patch).

    So,

    1. Vendor isn't willing to think about distribution support timelines
    2. Vendor doesn't seem to care about kernel/userspace boundaries and very happily writes code on both sides to an interface they've designed themselves, for themselves.
    3. Profit?

    Yes, doing it this way is notably easier for Google. This is generally considered one of the selling points of a closed ecosystem: you don't have to care about little things like public interfaces and what's already in the field (and going to be there for a decade): just "move fast and break stuff" because it all works in the environment that you're testing in, and you don't much care about anything else.

    1. Re:People are correctly annoyed by this by hazeii · · Score: 4, Informative

      That'll be https://www.mozilla.org/en-US/firefox/organizations/all/.

      Sadly, despite being a long-term FF user, it pains me to say it's far easier is to switch to Palemoon; it's a minimal effort and the result is firefox without all the BS (Palemoon being a firefox fork/tracker that values functionality over hipster cool)

      --
      All your ghosts are just false positives.
  7. Re:How the fuck does Chrome handle other platforms by Anonymous Coward · · Score: 5, Informative

    It's a detail of how sandboxing works on Linux. Other OSes have theirmown sandbox mechanisms. Microsoft cares about Windows having the necessary features because they use a sandbox in IE. The Linux sandbox mechanism that Chrome/Chromium uses appears to be an API at least partially developed by Google. TSYNC is a feature Google recently added to the sandboxing API in Linux because they intended to use it in Chrome.

  8. Google Chrome is fast moving... by gbcox · · Score: 5, Insightful

    This is really a non-issue. Chrome decided to use a recent feature in the kernel. This happens all the time. Most distributions that are using the older kernel have patched. If Debian doesn't want to patch, move to another distribution or switch to Firefox. Both Fedora 20 and 21 are on 3.17 - so it isn't an issue there. Debian is notorious for using old stuff, so it may be the kernel they are using requires a multitude of changes and because of their policies they don't want to move to a more recent version. You buy into that logic when you choose to use Debian - so expect this stuff to happen. This has nothing to do with RMS or Google; rather the mismatch of using a slow to update distribution with a browser that is on the fast track.

    1. Re:Google Chrome is fast moving... by gbcox · · Score: 4, Insightful

      Oh for pete sake... It doesn't matter who created the feature... it was viewed as relevant and worthwhile otherwise Linus wouldn't have allowed it in the kernel. You'll have the kernel feature if it is backported. This appears to be all about Debian. If they choose not to backport either switch distributions or use another browser. Most people aren't going to be impacted by this. It's kinda of silly... it's the feigned internet outrage of the day.

    2. Re:Google Chrome is fast moving... by Rich0 · · Score: 4, Insightful

      The application dropped support for production kernels ... because it wants a patch that isn't yet in production kernels.

      The feature is in several stable kernel branches. Your distro might just not support them, so either don't use Chrome, or don't use that distro, or figure out how to use a newer kernel on your distro. :)

    3. Re:Google Chrome is fast moving... by thegarbz · · Score: 5, Insightful

      THAT THE CHROME DEVS SUBMITTED TO THE KERNEL

      Putting something in bold doesn't in any way make it relevant. Chrome devs didn't put it into the kernel, they submitted it as you said. There's a whole team that look after and maintain the kernel and they don't just blindly let every bit of code in. Most things go through review and go into the kernel only if Linus doesn't castrate the submitter.

      TSYNC is now a current feature of the kernel. Where it came from is entirely irrelevant.

      Also given the market share of Chrome on Linux in the wider scheme of the internet I think they may have only shot off the tip of one toenail. The foot will be fine.

  9. Re:Mailing list sounds like a bunch of Whiners.... by BitZtream · · Score: 5, Insightful

    Chrome is by definition, spyware.

    It does everything in its power to relay information about your activities back to Google, right down to what you click and when, if you allow it.

    Most of these 'features' require you to opt-in, but some just happen right out of the box.

    If you don't realize that the entire existence of Chrome and Chromium is to get information about you, you're an idiot with your head in the sand.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  10. Re:So much for Debian 8, then... by Gr8Apes · · Score: 5, Insightful

    You know what? I'm not paranoid about Google. They don't care about me individually, and I opt out of their ad targeting. The rest I just don't care about.

    You're can't be paranoid about google, paranoia is thinking that someone's watching you, with Google, they boldly state they're watching you and in your case you're aware of that. I personally do care what Google knows and have taken steps to limit that significantly, by using as little of their services as possible and making tracking me much more difficult. A random Jane or John at Google shouldn't be able to tell you you're on your period this week, for instance.

    --
    The cesspool just got a check and balance.
  11. Re:So much for Debian 8, then... by Jay+Maynard · · Score: 5, Informative

    "TSYNC is a new sandboxing flag for seccomp that was recently added to the Linux kernel." -- from the description of the change to Chromium

    Sounds like more browsers should be using it.

    --
    Disinfect the GNU General Public Virus!
  12. Re:So much for Debian 8, then... by Lennie · · Score: 5, Informative

    Here is the kernel commit message:

    seccomp: implement SECCOMP_FILTER_FLAG_TSYNC
    Applying restrictive seccomp filter programs to large or diverse
    codebases often requires handling threads which may be started early in
    the process lifetime (e.g., by code that is linked in). While it is
    possible to apply permissive programs prior to process start up, it is
    difficult to further restrict the kernel ABI to those threads after that
    point.

    This change adds a new seccomp syscall flag to SECCOMP_SET_MODE_FILTER for
    synchronizing thread group seccomp filters at filter installation time.

    When calling seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
    filter) an attempt will be made to synchronize all threads in current's
    threadgroup to its new seccomp filter program. This is possible iff all
    threads are using a filter that is an ancestor to the filter current is
    attempting to synchronize to. NULL filters (where the task is running as
    SECCOMP_MODE_NONE) are also treated as ancestors allowing threads to be
    transitioned into SECCOMP_MODE_FILTER. If prctrl(PR_SET_NO_NEW_PRIVS, ...) has been set on the calling thread, no_new_privs will be set for
    all synchronized threads too. On success, 0 is returned. On failure,
    the pid of one of the failing threads will be returned and no filters
    will have been applied.

    The race conditions against another thread are:
    - requesting TSYNC (already handled by sighand lock)
    - performing a clone (already handled by sighand lock)
    - changing its filter (already handled by sighand lock)
    - calling exec (handled by cred_guard_mutex)
    The clone case is assisted by the fact that new threads will have their
    seccomp state duplicated from their parent before appearing on the tasklist.

    Holding cred_guard_mutex means that seccomp filters cannot be assigned
    while in the middle of another thread's exec (potentially bypassing
    no_new_privs or similar). The call to de_thread() may kill threads waiting
    for the mutex.

    Changes across threads to the filter pointer includes a barrier.

    https://git.kernel.org/cgit/li...

    --
    New things are always on the horizon
  13. Re:So much for Debian 8, then... by IamTheRealMike · · Score: 4, Informative

    It means it makes Chrome more secure.

    This sort of thing is why Debian is so often seen as a realm of knee jerk lunatics. Debian isn't keeping up with features Chrome needs to be more resistant to browser exploits (which are used to install ACTUAL spyware) and the answer is "Chrome gathers statistics on how it's used so it's evil and we don't care if it breaks". WTF?

  14. Re:So much for Debian 8, then... by Anonymous Coward · · Score: 4, Interesting

    This needs some serious modding up. ... as a lead developer who was instrumental in moving us from debian (which until the last year or two, I had been evangelizing and supporting for almost a decade) to FreeBSD for over 10,000 servers (two entire clusters) and hundreds of workstations (test/dev machines of developers/scientists/etc).

    We're starting to see similar things from our peers as well, debian/centos/rhel/ubuntu being dropped pretty rapidly within our circle of influence - they don't listen to users/customers (really bad RHEL wise, when you're paying them hundreds of thousands of dollars), they fail on security (something debian was once great at), and they're moving linux into a direction that's frankly - undesirable for serious servers, HPC, etc.

    Debian is dead, stop giving it attention, we've all moved on - so should the conversations.