[Bug]: Sandbox browser runs Chromium as root with --no-sandbox #8566
Description
Summary
The sandbox browser image launches Chromium with --no-sandbox and does not drop root privileges. This disables Chromium’s security sandbox while running as root, materially weakening the browser’s isolation boundary; if a browser exploit occurs, the impact is significantly worse. Because sandbox containers mount agent workspaces, this increases the risk of workspace tampering and broader compromise of the OpenClaw runtime.
Executive Risk Snapshot
- CVSS v3.1: 9.6 (Critical)
- CVSS v4.0: 9.4 (Critical)
- Primary risk: The sandbox browser image launches Chromium with `--no-sandbox` and does not drop root privileges.
Technical Analysis
Describe root cause, what breaks, reproduction details, and fix approach.
Affected Code
File: Dockerfile.sandbox-browser:1-28

```dockerfile
FROM debian:bookworm-slim
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update \
  && apt-get install -y --no-install-recommends \
    chromium \
    socat \
    x11vnc \
    xvfb \
  && rm -rf /var/lib/apt/lists/*
COPY scripts/sandbox-browser-entrypoint.sh /usr/local/bin/openclaw-sandbox-browser
RUN chmod +x /usr/local/bin/openclaw-sandbox-browser
EXPOSE 9222 5900 6080
CMD ["openclaw-sandbox-browser"]
```

File: scripts/sandbox-browser-entrypoint.sh:34-49

```bash
CHROME_ARGS+=(
  "--remote-debugging-address=127.0.0.1"
  "--remote-debugging-port=${CHROME_CDP_PORT}"
  "--user-data-dir=${HOME}/.chrome"
  "--no-first-run"
  "--no-default-browser-check"
  "--disable-dev-shm-usage"
  "--disable-background-networking"
  "--disable-features=TranslateUI"
  "--disable-breakpad"
  "--disable-crash-reporter"
  "--metrics-recording-only"
  "--no-sandbox"
)
chromium "${CHROME_ARGS[@]}" about:blank &
```

Steps to Reproduce
- Build and run the sandbox browser image (`Dockerfile.sandbox-browser`).
- Start a sandboxed session that opens an arbitrary external site.
- Observe that Chromium is started with `--no-sandbox` and runs as root by default.
- A malicious page exploit can escape the browser sandbox and gain root inside the container.
Recommended Fix
- Create a non-root user in `Dockerfile.sandbox-browser` and switch to it with `USER`.
- Remove `--no-sandbox` from the entrypoint so Chromium’s sandbox is enabled.
- Optionally enforce `--user` in sandbox Docker runtime config (or user namespace remapping) to prevent future regressions.
Detailed Risk Analysis
CVSS Assessment
| Metric | Value |
|---|---|
| Score | 9.6 / 10.0 |
| Severity | Critical |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Attack Surface
How is this reached?
- [x] Network / [ ] Adjacent / [ ] Local / [ ] Physical
Authentication required?
- [x] None / [ ] Low / [ ] High
Entry point: Sandbox browser container used by the browser tool
Exploit Conditions
Complexity: [x] Low / [ ] High
User interaction: [ ] None / [x] Required
Prerequisites: A sandboxed session visits or renders a malicious web page using the built-in browser tool.
Impact Assessment
Scope: [ ] Unchanged / [x] Changed
| Impact Type | Level | Description |
|---|---|---|
| Confidentiality | High | Malicious page can read data within the container and any mounted workspace directories. |
| Integrity | High | Attacker can modify workspace files or cached state mounted into the container. |
| Availability | High | Compromise can disrupt or sabotage sandbox execution and related workflows. |
References
- CWE: CWE-250
- Chromium docs: `--no-sandbox` disables the security sandbox and should not be used for general browsing (https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md)
- Docker docs: user namespace remapping maps container root to an unprivileged host user (https://docs.docker.com/engine/security/userns-remap/)
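
A CI guard for the regression the Recommended Fix warns about, as an added example that is not part of the original issue or the OpenClaw repository: it flags a Dockerfile whose effective user is root and an entrypoint that still passes `--no-sandbox`. The function names, the `browser` user and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: CI guard for the two findings in this issue.
# Effective runtime user: argument of the last USER in the final stage,
# or "root" when there is none (assumes the base image sets no USER).
effective_user() {
    awk 'toupper($1) == "FROM" { u = "" }
         toupper($1) == "USER" { u = $2 }
         END { print (u == "" ? "root" : u) }' "$1"
}

# Succeed only if the image does not run as root (by name or UID 0).
dockerfile_drops_root() {
    case "$(effective_user "$1")" in
        root|0|root:*|0:*) return 1 ;;
    esac
}

# Succeed only if no non-comment line of the entrypoint has --no-sandbox.
entrypoint_keeps_sandbox() {
    ! grep -v '^[[:space:]]*#' "$1" | grep -q -e '--no-sandbox'
}

# Audit a Dockerfile/entrypoint pair: print findings, return their count.
audit_sandbox_browser() {
    findings=0
    dockerfile_drops_root "$1" || {
        echo "FAIL $1: container runs as root (no non-root USER)"
        findings=$((findings + 1)); }
    entrypoint_keeps_sandbox "$2" || {
        echo "FAIL $2: Chromium launched with --no-sandbox"
        findings=$((findings + 1)); }
    return "$findings"
}

# Constructed samples: the pattern from the issue and a hardened variant
# (the "browser" user name is hypothetical).
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'FROM debian:bookworm-slim' 'CMD ["openclaw-sandbox-browser"]' > "$d/Dockerfile.bad"
    printf '%s\n' 'CHROME_ARGS+=(' '"--no-first-run"' '"--no-sandbox"' ')' > "$d/entry.bad.sh"
    printf '%s\n' 'FROM debian:bookworm-slim' 'RUN useradd -m browser' 'USER browser' > "$d/Dockerfile.good"
    printf '%s\n' '# --no-sandbox removed' 'CHROME_ARGS+=(' '"--no-first-run"' ')' > "$d/entry.good.sh"
    echo "$d"
}

d=$(make_samples)
audit_sandbox_browser "$d/Dockerfile.bad" "$d/entry.bad.sh" || echo "findings: $?"
audit_sandbox_browser "$d/Dockerfile.good" "$d/entry.good.sh" && echo "hardened pair: clean"
rm -rf "$d"
```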