From ffc2fed113af6a7dde8f2e2ff4407281992d92d5 Mon Sep 17 00:00:00 2001 From: Leena Miettinen Date: Mon, 27 Jan 2020 15:18:52 +0100 Subject: Doc: Remove info about Sandboxing not being supported on Windows Since 5.14.1, it is supported. List restrictions on Linux and ways of explicitly disabling sandboxing on all platforms. Fixes: QTBUG-81688 Change-Id: I7f8fc08b921cc0e50056cc143cbf63b62be90b4e Reviewed-by: Allan Sandfeld Jensen --- .../doc/src/qtwebengine-platform-notes.qdoc | 34 +++++++++++++++------- 1 file changed, 23 insertions(+), 11 deletions(-) (limited to 'src/webengine/doc/src/qtwebengine-platform-notes.qdoc') diff --git a/src/webengine/doc/src/qtwebengine-platform-notes.qdoc b/src/webengine/doc/src/qtwebengine-platform-notes.qdoc index 1b8320c0c..1af2141b1 100644 --- a/src/webengine/doc/src/qtwebengine-platform-notes.qdoc +++ b/src/webengine/doc/src/qtwebengine-platform-notes.qdoc 
@@ -174,20 +174,32 @@ \section1 Sandboxing Support - \QWE provides out-of-the-box sandboxing support for Chromium render processes on Linux - and \macos. Sandboxing is currently not supported on Windows due to a limitation in how - the sandbox is set up and how it interacts with the host process provided by the \QWE - libraries. + \QWE provides out-of-the-box sandboxing support for Chromium render + processes. - On \macos, there are no special requirements for enabling sandbox support. + On Linux, note the following restrictions: - On Linux, the kernel has to support the anonymous namespaces feature (kernel version >= 3.8) - and seccomp-bpf feature (kernel version >= 3.5). Setuid sandboxes are not supported and are thus - disabled. + \list + \li The kernel has to support the anonymous namespaces feature + (kernel version 3.8 or later). However, on Debian, Ubuntu, + and other Debian-derived distributions, this feature is off + by default. It can be turned on by setting + \c /proc/sys/kernel/unprivileged_userns_clone to 1. + \li The kernel has to support the \c seccomp-bpf feature (kernel + version 3.5 or later). + \li Setuid sandboxes are not supported and are thus disabled. + \endlist + + To explicitly disable sandboxing, use one of the following options: + + \list + \li Set the \c QTWEBENGINE_DISABLE_SANDBOX environment variable to 1. + \li Pass the \c{--no-sandbox} command line argument to the user + application executable. + \li Set \c QTWEBENGINE_CHROMIUM_FLAGS to \c{--no-sandbox}. + \endlist - To explicitly disable sandboxing, the \c QTWEBENGINE_DISABLE_SANDBOX environment variable can be - set to 1 or alternatively the \c{--no-sandbox} command line argument can be passed to the user - application executable. + For more information, see \l{Using Command-Line Arguments}. \section1 Accessibility and Performance -- cgit v1.2.3
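Review bot: In the new Linux \list, the first \li says the feature "can be turned on by setting \c /proc/sys/kernel/unprivileged_userns_clone to 1" without saying that this is a kernel-wide setting made by the system administrator, not something the application can change for itself. The section also never states what \QWE does when one of the listed restrictions is not met, so a reader cannot tell whether the render processes then run without a sandbox or the application fails to start. Suggest adding one sentence after the first \endlist that states this fallback behavior, and wording the first item as a requirement on the host system. In the second \list, the third \li reads as if \c QTWEBENGINE_CHROMIUM_FLAGS must be exactly \c{--no-sandbox}; "add \c{--no-sandbox} to \c QTWEBENGINE_CHROMIUM_FLAGS" would be clearer for readers who already pass other flags through that variable. Since this list now documents three ways to turn the sandbox off on all platforms, it would also help to say in the same paragraph what the options are intended for, so the page does not read as if running without the sandbox were an equivalent configuration.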