From 2483d1dc12e6091dba29ae3f9af93c7574da2090 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Sat, 25 Apr 2026 10:04:29 +0100 Subject: [PATCH] fix(browser): drop redundant setuid sandbox flag Co-authored-by: Sebastian Krueger <150018+sebykrueger@users.noreply.github.com> --- CHANGELOG.md | 1 + docs/gateway/config-agents.md | 2 +- docs/gateway/sandboxing.md | 2 +- extensions/browser/src/browser/chrome.internal.test.ts | 2 +- extensions/browser/src/browser/chrome.ts | 1 - 5 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fa153b89c45..6250e909dcb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,7 @@ Docs: https://docs.openclaw.ai - Telegram: remove the startup persisted-offset `getUpdates` preflight so polling restarts do not self-conflict before the runner starts. Fixes #69304. (#69779) Thanks @chinar-amrutkar. - Browser/Playwright: ignore benign already-handled route races during guarded navigation so browser-page tasks no longer fail when Playwright tears down a route mid-flight. (#68708) Thanks @Steady-ai. - Browser/downloads: seed managed Chrome profiles with OpenClaw download prefs and capture unmanaged click-triggered downloads under the guarded downloads directory, while explicit download waiters still own their target file. (#64558) Thanks @Pearcekieser. +- Browser/Chrome: stop passing redundant `--disable-setuid-sandbox` when `browser.noSandbox` is enabled; `--no-sandbox` remains the effective sandbox opt-out. (#67939) Thanks @sebykrueger. - Browser/aria snapshots: bind `format=aria` `axN` refs to live DOM nodes through backend DOM ids when Playwright is available, so follow-up browser actions can use those refs without timing out. (#62434) Thanks @MrKipler. - Telegram: prevent duplicate in-process long pollers for the same bot token and add clearer `getUpdates` conflict diagnostics for external duplicate pollers. Fixes #56230. - Browser/Linux: detect Chromium-based installs under `/opt/google`, `/opt/brave.com`, `/usr/lib/chromium`, and `/usr/lib/chromium-browser` before asking users to set `browser.executablePath`. (#48563) Thanks @lupuletic. diff --git a/docs/gateway/config-agents.md b/docs/gateway/config-agents.md index 1dfed57c2f5..61447670c6b 100644 --- a/docs/gateway/config-agents.md +++ b/docs/gateway/config-agents.md @@ -881,7 +881,7 @@ noVNC observer access uses VNC auth by default and OpenClaw emits a short-lived - `--renderer-process-limit=2` can be changed with `OPENCLAW_BROWSER_RENDERER_PROCESS_LIMIT=`; set `0` to use Chromium's default process limit. - - plus `--no-sandbox` and `--disable-setuid-sandbox` when `noSandbox` is enabled. + - plus `--no-sandbox` when `noSandbox` is enabled. - Defaults are the container image baseline; use a custom browser image with a custom entrypoint to change container defaults. diff --git a/docs/gateway/sandboxing.md b/docs/gateway/sandboxing.md index a45871dedce..9f75b4310aa 100644 --- a/docs/gateway/sandboxing.md +++ b/docs/gateway/sandboxing.md @@ -393,7 +393,7 @@ for containerized workloads. Current container defaults include: - `--no-zygote` - `--metrics-recording-only` - `--renderer-process-limit=2` -- `--no-sandbox` and `--disable-setuid-sandbox` when `noSandbox` is enabled. +- `--no-sandbox` when `noSandbox` is enabled. - The three graphics hardening flags (`--disable-3d-apis`, `--disable-software-rasterizer`, `--disable-gpu`) are optional and are useful when containers lack GPU support. Set `OPENCLAW_BROWSER_DISABLE_GRAPHICS_FLAGS=0` diff --git a/extensions/browser/src/browser/chrome.internal.test.ts b/extensions/browser/src/browser/chrome.internal.test.ts index aa6136addc7..1450c525d11 100644 --- a/extensions/browser/src/browser/chrome.internal.test.ts +++ b/extensions/browser/src/browser/chrome.internal.test.ts @@ -210,7 +210,7 @@ describe("chrome.ts internal", () => { userDataDir: "/tmp/foo", }); expect(args).toContain("--no-sandbox"); - expect(args).toContain("--disable-setuid-sandbox"); + expect(args).not.toContain("--disable-setuid-sandbox"); }); it("adds --disable-dev-shm-usage on linux", () => { diff --git a/extensions/browser/src/browser/chrome.ts b/extensions/browser/src/browser/chrome.ts index 767515420db..49804210a4f 100644 --- a/extensions/browser/src/browser/chrome.ts +++ b/extensions/browser/src/browser/chrome.ts @@ -245,7 +245,6 @@ export function buildOpenClawChromeLaunchArgs(params: { } if (resolved.noSandbox) { args.push("--no-sandbox"); - args.push("--disable-setuid-sandbox"); } if (process.platform === "linux") { args.push("--disable-dev-shm-usage");