
Pad Chromium in bubblewrap

Open Manawyrm opened this issue 11 months ago • 0 comments

bubblewrap is a nice little sandboxing tool, which (amongst other things) allows users to filter syscalls of a process. The Chromium process could be limited to a very small number of syscalls, limiting the attack surface against the Linux kernel.

A successful exploit would then need:

  • a Chromium exploit (V8, etc.)
  • a sandbox escape
  • bubblewrap escape (with limited syscalls from a non-privileged user)
  • Linux kernel local privilege escalation (from user to root/kernel)

Manawyrm, Jul 18 '23 08:07
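Added example, not code from AnotterKiosk, bubblewrap or the issue author: a C program that emits a raw seccomp-BPF allowlist in the format `bwrap --seccomp FD` loads, and checks the program offline with a minimal cBPF interpreter before it is ever applied to a process. It assumes an x86-64 Linux host; the ten-syscall list is a placeholder (a usable profile for Chromium has to be derived from tracing the real process, and is far longer), and the `bwrap` command line in the comment is illustrative.

```c
/* gen_seccomp.c: emit a raw seccomp-BPF allowlist for `bwrap --seccomp FD`
 * and self-check it with a tiny cBPF interpreter. Added example; not code
 * from AnotterKiosk or bubblewrap. Assumes an x86-64 Linux host. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* missing from pre-4.14 headers */
#endif

#define ARCH_NR         AUDIT_ARCH_X86_64
#define X32_SYSCALL_BIT 0x40000000U /* x32 ABI syscalls carry bit 30 on x86-64 */

/* Placeholder allowlist (assumption): a real Chromium profile is derived from
 * tracing the process (e.g. strace -f) and is much longer than this. */
static const int allowed_nrs[] = {
    SYS_read, SYS_write, SYS_exit, SYS_exit_group, SYS_brk,
    SYS_mmap, SYS_munmap, SYS_mprotect, SYS_futex, SYS_rt_sigreturn,
};
#define N_ALLOWED (sizeof allowed_nrs / sizeof allowed_nrs[0])
#define MAX_INSNS (8 + 2 * N_ALLOWED)

#define STMT(code, k)         ((struct sock_filter)BPF_STMT(code, k))
#define JUMP(code, k, jt, jf) ((struct sock_filter)BPF_JUMP(code, k, jt, jf))
#define KILL                  STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS)

/* Fill `prog` (at least MAX_INSNS entries); returns the instruction count. */
size_t build_filter(struct sock_filter *prog, const int *nrs, size_t n)
{
    size_t i = 0;
    /* 1. Kill unless the calling ABI is the one the list was written for;
     *    otherwise i386 numbers would alias onto different x86-64 syscalls. */
    prog[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[i++] = KILL;
    /* 2. Load the syscall number and reject the x32 ABI outright. */
    prog[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    prog[i++] = JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 0, 1);
    prog[i++] = KILL;
    /* 3. Allowlist: "if nr == k then ALLOW", one pair per syscall. */
    for (size_t k = 0; k < n; k++) {
        prog[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)nrs[k], 0, 1);
        prog[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    /* 4. Default deny: anything not listed kills the whole process. */
    prog[i++] = KILL;
    return i;
}

/* Minimal cBPF interpreter for exactly the opcodes build_filter emits, so the
 * program can be checked without loading it into the kernel. */
uint32_t run_filter(const struct sock_filter *prog, size_t len,
                    uint32_t arch, uint32_t nr)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k == offsetof(struct seccomp_data, arch)) acc = arch;
            else if (in->k == offsetof(struct seccomp_data, nr)) acc = nr;
            else return SECCOMP_RET_KILL_PROCESS; /* load we never emit */
            break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JGE | BPF_K: pc += (acc >= in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K: return in->k;
        default: return SECCOMP_RET_KILL_PROCESS; /* opcode we never emit */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end; cannot happen here */
}

/* Build the default program and report what it would do for (arch, nr). */
uint32_t decide(uint32_t arch, uint32_t nr)
{
    struct sock_filter prog[MAX_INSNS];
    size_t len = build_filter(prog, allowed_nrs, N_ALLOWED);
    return run_filter(prog, len, arch, nr);
}

/* bwrap reads the raw struct sock_filter array straight from the fd, e.g.
 *   bwrap --seccomp 3 3<chromium.bpf --unshare-all --ro-bind / / ... /usr/bin/chromium
 * (illustrative command line; keep whatever binds the kiosk actually needs). */
int write_filter(const char *path, const struct sock_filter *prog, size_t len)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t w = fwrite(prog, sizeof *prog, len, f);
    return (fclose(f) == 0 && w == len) ? 0 : -1;
}

int main(void)
{
    struct sock_filter prog[MAX_INSNS];
    size_t len = build_filter(prog, allowed_nrs, N_ALLOWED);
    /* Self-test before shipping the blob: a listed call passes; an unlisted
     * call and a wrong-ABI call are killed. */
    if (run_filter(prog, len, ARCH_NR, SYS_read) != SECCOMP_RET_ALLOW ||
        run_filter(prog, len, ARCH_NR, SYS_ptrace) != SECCOMP_RET_KILL_PROCESS ||
        run_filter(prog, len, AUDIT_ARCH_I386, SYS_read) != SECCOMP_RET_KILL_PROCESS) {
        fprintf(stderr, "filter self-test failed\n");
        return 1;
    }
    if (write_filter("chromium.bpf", prog, len) != 0) { perror("chromium.bpf"); return 1; }
    printf("wrote %zu instructions to chromium.bpf\n", len);
    return 0;
}
```

Two practical points when doing this for real. First, the kernel evaluates every seccomp filter installed on a process and applies the most restrictive verdict, so the outer filter bubblewrap installs stacks with the filters Chromium's own sandbox installs in its child processes; the outer list must still permit everything Chromium's zygote and sandbox need (namespace-creating `clone`, `unshare`, its own `seccomp`/`prctl` calls), which is why the list should come from tracing rather than from guesswork. Second, `SECCOMP_RET_KILL_PROCESS` as the default makes a missing syscall show up as an immediate crash rather than a silently failing `EPERM`, which is the behaviour you want while building the profile.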