// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "sandbox/policy/features.h"
#include "build/build_config.h"
#include "build/chromeos_buildflags.h"
#include "sandbox/features.h"
namespace sandbox::policy::features {
#if !BUILDFLAG(IS_MAC) && !BUILDFLAG(IS_FUCHSIA)
// Enables network service sandbox.
// (Only causes an effect when feature kNetworkServiceInProcess is disabled.)
// Disabled by default. The feature is not defined on Mac or Fuchsia, where
// IsNetworkSandboxEnabled() returns true unconditionally. On Windows,
// IsNetworkSandboxEnabled() also requires
// sandbox::features::IsAppContainerSandboxSupported(), so enabling this
// feature alone does not guarantee a sandboxed network service there.
BASE_FEATURE(kNetworkServiceSandbox,
"NetworkServiceSandbox",
base::FEATURE_DISABLED_BY_DEFAULT);
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
// Enables a fine-grained seccomp-BPF syscall filter for the network service.
// Only has an effect if IsNetworkSandboxEnabled() returns true.
// If the network service sandbox is enabled and |kNetworkServiceSyscallFilter|
// is disabled, a seccomp-BPF filter will still be applied but it will not
// disallow any syscalls.
// Enabled by default. Security note: IsNetworkSandboxEnabled() does not consult
// this feature, so with it disabled the sandbox still reports as enabled while
// the filter restricts nothing.
BASE_FEATURE(kNetworkServiceSyscallFilter,
"NetworkServiceSyscallFilter",
base::FEATURE_ENABLED_BY_DEFAULT);
// Enables a fine-grained file path allowlist for the network service.
// Only has an effect if IsNetworkSandboxEnabled() returns true.
// If the network service sandbox is enabled and |kNetworkServiceFileAllowlist|
// is disabled, a file path allowlist will still be applied, but the policy will
// allow everything.
// Enabled by default. Security note: IsNetworkSandboxEnabled() does not consult
// this feature either, so with it disabled the sandbox still reports as enabled
// while the file policy permits every path.
BASE_FEATURE(kNetworkServiceFileAllowlist,
"NetworkServiceFileAllowlist",
base::FEATURE_ENABLED_BY_DEFAULT);
#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
#endif // !BUILDFLAG(IS_MAC) && !BUILDFLAG(IS_FUCHSIA)
#if BUILDFLAG(IS_WIN)
// Experiment for Windows sandbox security mitigation,
// sandbox::MITIGATION_EXTENSION_POINT_DISABLE.
// Disabled by default.
// NOTE(review): the registered name string is "WinSboxDisableExtensionPoint"
// (singular) while the C++ identifier is plural. The string is presumably what
// command-line and field-trial overrides must use, so confirm before changing
// either spelling.
BASE_FEATURE(kWinSboxDisableExtensionPoints,
"WinSboxDisableExtensionPoint",
base::FEATURE_DISABLED_BY_DEFAULT);
// Enables GPU AppContainer sandbox on Windows.
// Disabled by default.
BASE_FEATURE(kGpuAppContainer,
"GpuAppContainer",
base::FEATURE_DISABLED_BY_DEFAULT);
// Enables GPU Low Privilege AppContainer when combined with kGpuAppContainer.
// Enabled by default, but per the description above it only matters once
// kGpuAppContainer (disabled by default) is also enabled.
BASE_FEATURE(kGpuLPAC,
"GpuLPAC",
base::FEATURE_ENABLED_BY_DEFAULT);
// Enables Renderer AppContainer.
// Disabled by default.
BASE_FEATURE(kRendererAppContainer,
"RendererAppContainer",
base::FEATURE_DISABLED_BY_DEFAULT);
// Emergency "off switch" for removal of direct system font access from
// web renderer processes.
// Disabled by default.
// NOTE(review): enabling this presumably restores direct system font access
// for renderers, i.e. it loosens the renderer sandbox. Confirm against the
// code that consumes the feature.
BASE_FEATURE(kWinSboxAllowSystemFonts,
"WinSboxAllowSystemFonts",
base::FEATURE_DISABLED_BY_DEFAULT);
// Enables very high job memory limits for sandboxed renderer processes. This
// sets a limit of 1Tb, effectively removing the Job memory limits, except in
// egregious cases.
// Disabled by default. The limit value itself is applied by the consuming
// code, not in this file.
// NOTE(review): "1Tb" presumably means one terabyte; confirm at the use site.
BASE_FEATURE(kWinSboxHighRendererJobMemoryLimits,
"WinSboxHighRendererJobMemoryLimits",
base::FEATURE_DISABLED_BY_DEFAULT);
#endif // BUILDFLAG(IS_WIN)
#if BUILDFLAG(IS_CHROMEOS_ASH)
// Controls whether the Spectre variant 2 mitigation is enabled. We use a USE
// flag on some Chrome OS boards to disable the mitigation by disabling this
// feature in exchange for system performance.
// Enabled by default, so the mitigation is on unless a board opts out.
BASE_FEATURE(kSpectreVariant2Mitigation,
"SpectreVariant2Mitigation",
base::FEATURE_ENABLED_BY_DEFAULT);
// An override for the Spectre variant 2 default behavior. Security sensitive
// users can enable this feature to ensure that the mitigation is always
// enabled.
// Disabled by default.
// NOTE(review): how this override is reconciled with
// kSpectreVariant2Mitigation is decided by the consuming code, which is not
// shown in this file.
BASE_FEATURE(kForceSpectreVariant2Mitigation,
"ForceSpectreVariant2Mitigation",
base::FEATURE_DISABLED_BY_DEFAULT);
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
#if BUILDFLAG(IS_MAC)
// Enables caching compiled sandbox profiles. Only some profiles support this,
// as controlled by CanCacheSandboxPolicy().
// Enabled by default. CanCacheSandboxPolicy() is defined outside this file.
BASE_FEATURE(kCacheMacSandboxProfiles,
"CacheMacSandboxProfiles",
base::FEATURE_ENABLED_BY_DEFAULT);
#endif // BUILDFLAG(IS_MAC)
// Reports whether the network service sandbox is considered enabled on the
// current platform.
//
// Returns true unconditionally on Mac and Fuchsia. On every other platform the
// result follows the kNetworkServiceSandbox feature, except that on Windows it
// is false whenever the AppContainer sandbox is unsupported.
bool IsNetworkSandboxEnabled() {
#if !BUILDFLAG(IS_MAC) && !BUILDFLAG(IS_FUCHSIA)
  // Same build condition as the one guarding the definition of
  // kNetworkServiceSandbox in this file.
#if BUILDFLAG(IS_WIN)
  // Without AppContainer support the answer is "not sandboxed", whatever the
  // feature state says.
  if (!sandbox::features::IsAppContainerSandboxSupported()) {
    return false;
  }
#endif  // BUILDFLAG(IS_WIN)
  // Otherwise the feature flag decides.
  return base::FeatureList::IsEnabled(kNetworkServiceSandbox);
#else
  // Mac and Fuchsia: no feature lookup, always reported as enabled.
  return true;
#endif  // !BUILDFLAG(IS_MAC) && !BUILDFLAG(IS_FUCHSIA)
}
} // namespace sandbox::policy::features