Inline, next-to-field-decl comments explaining raw_ptr exclusions.

Before this CL, some fields were excluded from the Big MiraclePtr
Rewrite (i.e. kept as `SomeClass* field_` rather than rewritten into
`raw_ptr<SomeClass> field_`), because earlier analysis has shown that
rewriting these particular fields would either 1) have an unusually big,
negative impact on performance or 2) result in runtime crashes because
of violating stricter raw_ptr usage rules [1].

After this CL, these exclusions will also be documented in inline
comments, next to the pointer fields that shouldn't use raw_ptr<T>.

This CL should prevent backsliding (and unintentional performance and/or
stability regressions).  This is important, because there are currently
no plans for automated detection and enforcement to disallow using
raw_ptr<T> in performance-sensitive fields (or fields that use more
complex casts or memory operations).

This CL should also prevent surprises and communicate upfront to omit
these fields from future manual rewrites (e.g. suppressing the somewhat
natural and desirable urge to make all fields raw_ptr<T> wherever the
compiler doesn't complain).

[1] See //base/memory/raw_ptr.md#Extra-pointer-rules

Bug: 1073933
Change-Id: Ic58973da003dd54fb11635d7c57f02cf2d197276
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3298431
Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org>
Commit-Queue: Bartek Nowierski <bartekn@chromium.org>
Reviewed-by: Bartek Nowierski <bartekn@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Keishi Hattori <keishi@chromium.org>
Owners-Override: Bartek Nowierski <bartekn@chromium.org>
Cr-Commit-Position: refs/heads/main@{#945508}
NOKEYCHECK=True
GitOrigin-RevId: 877e622383fc633385e407bac68f3d949dcefb38
3 files changed
tree: a31b65797096b4271d2a8edb37752d76415632a7
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.