commit | 0e78567b121532c454b7b5e482215aea50c31c77 |
---|---|---
author | Lukasz Anforowicz <lukasza@chromium.org> | Fri Nov 26 00:03:23 2021
committer | Copybara-Service <copybara-worker@google.com> | Fri Nov 26 00:20:09 2021
tree | a31b65797096b4271d2a8edb37752d76415632a7 |
parent | 7a1fc7efd6ba1f90823e03a8d882ed5741a679bb |
Inline, next-to-field-decl comments explaining raw_ptr exclusions.

Before this CL, some fields were excluded from the Big MiraclePtr Rewrite (i.e. kept as `SomeClass* field_` rather than rewritten into `raw_ptr<SomeClass> field_`), because earlier analysis has shown that rewriting these particular fields would either 1) have an unusually big, negative impact on performance or 2) result in runtime crashes because of violating stricter raw_ptr usage rules [1]. After this CL, these exclusions will also be documented in inline comments, next to the pointer fields that shouldn't use raw_ptr<T>.

This CL should prevent backsliding (and unintentional performance and/or stability regressions). This is important, because there are currently no plans for automated detection and enforcement to disallow using raw_ptr<T> in performance-sensitive fields (or fields that use more complex casts or memory operations).

This CL should also prevent surprises and communicate upfront to omit these fields from future manual rewrites (e.g. suppressing the somewhat natural and desirable urge to make all fields raw_ptr<T> wherever the compiler doesn't complain).

[1] See //base/memory/raw_ptr.md#Extra-pointer-rules

Bug: 1073933
Change-Id: Ic58973da003dd54fb11635d7c57f02cf2d197276
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3298431
Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org>
Commit-Queue: Bartek Nowierski <bartekn@chromium.org>
Reviewed-by: Bartek Nowierski <bartekn@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Keishi Hattori <keishi@chromium.org>
Owners-Override: Bartek Nowierski <bartekn@chromium.org>
Cr-Commit-Position: refs/heads/main@{#945508}
NOKEYCHECK=True
GitOrigin-RevId: 877e622383fc633385e407bac68f3d949dcefb38
This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.
Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high level:
- mac/ uses the Seatbelt sandbox. See the detailed design for more.
- linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
- win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.