Google Git
Sign in
chromium / chromium / src / sandbox / 458d963b5374e86b0ab2550821a59312fafdfaf1
commit458d963b5374e86b0ab2550821a59312fafdfaf1[log] [tgz]
authorJames Forshaw <forshaw@chromium.org>Wed Feb 23 22:26:55 2022
committerCopybara-Service <copybara-worker@google.com>Wed Feb 23 22:43:44 2022
tree2ab5efd9bb18cca9a4b355679eb8ace42401138a
parent07639e08226c99f6cad55c9223e9fe1351e5069d [diff]
[Windows] Use CreateAppContainerToken over NtCreateLowBoxToken.

This CL replaces the use of the NtCreateLowBoxToken system call with
the CreateAppContainerToken API from kernelbase. This API handles the
appcontainer object directories and other quirks which allows us to
rely less on other undocumented behaviors. The API is exported from
Windows 8 although it is unfortunately undocumented.

Bug: 1270309
Change-Id: I4fe7185aa0d3dc85849b6deeb08538c2a47108b6
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3484963
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: Will Harris <wfh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#974365}
NOKEYCHECK=True
GitOrigin-RevId: 9d4152381ceebbd1445489daa4f45f3d728a213c
9 files changed
tree: 2ab5efd9bb18cca9a4b355679eb8ace42401138a
  1. linux/
  2. mac/
  3. policy/
  4. win/
  5. BUILD.gn
  6. COMMON_METADATA
  7. constants.h
  8. DEPS
  9. DIR_METADATA
  10. features.gni
  11. ipc.dict
  12. OWNERS
  13. README.md
  14. sandbox_export.h
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.