Google Git
Sign in
chromium / chromium / src / sandbox / 0c14b084cc94801c8620865d3c509996f6d17c5b
commit0c14b084cc94801c8620865d3c509996f6d17c5b[log] [tgz]
authorAlex Gough <ajgo@chromium.org>Sun Feb 06 03:37:31 2022
committerCopybara-Service <copybara-worker@google.com>Sun Feb 06 03:55:14 2022
tree0487aa0fa894f9db4ccfff1032a3bfe33fcc2fb3
parent4a4427e0c5d66284202d0c4d32df7166f4bfc906 [diff]
Reland "Only allow a single process to be associated with a policy"

This is a reland of 5817c1c73a8c6451c8b2aa33f42a937bab1f2710

Many tests reused policies, but this is now prevented by:
https://chromium-review.googlesource.com/c/chromium/src/+/3426302

Original change's description:
> Only allow a single process to be associated with a policy
>
> TargetPolicy was designed to work with multiple registered processes.
> However in Chrome we only ever use a 1:1 mapping between process and
> policy. This is because we create specific tokens, and pass specific
> lists of handles, jobs etc. which cannot be shared between processes.
>
> This CL changes PolicyBase to no longer have a list of associated
> processes, and removes the lock that is no longer necessary. The
> method to apply a policy to a process is now renamed to ApplyToTarget.
>
> A follow-up CL will modify chrome://sandbox to no longer use a list
> of pids when displaying policies. As it stands the existing list has
> one member.
>
> Bug: 1270309
> Change-Id: I3b8c69105ab2f9b745a4b1be706b1cfa67933e82
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3419518
> Reviewed-by: Will Harris <wfh@chromium.org>
> Commit-Queue: Alex Gough <ajgo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#964384}

Bug: 1270309
Change-Id: I0f3164653f95cde3dc2020677602255bb89ca633
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3439012
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: Will Harris <wfh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#967609}
NOKEYCHECK=True
GitOrigin-RevId: 56d599babfa7d3b4eaf27dd942ae866bf7863fdc
4 files changed
tree: 0487aa0fa894f9db4ccfff1032a3bfe33fcc2fb3
  1. linux/
  2. mac/
  3. policy/
  4. win/
  5. BUILD.gn
  6. COMMON_METADATA
  7. constants.h
  8. DEPS
  9. DIR_METADATA
  10. features.gni
  11. ipc.dict
  12. OWNERS
  13. README.md
  14. sandbox_export.h
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.