Google Git
Sign in
chromium / chromium / src / sandbox / 3304fad73e3009607fe2c472241ed7fd6b2a52c7
commit3304fad73e3009607fe2c472241ed7fd6b2a52c7[log] [tgz]
authorAlex Gough <ajgo@chromium.org>Sun May 21 22:06:47 2023
committerCopybara-Service <copybara-worker@google.com>Sun May 21 22:10:28 2023
tree6a62aba4d010f68576f36f1c3fe5f8e8c03dd26c
parent62184c7452a892af563152411e68adc741bde908 [diff]
Move FileUtilService to kService on Windows

Sandbox::kFileUtilService only exists so that we can
pin user32 early in utility_main for this service. This
CL moves FileUtilService to use the new WithPinUser32
service process host option, and deletes the now unused
sandbox type.

LaunchFileUtilService is moved inside a helper class to
allow access to the passkeys needed without a complex
replication of the launching function's signature in
service_process_host_passkeys.h.

Tests: browser_tests
Bug: 1435571,1408988
Change-Id: Iafdde12b482f1fe8413670baad33444dfbb2c6af
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4534184
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Reviewed-by: Marc Treib <treib@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1146976}
NOKEYCHECK=True
GitOrigin-RevId: 71f4a4bedc0ce45d19f9b0e1ddd5ea0bd9656663
5 files changed
tree: 6a62aba4d010f68576f36f1c3fe5f8e8c03dd26c
  1. linux/
  2. mac/
  3. policy/
  4. win/
  5. BUILD.gn
  6. COMMON_METADATA
  7. constants.h
  8. DEPS
  9. DIR_METADATA
  10. features.cc
  11. features.gni
  12. features.h
  13. OWNERS
  14. README.md
  15. sandbox_export.h
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.