Move FileUtilService to kService on Windows

Sandbox::kFileUtilService only exists so that we can
pin user32 early in utility_main for this service. This
CL moves FileUtilService to use the new WithPinUser32
service process host option, and deletes the now unused
sandbox type.

LaunchFileUtilService is moved inside a helper class to
allow access to the passkeys needed without a complex
replication of the launching function's signature in

Tests: browser_tests
Bug: 1435571,1408988
Change-Id: Iafdde12b482f1fe8413670baad33444dfbb2c6af
Reviewed-by: Nasko Oskov
Reviewed-by: Will Harris
Commit-Queue: Alex Gough
Reviewed-by: Marc Treib
Cr-Commit-Position: refs/heads/main@{#1146976}
GitOrigin-RevId: 71f4a4bedc0ce45d19f9b0e1ddd5ea0bd9656663
5 files changed
tree: 6a62aba4d010f68576f36f1c3fe5f8e8c03dd26c

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.