commit | 3ce0f1b68995f3a2be4472ff18302639fed0f816 |
---|---|---
author | Alex Gough <ajgo@chromium.org> | Tue Nov 09 21:10:08 2021
committer | Copybara-Service <copybara-worker@google.com> | Tue Nov 09 21:24:38 2021
tree | 792f232cf1904c128434693122f43e93446f56a0 |
parent | 03d3a9319bedd2a0a1f4233d9594ba347574e2d6 |
Sandbox mitigations to allow dynamic CET ranges in child processes

This adds a process mitigation to allow access to dynamic CET-allowed ranges (e.g. using SetProcessDynamicEnforcedCetCompatibleRanges()). Normally these functions are blocked in processes where CET is enabled.

The SDK definitions for the required process mitigation field PROCESS_CREATION_MITIGATION_POLICY2_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY_ALWAYS_OFF are (weirdly) available in 10.0.19041.0 but not in 10.0.19551.0. The SDK definition for the CetDynamicApisOutOfProcOnly field of PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY is only available starting in 10.0.20226.0. We therefore have to define these ourselves until Chrome's oldest supported SDK is moved to 20226 or later.

Future CLs will add plumbing to //sandbox/policy to use this mitigation for v8 in renderer and utility processes.

Bug: 1268074
Change-Id: I16c42568b2a04da149fc1de81f235c1828fa77aa
Tests: sbox_integration_tests --gtest_filter=ProcessMitigationsTest.CetAllowDynamicApis
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3269927
Commit-Queue: Alex Gough <ajgo@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#940004}
NOKEYCHECK=True
GitOrigin-RevId: 04af530e6467ff9cb9ec03899a00a38cb247dd8b
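The commit message describes two mechanics: defining the missing SDK constant for the CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY field locally, and folding it into the mitigation policy handed to a child process. The following C++ is an added example written for this page; it is not Chromium's sandbox code and not the contents of this commit. It models a POLICY2 field as the two-bit DEFER/ALWAYS_ON/ALWAYS_OFF value the SDK convention uses, builds the {policy, policy2} pair from a sandbox flag, and guards against two mitigations writing conflicting values into the same field. The bit position (48) is my recollection of newer winnt.h and is an assumption to verify against your SDK; the MITIGATION_* flag names are invented for the example and are not necessarily Chromium's. The block is portable so it compiles without the Windows headers.

```cpp
// Added example, not Chromium's sandbox code. Models the commit's mechanics:
// locally defined CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY constants and their
// placement in the second 64-bit mitigation policy word of a child process.
// ASSUMPTIONS: the shift (48) follows newer winnt.h as recalled, verify it
// against your SDK; the MITIGATION_* names below are invented for this example.
#include <array>
#include <cstdint>
#include <stdexcept>

// Every POLICY2 field is two bits: 00 defer, 01 always on, 10 always off,
// 11 reserved. This mirrors the SDK's DEFER/ALWAYS_ON/ALWAYS_OFF convention.
enum class FieldValue : uint64_t { kDefer = 0, kAlwaysOn = 1, kAlwaysOff = 2, kReserved = 3 };

constexpr int kCetDynamicApisOutOfProcOnlyShift = 48;  // ASSUMPTION: check winnt.h

// Locally defined stand-ins for the SDK macros named in the commit message.
constexpr uint64_t PROCESS_CREATION_MITIGATION_POLICY2_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY_MASK =
    uint64_t{3} << kCetDynamicApisOutOfProcOnlyShift;
constexpr uint64_t PROCESS_CREATION_MITIGATION_POLICY2_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY_ALWAYS_OFF =
    uint64_t{2} << kCetDynamicApisOutOfProcOnlyShift;

// Hypothetical sandbox-side flags a policy author would request.
enum SandboxMitigation : uint32_t {
  MITIGATION_NONE = 0,
  MITIGATION_CET_ALLOW_DYNAMIC_APIS = 1u << 0,
};

// Read a two-bit field out of a policy word.
FieldValue ReadField(uint64_t policy2, int shift) {
  return static_cast<FieldValue>((policy2 >> shift) & 3);
}

// Write a two-bit field. A field already holding a different non-default
// value means two mitigations disagree, so refuse instead of clobbering it.
uint64_t SetField(uint64_t policy2, int shift, FieldValue value) {
  const FieldValue current = ReadField(policy2, shift);
  if (current != FieldValue::kDefer && current != value)
    throw std::invalid_argument("conflicting mitigation setting");
  policy2 &= ~(uint64_t{3} << shift);
  return policy2 | (static_cast<uint64_t>(value) << shift);
}

// Translate sandbox flags into the {policy, policy2} pair that would be passed
// as PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY. Only the field this commit adds
// is modelled; the first word is left untouched.
std::array<uint64_t, 2> BuildMitigationPolicy(uint32_t flags) {
  std::array<uint64_t, 2> policy = {0, 0};
  if (flags & MITIGATION_CET_ALLOW_DYNAMIC_APIS) {
    policy[1] = SetField(policy[1], kCetDynamicApisOutOfProcOnlyShift, FieldValue::kAlwaysOff);
  }
  return policy;
}

// ALWAYS_OFF on "out-of-proc only" means the child may call the dynamic CET
// range APIs itself, which is what the commit sets out to allow.
bool AllowsDynamicCetApis(const std::array<uint64_t, 2>& policy) {
  return (policy[1] & PROCESS_CREATION_MITIGATION_POLICY2_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY_MASK) ==
         PROCESS_CREATION_MITIGATION_POLICY2_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY_ALWAYS_OFF;
}

// Exercises the conflict guard: ALWAYS_ON already present, ALWAYS_OFF requested.
bool RejectsConflictingSetting() {
  const uint64_t already_on =
      static_cast<uint64_t>(FieldValue::kAlwaysOn) << kCetDynamicApisOutOfProcOnlyShift;
  try {
    SetField(already_on, kCetDynamicApisOutOfProcOnlyShift, FieldValue::kAlwaysOff);
  } catch (const std::invalid_argument&) {
    return true;
  }
  return false;
}
```

On Windows the returned pair is what UpdateProcThreadAttribute receives for PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY when the child is launched. The child-side check is GetProcessMitigationPolicy with ProcessUserShadowStackPolicy, reading the CetDynamicApisOutOfProcOnly bit of PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY, which is the field the commit message says also needs a local definition on older SDKs.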
This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.
Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high level:

- mac/ uses the Seatbelt sandbox. See the detailed design for more.
- linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
- win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.