Sandbox mitigations to allow dynamic CET ranges in child processes

This adds a process mitigation to allow access to dynamic CET-allowed
ranges (e.g. using SetProcessDynamicEnforcedCetCompatibleRanges()).
Normally these functions are blocked in processes where CET is
enabled.

The SDK definitions for the required process mitigation field
PROCESS_CREATION_MITIGATION_POLICY2_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY_ALWAYS_OFF
are (weirdly) available in 10.0.19041.0 but not in 10.0.19551.0. The SDK
definition for the CetDynamicApisOutOfProcOnly field of
PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY is only available starting
in 10.0.20226.0. We therefore have to define these ourselves until
Chrome's oldest supported SDK is moved to 20226 or later.

Future CLs will add plumbing to //sandbox/policy to use this mitigation
for v8 in renderer and utility processes.

Bug: 1268074
Change-Id: I16c42568b2a04da149fc1de81f235c1828fa77aa
Tests: sbox_integration_tests --gtest_filter=ProcessMitigationsTest.CetAllowDynamicApis
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3269927
Commit-Queue: Alex Gough <ajgo@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#940004}
NOKEYCHECK=True
GitOrigin-RevId: 04af530e6467ff9cb9ec03899a00a38cb247dd8b
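The following C program is an added illustration and is not Chromium's code or the content of this change: it shows how the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY value for a child process is composed so that user shadow stacks are forced on while the dynamic-CET-APIs-out-of-proc-only restriction is switched off, with the SDK macros defined locally under `#ifndef` guards exactly because older SDKs lack them, as the message above explains. It uses no Windows headers, so it builds and runs anywhere. The macro names are the SDK's; the fallback bit positions (field 28 for user shadow stacks, field 48 for the dynamic-APIs restriction), the Flags bit layout of PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY, and the helper names (`build_cet_policy2`, `cet_dynamic_apis_state`, `shadow_stack_flags_allow_in_proc_dynamic_apis`) are my assumptions and should be checked against the SDK you build with.

```c
/* Added example, not Chromium code: composing the CET mitigation bits for a
 * child process when the SDK may lack the definitions. Pure C99; on Windows
 * the two-word value would be passed to UpdateProcThreadAttribute() as
 * PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY. */
#include <stdint.h>
#include <stdio.h>

/* Local fallbacks, guarded so a newer SDK's own definitions take precedence.
 * ASSUMPTION: bit positions recalled from winbase.h; verify against your SDK.
 * Each mitigation is a 2-bit field: 0 = defer, 1 = always on, 2 = always off,
 * 3 = reserved. */
#ifndef PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_MASK
#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_MASK (UINT64_C(3) << 28)
#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_ALWAYS_ON (UINT64_C(1) << 28)
#endif
#ifndef PROCESS_CREATION_MITIGATION_POLICY2_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY_MASK
#define PROCESS_CREATION_MITIGATION_POLICY2_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY_MASK (UINT64_C(3) << 48)
#define PROCESS_CREATION_MITIGATION_POLICY2_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY_ALWAYS_ON (UINT64_C(1) << 48)
#define PROCESS_CREATION_MITIGATION_POLICY2_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY_ALWAYS_OFF (UINT64_C(2) << 48)
#endif

/* ASSUMPTION: Flags bits of PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY as laid
 * out in the 20226 SDK (EnableUserShadowStack = bit 0,
 * CetDynamicApisOutOfProcOnly = bit 8), used to decode what
 * GetProcessMitigationPolicy() reports inside the child. */
#define USER_SHADOW_STACK_ENABLE_FLAG (UINT32_C(1) << 0)
#define USER_SHADOW_STACK_DYNAMIC_APIS_OOP_ONLY_FLAG (UINT32_C(1) << 8)

/* The attribute value is two 64-bit words: POLICY (word 0), POLICY2 (word 1). */
typedef struct { uint64_t policy[2]; } mitigation_attr;

enum tri_state { TRI_DEFER = 0, TRI_ON = 1, TRI_OFF = 2, TRI_RESERVED = 3 };

/* Write one 2-bit field, refusing values outside it so two flags for the same
 * field cannot be OR'ed together by mistake. Returns 1 on success. */
int set_field(uint64_t *word, uint64_t mask, uint64_t value) {
  if (value & ~mask) return 0;
  *word = (*word & ~mask) | value;
  return 1;
}

/* Read a 2-bit field back as a tri-state, locating it from its mask. */
enum tri_state get_field(uint64_t word, uint64_t mask) {
  unsigned shift = 0;
  while (shift < 64 && !((mask >> shift) & 1)) shift++;
  return (enum tri_state)((word & mask) >> shift);
}

/* Compose POLICY2 for a child that must run with user shadow stacks and, when
 * allow_in_proc_dynamic_apis is set, may still call the dynamic CET range APIs
 * on itself (the mitigation the commit above introduces). */
int build_cet_policy2(mitigation_attr *attr, int allow_in_proc_dynamic_apis) {
  attr->policy[0] = 0;
  attr->policy[1] = 0;
  if (!set_field(&attr->policy[1],
                 PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_MASK,
                 PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_ALWAYS_ON))
    return 0;
  uint64_t dyn = allow_in_proc_dynamic_apis
      ? PROCESS_CREATION_MITIGATION_POLICY2_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY_ALWAYS_OFF
      : PROCESS_CREATION_MITIGATION_POLICY2_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY_ALWAYS_ON;
  return set_field(&attr->policy[1],
                   PROCESS_CREATION_MITIGATION_POLICY2_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY_MASK,
                   dyn);
}

enum tri_state cet_dynamic_apis_state(const mitigation_attr *attr) {
  return get_field(attr->policy[1],
                   PROCESS_CREATION_MITIGATION_POLICY2_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY_MASK);
}

/* Check from inside the child, given the Flags word of its user-shadow-stack
 * policy: 1 = dynamic CET range APIs usable in-process, 0 = blocked (the
 * default once CET is on, as the commit notes), -1 = CET not enabled, so the
 * restriction does not apply. */
int shadow_stack_flags_allow_in_proc_dynamic_apis(uint32_t flags) {
  if (!(flags & USER_SHADOW_STACK_ENABLE_FLAG)) return -1;
  return (flags & USER_SHADOW_STACK_DYNAMIC_APIS_OOP_ONLY_FLAG) ? 0 : 1;
}

int main(void) {
  mitigation_attr attr;
  build_cet_policy2(&attr, 1);
  printf("POLICY2 = 0x%016llx, dynamic-APIs field = %d (2 = always off)\n",
         (unsigned long long)attr.policy[1], (int)cet_dynamic_apis_state(&attr));
  /* Constructed Flags values standing in for GetProcessMitigationPolicy() output. */
  printf("CET on, OOP-only set   -> %d\n", shadow_stack_flags_allow_in_proc_dynamic_apis(0x101u));
  printf("CET on, OOP-only clear -> %d\n", shadow_stack_flags_allow_in_proc_dynamic_apis(0x001u));
  return 0;
}
```

The `set_field` guard is the part worth keeping in real code: ALWAYS_ON and ALWAYS_OFF for one field differ only in which of its two bits is set, so OR-ing both by accident yields the reserved value 3, which the guard rejects instead of silently passing to the kernel.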
4 files changed
tree: 792f232cf1904c128434693122f43e93446f56a0
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.