Google Git
Sign in
chromium / chromium / src / sandbox / 5850a1d91abfe2daa9bf240d95fc3e93e28e4ae1
commit5850a1d91abfe2daa9bf240d95fc3e93e28e4ae1[log] [tgz]
authorNodir Turakulov <nodir@chromium.org>Tue Sep 28 06:50:47 2021
committerCopybara-Service <copybara-worker@google.com>Tue Sep 28 07:01:51 2021
treec7ccd6cd3c2793384eae9f1af51c72ca55fdaad5
parent49da9fa5504deac891e475e6aa8975e8710d3729 [diff]
[dirmd] Use metadata mixins

Use the new "mixins" feature in dirmd.
Derive mixins from file:// links in OWNERS files.

This CL is machine-generated, in two parts.

Part 1: use mixins.

1. Save current metadata to JSON files, in ORIGINAL and REDUCED forms.
   dirmd read -form original > ~/tmp/dirmd/original.json
   dirmd read -form reduced  > ~/tmp/dirmd/reduced.json
2. Run mixins.py.
   Source code: https://gist.github.com/nodirg/b59d3df338a72a8944f957c5b3a15e22

The script finds related directories, connected by file:// links
in OWNERS files. For those directories that have the same base
name, e.g.
  components/autofill
  chrome/android/java/src/org/chromium/chrome/browser/autofill
if importing the "parent" to the "child" reduces metadata, or adds
missing metadata, extract the common metadata to COMMON_METADATA
and import it in both directories.

Part2: deduplicate metadata.
Apply same instructions as in
https://chromium-review.googlesource.com/c/chromium/src/+/2795985/16

Bug: 1179786
Change-Id: I2e6378004ce433e02f1c9360b09eb72354083bf6
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2897943
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Fred Mello <fredmello@chromium.org>
Owners-Override: John Abd-El-Malek <jam@chromium.org>
Commit-Queue: Nodir Turakulov <nodir@chromium.org>
Cr-Commit-Position: refs/heads/main@{#925648}
NOKEYCHECK=True
GitOrigin-RevId: de11715e63f49274f3fab352f2367699348ba255
2 files changed
tree: c7ccd6cd3c2793384eae9f1af51c72ca55fdaad5
  1. linux/
  2. mac/
  3. policy/
  4. win/
  5. BUILD.gn
  6. COMMON_METADATA
  7. constants.h
  8. DEPS
  9. DIR_METADATA
  10. features.gni
  11. ipc.dict
  12. OWNERS
  13. README.md
  14. sandbox_export.h
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.