New toolchain for Windows 10 20348 SDK

This change updates the toolchain package used to build Chromium with
the 10.0.20348.0 (2021-04) SDK.

Packaging was done on a Windows Server 2019 VM, cleanly created for this
purpose.
Debuggers were kept at the previous 10.0.19041 version,
due to crbug.com/1312060.

The package was created by downloading the VS Professional 2019
installer from https://visualstudio.microsoft.com/downloads/
(free trial, not preview) and then running the installer like this:

$ PATH_TO_INSTALLER.EXE ^
    --add Microsoft.VisualStudio.Workload.NativeDesktop ^
    --add Microsoft.VisualStudio.Component.VC.ATLMFC ^
    --add Microsoft.VisualStudio.Component.VC.Tools.ARM64 ^
    --add Microsoft.VisualStudio.Component.VC.MFC.ARM64 ^
    --includeRecommended --passive

Then the 10.0.20348.0 Windows 10 SDK was downloaded and installed from
https://developer.microsoft.com/en-ca/windows/downloads/sdk-archive/

Then the packaging script was run like this:

  python3 depot_tools\win_toolchain\package_from_installed.py 2019 -w 10.0.20348.0

The final packaging step was to unzip the package, copy over the Debuggers
directory from the previous 10.0.19041 toolchain,
and then repackage the toolchain with:
  > python3 package_from_installed.py --repackage=<full-path-to-toolchain-dir>

UWP and ARM64 support and Python 3 compatibility were previously added
to package_from_installed.py.

Older SDKs can no longer be used to build Chromium.

The reason for updating the SDK is incompatibility between MSVC 19.29
and the previous 10.0.19041.0 SDK, affecting MSVC builds of ANGLE.

Bug: 1292528, 1312060
Change-Id: I5dbda09cdd0a89d9fd0dd81b5b1ebdeae0671db1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3550827
Reviewed-by: Nico Weber <thakis@chromium.org>
Reviewed-by: Bruce Dawson <brucedawson@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Maggie Chen <magchen@chromium.org>
Reviewed-by: Mark Foltz <mfoltz@chromium.org>
Commit-Queue: Yuly Novikov <ynovikov@chromium.org>
Cr-Commit-Position: refs/heads/main@{#988269}
NOKEYCHECK=True
GitOrigin-RevId: 804d5a91d49d0ad79d3d5529e6ba2610225cfe55
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.