Google Git
Sign in
chromium / chromium / src / sandbox / 67fd7159e5f1540df190677dfa76f85d7c0762a3
commit67fd7159e5f1540df190677dfa76f85d7c0762a3[log] [tgz]
authorAlex Gough <ajgo@chromium.org>Sat Jul 23 10:16:36 2022
committerCopybara-Service <copybara-worker@google.com>Sat Jul 23 10:32:03 2022
treec455fafbef81443690ac10253d2c0dc3a66b859d
parenta80d2785fb638afcad42790b16df317fe3313005 [diff]
Add sandbox launcher delegate GetSandboxTag

SandboxedProcessLauncherDelegate gains a method GetSandboxTag().
Delegates use this to return a string which is opaque to SandboxWin
but should uniquely identify the TargetConfig configuration that will
be applied to TargetPolicy. Delegates that do not wish to fix any
part of the policy can return an empty string.

SandboxWin gains a method GetSandboxTagForDelegate to simplify creating
different tags for delegates that use the same sandbox type but a
different process host - the assumption is that a utility in kGpu
might want different behavior to the gpu process and it's safer to
make it easy to use distinct policies in these cases.

This enables shared fixed policy configs for most processes, but as no
backing data is yet shared has little practical effect.

Bug: 549319
Change-Id: I17d1f817c2b750d9789c0c989c1dbc139e5146ae
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3556185
Reviewed-by: Will Harris <wfh@chromium.org>
Reviewed-by: Mark Seaborn <mseaborn@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Reviewed-by: Bo Liu <boliu@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1027531}
NOKEYCHECK=True
GitOrigin-RevId: 9ce7ce2e2c3977c92a2f83cd33112d92726be4f3
6 files changed
tree: c455fafbef81443690ac10253d2c0dc3a66b859d
  1. linux/
  2. mac/
  3. policy/
  4. win/
  5. BUILD.gn
  6. COMMON_METADATA
  7. constants.h
  8. DEPS
  9. DIR_METADATA
  10. features.cc
  11. features.gni
  12. features.h
  13. ipc.dict
  14. OWNERS
  15. README.md
  16. sandbox_export.h
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.