commit | 67fd7159e5f1540df190677dfa76f85d7c0762a3 | [log] [tgz] |
---|---|---|
author | Alex Gough <ajgo@chromium.org> | Sat Jul 23 10:16:36 2022 |
committer | Copybara-Service <copybara-worker@google.com> | Sat Jul 23 10:32:03 2022 |
tree | c455fafbef81443690ac10253d2c0dc3a66b859d | |
parent | a80d2785fb638afcad42790b16df317fe3313005 [diff] |
Add sandbox launcher delegate GetSandboxTag SandboxedProcessLauncherDelegate gains a method GetSandboxTag(). Delegates use this to return a string which is opaque to SandboxWin but should uniquely identify the TargetConfig configuration that will be applied to TargetPolicy. Delegates that do not wish to fix any part of the policy can return an empty string. SandboxWin gains a method GetSandboxTagForDelegate to simplify creating different tags for delegates that use the same sandbox type but a different process host - the assumption is that a utility in kGpu might want different behavior to the gpu process and it's safer to make it easy to use distinct policies in these cases. This enables shared fixed policy configs for most processes, but as no backing data is yet shared has little practical effect. Bug: 549319 Change-Id: I17d1f817c2b750d9789c0c989c1dbc139e5146ae Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3556185 Reviewed-by: Will Harris <wfh@chromium.org> Reviewed-by: Mark Seaborn <mseaborn@chromium.org> Commit-Queue: Alex Gough <ajgo@chromium.org> Reviewed-by: Bo Liu <boliu@chromium.org> Cr-Commit-Position: refs/heads/main@{#1027531} NOKEYCHECK=True GitOrigin-RevId: 9ce7ce2e2c3977c92a2f83cd33112d92726be4f3
This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.
Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:
mac/
uses the Seatbelt sandbox. See the detailed design for more.linux/
uses namespaces and Seccomp-BPF. See the detailed design for more.win/
uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.Built on top of the low-level sandboxing library is the //sandbox/policy
component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.