Add [ServiceSandbox=type] attribute to mojom interfaces

See doc linked in bug 1210301.

This allows a mojom interface to specify the sandbox its service should
be launched in:

[ServiceSandbox=sandbox.mojom.Sandbox.kService]
interface FakeService {
  Foo() => ();
}

This is achieved by:

* Allowing fully-qualified names as attribute values in .mojom
files. This was not allowed before so shouldn't change any existing
behavior.
* Adding the Sandbox attribute to the mojom cpp generator.
* constexpr kServiceSandbox members on the generated mojom classes.
* Mapping mojom sandbox types to chrome sandbox types.
* Modifying content::ServiceProcessHost to fall back to asking mojo
which sandbox to use if a specialization of GetServiceSandboxType()
has not already been provided. If no kServiceSandbox exists
compilation still fails if no sandbox is specified for the
interface being ::Launch()ed.

Sandbox attributes are verified at C++ compilation time.

This makes it much easier to select an approved sandbox, and difficult
but still possible to select a build or platform varying sandbox, while
still requiring security review.

A following change will add a presubmit to prevent direct inclusion of
GetInterfaceSandbox specializations.

This also adopts this attribute for the TestService and for the
DataDecoderService.

tests: content_browsertests ServiceProcessHostBrowserTest.*
Bug: 1210301
Change-Id: Ie014724de603facae1edb6808733d4212ec20ee1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2912898
Reviewed-by: Ken Rockot <rockot@google.com>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#907309}
NOKEYCHECK=True
GitOrigin-RevId: ad69b6d498863d3713371ca280253f3ce5cafb46
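The lookup order the commit message describes (a hand-written GetServiceSandboxType() specialization first, then the generated kServiceSandbox member, and a compile failure when neither exists) can be modelled in a few dozen lines of stand-alone C++17. The block below is an added illustration, not code from this change or from Chromium; the names Sandbox, FakeService, LegacyService, HandPickedService, HasGeneratedSandbox, ServiceSandboxFor and SandboxForLaunch are all assumed stand-ins for the generated mojom classes and for content::ServiceProcessHost.

```cpp
// Added example: a stand-alone model of the ServiceSandbox lookup order.
// All names here are assumptions for illustration, not Chromium's own code.
#include <type_traits>

namespace sandbox_model {

// Stand-in for the mojom enum sandbox.mojom.Sandbox (constructed subset).
enum class Sandbox { kNoSandbox, kService, kUtility };

// What the mojom C++ generator emits for an interface whose .mojom carried
// [ServiceSandbox=sandbox.mojom.Sandbox.kService]: a constexpr member.
struct FakeService {
  static constexpr Sandbox kServiceSandbox = Sandbox::kService;
};

// An interface with no [ServiceSandbox] attribute and no hand-written choice.
struct LegacyService {};

// An interface with no attribute, but for which a hand-written
// specialization exists (the pre-existing GetServiceSandboxType() path).
struct HandPickedService {};

// Detects the generated kServiceSandbox member without hard errors.
template <typename Interface, typename = void>
struct HasGeneratedSandbox : std::false_type {};
template <typename Interface>
struct HasGeneratedSandbox<
    Interface, std::void_t<decltype(Interface::kServiceSandbox)>>
    : std::true_type {};

// Dependent false so the static_assert below only fires on instantiation.
template <typename>
struct DependentFalse : std::false_type {};

// Primary template: reached only when neither a specialization nor a
// generated member exists. The static_assert turns "no sandbox specified"
// into a build failure at the Launch() call site rather than a runtime
// default to no sandbox.
template <typename Interface, typename = void>
struct ServiceSandboxFor {
  static_assert(DependentFalse<Interface>::value,
                "No sandbox specified for this interface: add "
                "[ServiceSandbox=...] to the .mojom or provide a reviewed "
                "specialization of ServiceSandboxFor<>.");
};

// Fallback to the mojom attribute when the generated class carries it.
template <typename Interface>
struct ServiceSandboxFor<
    Interface, std::void_t<decltype(Interface::kServiceSandbox)>> {
  static constexpr Sandbox value = Interface::kServiceSandbox;
};

// A hand-written full specialization wins over the attribute; this is the
// path the follow-up presubmit is meant to keep behind security review.
template <>
struct ServiceSandboxFor<HandPickedService> {
  static constexpr Sandbox value = Sandbox::kUtility;
};

// Model of the Launch<Interface>() decision: the sandbox is resolved at
// compile time and returned (a real launcher would hand it to the process
// launcher alongside the service's receiver).
template <typename Interface>
constexpr Sandbox SandboxForLaunch() {
  return ServiceSandboxFor<Interface>::value;
}

// Compile-time checks of the three cases; the fourth case,
// SandboxForLaunch<LegacyService>(), deliberately does not compile.
static_assert(SandboxForLaunch<FakeService>() == Sandbox::kService,
              "attribute-derived sandbox");
static_assert(SandboxForLaunch<HandPickedService>() == Sandbox::kUtility,
              "hand-written specialization takes precedence");
static_assert(!HasGeneratedSandbox<LegacyService>::value,
              "no generated member without the attribute");

}  // namespace sandbox_model
```

The point of routing the attribute through a full specialization and a `void_t` partial specialization is that the precedence is decided entirely by the compiler: adding `[ServiceSandbox=...]` to the .mojom is the easy, approved path, while overriding it requires a visible specialization that a presubmit can flag for review.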
5 files changed
tree: e67616d76e3ac884bac16de3b0732e2875ff8823
  1. linux/
  2. mac/
  3. policy/
  4. win/
  5. BUILD.gn
  6. constants.h
  7. DEPS
  8. DIR_METADATA
  9. features.gni
  10. ipc.dict
  11. OWNERS
  12. README.md
  13. sandbox_export.h
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.