commit | 72084d26227ba085428ee085747be0d2c178752e | [log] [tgz] |
---|---|---|
author | Alex Gough <ajgo@chromium.org> | Fri Jan 28 01:58:31 2022 |
committer | Copybara-Service <copybara-worker@google.com> | Fri Jan 28 02:23:09 2022 |
tree | 6ef3e0a2361962dcaac28b21139d7ef4b006ee17 | |
parent | b506aefc058b90a804cbdc23efc5cb5edda4fe61 [diff] |
Only allow a single process to be associated with a policy TargetPolicy was designed to work with multiple registered processes. However in Chrome we only ever use a 1:1 mapping between process and policy. This is because we create specific tokens, and pass specific lists of handles, jobs etc. which cannot be shared between processes. This CL changes PolicyBase to no longer have a list of associated processes, and removes the lock that is no longer necessary. The method to apply a policy to a process is now renamed to ApplyToTarget. A follow-up CL will modify chrome://sandbox to no longer use a list of pids when displaying policies. As it stands the existing list has one member. Bug: 1270309 Change-Id: I3b8c69105ab2f9b745a4b1be706b1cfa67933e82 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3419518 Reviewed-by: Will Harris <wfh@chromium.org> Commit-Queue: Alex Gough <ajgo@chromium.org> Cr-Commit-Position: refs/heads/main@{#964384} NOKEYCHECK=True GitOrigin-RevId: 5817c1c73a8c6451c8b2aa33f42a937bab1f2710
This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.
Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:
mac/
uses the Seatbelt sandbox. See the detailed design for more.linux/
uses namespaces and Seccomp-BPF. See the detailed design for more.win/
uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.Built on top of the low-level sandboxing library is the //sandbox/policy
component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.