Google Git
Sign in
chromium / chromium / src / sandbox / 72084d26227ba085428ee085747be0d2c178752e
commit72084d26227ba085428ee085747be0d2c178752e[log] [tgz]
authorAlex Gough <ajgo@chromium.org>Fri Jan 28 01:58:31 2022
committerCopybara-Service <copybara-worker@google.com>Fri Jan 28 02:23:09 2022
tree6ef3e0a2361962dcaac28b21139d7ef4b006ee17
parentb506aefc058b90a804cbdc23efc5cb5edda4fe61 [diff]
Only allow a single process to be associated with a policy

TargetPolicy was designed to work with multiple registered processes.
However in Chrome we only ever use a 1:1 mapping between process and
policy. This is because we create specific tokens, and pass specific
lists of handles, jobs etc. which cannot be shared between processes.

This CL changes PolicyBase to no longer have a list of associated
processes, and removes the lock that is no longer necessary. The
method to apply a policy to a process is now renamed to ApplyToTarget.

A follow-up CL will modify chrome://sandbox to no longer use a list
of pids when displaying policies. As it stands the existing list has
one member.

Bug: 1270309
Change-Id: I3b8c69105ab2f9b745a4b1be706b1cfa67933e82
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3419518
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#964384}
NOKEYCHECK=True
GitOrigin-RevId: 5817c1c73a8c6451c8b2aa33f42a937bab1f2710
4 files changed
tree: 6ef3e0a2361962dcaac28b21139d7ef4b006ee17
  1. linux/
  2. mac/
  3. policy/
  4. win/
  5. BUILD.gn
  6. COMMON_METADATA
  7. constants.h
  8. DEPS
  9. DIR_METADATA
  10. features.gni
  11. ipc.dict
  12. OWNERS
  13. README.md
  14. sandbox_export.h
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.