Google Git
Sign in
chromium / chromium / src / sandbox / 7aa9146a60dcf31a8d557f312ccf06943b30d8df
commit7aa9146a60dcf31a8d557f312ccf06943b30d8df[log] [tgz]
authorAlex Gough <ajgo@chromium.org>Tue Aug 10 23:54:40 2021
committerCopybara-Service <copybara-worker@google.com>Wed Aug 11 00:08:02 2021
treeaede57558e2699936c4e26cf0c045e59c6ad614a
parent5ed366d12b578f64863cf9549802405674de6b3e [diff]
Require valid sandbox string for utilities

UtilitySandboxTypeFromString() did not have an exhaustive set of valid
utility sandbox types, so if a utility was started with a new type it
would be reported inside the utility as the default kUtility.

For Linux this meant that the kUtility sandbox was applied, although
this is very close to kService on Linux.

For Windows this was accidentally safe as no additional lockdown
would occur within the utility process, but for future sandbox
types this could cause a reduction in security.

This CL removes the default and instead CHECKs, in combination with
the CHECK in SandboxTypeFromCommandLine() this should now cover all
paths.

kService is now added as a valid service within a utility.

Bug: 1238460
Change-Id: I509fbf4268536043562b72c42bdcf7504a6cc9a3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3086629
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#910577}
NOKEYCHECK=True
GitOrigin-RevId: 17104368d03c80e610d4a684aa034ed366d3c847
3 files changed
tree: aede57558e2699936c4e26cf0c045e59c6ad614a
  1. linux/
  2. mac/
  3. policy/
  4. win/
  5. BUILD.gn
  6. constants.h
  7. DEPS
  8. DIR_METADATA
  9. features.gni
  10. ipc.dict
  11. OWNERS
  12. README.md
  13. sandbox_export.h
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.