Specify Audio and Network sandboxes in mojo

Adds ServiceSandbox attribute to AudioService and NetworkService
interfaces and deletes the final service_sandbox_type.h file. All
service sandboxes are now specified this way.

These two services are different, however. Their sandboxes can be
disabled (to kNoSandbox) by policy or feature flags. This means
the service launching machinery must know how to do this. In this
CL we move this logic into the ServiceProcessHost which in turn
asks the ContentBrowserClient if the sandboxes should be enabled.
As this is only necessary for two sandbox types we have not
generalised the CBC interface.

We also delete `sandbox_type` from service process host options
as it cannot be specified as an option and must be specified using
the ServiceSandbox attribute on the launched mojom. We migrate
the type used within ServiceProcessHost to sandbox::mojom::Sandbox.
A future CL will replace sandbox::policy::mojom::SandboxType with
the mojom type throughout.

Bug: 1210301
Change-Id: I4de13359487158a52da8ad414c8beb9cd93033bb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3209992
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Ken Rockot <rockot@google.com>
Reviewed-by: Will Harris <wfh@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#930365}
NOKEYCHECK=True
GitOrigin-RevId: ec569389922f7fc66486dcd94a5b4b5ccd0a15a9
2 files changed
tree: 798a877f528117ea17a8f830049025339510adba
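The commit message describes a launch-time decision: the sandbox declared on the mojom interface is authoritative, but for exactly two types (audio and network) the ServiceProcessHost asks the ContentBrowserClient whether policy or feature flags have disabled the sandbox, in which case the service is launched as kNoSandbox. The following is an added illustration of that control flow, not Chromium's own code: the enum values mirror the `sandbox::mojom::Sandbox` names mentioned above, while `BrowserClientPolicy`, `ResolveLaunchSandbox` and the method names on the policy class are assumed stand-ins for the real ContentBrowserClient hooks.

```cpp
// Added illustration (not Chromium code). Models how a service launcher can
// resolve the sandbox declared on a mojom interface against browser-client
// policy. Sandbox values follow the names used in the commit message; the
// policy class and function names below are assumptions for this example.
#include <cassert>
#include <iostream>

enum class Sandbox { kAudio, kNetwork, kNoSandbox, kUtility };

// Hypothetical stand-in for the two ContentBrowserClient hooks the CL
// describes. Defaults keep both services sandboxed.
class BrowserClientPolicy {
 public:
  virtual ~BrowserClientPolicy() = default;
  virtual bool ShouldSandboxAudioService() const { return true; }
  virtual bool ShouldSandboxNetworkService() const { return true; }
};

// Policy object whose flags have disabled one or both sandboxes.
class ConfigurablePolicy : public BrowserClientPolicy {
 public:
  ConfigurablePolicy(bool sandbox_audio, bool sandbox_network)
      : sandbox_audio_(sandbox_audio), sandbox_network_(sandbox_network) {}
  bool ShouldSandboxAudioService() const override { return sandbox_audio_; }
  bool ShouldSandboxNetworkService() const override { return sandbox_network_; }

 private:
  bool sandbox_audio_;
  bool sandbox_network_;
};

// Only the audio and network sandboxes may be downgraded to kNoSandbox, and
// only when the browser client says so. Every other declared type passes
// through unchanged, so the policy hooks cannot strip a sandbox they were
// never given authority over (the CBC interface is deliberately not general).
Sandbox ResolveLaunchSandbox(Sandbox declared,
                             const BrowserClientPolicy& client) {
  switch (declared) {
    case Sandbox::kAudio:
      return client.ShouldSandboxAudioService() ? Sandbox::kAudio
                                                : Sandbox::kNoSandbox;
    case Sandbox::kNetwork:
      return client.ShouldSandboxNetworkService() ? Sandbox::kNetwork
                                                  : Sandbox::kNoSandbox;
    default:
      return declared;
  }
}

const char* SandboxName(Sandbox s) {
  switch (s) {
    case Sandbox::kAudio:     return "kAudio";
    case Sandbox::kNetwork:   return "kNetwork";
    case Sandbox::kNoSandbox: return "kNoSandbox";
    case Sandbox::kUtility:   return "kUtility";
  }
  return "unknown";
}

int main() {
  BrowserClientPolicy defaults;
  ConfigurablePolicy audio_disabled(/*sandbox_audio=*/false,
                                    /*sandbox_network=*/true);
  std::cout << "audio, default policy: "
            << SandboxName(ResolveLaunchSandbox(Sandbox::kAudio, defaults))
            << "\n";
  std::cout << "audio, audio sandbox disabled: "
            << SandboxName(ResolveLaunchSandbox(Sandbox::kAudio, audio_disabled))
            << "\n";
  std::cout << "utility, audio sandbox disabled (unaffected): "
            << SandboxName(ResolveLaunchSandbox(Sandbox::kUtility, audio_disabled))
            << "\n";
  return 0;
}
```

The point worth checking in a real launcher is the `default:` branch: a downgrade path that exists for two services must not become a general "turn off any sandbox" switch, so any type the policy hooks do not explicitly cover keeps the sandbox its interface declared.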
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.