commit | 7cb05ff7cf032cbd306aab5f90d852dc0ccdea86 | |
---|---|---|
author | Alex Gough <ajgo@chromium.org> | Tue Oct 12 00:55:44 2021 |
committer | Copybara-Service <copybara-worker@google.com> | Tue Oct 12 01:08:16 2021 |
tree | 798a877f528117ea17a8f830049025339510adba | |
parent | bcc9e1981344e2393d2257674b0c0c63d2c92005 | |
Specify Audio and Network sandboxes in mojo

Adds ServiceSandbox attribute to AudioService and NetworkService interfaces and deletes the final service_sandbox_type.h file. All service sandboxes are now specified this way.

These two services are different, however. Their sandboxes can be disabled (to kNoSandbox) by policy or feature flags. This means the service launching machinery must know how to do this. In this CL we move this logic into the ServiceProcessHost which in turn asks the ContentBrowserClient if the sandboxes should be enabled. As this is only necessary for two sandbox types we have not generalised the CBC interface.

We also delete `sandbox_type` from service process host options as it cannot be specified as an option and must be specified using the ServiceSandbox attribute on the launched mojom.

We migrate the type used within ServiceProcessHost to sandbox::mojom::Sandbox. A future CL will replace sandbox::policy::mojom::SandboxType with the mojom type throughout.

Bug: 1210301
Change-Id: I4de13359487158a52da8ad414c8beb9cd93033bb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3209992
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Ken Rockot <rockot@google.com>
Reviewed-by: Will Harris <wfh@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#930365}
NOKEYCHECK=True
GitOrigin-RevId: ec569389922f7fc66486dcd94a5b4b5ccd0a15a9
This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.
Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high level:
- `mac/` uses the Seatbelt sandbox. See the detailed design for more.
- `linux/` uses namespaces and Seccomp-BPF. See the detailed design for more.
- `win/` uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.