commit | 9095e15ed82a3ed4a20bf0e24e3da3c796cf4dab | [log] [tgz] |
---|---|---|
author | James Forshaw <forshaw@chromium.org> | Tue Nov 30 23:42:51 2021 |
committer | Copybara-Service <copybara-worker@google.com> | Tue Nov 30 23:58:04 2021 |
tree | 7b48cbe8d9c9c9a0d37046e60cee75a0a335ef87 | |
parent | af07877ca3f166a9b4d7cded76ab5c39283bde91 [diff] |
[Windows] Simplify token privilege removal. This CL simplifies the removal of privileges in a restricted token. The fixed levels only permit leaving all privileges, removing all but the traversal privilege or removing all. Therefore we just codify that in the API. Bug: 1270309 Change-Id: Ifa8a6a1ba1a4406271bb90af72f38ac6a1d24a93 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3309405 Commit-Queue: James Forshaw <forshaw@chromium.org> Reviewed-by: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/main@{#946753} NOKEYCHECK=True GitOrigin-RevId: 6d62640f4bd0731e6c5f1723d5effbf0adce9d6c
This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.
Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:
mac/
uses the Seatbelt sandbox. See the detailed design for more.linux/
uses namespaces and Seccomp-BPF. See the detailed design for more.win/
uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.Built on top of the low-level sandboxing library is the //sandbox/policy
component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.