commit | aef91cb54412e4c4b28d4460636f5bec2a24ad29 | [log] [tgz] |
---|---|---|
author | Will Harris <wfh@chromium.org> | Thu Oct 28 06:53:20 2021 |
committer | Copybara-Service <copybara-worker@google.com> | Thu Oct 28 07:08:26 2021 |
tree | 52f07b28e130ab2272ed63d326c3349d120b28ae | |
parent | 790e8d05e1de803dfeb0e3e147dcf760e10894aa [diff] |
Use multiple timeouts for the UDP socket tests. These tests were flaky on slow bots because process startup times could vary depending on machine configuration. This CL separates the process startup timeout from the socket connection timeout and should fix the reliability issues, as the UDP server now only needs to start waiting once it is signalled that the child process has fully warmed up. This is not needed for the TCP tests as the 'server' on 445 is always running. It also standardizes on a one second network timeout for connections for both TCP and UDP. BUG=1264188 Change-Id: I5648ab622ea3a6143a0b79b7f6f9549925c9a2aa Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3248275 Reviewed-by: Alex Gough <ajgo@chromium.org> Commit-Queue: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/main@{#935727} NOKEYCHECK=True GitOrigin-RevId: e49912b16cc0364438912e95423a92e11af3cd8a
This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.
Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:
mac/
uses the Seatbelt sandbox. See the detailed design for more.linux/
uses namespaces and Seccomp-BPF. See the detailed design for more.win/
uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.Built on top of the low-level sandboxing library is the //sandbox/policy
component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.