Google Git
Sign in
chromium / chromium / src / sandbox / bd5c81e6701b5220180f612d9d125d352083d935
commitbd5c81e6701b5220180f612d9d125d352083d935[log] [tgz]
authorSergei Glazunov <glazunov@google.com>Tue Jun 21 13:20:16 2022
committerCopybara-Service <copybara-worker@google.com>Tue Jun 21 13:33:36 2022
tree5909dbf863ab72e7184ceb7aaef8fb573c365532
parent79180946162d0a1fd37fb2d0ba53d39005c74919 [diff]
[BRP] Revert some fields in the sandbox from raw_ptr<T> to T*

The Windows sandbox initialization code runs extremely early during the
process startup.

After the MiraclePtr rewrite, we may observe the following call stack:

```
weblayer_browsertests!base::internal::AsanBackupRefPtrImpl::WrapRawPtr
weblayer_browsertests!base::raw_ptr<sandbox::SharedMemory...>::operator=
weblayer_browsertests!sandbox::InterceptionAgent::Init
weblayer_browsertests!sandbox::InterceptionAgent::GetInterceptionAgent
weblayer_browsertests!TargetNtMapViewOfSection
weblayer_browsertests!TargetNtMapViewOfSection64
ntdll!LdrpMinimalMapModule
ntdll!LdrpMapDllWithSectionHandle
ntdll!LdrpLoadKnownDll
ntdll!LdrpFindOrPrepareLoadingModule
ntdll!LdrpLoadDllInternal
ntdll!LdrpLoadDll
ntdll!LdrLoadDll
ntdll!LdrpInitializeProcess
ntdll!LdrpInitialize
ntdll!LdrpInitialize
ntdll!LdrInitializeThunk
```

If we're in a component build, and the active `raw_ptr` implementation
is `AsanBackupRefPtrImpl`, the `WrapRawPtr` method will attempt to call
a function from another executable module, which the process won't be
able to load and, therefore, a crash will occur.

Bug: 1337642
Change-Id: I405c6d71c9d5bcdf8f3d5d3da3ad939a077b3285
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3714655
Reviewed-by: James Forshaw <forshaw@chromium.org>
Commit-Queue: Sergei Glazunov <glazunov@google.com>
Cr-Commit-Position: refs/heads/main@{#1016148}
NOKEYCHECK=True
GitOrigin-RevId: 25c8d4b47786e9310c60fdf1839b6c5175d6b682
3 files changed
tree: 5909dbf863ab72e7184ceb7aaef8fb573c365532
  1. linux/
  2. mac/
  3. policy/
  4. win/
  5. BUILD.gn
  6. COMMON_METADATA
  7. constants.h
  8. DEPS
  9. DIR_METADATA
  10. features.cc
  11. features.gni
  12. features.h
  13. ipc.dict
  14. OWNERS
  15. README.md
  16. sandbox_export.h
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.