commit | bd5c81e6701b5220180f612d9d125d352083d935 | [log] [tgz] |
---|---|---|
author | Sergei Glazunov <glazunov@google.com> | Tue Jun 21 13:20:16 2022 |
committer | Copybara-Service <copybara-worker@google.com> | Tue Jun 21 13:33:36 2022 |
tree | 5909dbf863ab72e7184ceb7aaef8fb573c365532 | |
parent | 79180946162d0a1fd37fb2d0ba53d39005c74919 [diff] |
[BRP] Revert some fields in the sandbox from raw_ptr<T> to T*

The Windows sandbox initialization code runs extremely early during the process startup. After the MiraclePtr rewrite, we may observe the following call stack:

```
weblayer_browsertests!base::internal::AsanBackupRefPtrImpl::WrapRawPtr
weblayer_browsertests!base::raw_ptr<sandbox::SharedMemory...>::operator=
weblayer_browsertests!sandbox::InterceptionAgent::Init
weblayer_browsertests!sandbox::InterceptionAgent::GetInterceptionAgent
weblayer_browsertests!TargetNtMapViewOfSection
weblayer_browsertests!TargetNtMapViewOfSection64
ntdll!LdrpMinimalMapModule
ntdll!LdrpMapDllWithSectionHandle
ntdll!LdrpLoadKnownDll
ntdll!LdrpFindOrPrepareLoadingModule
ntdll!LdrpLoadDllInternal
ntdll!LdrpLoadDll
ntdll!LdrLoadDll
ntdll!LdrpInitializeProcess
ntdll!LdrpInitialize
ntdll!LdrpInitialize
ntdll!LdrInitializeThunk
```

If we're in a component build, and the active `raw_ptr` implementation is `AsanBackupRefPtrImpl`, the `WrapRawPtr` method will attempt to call a function from another executable module, which the process won't be able to load and, therefore, a crash will occur.

Bug: 1337642
Change-Id: I405c6d71c9d5bcdf8f3d5d3da3ad939a077b3285
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3714655
Reviewed-by: James Forshaw <forshaw@chromium.org>
Commit-Queue: Sergei Glazunov <glazunov@google.com>
Cr-Commit-Position: refs/heads/main@{#1016148}
NOKEYCHECK=True
GitOrigin-RevId: 25c8d4b47786e9310c60fdf1839b6c5175d6b682
This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.
Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high level:
- mac/ uses the Seatbelt sandbox. See the detailed design for more.
- linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
- win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.