Linux sandbox: Refactor to use BrokerSandboxConfig

The BrokerPermissionList and BrokerCommandSet are pretty much always
passed around as a pair. Combine them in a struct, and make it simpler
to land the next CL in which the sandbox client can optionally provide
the BrokerSandboxConfig after starting up the broker by passing it over
IPC.

It's named BrokerSandboxConfig instead of BrokerPolicy to avoid
confusion with the similarly named BPF policies; see
https://crrev.com/c/812285.

This also includes some other small refactors, including renaming
BrokerProcess::Init to BrokerProcess::Fork to be more descriptive, and
making Broker-side callbacks take the BrokerSandboxConfig as an argument.

Bug: 996455
Change-Id: I8ad80f701f6392edcff7d2b6a7231a4842774906
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3226200
Reviewed-by: Mirko Bonadei <mbonadei@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
Cr-Commit-Position: refs/heads/main@{#937048}
NOKEYCHECK=True
GitOrigin-RevId: 18f8df343ebfd261e3d395aacba77960daa462da
17 files changed
tree: c2e6d35b689cd5f3dbb318d7e3a3dfd4882a2a65
  • linux/
  • mac/
  • policy/
  • win/
  • BUILD.gn
  • COMMON_METADATA
  • constants.h
  • DEPS
  • DIR_METADATA
  • features.gni
  • ipc.dict
  • OWNERS
  • README.md
  • sandbox_export.h
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.
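The linux/ bullet names Seccomp-BPF as the privilege-reduction mechanism. The following is an added example, not code from Chromium's sandbox library (whose filter compiler and policies under linux/ are far more elaborate): it builds a minimal seccomp-BPF allow-list in C, pins the filter to the build architecture, and includes a small classic-BPF interpreter so the policy can be checked offline against synthetic seccomp_data before anything is installed. The allow-list (read, write, exit_group), the EPERM fallback, and every function name are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

/* Older kernel headers lack this action; the value is the kernel's own. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Pin the filter to the build architecture so syscall numbers are not
   reinterpreted under a foreign ABI. */
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Hypothetical allow-list for a worker that only talks over inherited fds. */
static const int kAllowedSyscalls[] = { SYS_read, SYS_write, SYS_exit_group };
#define N_ALLOWED ((int)(sizeof kAllowedSyscalls / sizeof kAllowedSyscalls[0]))
#define MAX_INSNS 64

/* Emit the filter: check arch, then compare nr against each allowed entry. */
static size_t build_filter(struct sock_filter *out) {
    size_t n = 0;
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (int i = 0; i < N_ALLOWED; i++) {
        /* jt=0 falls through to RET ALLOW; jf=1 skips it and tries the next entry. */
        out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (uint32_t)kAllowedSyscalls[i], 0, 1);
        out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    /* Anything else fails with EPERM instead of killing, so the caller observes the denial. */
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                            SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return n;
}

/* Tiny classic-BPF interpreter for the opcode subset used above, so a
   policy can be exercised against synthetic seccomp_data without installing it. */
static uint32_t evaluate_filter(const struct sock_filter *prog, size_t len,
                                const struct seccomp_data *data) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:   /* acc = 32-bit word at offset k of seccomp_data */
            if (in->k + sizeof acc > sizeof *data) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const unsigned char *)data + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:  /* skip jt or jf instructions past the next one */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:                         /* opcode outside the subset: refuse, don't guess */
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;     /* the kernel rejects programs that can fall off the end */
}

/* Answer "what would the kernel do for syscall nr on arch?" offline. */
static uint32_t decision_for(int nr, uint32_t arch) {
    struct sock_filter insns[MAX_INSNS];
    size_t len = build_filter(insns);
    struct seccomp_data data;
    memset(&data, 0, sizeof data);
    data.nr = nr;
    data.arch = arch;
    return evaluate_filter(insns, len, &data);
}

/* Install the same filter on the calling thread; this cannot be undone. */
static int install_filter(void) {
    struct sock_filter insns[MAX_INSNS];
    struct sock_fprog prog;
    prog.len = (unsigned short)build_filter(insns);
    prog.filter = insns;
    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    if (install_filter() != 0) return 1;
    static const char ok[] = "write() allowed\n";
    write(STDOUT_FILENO, ok, sizeof ok - 1);
    /* getpid is not on the list: it now fails with EPERM rather than killing the process. */
    if (syscall(SYS_getpid) == -1 && errno == EPERM) {
        static const char denied[] = "getpid() denied with EPERM\n";
        write(STDOUT_FILENO, denied, sizeof denied - 1);
    }
    _exit(0); /* exit_group is allowed; plain exit() may issue syscalls the filter blocks */
}
```

The offline evaluator is the defender's check: run decision_for over the syscalls a worker is expected to make before shipping the policy, since a missing entry surfaces as an EPERM (or, with a KILL action, a dead process) only at runtime. The arch check comes first for the same reason the real sandbox does it: syscall numbers differ between ABIs, so an allow-list is only meaningful for the architecture it was written against.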

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.