commit | bcd054640db354f9e6e11782b587789c3efd641a | [log] [tgz] |
---|---|---|
author | Andres Calderon Jaramillo <andrescj@chromium.org> | Thu Dec 09 03:32:26 2021 |
committer | Copybara-Service <copybara-worker@google.com> | Thu Dec 09 03:54:43 2021 |
tree | 96f09f6df83c12ab9afb0d8c65cb8d3de70527e6 | |
parent | 4897fdd01bad6c604466f1b6ef36ffef62aa004d [diff] |
Create a sandbox type for hardware video decoding. This CL adds the kHardwareVideoDecoding sandbox type that's intended to be used to protect utility processes that perform hardware video decode acceleration on behalf of an untrusted client. For now, this new type translates to the GPU process sandbox policy. However, in the future, we will create our own tighter policy. The pre-sandbox hook is adapted from GpuProcessPreSandboxHook() [1] and ContentSandboxHelper::PreSandboxStartup() [2]. [1] https://source.chromium.org/chromium/chromium/src/+/main:content/gpu/gpu_sandbox_hook_linux.cc;l=546;drc=6a5249030cf1ae0f4ed3c460d8c338beba3677bd [2] https://source.chromium.org/chromium/chromium/src/+/main:content/gpu/gpu_main.cc;l=144;drc=fbeeb1c228427bcc94d22747210309b99f88c0b1 Bug: b:195769334 Test: None Change-Id: If021109095d83f553a8ae1419d542e586708483e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3280671 Reviewed-by: Alex Gough <ajgo@chromium.org> Reviewed-by: Matthew Denton <mpdenton@chromium.org> Reviewed-by: Dan Sanders <sandersd@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Reviewed-by: Miguel Casas-Sanchez <mcasas@chromium.org> Commit-Queue: Andres Calderon Jaramillo <andrescj@chromium.org> Cr-Commit-Position: refs/heads/main@{#949917} NOKEYCHECK=True GitOrigin-RevId: da864bcdb78ea25acc9365c9222fc1a9d57f5eaf
This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.
Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:
mac/
uses the Seatbelt sandbox. See the detailed design for more.linux/
uses namespaces and Seccomp-BPF. See the detailed design for more.win/
uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.Built on top of the low-level sandboxing library is the //sandbox/policy
component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.