Google Git
Sign in
chromium / chromium / src / sandbox / eb8856d6eeacbc5d9dcd1f102768633ff4fd6d8e
commiteb8856d6eeacbc5d9dcd1f102768633ff4fd6d8e[log] [tgz]
authorAlex Gough <ajgo@chromium.org>Tue Dec 21 11:08:31 2021
committerCopybara-Service <copybara-worker@google.com>Tue Dec 21 11:23:18 2021
tree0a61e596fbc095638ab7081250ed66fca93230e1
parentc716bb834497792bff638ac9ddf3ade0f0aee032 [diff]
Create kServiceWithJit sandbox type

This creates a utility sandbox that locks down as much as possible but
does allow dynamic code execution from within the sandbox. Its initial
purpose will be to host the AuctionWorkletService which runs web
supplied javascript and wasm but otherwise does not need access to
system resources.

Bug: 1272034
Tests: content_browsertests
Change-Id: I0cb626008b9662a8696a6fcf5b837f1c47d4b2fa
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3331179
Reviewed-by: Wez <wez@chromium.org>
Reviewed-by: Maks Orlovich <morlovich@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#953168}
NOKEYCHECK=True
GitOrigin-RevId: 7242135038466f907211a7b943ba8d697a335fd4
9 files changed
tree: 0a61e596fbc095638ab7081250ed66fca93230e1
  1. linux/
  2. mac/
  3. policy/
  4. win/
  5. BUILD.gn
  6. COMMON_METADATA
  7. constants.h
  8. DEPS
  9. DIR_METADATA
  10. features.gni
  11. ipc.dict
  12. OWNERS
  13. README.md
  14. sandbox_export.h
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.