Create kServiceWithJit sandbox type

This creates a utility sandbox that locks down as much as possible but
does allow dynamic code execution from within the sandbox. Its initial
purpose will be to host the AuctionWorkletService, which runs web-supplied
JavaScript and WebAssembly but otherwise does not need access to
system resources.

Bug: 1272034
Tests: content_browsertests
Change-Id: I0cb626008b9662a8696a6fcf5b837f1c47d4b2fa
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3331179
Reviewed-by: Wez <wez@chromium.org>
Reviewed-by: Maks Orlovich <morlovich@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#953168}
NOKEYCHECK=True
GitOrigin-RevId: 7242135038466f907211a7b943ba8d697a335fd4
diff --git a/policy/fuchsia/sandbox_policy_fuchsia.cc b/policy/fuchsia/sandbox_policy_fuchsia.cc
index b511e3c..93a4553 100644
--- a/policy/fuchsia/sandbox_policy_fuchsia.cc
+++ b/policy/fuchsia/sandbox_policy_fuchsia.cc
@@ -109,6 +109,11 @@
     0,
 };
 
+constexpr SandboxConfig kServiceWithJitConfig = {
+    base::span<const char* const>(),
+    kAmbientMarkVmoAsExecutable,
+};
+
 // No-access-to-anything.
 constexpr SandboxConfig kEmptySandboxConfig = {
     base::span<const char* const>(),
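Review bot: kServiceWithJitConfig is the only config in this hunk without an explanatory comment, while the neighbouring kEmptySandboxConfig carries `// No-access-to-anything.`; the empty span plus kAmbientMarkVmoAsExecutable is exactly the combination a reader will want spelled out, since it is the one flag that distinguishes this type from the empty sandbox. A one-line comment above the definition, e.g. `// Computation-only services that run dynamic code (v8/wasm): no paths or services are exposed, but VMOs may be marked executable.`, would make the intent explicit and match the style of the surrounding configs.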
@@ -127,6 +132,8 @@
       return &kRendererConfig;
     case sandbox::mojom::Sandbox::kVideoCapture:
       return &kVideoCaptureConfig;
+    case sandbox::mojom::Sandbox::kServiceWithJit:
+      return &kServiceWithJitConfig;
     // Remaining types receive no-access-to-anything.
     case sandbox::mojom::Sandbox::kAudio:
     case sandbox::mojom::Sandbox::kCdm:
diff --git a/policy/linux/sandbox_seccomp_bpf_linux.cc b/policy/linux/sandbox_seccomp_bpf_linux.cc
index 75ffefc..62c4551 100644
--- a/policy/linux/sandbox_seccomp_bpf_linux.cc
+++ b/policy/linux/sandbox_seccomp_bpf_linux.cc
@@ -186,6 +186,8 @@
       return std::make_unique<AudioProcessPolicy>();
     case sandbox::mojom::Sandbox::kService:
       return std::make_unique<ServiceProcessPolicy>();
+    case sandbox::mojom::Sandbox::kServiceWithJit:
+      return std::make_unique<ServiceProcessPolicy>();
     case sandbox::mojom::Sandbox::kSpeechRecognition:
       return std::make_unique<SpeechRecognitionProcessPolicy>();
 #if BUILDFLAG(IS_CHROMEOS_ASH)
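Review bot: kServiceWithJit is mapped to the same ServiceProcessPolicy as kService, so at the seccomp-bpf level the two types are indistinguishable on Linux; whether ServiceProcessPolicy permits the executable mappings a JIT depends on is not visible in this hunk, and nothing here records that the aliasing is deliberate. A later tightening of ServiceProcessPolicy would then silently break the JIT type while the mojom comment still promises dynamic-code support. Suggest a comment on the new case, e.g. `// Shares the service policy for now; it must keep allowing the executable mappings that dynamic code (v8/wasm) requires.`, and the same applies to the kService/kServiceWithJit grouping in this file's second hunk (the -259 hunk). The enclosing function starts and ends outside the hunk.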
@@ -259,6 +261,7 @@
 #endif  // BUILDFLAG(IS_CHROMEOS_ASH)
     case sandbox::mojom::Sandbox::kAudio:
     case sandbox::mojom::Sandbox::kService:
+    case sandbox::mojom::Sandbox::kServiceWithJit:
     case sandbox::mojom::Sandbox::kSpeechRecognition:
     case sandbox::mojom::Sandbox::kNetwork:
 #if BUILDFLAG(ENABLE_OOP_PRINTING)
diff --git a/policy/mac/sandbox_mac.mm b/policy/mac/sandbox_mac.mm
index 248f571..34f8b00 100644
--- a/policy/mac/sandbox_mac.mm
+++ b/policy/mac/sandbox_mac.mm
@@ -85,6 +85,7 @@
       break;
     // kService and kUtility are the same on OS_MAC, so fallthrough.
     case sandbox::mojom::Sandbox::kService:
+    case sandbox::mojom::Sandbox::kServiceWithJit:
     case sandbox::mojom::Sandbox::kUtility:
       profile += kSeatbeltPolicyString_utility;
       break;
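Review bot: The context comment `// kService and kUtility are the same on OS_MAC, so fallthrough.` at the top of the hunk is now stale, because the added kServiceWithJit case also falls through to kSeatbeltPolicyString_utility. Updating it to `// kService, kServiceWithJit and kUtility are the same on OS_MAC, so fallthrough.` keeps the comment truthful and documents that on Mac the JIT type receives exactly the utility profile, with no additional restriction. The enclosing switch starts outside the hunk.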
diff --git a/policy/mojom/sandbox.mojom b/policy/mojom/sandbox.mojom
index 6ee006b..916ead9 100644
--- a/policy/mojom/sandbox.mojom
+++ b/policy/mojom/sandbox.mojom
@@ -16,6 +16,11 @@
   // if possible.
   kService,
 
+  // |kServiceWithJit| hosts computation only services that make use of
+  // dynamic code (e.g. v8 or wasm) but do not need access to OS resources.
+  // Prefer |kService| if possible.
+  kServiceWithJit,
+
   // Hosts generic utilities with limited access to system services.
   // On some platforms, may be slightly less locked down than |kService|.
   // For instance, it allows dynamic code and wider access to APIs on Windows.
diff --git a/policy/sandbox_type.cc b/policy/sandbox_type.cc
index 2a5385d..3c517f9 100644
--- a/policy/sandbox_type.cc
+++ b/policy/sandbox_type.cc
@@ -47,6 +47,7 @@
       return false;
     case Sandbox::kRenderer:
     case Sandbox::kService:
+    case Sandbox::kServiceWithJit:
     case Sandbox::kUtility:
     case Sandbox::kGpu:
 #if BUILDFLAG(ENABLE_PLUGINS)
@@ -112,6 +113,7 @@
       break;
 #endif
     case Sandbox::kService:
+    case Sandbox::kServiceWithJit:
     case Sandbox::kUtility:
     case Sandbox::kNetwork:
     case Sandbox::kCdm:
@@ -254,6 +256,8 @@
 #endif
     case Sandbox::kService:
       return switches::kServiceSandbox;
+    case Sandbox::kServiceWithJit:
+      return switches::kServiceSandboxWithJit;
     case Sandbox::kSpeechRecognition:
       return switches::kSpeechRecognitionSandbox;
 #if defined(OS_WIN)
@@ -308,6 +312,8 @@
     return Sandbox::kUtility;
   if (sandbox_string == switches::kServiceSandbox)
     return Sandbox::kService;
+  if (sandbox_string == switches::kServiceSandboxWithJit)
+    return Sandbox::kServiceWithJit;
 
   if (sandbox_string == switches::kNoneSandbox)
     return Sandbox::kNoSandbox;
diff --git a/policy/sandbox_type_unittest.cc b/policy/sandbox_type_unittest.cc
index 83da610..8f8a5a3 100644
--- a/policy/sandbox_type_unittest.cc
+++ b/policy/sandbox_type_unittest.cc
@@ -115,6 +115,11 @@
                                    switches::kNoneSandbox);
   EXPECT_EQ(Sandbox::kNoSandbox, SandboxTypeFromCommandLine(command_line14));
 
+  base::CommandLine command_line15(command_line);
+  SetCommandLineFlagsForSandboxType(&command_line15, Sandbox::kServiceWithJit);
+  EXPECT_EQ(Sandbox::kServiceWithJit,
+            SandboxTypeFromCommandLine(command_line15));
+
   command_line.AppendSwitch(switches::kNoSandbox);
   EXPECT_EQ(Sandbox::kNoSandbox, SandboxTypeFromCommandLine(command_line));
 }
diff --git a/policy/switches.cc b/policy/switches.cc
index c7fa011..2064e21 100644
--- a/policy/switches.cc
+++ b/policy/switches.cc
@@ -35,6 +35,7 @@
 const char kPrintCompositorSandbox[] = "print_compositor";
 const char kAudioSandbox[] = "audio";
 const char kServiceSandbox[] = "service";
+const char kServiceSandboxWithJit[] = "service_with_jit";
 const char kSpeechRecognitionSandbox[] = "speech_recognition";
 const char kVideoCaptureSandbox[] = "video_capture";
 
diff --git a/policy/switches.h b/policy/switches.h
index 5a4cb0a..5b346a5 100644
--- a/policy/switches.h
+++ b/policy/switches.h
@@ -36,6 +36,7 @@
 SANDBOX_POLICY_EXPORT extern const char kPrintCompositorSandbox[];
 SANDBOX_POLICY_EXPORT extern const char kAudioSandbox[];
 SANDBOX_POLICY_EXPORT extern const char kServiceSandbox[];
+SANDBOX_POLICY_EXPORT extern const char kServiceSandboxWithJit[];
 SANDBOX_POLICY_EXPORT extern const char kSpeechRecognitionSandbox[];
 SANDBOX_POLICY_EXPORT extern const char kVideoCaptureSandbox[];
 
diff --git a/policy/win/sandbox_win.cc b/policy/win/sandbox_win.cc
index 29a7c45..197e66e 100644
--- a/policy/win/sandbox_win.cc
+++ b/policy/win/sandbox_win.cc
@@ -1266,6 +1266,8 @@
       return "Media Foundation CDM";
     case Sandbox::kService:
       return "Service";
+    case Sandbox::kServiceWithJit:
+      return "Service With Jit";
     case Sandbox::kIconReader:
       return "Icon Reader";
     case Sandbox::kWindowsSystemProxyResolver:
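Review bot: Only the human-readable name `"Service With Jit"` is added for Windows in this hunk; the policy branch that would exempt kServiceWithJit from the dynamic-code mitigation that the mojom comment implies kService carries on Windows (it says kUtility "allows dynamic code" there, kService does not) is not visible in this diff. If that handling lives elsewhere in sandbox_win.cc it is fine, but if the type is not matched in the policy-setup switch it would presumably inherit whatever the default branch applies, and the JIT-hosting service would fail at runtime rather than at review time. A short comment on the new case pointing to where the Windows policy for this type is configured would make the dependency checkable. The enclosing function starts and ends outside the hunk.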