sandboxing.md: Document daemon store mounts

Documents a new way to set up Cryptohome daemon store folders, so that
the Cryptohome mount event propagates into mount namespaces. This allows
daemons that run inside a mount namespace to securely use per-user
daemon storage ('user' in the sense of Chrome OS user account, not Linux
user).

CQ-DEPEND=CL:1127665
BUG=chromium:738433
TEST=Viewed in VSCode built-in MD viewer

Change-Id: I16563f298bd427e0c6fa4d531669b26f3f964396
Reviewed-on: https://chromium-review.googlesource.com/1136440
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
2 files changed
tree: 4cee46683a5b85b70e8af8442c0d38b66578e360
  1. COMMIT-QUEUE.ini
  2. PRESUBMIT.cfg
  3. README.md
  4. ca_certs.md
  5. chrome_commit_pipeline.md
  6. containers_and_vms.md
  7. cros_commit_pipeline.md
  8. cros_vm.md
  9. dbus_best_practices.md
  10. dbus_in_chrome.md
  11. developer_guide.md
  12. development_basics.md
  13. fuzzing.md
  14. images/
  15. navbar.md
  16. platform2_gn.md
  17. reporting_bugs.md
  18. rust_on_cros.md
  19. sandboxing.md
  20. scripts/
  21. security_review_howto.md
  22. security_severity_guidelines.md
  23. simple_chrome_workflow.md
  24. unit_tests.md
README.md

Chromium OS docs

This directory contains public Chromium OS project documentation that is automatically rendered by Gitiles. The docs are written in Gitiles-flavored Markdown.

General guidelines

See the Chromium documentation guidelines and Chromium documentation best practices.

Style guide

Markdown documents must follow the style guide.

Making changes

This repository is managed by the repo tool, so you can make changes to it using the same techniques that you'd use for any other repository in the project. Feel free to bypass the commit queue and commit changes immediately after they are reviewed.

Making changes without repo

You can also make changes to this repository without using the repo tool. This comes in handy when you don't have a Chromium OS checkout:

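git clone https://chromium.googlesource.com/chromiumos/docs
# enter the clone first so the hook lands in its .git/hooks directory
cd docs
# install Gerrit's commit-msg hook, which adds the Change-Id footer
curl -Lo .git/hooks/commit-msg https://gerrit-review.googlesource.com/tools/hooks/commit-msg
chmod +x .git/hooks/commit-msg
git checkout -b changes
# (make some changes)
git commit -a
# upload the commit to Gerrit for review
git push origin HEAD:refs/for/master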

The above steps upload a patch to chromium-review.googlesource.com, where you can get it reviewed and then submit it.

Previewing changes

You can preview your local changes using scripts/preview_docs:

scripts/preview_docs README.md

You can also use md_browser, which is entirely local and does not require refs/sandbox/ push permission, but has somewhat inaccurate rendering:

# at top of Chromium OS checkout
./chromium/src/tools/md_browser/md_browser.py -d docs

Then browse to e.g. http://localhost:8080/README.md.

To review someone else's changes, apply them locally first, or just click the Gitiles link near the top of a Gerrit file diff page.