chromium/src
0
Fork 0
Code Activity
Files
24cc0dfd28ffe2786311680d4ae597a835b39118
src/sandbox
History
Liza Burakova 198b80a354 Allow Android to use RendererProcessPolicy. 
This change sets up the sandbox to build RendererProcessPolicy and
BPFBasePolicy on Android. BPFBasePolicy now also creates a
BaselinePolicyAndroid on Android builds.

The renderer main platform delegate now checks if it's in a renderer
process and sets the RendererProcessPolicy if it is. There are no changes to the seccomp policy on other processes.

The seccomp policy itself is becoming slightly more permissive on Android as there are some syscalls allowed in RendererProcessPolicy that are currently not allowed on BaselinePolicyAndroid (setrlimit, sched_get_priority_max, sched_get_priority_min, times, uname). This change is guarded behind a feature flag so future CLs can properly clean up all the allowed syscalls, as well as determine which syscalls in AndroidBaselinePolicy can now be blocked as they're only needed by the renderer.

Bug: 739879
Change-Id: I01f51d9dc947467d0a1f5b00a4b91625f246a61e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4902220
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Commit-Queue: Liza Burakova <liza@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1205405}
2023-10-04 19:51:56 +00:00
..
linux
Ban raw_ptr<T>::operator[] under enable_pointer_arithmetic_trait_check.
2023-09-19 00:10:00 +00:00
mac
Make Mac sandbox initialization errors available to crash dumps
2023-10-02 22:33:48 +00:00
policy
Allow Android to use RendererProcessPolicy.
2023-10-04 19:51:56 +00:00
win
Consume Windows FSCTL mitigation in sandboxed processes
2023-09-22 20:05:39 +00:00
BUILD.gn
COMMON_METADATA
constants.h
DEPS
DIR_METADATA
features.cc
features.gni
features.h
OWNERS
README.md
sandbox_export.h

README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.