chromium/src
0
Fork 0
Code Activity
Files
6ed110fb2ef6940e4ec68fe6158d4d08c3521399
src/sandbox
History
Sylvain Defresne 0e80bba731 Explicit use of deprecated global sources assignment filter 
Change all files that depends on the existence of the deprecated
global sources assignment filter to explicitly configure it by
importing the deprecated_default_sources_assignment_filter.gni
and calling set_sources_assignment_filter().

This is a preliminary step before removing the global assignment
in //build/config/BUILDCONFIG.gn and incremental migration of
those files from the deprecated feature.

To verify, used a patched version of gn:
https://gn-review.googlesource.com/c/gn/+/6401
And then ran:

    gn gen out/xxx | grep Filtering: | sort

with and without the patch for all configuration
(cross-compiling Windows on Linux).

This is a followup of https://crrev.com/c/2418443 that missed
some of the usages (as not all configuration were tested).

TBR=jochen

Bug: 1018739
Change-Id: I76d38ec4e3720d36de30bb7921148ca76b3d4d01
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2428894
Reviewed-by: Nico Weber <thakis@chromium.org>
Commit-Queue: Nico Weber <thakis@chromium.org>
Commit-Queue: Sylvain Defresne <sdefresne@chromium.org>
Auto-Submit: Sylvain Defresne <sdefresne@chromium.org>
Cr-Commit-Position: refs/heads/master@{#810362}
2020-09-25 00:08:07 +00:00
..
linux
Explicit use of deprecated global sources assignment filter
2020-09-25 00:08:07 +00:00
mac
mac: Disable CoreServices _CSCheckFix.
2020-09-10 18:38:32 +00:00
policy
Linux sandbox: Add BrokerType and ForkSignalBasedBroker()
2020-09-22 20:45:30 +00:00
win
Fix UAF and reenable test
2020-09-24 15:34:47 +00:00
BUILD.gn
Rewrite is_linux flag for sandbox, servicse, ski and testing directories.
2020-07-30 19:27:03 +00:00
constants.h
DEPS
Move //services/service_manager/sandbox to //sandbox/policy.
2020-07-08 18:31:27 +00:00
features.gni
Rewrite is_linux flag for sandbox, servicse, ski and testing directories.
2020-07-30 19:27:03 +00:00
ipc.dict
OWNERS
README.md
Move //services/service_manager/sandbox to //sandbox/policy.
2020-07-08 18:31:27 +00:00
sandbox_export.h

README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.