src/sandbox
Ben Scarlato 5ece30c7b7 Add ability to apply Landlock to the GPU process
This feature is disabled by default and is primarily intended for use
with Desktop Android.

Adding Landlock is meant to provide a way for the Chrome app to provide
sandboxing around the GPU process that’s close in strength to desktop
platforms.

It looks like the ideal way to test this would be expanding the tests in
`content/test/gpu/gpu_tests/`, but since this is disabled by default,
and CQ bots aren’t guaranteed to support Landlock, leaving that change
for a separate CL.

Bug: 404867540
Test: Chrome launches on Desktop Android device with Landlock enabled.
Test: chrome://gpu shows the same Feature Status with Landlock enforced
Change-Id: I2d8457e2e473805a3307eada0d782a0da7dfbce2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6476512
Commit-Queue: Ben Scarlato <akhna@google.com>
Auto-Submit: Ben Scarlato <akhna@google.com>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1458373}
2025-05-09 15:13:20 -07:00

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.