24d736b1dd
The browser process collects the Mach task port of its child processes in order to monitor resource usage metrics and to manipulate the tasks using Mach APIs. Starting in macOS 12.3, task ports can sometimes become immovable, resulting in an EXC_GUARD crash when they are sent over mach_msg(). This CL adds crash keys to help identify a set of signals that can be used to determine if task ports are immovable and may result in crashes. In the future, these signals can be used to avoid requesting task ports from child processes. Bug: 1291789 Change-Id: Id13963a32ae6865efa3a4e32ac603f2a2bd7ae55 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3689036 Reviewed-by: Avi Drissman <avi@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Reviewed-by: Mark Mentovai <mark@chromium.org> Cr-Commit-Position: refs/heads/main@{#1011592}
Sandbox Library
This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.
Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:
mac/uses the Seatbelt sandbox. See the detailed design for more.linux/uses namespaces and Seccomp-BPF. See the detailed design for more.win/uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.
Built on top of the low-level sandboxing library is the
//sandbox/policy component, which provides concrete
policies and helper utilities for sandboxing specific Chromium processes and
services. The core sandbox library cannot depend on the policy component.