chromium/src
0
Fork 0
Code Activity
Files
ca35ab2022b017562b9ad3d12fea3f149d18cf87
src/sandbox
History
Dirk Pranke ca35ab2022 Change actions to python2_actions as needed. 
As a prelude to starting to move the build fully over to
Python 3, this CL changes all of the GN `action` and
`action_foreach` targets that appear to require Python 2
over to `python2_action` and `python2_action_foreach`.

This CL by itself should produce no functional change since
we'll still be using Python 2 by default, and the new templates
are passthroughs in that config.

To start using Python3, you can run
`gn gen --script-executable=python3 //out/Default` on Unix; on
Python3 you need to point to an actual python3.exe and not
the python3.bat wrapper in depot_tools; once we can roll GN forward
to a version that contains
https://gn-review.googlesource.com/c/gn/+/10560 (which will hopefully
happen in the next day or two), that won't be necessary.

The Fuchsia build will not work until http://fxrev.dev/446479 lands
and is rolled in.

No-Presubmit: true
Bug: 1112471
AX-Relnotes: n/a
Change-Id: I891155502e0940a8075cf26d675f54b803d91242
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2510878
Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Bruce Dawson <brucedawson@chromium.org>
Reviewed-by: Mark Mentovai <mark@chromium.org>
Reviewed-by: Andrew Grieve <agrieve@chromium.org>
Commit-Queue: Dirk Pranke <dpranke@google.com>
Cr-Commit-Position: refs/heads/master@{#824216}
2020-11-04 23:56:53 +00:00
..
linux
Add DIR_METADATA files to //sandbox
2020-10-08 22:35:31 +00:00
mac
Add DIR_METADATA files to //sandbox
2020-10-08 22:35:31 +00:00
policy
Change actions to python2_actions as needed.
2020-11-04 23:56:53 +00:00
win
Reland "Reland "Only pass executable sections to OnDllLoaded for patching""
2020-11-04 23:39:34 +00:00
BUILD.gn
build: Remove a few more now-no-op set_sources_assignment_filter calls
2020-10-02 00:00:04 +00:00
constants.h
DEPS
Move //services/service_manager/sandbox to //sandbox/policy.
2020-07-08 18:31:27 +00:00
DIR_METADATA
Add DIR_METADATA files to //sandbox
2020-10-08 22:35:31 +00:00
features.gni
Rewrite is_linux flag for sandbox, servicse, ski and testing directories.
2020-07-30 19:27:03 +00:00
ipc.dict
OWNERS
Add DIR_METADATA files to //sandbox
2020-10-08 22:35:31 +00:00
README.md
Move //services/service_manager/sandbox to //sandbox/policy.
2020-07-08 18:31:27 +00:00
sandbox_export.h

README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.