OLD | NEW |
---|---|
1 # Linux `SUID` Sandbox | 1 # Linux `SUID` Sandbox |
2 | 2 |
3 With [r20110](https://crrev.com/20110), Chromium on Linux can now sandbox its | 3 With [r20110](https://crrev.com/20110), Chromium on Linux can now sandbox its |
4 renderers using a `SUID` helper binary. This is one of | 4 renderers using a `SUID` helper binary. This is one of |
5 [our layer-1 sandboxing solutions](linux_sandboxing.md). | 5 [our layer-1 sandboxing solutions](linux_sandboxing.md). |
6 | 6 |
7 ## `SUID` helper executable | 7 ## `SUID` helper executable |
8 | 8 |
9 *TODO This section seems to be out-of-date as `linux_sandbox_path` does not | |
10 exist in the build. Please fix if you know about this!* | |
Dirk Pranke
2016/04/11 21:51:07
The setuid sandbox is almost, but not completely g
| |
11 | |
9 The `SUID` helper binary is called `chrome_sandbox` and you must build it | 12 The `SUID` helper binary is called `chrome_sandbox` and you must build it |
10 separately from the main 'chrome' target. To use this sandbox, you have to | 13 separately from the main 'chrome' target. To use this sandbox, you have to |
11 specify its path in the `linux_sandbox_path` GYP variable. When spawning the | 14 specify its path in the `linux_sandbox_path` GYP variable. When spawning the |
12 [zygote process](linux_zygote.md), if the `SUID` sandbox is enabled, Chromium | 15 [zygote process](linux_zygote.md), if the `SUID` sandbox is enabled, Chromium |
13 will check for the sandbox binary at the location specified by | 16 will check for the sandbox binary at the location specified by |
14 `linux_sandbox_path`. For Google Chrome, this is set to | 17 `linux_sandbox_path`. For Google Chrome, this is set to |
15 `/opt/google/chrome/chrome-sandbox`, and early version had this value hard coded | 18 `/opt/google/chrome/chrome-sandbox`, and early version had this value hard coded |
16 in `chrome/browser/zygote_host_linux.cc`. | 19 in `chrome/browser/zygote_host_linux.cc`. |
17 | 20 |
18 | 21 |
(...skipping 102 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
121 `/opt/google/chrome/chrome`. This string is hard coded | 124 `/opt/google/chrome/chrome`. This string is hard coded |
122 (`sandbox/linux/suid/sandbox.cc`). If your package is going to place the | 125 (`sandbox/linux/suid/sandbox.cc`). If your package is going to place the |
123 Chromium binary somewhere else you need to modify this string. | 126 Chromium binary somewhere else you need to modify this string. |
124 | 127 |
125 ## See also | 128 ## See also |
126 | 129 |
127 * [LinuxSUIDSandboxDevelopment](linux_suid_sandbox_development.md) | 130 * [LinuxSUIDSandboxDevelopment](linux_suid_sandbox_development.md) |
128 * [LinuxSandboxing](linux_sandboxing.md) | 131 * [LinuxSandboxing](linux_sandboxing.md) |
129 * General information on Chromium sandboxing: | 132 * General information on Chromium sandboxing: |
130 http://dev.chromium.org/developers/design-documents/sandbox | 133 http://dev.chromium.org/developers/design-documents/sandbox |
OLD | NEW |