OLD | NEW |
1 # Linux Sandboxing | 1 # Linux Sandboxing |
2 | 2 |
3 Chromium uses a multiprocess model, which allows to give different privileges | 3 Chromium uses a multiprocess model, which allows to give different privileges |
4 and restrictions to different parts of the browser. For instance, we want | 4 and restrictions to different parts of the browser. For instance, we want |
5 renderers to run with a limited set of privileges since they process untrusted | 5 renderers to run with a limited set of privileges since they process untrusted |
6 input and are likely to be compromised. Renderers will use an IPC mechanism to | 6 input and are likely to be compromised. Renderers will use an IPC mechanism to |
7 request access to resource from a more privileged (browser process). | 7 request access to resource from a more privileged (browser process). |
8 You can find more about this general design | 8 You can find more about this general design |
9 [here](http://dev.chromium.org/developers/design-documents/sandbox). | 9 [here](https://dev.chromium.org/developers/design-documents/sandbox). |
10 | 10 |
11 We use different sandboxing techniques on Linux and Chrome OS, in combination, | 11 We use different sandboxing techniques on Linux and Chrome OS, in combination, |
12 to achieve a good level of sandboxing. You can see which sandboxes are currently | 12 to achieve a good level of sandboxing. You can see which sandboxes are currently |
13 engaged by looking at chrome://sandbox (renderer processes) and chrome://gpu | 13 engaged by looking at chrome://sandbox (renderer processes) and chrome://gpu |
14 (gpu process). | 14 (gpu process). |
15 | 15 |
16 We have a two layers approach: | 16 We have a two layers approach: |
17 | 17 |
18 * Layer-1 (also called the "semantics" layer) prevents access to most | 18 * Layer-1 (also called the "semantics" layer) prevents access to most |
19 resources from a process where it's engaged. The setuid sandbox is used for | 19 resources from a process where it's engaged. The setuid sandbox is used for |
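Review bot: the unchanged context around this link change still carries two wording defects worth fixing in the same CL, since the file is being edited anyway: "which allows to give different privileges" should read "which allows giving different privileges", and "request access to resource from a more privileged (browser process)" has a misplaced parenthesis and should read "request access to resources from a more privileged process (the browser process)". The http to https change for the dev.chromium.org link itself is correct.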
(...skipping 14 matching lines...)
34 using `open()` on `/proc` entries. | 34 using `open()` on `/proc` entries. |
35 | 35 |
36 Our layer-1 guarantees the integrity of processes running under different | 36 Our layer-1 guarantees the integrity of processes running under different |
37 `seccomp-bpf` policies. In addition, it allows restricting access to the | 37 `seccomp-bpf` policies. In addition, it allows restricting access to the |
38 network, something that is difficult to perform at the layer-2. | 38 network, something that is difficult to perform at the layer-2. |
39 | 39 |
40 ## Sandbox types summary | 40 ## Sandbox types summary |
41 | 41 |
42 | **Name** | **Layer and process** | **Linux flavors where available** | **State
** | | 42 | **Name** | **Layer and process** | **Linux flavors where available** | **State
** | |
43 |:---------|:----------------------|:----------------------------------|:-------
---| | 43 |:---------|:----------------------|:----------------------------------|:-------
---| |
44 | [Setuid sandbox](#The_setuid_sandbox.md) | Layer-1 in Zygote processes (render
ers, PPAPI, [NaCl](http://www.chromium.org/nativeclient), some utility processes
) | Linux distributions and Chrome OS | Enabled by default (old kernels) and mai
ntained | | 44 | [Setuid sandbox](#The_setuid_sandbox.md) | Layer-1 in Zygote processes (render
ers, PPAPI, [NaCl](https://www.chromium.org/nativeclient), some utility processe
s) | Linux distributions and Chrome OS | Enabled by default (old kernels) and ma
intained | |
45 | [User namespaces sandbox](#User_namespaces_sandbox.md) | Modern alternative to
the setuid sandbox. Layer-1 in Zygote processes (renderers, PPAPI, [NaCl](http:
//www.chromium.org/nativeclient), some utility processes) | Linux distributions
and Chrome OS (kernel >= 3.8) | Enabled by default (modern kernels) and actively
developed | | 45 | [User namespaces sandbox](#User_namespaces_sandbox.md) | Modern alternative to
the setuid sandbox. Layer-1 in Zygote processes (renderers, PPAPI, [NaCl](https
://www.chromium.org/nativeclient), some utility processes) | Linux distributions
and Chrome OS (kernel >= 3.8) | Enabled by default (modern kernels) and activel
y developed | |
46 | [Seccomp-BPF](#The_seccomp-bpf_sandbox.md) | Layer-2 in some Zygote processes
(renderers, PPAPI, [NaCl](http://www.chromium.org/nativeclient)), Layer-1 + Laye
r-2 in GPU process | Linux kernel >= 3.5, Chrome OS and Ubuntu | Enabled by defa
ult and actively developed | | 46 | [Seccomp-BPF](#The_seccomp-bpf_sandbox.md) | Layer-2 in some Zygote processes
(renderers, PPAPI, [NaCl](https://www.chromium.org/nativeclient)), Layer-1 + Lay
er-2 in GPU process | Linux kernel >= 3.5, Chrome OS and Ubuntu | Enabled by def
ault and actively developed | |
47 | [Seccomp-legacy](#The_seccomp_sandbox.md) | Layer-2 in renderers | All
| [Deprecated](https://src.chromium.org/viewvc/chrome?re
vision=197301&view=revision) | | 47 | [Seccomp-legacy](#The_seccomp_sandbox.md) | Layer-2 in renderers | All
| [Deprecated](https://src.chromium.org/viewvc/chrome?re
vision=197301&view=revision) | |
48 | [SELinux](#SELinux.md) | Layer-1 in Zygote processes (renderers, PPAPI) | SELi
nux distributions | [Deprecated](https://src.chromium.org/viewvc/chr
ome?revision=200838&view=revision) | | 48 | [SELinux](#SELinux.md) | Layer-1 in Zygote processes (renderers, PPAPI) | SELi
nux distributions | [Deprecated](https://src.chromium.org/viewvc/chr
ome?revision=200838&view=revision) | |
49 | AppArmor | Outer layer-1 in Zygote processes (renderers, PPAPI) | Not used
| Deprecated | | 49 | AppArmor | Outer layer-1 in Zygote processes (renderers, PPAPI) | Not used
| Deprecated | |
50 | 50 |
51 ## The setuid sandbox | 51 ## The setuid sandbox |
52 | 52 |
53 Also called SUID sandbox, our main layer-1 sandbox. | 53 Also called SUID sandbox, our main layer-1 sandbox. |
54 | 54 |
55 A SUID binary that will create a new network and PID namespace, as well as | 55 A SUID binary that will create a new network and PID namespace, as well as |
56 `chroot()` the process to an empty directory on request. | 56 `chroot()` the process to an empty directory on request. |
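Review bot: the in-page anchors in the Name column (`#The_setuid_sandbox.md`, `#User_namespaces_sandbox.md`, `#The_seccomp-bpf_sandbox.md`, `#The_seccomp_sandbox.md`, `#SELinux.md`) are wiki-era anchors that do not match the headings in this file; for example the heading `## The setuid sandbox` is anchored by Markdown renderers as `#the-setuid-sandbox`, so these links will not resolve. Since this CL already rewrites these table rows for the https change, consider fixing the anchors in the same pass. The www.chromium.org links switched to https in the Setuid, User namespaces and Seccomp-BPF rows look correct, and the two src.chromium.org deprecation links were already https.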
(...skipping 67 matching lines...)
124 [Deprecated](https://src.chromium.org/viewvc/chrome?revision=200838&view=revisio
n). | 124 [Deprecated](https://src.chromium.org/viewvc/chrome?revision=200838&view=revisio
n). |
125 Was designed to be used instead of the SUID sandbox. | 125 Was designed to be used instead of the SUID sandbox. |
126 | 126 |
127 Old information for archival purposes: | 127 Old information for archival purposes: |
128 | 128 |
129 One can build Chromium with `selinux=1` and the Zygote (which starts the | 129 One can build Chromium with `selinux=1` and the Zygote (which starts the |
130 renderers and PPAPI processes) will do a dynamic transition. audit2allow will | 130 renderers and PPAPI processes) will do a dynamic transition. audit2allow will |
131 quickly build a usable module. | 131 quickly build a usable module. |
132 | 132 |
133 Available since | 133 Available since |
134 [r26257](http://src.chromium.org/viewvc/chrome?view=rev&revision=26257), | 134 [r26257](https://src.chromium.org/viewvc/chrome?view=rev&revision=26257), |
135 more information in | 135 more information in |
136 [this blog post](http://www.imperialviolet.org/2009/07/14/selinux.html) (grep | 136 [this blog post](http://www.imperialviolet.org/2009/07/14/selinux.html) (grep |
137 for 'dynamic' since dynamic transitions are a little obscure in SELinux) | 137 for 'dynamic' since dynamic transitions are a little obscure in SELinux) |
138 | 138 |
139 ## Developing and debugging with sandboxing | 139 ## Developing and debugging with sandboxing |
140 | 140 |
141 Sandboxing can make developing harder, see: | 141 Sandboxing can make developing harder, see: |
142 | 142 |
143 * [this page](linux_suid_sandbox_development.md) for the `setuid` sandbox | 143 * [this page](linux_suid_sandbox_development.md) for the `setuid` sandbox |
144 * [this page](http://www.chromium.org/for-testers/bug-reporting-guidelines/han
ging-tabs) | 144 * [this page](https://www.chromium.org/for-testers/bug-reporting-guidelines/ha
nging-tabs) |
145 for triggering crashes | 145 for triggering crashes |
146 * [this page for debugging tricks](linux_debugging.md) | 146 * [this page for debugging tricks](linux_debugging.md) |
147 | 147 |
148 ## See also | 148 ## See also |
149 | 149 |
150 * [LinuxSandboxIPC](linux_sandbox_ipc.md) | 150 * [LinuxSandboxIPC](linux_sandbox_ipc.md) |
151 * [How Chromium's Linux sandbox affects Native Client](https://chromium.google
source.com/native_client/src/native_client.git/+/master/docs/linux_outer_sandbox
.md) | 151 * [How Chromium's Linux sandbox affects Native Client](https://chromium.google
source.com/native_client/src/native_client.git/+/master/docs/linux_outer_sandbox
.md) |
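Review bot: the imperialviolet.org link in the SELinux section ("this blog post") is left on http while the src.chromium.org link two lines above it in the same paragraph is switched to https in this change; if that host serves https, update it as well, otherwise this section is only half converted. The www.chromium.org hanging-tabs link and the r26257 link changes are correct, and the relative links (`linux_suid_sandbox_development.md`, `linux_debugging.md`, `linux_sandbox_ipc.md`) are rightly untouched.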