Chromium Code Reviews

Side by Side Diff: docs/linux_sandboxing.md

Issue 2545363002: Use HTTPS links for Google domains in docs (Closed)
Patch Set: Modify two more files in subdirectories Created 4 years ago
1 # Linux Sandboxing 1 # Linux Sandboxing
2 2
3 Chromium uses a multiprocess model, which allows to give different privileges 3 Chromium uses a multiprocess model, which allows to give different privileges
4 and restrictions to different parts of the browser. For instance, we want 4 and restrictions to different parts of the browser. For instance, we want
5 renderers to run with a limited set of privileges since they process untrusted 5 renderers to run with a limited set of privileges since they process untrusted
6 input and are likely to be compromised. Renderers will use an IPC mechanism to 6 input and are likely to be compromised. Renderers will use an IPC mechanism to
7 request access to resource from a more privileged (browser process). 7 request access to resource from a more privileged (browser process).
8 You can find more about this general design 8 You can find more about this general design
9 [here](http://dev.chromium.org/developers/design-documents/sandbox). 9 [here](https://dev.chromium.org/developers/design-documents/sandbox).
10 10
11 We use different sandboxing techniques on Linux and Chrome OS, in combination, 11 We use different sandboxing techniques on Linux and Chrome OS, in combination,
12 to achieve a good level of sandboxing. You can see which sandboxes are currently 12 to achieve a good level of sandboxing. You can see which sandboxes are currently
13 engaged by looking at chrome://sandbox (renderer processes) and chrome://gpu 13 engaged by looking at chrome://sandbox (renderer processes) and chrome://gpu
14 (gpu process). 14 (gpu process).
15 15
16 We have a two layers approach: 16 We have a two layers approach:
17 17
18 * Layer-1 (also called the "semantics" layer) prevents access to most 18 * Layer-1 (also called the "semantics" layer) prevents access to most
19 resources from a process where it's engaged. The setuid sandbox is used for 19 resources from a process where it's engaged. The setuid sandbox is used for
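Review bot: style nit on lines 3 and 7 of this hunk, next to the link being changed on line 9: "which allows to give different privileges" (line 3) and "request access to resource from a more privileged (browser process)" (line 7) are both ungrammatical, the latter with a misplaced parenthesis. Since this paragraph is already in the diff, consider "which allows giving different privileges" and "request access to resources from the more privileged browser process". The http to https change on line 9 (dev.chromium.org) is within the CL's stated scope and looks correct.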
(...skipping 14 matching lines...)
34 using `open()` on `/proc` entries. 34 using `open()` on `/proc` entries.
35 35
36 Our layer-1 guarantees the integrity of processes running under different 36 Our layer-1 guarantees the integrity of processes running under different
37 `seccomp-bpf` policies. In addition, it allows restricting access to the 37 `seccomp-bpf` policies. In addition, it allows restricting access to the
38 network, something that is difficult to perform at the layer-2. 38 network, something that is difficult to perform at the layer-2.
39 39
40 ## Sandbox types summary 40 ## Sandbox types summary
41 41
42 | **Name** | **Layer and process** | **Linux flavors where available** | **State ** | 42 | **Name** | **Layer and process** | **Linux flavors where available** | **State ** |
43 |:---------|:----------------------|:----------------------------------|:------- ---| 43 |:---------|:----------------------|:----------------------------------|:------- ---|
44 | [Setuid sandbox](#The_setuid_sandbox.md) | Layer-1 in Zygote processes (render ers, PPAPI, [NaCl](http://www.chromium.org/nativeclient), some utility processes ) | Linux distributions and Chrome OS | Enabled by default (old kernels) and mai ntained | 44 | [Setuid sandbox](#The_setuid_sandbox.md) | Layer-1 in Zygote processes (render ers, PPAPI, [NaCl](https://www.chromium.org/nativeclient), some utility processe s) | Linux distributions and Chrome OS | Enabled by default (old kernels) and ma intained |
45 | [User namespaces sandbox](#User_namespaces_sandbox.md) | Modern alternative to the setuid sandbox. Layer-1 in Zygote processes (renderers, PPAPI, [NaCl](http: //www.chromium.org/nativeclient), some utility processes) | Linux distributions and Chrome OS (kernel >= 3.8) | Enabled by default (modern kernels) and actively developed | 45 | [User namespaces sandbox](#User_namespaces_sandbox.md) | Modern alternative to the setuid sandbox. Layer-1 in Zygote processes (renderers, PPAPI, [NaCl](https ://www.chromium.org/nativeclient), some utility processes) | Linux distributions and Chrome OS (kernel >= 3.8) | Enabled by default (modern kernels) and activel y developed |
46 | [Seccomp-BPF](#The_seccomp-bpf_sandbox.md) | Layer-2 in some Zygote processes (renderers, PPAPI, [NaCl](http://www.chromium.org/nativeclient)), Layer-1 + Laye r-2 in GPU process | Linux kernel >= 3.5, Chrome OS and Ubuntu | Enabled by defa ult and actively developed | 46 | [Seccomp-BPF](#The_seccomp-bpf_sandbox.md) | Layer-2 in some Zygote processes (renderers, PPAPI, [NaCl](https://www.chromium.org/nativeclient)), Layer-1 + Lay er-2 in GPU process | Linux kernel >= 3.5, Chrome OS and Ubuntu | Enabled by def ault and actively developed |
47 | [Seccomp-legacy](#The_seccomp_sandbox.md) | Layer-2 in renderers | All | [Deprecated](https://src.chromium.org/viewvc/chrome?re vision=197301&view=revision) | 47 | [Seccomp-legacy](#The_seccomp_sandbox.md) | Layer-2 in renderers | All | [Deprecated](https://src.chromium.org/viewvc/chrome?re vision=197301&view=revision) |
48 | [SELinux](#SELinux.md) | Layer-1 in Zygote processes (renderers, PPAPI) | SELi nux distributions | [Deprecated](https://src.chromium.org/viewvc/chr ome?revision=200838&view=revision) | 48 | [SELinux](#SELinux.md) | Layer-1 in Zygote processes (renderers, PPAPI) | SELi nux distributions | [Deprecated](https://src.chromium.org/viewvc/chr ome?revision=200838&view=revision) |
49 | AppArmor | Outer layer-1 in Zygote processes (renderers, PPAPI) | Not used | Deprecated | 49 | AppArmor | Outer layer-1 in Zygote processes (renderers, PPAPI) | Not used | Deprecated |
50 50
51 ## The setuid sandbox 51 ## The setuid sandbox
52 52
53 Also called SUID sandbox, our main layer-1 sandbox. 53 Also called SUID sandbox, our main layer-1 sandbox.
54 54
55 A SUID binary that will create a new network and PID namespace, as well as 55 A SUID binary that will create a new network and PID namespace, as well as
56 `chroot()` the process to an empty directory on request. 56 `chroot()` the process to an empty directory on request.
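Review bot: the header cell `**State **` on line 42 has a space before the closing `**`, so CommonMark-style renderers will not treat it as bold and the asterisks render literally; since rows 44-46 of this table are already being edited, consider fixing it to `**State**`. The three `www.chromium.org/nativeclient` links on lines 44-46 are all converted to https, and lines 47-48 already used https for src.chromium.org, so the table's links are consistent after this change.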
(...skipping 67 matching lines...)
124 [Deprecated](https://src.chromium.org/viewvc/chrome?revision=200838&view=revisio n). 124 [Deprecated](https://src.chromium.org/viewvc/chrome?revision=200838&view=revisio n).
125 Was designed to be used instead of the SUID sandbox. 125 Was designed to be used instead of the SUID sandbox.
126 126
127 Old information for archival purposes: 127 Old information for archival purposes:
128 128
129 One can build Chromium with `selinux=1` and the Zygote (which starts the 129 One can build Chromium with `selinux=1` and the Zygote (which starts the
130 renderers and PPAPI processes) will do a dynamic transition. audit2allow will 130 renderers and PPAPI processes) will do a dynamic transition. audit2allow will
131 quickly build a usable module. 131 quickly build a usable module.
132 132
133 Available since 133 Available since
134 [r26257](http://src.chromium.org/viewvc/chrome?view=rev&revision=26257), 134 [r26257](https://src.chromium.org/viewvc/chrome?view=rev&revision=26257),
135 more information in 135 more information in
136 [this blog post](http://www.imperialviolet.org/2009/07/14/selinux.html) (grep 136 [this blog post](http://www.imperialviolet.org/2009/07/14/selinux.html) (grep
137 for 'dynamic' since dynamic transitions are a little obscure in SELinux) 137 for 'dynamic' since dynamic transitions are a little obscure in SELinux)
138 138
139 ## Developing and debugging with sandboxing 139 ## Developing and debugging with sandboxing
140 140
141 Sandboxing can make developing harder, see: 141 Sandboxing can make developing harder, see:
142 142
143 * [this page](linux_suid_sandbox_development.md) for the `setuid` sandbox 143 * [this page](linux_suid_sandbox_development.md) for the `setuid` sandbox
144 * [this page](http://www.chromium.org/for-testers/bug-reporting-guidelines/han ging-tabs) 144 * [this page](https://www.chromium.org/for-testers/bug-reporting-guidelines/ha nging-tabs)
145 for triggering crashes 145 for triggering crashes
146 * [this page for debugging tricks](linux_debugging.md) 146 * [this page for debugging tricks](linux_debugging.md)
147 147
148 ## See also 148 ## See also
149 149
150 * [LinuxSandboxIPC](linux_sandbox_ipc.md) 150 * [LinuxSandboxIPC](linux_sandbox_ipc.md)
151 * [How Chromium's Linux sandbox affects Native Client](https://chromium.google source.com/native_client/src/native_client.git/+/master/docs/linux_outer_sandbox .md) 151 * [How Chromium's Linux sandbox affects Native Client](https://chromium.google source.com/native_client/src/native_client.git/+/master/docs/linux_outer_sandbox .md)
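Review bot: the `http://www.imperialviolet.org/2009/07/14/selinux.html` link on line 136 is left on plain http, which is consistent with the CL's stated scope (Google domains only) and should stay that way unless that host is confirmed to serve the page over HTTPS. Lines 134 (src.chromium.org) and 144 (www.chromium.org) are the only Google-domain links in this hunk and both are converted; line 151 already uses https for chromium.googlesource.com, so nothing is missed here.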
