Index: content/common/sandbox_linux/sandbox_linux.h |
diff --git a/content/common/sandbox_linux/sandbox_linux.h b/content/common/sandbox_linux/sandbox_linux.h |
index b3a0d6df94675e00a61f400db5d74e0e3472cf89..010c44a4bfb48612d352e1a0cde4a23feebaa31a 100644 |
--- a/content/common/sandbox_linux/sandbox_linux.h |
+++ b/content/common/sandbox_linux/sandbox_linux.h |
@@ -29,6 +29,14 @@ namespace content { |
// A singleton class to represent and change our sandboxing state for the |
// three main Linux sandboxes. |
+// The sandboxing model allows using two layers of sandboxing. The first layer |
+// can be implement either with unprivileged namespaces or with the setuid |
rickyz (no longer on Chrome)
2015/02/11 22:59:56
nit: implemented
jln (very slow on Chromium)
2015/02/11 23:13:06
Done.
|
+// sandbox. This class provides a way to engage the namespace sandbox, but does |
+// not deal with the legacy setuid sandbox directly. |
+// The second layer is mainly based on seccomp-bpf and is engaged with |
+// InitializeSandbox(). InitializeSandbox() is also responsible for "sealing" |
+// the first layer of sandboxing. That is, InitializeSandbox must always be |
+// called to have any meaningful sandboxing at all. |
class LinuxSandbox { |
public: |
// This is a list of sandbox IPC methods which the renderer may send to the |
@@ -58,14 +66,22 @@ class LinuxSandbox { |
// a fork(). |
void PreinitializeSandbox(); |
+ // Check that the current process is the init process of a new PID |
+ // namespace and then proceed to drop access to the file system by using |
+ // a new unprivileged namespace. This is a layer-1 sandbox. |
+ // This requires "sealing" the sandbox later to be effective by calling |
rickyz (no longer on Chrome)
2015/02/11 22:59:56
Maybe: In order for this sandbox to be effective,
jln (very slow on Chromium)
2015/02/11 23:13:06
Done.
|
+ // InitializeSandbox(). |
+ void EngageNamespaceSandbox(); |
+ |
// Return a list of file descriptors to close if PreinitializeSandbox() ran |
// but InitializeSandbox() won't. Avoid using. |
// TODO(jln): get rid of this hack. |
std::vector<int> GetFileDescriptorsToClose(); |
- // Initialize the sandbox with the given pre-built configuration. Currently |
- // seccomp-bpf and address space limitations (the setuid sandbox works |
- // differently and is set-up in the Zygote). This will instantiate the |
+ // Seal the layer-1 sandbox and initialize the layer-2 sandbox with the given |
+ // pre-built configuration. |
+ // Currently seccomp-bpf and address space limitations (the setuid sandbox |
rickyz (no longer on Chrome)
2015/02/11 22:59:56
I'm a little confused by this comment and also can
jln (very slow on Chromium)
2015/02/11 23:13:06
Ooch, this comment was a mess. Hopefully it's bett
|
+ // works differently and is set-up in the Zygote). This will instantiate the |
// LinuxSandbox singleton if it doesn't already exist. |
// This function should only be called without any thread running. |
static bool InitializeSandbox(); |