content/common/sandbox_linux/sandbox_linux.h - Issue 915823002: Namespace sandbox: add important security checks

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: content/common/sandbox_linux/sandbox_linux.h

Issue 915823002: Namespace sandbox: add important security checks (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Rebase Created 5 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: content/common/sandbox_linux/sandbox_linux.h

diff --git a/content/common/sandbox_linux/sandbox_linux.h b/content/common/sandbox_linux/sandbox_linux.h

index b3a0d6df94675e00a61f400db5d74e0e3472cf89..6f5242a48e064bbce50ba48e161561cb44a6745d 100644

--- a/content/common/sandbox_linux/sandbox_linux.h

+++ b/content/common/sandbox_linux/sandbox_linux.h

@@ -29,6 +29,14 @@ namespace content {

// A singleton class to represent and change our sandboxing state for the

// three main Linux sandboxes.

+// The sandboxing model allows using two layers of sandboxing. The first layer

+// can be implemented either with unprivileged namespaces or with the setuid

+// sandbox. This class provides a way to engage the namespace sandbox, but does

+// not deal with the legacy setuid sandbox directly.

+// The second layer is mainly based on seccomp-bpf and is engaged with

+// InitializeSandbox(). InitializeSandbox() is also responsible for "sealing"

+// the first layer of sandboxing. That is, InitializeSandbox must always be

+// called to have any meaningful sandboxing at all.

class LinuxSandbox {

public:

// This is a list of sandbox IPC methods which the renderer may send to the

@@ -58,15 +66,24 @@ class LinuxSandbox {

// a fork().

void PreinitializeSandbox();

+ // Check that the current process is the init process of a new PID

+ // namespace and then proceed to drop access to the file system by using

+ // a new unprivileged namespace. This is a layer-1 sandbox.

+ // In order for this sandbox to be effective, it must be "sealed" by calling

+ // InitializeSandbox().

+ void EngageNamespaceSandbox();

// Return a list of file descriptors to close if PreinitializeSandbox() ran

// but InitializeSandbox() won't. Avoid using.

// TODO(jln): get rid of this hack.

std::vector<int> GetFileDescriptorsToClose();

- // Initialize the sandbox with the given pre-built configuration. Currently

- // seccomp-bpf and address space limitations (the setuid sandbox works

- // differently and is set-up in the Zygote). This will instantiate the

- // LinuxSandbox singleton if it doesn't already exist.

+ // Seal an eventual layer-1 sandbox and initialize the layer-2 sandbox with

+ // an adequate policy depending on the process type and command line

+ // arguments.

+ // Currently the layer-2 sandbox is composed of seccomp-bpf and address space

+ // limitations. This will instantiate the LinuxSandbox singleton if it

+ // doesn't already exist.

// This function should only be called without any thread running.

static bool InitializeSandbox();

« no previous file with comments | « content/common/sandbox_linux/sandbox_debug_handling_linux.cc ('k') | content/common/sandbox_linux/sandbox_linux.cc » ('j') | no next file with comments »