This is a tracking bug for adding the AC sandbox to the GPU process. Link to design document https://docs.google.com/document/d/1YDqgjVaMGbepTHG9xeE10pLoQDLFhlxd3-JsD8jmZNY/edit?usp=sharing
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b3246b3042dec724733164256d0218d4547ed1b9 commit b3246b3042dec724733164256d0218d4547ed1b9 Author: James Forshaw <forshaw@chromium.org> Date: Mon Feb 05 21:57:07 2018 Add AppContainer ACEs to Application folder during installation. This CL adds the AppContainer capability SIDs for chromeInstallFiles and lpacChromeInstallFiles to the Application directory during installation. The purpose of this change is to support the new AppContainer sandbox which will require a second SID to grant access to the main executables. Bug: 807249 Change-Id: I6a42451bee93c574fa293c9d4459f929a1d9cc1b Reviewed-on: https://chromium-review.googlesource.com/897649 Commit-Queue: James Forshaw <forshaw@chromium.org> Reviewed-by: Greg Thompson <grt@chromium.org> Reviewed-by: Jesse Doherty <jwd@chromium.org> Cr-Commit-Position: refs/heads/master@{#534500} [modify] https://crrev.com/b3246b3042dec724733164256d0218d4547ed1b9/chrome/installer/setup/install_worker.cc [modify] https://crrev.com/b3246b3042dec724733164256d0218d4547ed1b9/tools/metrics/histograms/histograms.xml
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8afd3e92925a52b439f9e49eb93e184b0e7515be commit 8afd3e92925a52b439f9e49eb93e184b0e7515be Author: James Forshaw <forshaw@chromium.org> Date: Fri Feb 09 21:42:44 2018 Add AppContainer support to Service Manager. This CL adds AppContainer support to the Service Manager sandbox code. At the moment only the GPU sandbox is supported and in order to enable the sandbox a new member function must be defined on the sandbox delegate which provides an identifier to generate a unique AppContainer profile. This CL does not contain the changes to the GPU code which would enable the AppContainer sandbox, it's only the infrastructure to enable it in a further patch set. Bug: 807249 Change-Id: Iada760c0eab4ff3fae9499bf5310624d964581b7 Reviewed-on: https://chromium-review.googlesource.com/911115 Reviewed-by: Tom Sepez <tsepez@chromium.org> Reviewed-by: John Abd-El-Malek <jam@chromium.org> Reviewed-by: Penny MacNeil <pennymac@chromium.org> Commit-Queue: James Forshaw <forshaw@chromium.org> Cr-Commit-Position: refs/heads/master@{#535834} [modify] https://crrev.com/8afd3e92925a52b439f9e49eb93e184b0e7515be/content/public/common/sandboxed_process_launcher_delegate.cc [modify] https://crrev.com/8afd3e92925a52b439f9e49eb93e184b0e7515be/content/public/common/sandboxed_process_launcher_delegate.h [modify] https://crrev.com/8afd3e92925a52b439f9e49eb93e184b0e7515be/sandbox/win/src/sandbox_types.h [modify] https://crrev.com/8afd3e92925a52b439f9e49eb93e184b0e7515be/services/service_manager/sandbox/sandbox_delegate.h [modify] https://crrev.com/8afd3e92925a52b439f9e49eb93e184b0e7515be/services/service_manager/sandbox/switches.cc [modify] https://crrev.com/8afd3e92925a52b439f9e49eb93e184b0e7515be/services/service_manager/sandbox/switches.h [modify] https://crrev.com/8afd3e92925a52b439f9e49eb93e184b0e7515be/services/service_manager/sandbox/win/sandbox_win.cc [modify] https://crrev.com/8afd3e92925a52b439f9e49eb93e184b0e7515be/services/service_manager/sandbox/win/sandbox_win.h [modify] https://crrev.com/8afd3e92925a52b439f9e49eb93e184b0e7515be/services/service_manager/tests/DEPS [modify] https://crrev.com/8afd3e92925a52b439f9e49eb93e184b0e7515be/services/service_manager/tests/sandbox/BUILD.gn [add] https://crrev.com/8afd3e92925a52b439f9e49eb93e184b0e7515be/services/service_manager/tests/sandbox/OWNERS [add] https://crrev.com/8afd3e92925a52b439f9e49eb93e184b0e7515be/services/service_manager/tests/sandbox/sandbox_win_unittest.cc
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fd0ce34715263d9068fb2357c43792661e5e0496 commit fd0ce34715263d9068fb2357c43792661e5e0496 Author: James Forshaw <forshaw@chromium.org> Date: Wed Feb 14 09:55:39 2018 Enable AppContainer support for GPU process. This CL adds the necessary support to the GPU process launcher to enable the AppContainer sandbox as well as UMA metrics and a new entry in chrome://flags. Bug: 807249 Change-Id: I92d1f5ef224e09952b8615a79da639edc83692e7 Reviewed-on: https://chromium-review.googlesource.com/912868 Commit-Queue: James Forshaw <forshaw@chromium.org> Reviewed-by: Jesse Doherty <jwd@chromium.org> Reviewed-by: Will Harris <wfh@chromium.org> Reviewed-by: Zhenyao Mo <zmo@chromium.org> Cr-Commit-Position: refs/heads/master@{#536690} [modify] https://crrev.com/fd0ce34715263d9068fb2357c43792661e5e0496/chrome/browser/about_flags.cc [modify] https://crrev.com/fd0ce34715263d9068fb2357c43792661e5e0496/chrome/browser/flag_descriptions.cc [modify] https://crrev.com/fd0ce34715263d9068fb2357c43792661e5e0496/chrome/browser/flag_descriptions.h [modify] https://crrev.com/fd0ce34715263d9068fb2357c43792661e5e0496/content/browser/gpu/gpu_process_host.cc [modify] https://crrev.com/fd0ce34715263d9068fb2357c43792661e5e0496/tools/metrics/histograms/enums.xml [modify] https://crrev.com/fd0ce34715263d9068fb2357c43792661e5e0496/tools/metrics/histograms/histograms.xml
Comment 1 by forshaw@chromium.org
, Feb 1 2018