Sandbox the network service on Windows
Issue description

This ticket is for tracking CLs related to turning on a new sandbox (SANDBOX_NETWORK_TYPE) for the new network process (NP). Windows will be the first platform for rollout of both.

Feature to enable for network service: "NetworkService"
Feature to enable for the Windows sandbox on the network service: "NetworkServiceWindowsSandbox"

--enable-features=NetworkService,NetworkServiceWindowsSandbox

(Note to track infinite failure-loop ticket: crbug/837389, which really becomes an issue when adjusting sandbox configurations.)
May 15 2018
Worth noting we still do file I/O in the network process - anything that tries to upload a file using SimpleURLLoaderImpl::AttachFileForUpload or using URLLoader directly will try to open the file in the network process.
May 17 2018
May 17 2018
Thanks Matt - there are a lot of system interactions that affect sandboxing, as we discussed in meetings and emails. First config of the sandbox is wide open for file access, until code is changed to do most file access from outside of the NP (handles passed in). This ticket will track all CLs as we slowly increase the lockdown.
May 17 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/dad9bdb50b90120b05cd876f0642f06e743e7cff

commit dad9bdb50b90120b05cd876f0642f06e743e7cff
Author: Penny MacNeil <pennymac@chromium.org>
Date: Thu May 17 19:53:57 2018

[Network Process Windows Sandbox] Finch default off.

First round of network service sandboxing on Windows. Seems to be working with very basic manual testing. This configuration is also very open for file & reg access, but with plans to lock it down more as the network service code is adjusted.

Service and sandbox are currently off by default.
--enable-features=NetworkService,NetworkServiceWindowsSandbox.

BUG=841001
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: Ia958026482d833a8a3a86eb4e1d679d6a201c987
Reviewed-on: https://chromium-review.googlesource.com/1050703
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Penny MacNeil <pennymac@chromium.org>
Cr-Commit-Position: refs/heads/master@{#559648}

[modify] https://crrev.com/dad9bdb50b90120b05cd876f0642f06e743e7cff/content/browser/utility_process_host.cc
[modify] https://crrev.com/dad9bdb50b90120b05cd876f0642f06e743e7cff/sandbox/win/src/security_level.h
[modify] https://crrev.com/dad9bdb50b90120b05cd876f0642f06e743e7cff/services/network/BUILD.gn
[modify] https://crrev.com/dad9bdb50b90120b05cd876f0642f06e743e7cff/services/network/OWNERS
[add] https://crrev.com/dad9bdb50b90120b05cd876f0642f06e743e7cff/services/network/network_sandbox_win.cc
[add] https://crrev.com/dad9bdb50b90120b05cd876f0642f06e743e7cff/services/network/network_sandbox_win.h
[modify] https://crrev.com/dad9bdb50b90120b05cd876f0642f06e743e7cff/services/service_manager/sandbox/features.cc
[modify] https://crrev.com/dad9bdb50b90120b05cd876f0642f06e743e7cff/services/service_manager/sandbox/features.h
[modify] https://crrev.com/dad9bdb50b90120b05cd876f0642f06e743e7cff/services/service_manager/sandbox/sandbox_type.cc
[modify] https://crrev.com/dad9bdb50b90120b05cd876f0642f06e743e7cff/services/service_manager/sandbox/win/sandbox_win.cc
May 22 2018
May 22 2018
Aug 30
hot potato. over to you wfh!
Sep 6
Comment 1 by penny...@chromium.org, May 15 2018