Introducing Chrome's Next Generation Sandbox

Discussion in 'all things UNIX' started by Hungry Man, Sep 20, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    http://blog.cr0.org/2012/09/introducing-chromes-next-generation.html

    A nice writeup about the seccomp based sandboxes.

    Just as an FYI, you can use both sandboxes at once. This isn't necessarily the smart move though.

     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    When I saw the title I thought it was a new sandbox to "compete" with IE10's new Enhanced Protected Mode, but in reality it's "Chrome's New Linux Sandbox", not "Chrome's Next Generation Sandbox". But I guess it's great for those that use Chrome on Linux.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Has there been any comparison between the Chrome sandbox and IE10 sandbox? A whitepaper or anything like that? I'd be interested. The IE9 sandbox was clearly lacking by comparison.

    I would call this a 'next generation' or 'new' sandbox, whichever. It's not the typical sandbox that restricts file access like Windows MIAC or AppArmor. It's meant to complement that.

    It definitely is great though.
     
  4. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    I have both the legacy and the BPF sandbox enabled, but I have the feeling that the legacy sandbox is really not needed.
    What would be the drawbacks or advantages in having them both enabled? (In layman's terms please, Hungry, if you have some spare time.)
     
  5. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677

    Attached Files:

    Last edited: Oct 13, 2012
  6. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I don't think the "legacy" sandbox is needed if you have the BPF sandbox enabled. They both do the same thing, the only difference is the BPF sandbox is sort of the newer generation (using BPF filtering).
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    They're pretty different actually. The legacy sandbox only whitelists 4 system calls and uses a trusted thread to make other calls.

    The BPF sandbox (based on seccomp mode 2 filters) whitelists numerous calls and removes the need for the trusted thread (sort of, there are third party library issues potentially and in the future we may see that model back).

    Regardless the legacy sandbox is removed from Chrome 24.
     
  8. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Thanks for that info. I am only running BPF now, sounds like it is more efficient with less 'overhead'.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Exactly.

    The way it worked before included splitting the renderer process threads into trusted and untrusted. The untrusted threads were only able to use read(), write(), exit(), and sigreturn(). Anything else led to the process being killed. All other calls were offloaded to the trusted thread.

    There's some overhead here because they have to communicate multiple times. There's more to it because to remain trusted it has to store values on registers and constantly pop them off.

    The two actually work fine together, they're completely compatible. But there's no need for the first if you've got the BPF filters.

    If you combine the two you end up with (for simplicity's sake) two threads for the renderer process, one trusted and one untrusted. The untrusted can only make 4 syscalls and the trusted shouldn't be able to make more than what's whitelisted.

    At least conceptually that's how it should work. The issue is, as you said, overhead.
     
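Added illustration of the distinction the posts above draw (this is example code, not from the cr0 blog post or from Chrome itself). seccomp mode 1, which the legacy sandbox builds on, is a fixed kernel policy: read(), write(), exit() and sigreturn() are allowed and anything else kills the thread, so every other call has to be proxied to a trusted thread. seccomp mode 2 instead lets the process load a classic BPF program that the kernel runs against a struct seccomp_data (syscall number, architecture, arguments) on every syscall, so the whitelist can be as wide as the renderer needs. The code below builds such a whitelist filter from a list of syscall numbers, simulates the kernel's evaluation of it so the policy can be checked on any platform, and, on Linux, installs it with prctl(). The struct and opcode definitions mirror the kernel's layouts, the x86_64 syscall numbers are assumed from the kernel's syscall table, and the helper names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local mirrors of the kernel's classic-BPF structs (same layout as
 * struct sock_filter / struct sock_fprog in <linux/filter.h>), defined
 * here so the filter can be built and simulated on any platform. */
struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct bpf_prog { unsigned short len; struct bpf_insn *filter; };

/* The three classic-BPF opcodes a syscall whitelist needs. */
#define OP_LD_W_ABS 0x20u /* BPF_LD  | BPF_W   | BPF_ABS: acc = data[k] */
#define OP_JEQ_K    0x15u /* BPF_JMP | BPF_JEQ | BPF_K:   pc += acc==k ? jt : jf */
#define OP_RET_K    0x06u /* BPF_RET | BPF_K:             return k */

/* Filter verdicts, values as in <linux/seccomp.h>. */
#define RET_KILL  0x00000000u /* SECCOMP_RET_KILL  */
#define RET_ALLOW 0x7fff0000u /* SECCOMP_RET_ALLOW */

/* Mirror of struct seccomp_data, the input the kernel hands to a filter. */
struct seccomp_data_mirror {
    int      nr;                  /* syscall number */
    uint32_t arch;                /* AUDIT_ARCH_* of the calling thread */
    uint64_t instruction_pointer;
    uint64_t args[6];
};
#define AUDIT_ARCH_X86_64 0xc000003eu

/* x86_64 syscall numbers used below (assumed from the kernel syscall table). */
enum { NR_read = 0, NR_write = 1, NR_open = 2, NR_mmap = 9,
       NR_rt_sigreturn = 15, NR_execve = 59, NR_exit = 60 };

#define MAX_INSNS 64
static struct bpf_insn insns[MAX_INSNS];

/* Emit: check the ABI, then "if nr == X allow" for each X, else kill. */
struct bpf_prog build_whitelist(const int *nrs, size_t n)
{
    size_t c = 0;
    insns[c++] = (struct bpf_insn){OP_LD_W_ABS, 0, 0, offsetof(struct seccomp_data_mirror, arch)};
    insns[c++] = (struct bpf_insn){OP_JEQ_K, 1, 0, AUDIT_ARCH_X86_64}; /* native ABI: skip the kill */
    insns[c++] = (struct bpf_insn){OP_RET_K, 0, 0, RET_KILL};          /* foreign ABI (e.g. x32): kill */
    insns[c++] = (struct bpf_insn){OP_LD_W_ABS, 0, 0, offsetof(struct seccomp_data_mirror, nr)};
    for (size_t i = 0; i < n && c + 3 <= MAX_INSNS; i++) {
        insns[c++] = (struct bpf_insn){OP_JEQ_K, 0, 1, (uint32_t)nrs[i]}; /* match: fall into ALLOW */
        insns[c++] = (struct bpf_insn){OP_RET_K, 0, 0, RET_ALLOW};        /* no match: jf=1 skips it */
    }
    insns[c++] = (struct bpf_insn){OP_RET_K, 0, 0, RET_KILL}; /* default: kill the process */
    return (struct bpf_prog){(unsigned short)c, insns};
}

/* Interpret the filter the way the kernel's BPF engine would. */
uint32_t run_filter(const struct bpf_prog *p, const struct seccomp_data_mirror *d)
{
    uint32_t acc = 0;
    for (unsigned pc = 0; pc < p->len; ) {
        const struct bpf_insn *in = &p->filter[pc];
        switch (in->code) {
        case OP_LD_W_ABS:
            if (in->k + 4 > sizeof *d) return RET_KILL; /* load outside seccomp_data */
            memcpy(&acc, (const char *)d + in->k, 4);
            pc++;
            break;
        case OP_JEQ_K:
            pc += 1 + (acc == in->k ? in->jt : in->jf);
            break;
        case OP_RET_K:
            return in->k;
        default:
            return RET_KILL; /* the kernel refuses unknown opcodes at load time */
        }
    }
    return RET_KILL;
}

uint32_t verdict(const struct bpf_prog *p, int nr, uint32_t arch)
{
    struct seccomp_data_mirror d = { .nr = nr, .arch = arch };
    return run_filter(p, &d);
}

/* The legacy (mode 1) policy, read/write/exit/sigreturn, expressed as a mode 2 filter. */
uint32_t legacy_policy_verdict(int nr, uint32_t arch)
{
    static const int legacy[] = { NR_read, NR_write, NR_exit, NR_rt_sigreturn };
    struct bpf_prog p = build_whitelist(legacy, 4);
    return verdict(&p, nr, arch);
}

/* A wider whitelist, the kind the trusted thread is no longer needed for. */
uint32_t wide_policy_verdict(int nr, uint32_t arch)
{
    static const int wide[] = { NR_read, NR_write, NR_exit, NR_rt_sigreturn, NR_mmap };
    struct bpf_prog p = build_whitelist(wide, 5);
    return verdict(&p, nr, arch);
}

#ifdef __linux__
#ifdef __has_include
#if __has_include(<linux/seccomp.h>)
#include <sys/prctl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* Install the filter for the calling thread; every later syscall goes through it. */
int install_filter(struct bpf_prog *p)
{
    struct sock_fprog prog = { .len = p->len, .filter = (struct sock_filter *)p->filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1; /* required unless CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
#endif
#endif
#endif

int main(void)
{
    printf("legacy: read=%s open=%s mmap=%s\n",
           legacy_policy_verdict(NR_read, AUDIT_ARCH_X86_64) == RET_ALLOW ? "allow" : "kill",
           legacy_policy_verdict(NR_open, AUDIT_ARCH_X86_64) == RET_ALLOW ? "allow" : "kill",
           legacy_policy_verdict(NR_mmap, AUDIT_ARCH_X86_64) == RET_ALLOW ? "allow" : "kill");
    printf("wide:   mmap=%s execve=%s\n",
           wide_policy_verdict(NR_mmap, AUDIT_ARCH_X86_64) == RET_ALLOW ? "allow" : "kill",
           wide_policy_verdict(NR_execve, AUDIT_ARCH_X86_64) == RET_ALLOW ? "allow" : "kill");
    return 0;
}
```

The arch check at the top of the filter is the practitioner's caveat: syscall numbers differ between ABIs, so a filter that only compares nr can be bypassed on x86_64 by entering through the x32 or 32-bit entry points; killing on a foreign arch closes that. Adding a syscall to the whitelist is two instructions, which is the whole reason the trusted-thread proxy becomes unnecessary once mode 2 is available.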