Tinnes: Introducing Chrome's next-generation Linux sandbox
[Security] Posted Sep 7, 2012 13:28 UTC (Fri) by corbet
Julien Tinnes describes
the new sandbox mechanism for the Chrome browser under Linux.
"In a similar, but very limited, fashion, this is what we have now in
Chrome: we stacked the seccomp-bpf sandbox on top of the setuid
sandbox. The setuid sandbox gives a few easy to understand semantic
properties: no file system access, no process access outside of the
sandbox, no network access. It makes it much easier to layer a seccomp-bpf
sandbox on top."
Comments (5 posted)