Google's Chromium sandbox

Posted Aug 23, 2009 14:49 UTC (Sun) by i3839 (guest, #31386)
Parent article: Google's Chromium sandbox

As part of my bachelor project I have worked on rewriting a ptrace based jailer. The old implementation was too big and complicated, the new one is only a few thousand lines of code big. This is a generic jailer which is not racy. Among other things it prevents time-of-check-to-time-of-use race conditions, but it also prevents races between different system calls like rename and open, and symlink trickery. The current version supports Linux 2.6, but 2.4 or BSD support can be added too. Adding support for other architectures than x86 is trivial.

For its design see http://www.cs.vu.nl/~guido/publications/ps/secrypt07.pdf
The rewritten version does some things differently and doesn't yet support all features of the original one. The code isn't released yet, but we plan to release it under a BSD-like license. If interested email Guido or me (indan@nul.nu).

Google's Chromium sandbox

Posted Aug 29, 2009 5:20 UTC (Sat) by gmatht (guest, #58961) [Link]

I am not the person to which your question was addressed (my contribution to
chrome is limited to one patch to an install script).

However, I am "interested" in packaging this for Ubuntu. I really don't have
time now, but I may drop you an email in a few months. Having an easy to use
sandbox tool would be very nice.

Google's Chromium sandbox

Posted Oct 12, 2009 21:01 UTC (Mon) by cwitty (guest, #4600) [Link] (1 responses)

Sounds interesting, but:

"Forbidden

You don't have permission to access /~guido/publications/ps/secrypt07.pdf on this server."

Google's Chromium sandbox

Posted Oct 21, 2009 10:36 UTC (Wed) by i3839 (guest, #31386) [Link]

Weird, works for me. Perhaps a temporary server glitch? Please try again.