Conversation

Nathan Crandall
@natecray
Replying to
@maddiestone
and
@natashenka
Thanks for sharing, awesome work! The exploit table really shows how effective the Android/Linux sandboxing model is for chrome. Other platforms seem to go renderer->kernel, but the tight seccomp policy on Linux makes that jump extremely tough.
1
5
Daniel Micay
@DanielMicay
Replying to
@natecray
@maddiestone
and
@natashenka
By the way, the Layer-1 Chromium sandbox on Android is available to every other app via isolatedProcess="true" on service processes. It's massively underused. It would be nice if it gave you an easy way to set up a comparable seccomp-bpf filter too. It's tricky to do yourself.
1
5
Nathan Crandall
@natecray
Replying to
@DanielMicay
@maddiestone
and
@natashenka
Setting up seccomp filters is extremely tough, especially on an active code base. Requires a lot of maintenance if you want to be strict. Even if the code base is static, updating libraries/dependencies means updating the policy. Edge case violations are really hard to find.
1
1
Daniel Micay
@DanielMicay
Replying to
@natecray
@maddiestone
and
@natashenka
It's particularly hard to do it in a way that's portable across a bunch of OS variants without the OS helping you do it. It's really hard for an app or library to do it. It's ideally provided by the OS. Android does use seccomp-bpf for app sandboxes but not strict/fine-grained.
1
Daniel Micay
@DanielMicay
Replying to
@DanielMicay
@natecray
and 2 others
It could use a much better filter than it currently does for a newer revision of isolatedProcess. Lack of isolatedProcess adoption probably leads to them not attempting to bring benefits of Chromium's seccomp-bpf filter to other apps. Unfortunate that few apps/libraries care.
1