Sandboxing of renderer on webview

[Vishnu]

Can you pls help me to understand how sandboxing for renderer is achieved on webview. Is it through android:isolatedProcess service attribute on the renderer service component or is it part of the renderer process start-up

[Torne (Richard Coles)]

There's multiple layers of sandboxing. The android:isolatedProcess service attribute runs the renderer process in Android's isolated_app sandbox, which gives it a unique UID not shared with any app and restricts its access to the filesystem and to system services, but we then also apply a seccomp-bpf sandbox to the process once it's launched which restricts which Linux system calls it can invoke and with which parameters to restrict it further.

On Tue, 26 Oct 2021 at 19:17, vishnu vardhan reddy.p Reddy <vishnuvar...@gmail.com> wrote:

Can you pls help me to understand how sandboxing for renderer is achieved on webview. Is it through android:isolatedProcess service attribute on the renderer service component or is it part of the renderer process start-up

--
You received this message because you are subscribed to the Google Groups "android-webview-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-webview...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/android-webview-dev/9e2f55f6-b97c-48da-9d86-1244aa4b6cdfn%40chromium.org.