Need inputs on using chromium zygote


vishnu vardhan reddy.p Reddy

May 12, 2022, 1:34:08 PM
to Chromium-dev
I need to start/run linux chromium zygote with a different entry point than the actual exe which started the browser app, for a valid reason. I was able to do it but facing issues enabling sandbox.

EnabledLayerOneSandbox() asserts at multiple places that the process IsSingleThreaded(). In my case it is not, and I might not be able to get rid of other threads. Any options to make this work? Appreciate any inputs, thanks.

re:fi.64

May 14, 2022, 12:43:57 PM
to vishnuvar...@gmail.com, Chromium-dev
(Obligatory "I am not a Chromium developer" here.)

AFAIK it's not really possible to safely use the namespace sandbox at
all with multiple threads, for various reasons:

- `unshare(CLONE_NEWUSER)`, used to enter the namespace sandbox, fails
with multiple threads.
- `capset()`, used by the namespace sandbox to drop capabilities, only
drops them for the current thread (attempting to work around it for
multiple threads is inherently racy without some awful workarounds).
- The BPF sandbox seems to generally assume a single thread, but I'm
not aware of the reasons why.

Your best bet would just be to try and spawn any threads *after* the
sandbox is entered, or kill any other threads if/when they're no
longer needed.

vishnu vardhan reddy.p Reddy

May 16, 2022, 6:04:21 PM
to Chromium-dev, rym...@gmail.com, Chromium-dev, vishnu vardhan reddy.p Reddy
BPF sandboxing (layer 2) is not part of the zygote process, and I think it is part of the renderer process. Hope this is not dependent on the renderer process being single-threaded. At least that's what I see from the code.

If I am not able to use the chromium zygote for layer 1 sandboxing due to the non-single-threaded reason, are there any options to achieve the layer 1 sandboxing?

Thanks,
Vishnu
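The two kernel behaviours behind the thread discussion in this exchange (the `unshare(CLONE_NEWUSER)` bullet in the reply above and the later question about whether BPF sandboxing depends on a single thread), shown in an added C example. This code is not from the thread and is not Chromium's sandbox code; it assumes a Linux host with seccomp filter support and glibc pthreads, and the function names, the pipe-parked helper thread and the getpid-blocking filter are constructed for illustration only.

```c
// Added example, not from the thread and not Chromium code.  Shows two
// per-thread properties of Linux sandboxing primitives discussed above:
//   1. unshare(CLONE_NEWUSER) is refused once a second thread exists
//      (the kernel implies CLONE_THREAD, which needs a single-threaded
//      caller), so a namespace sandbox must be entered before threads start.
//   2. A seccomp-BPF filter installed with prctl(PR_SET_SECCOMP) binds only
//      to the installing thread; threads created earlier stay unfiltered.
// Build (Linux, glibc): gcc -Wall -pthread threads_vs_sandbox.c -o threads_vs_sandbox
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <sched.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Helper thread that blocks on a pipe and exits when the write end is closed.
   Its only job is to make the process multi-threaded. */
static void *park_on_pipe(void *arg) {
    int fd = *(int *)arg;
    char c;
    while (read(fd, &c, 1) > 0) { }
    return NULL;
}

/* errno from unshare(CLONE_NEWUSER) attempted while a second thread is alive.
   Expected on a stock kernel: EINVAL.  A container seccomp policy may report
   EPERM instead; the call cannot succeed in either case. */
int unshare_userns_while_multithreaded(void) {
    int fds[2];
    pthread_t t;
    if (pipe(fds) != 0) return errno;
    int rc = pthread_create(&t, NULL, park_on_pipe, &fds[0]);
    if (rc != 0) return rc;            /* pthread_create returns the error number */
    int saved = (unshare(CLONE_NEWUSER) == 0) ? 0 : errno;
    close(fds[1]);                     /* wakes and ends the parked thread */
    pthread_join(t, NULL);
    close(fds[0]);
    return saved;
}

/* Minimal filter: getpid() fails with EPERM, everything else is allowed.
   (A production filter checks seccomp_data.arch first; omitted here.) */
static int install_getpid_blocking_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    /* no_new_privs is also per-thread; it is required to install a filter unprivileged */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

struct probe { int install_rc; int getpid_errno; };

/* Runs on a worker thread: install the filter, then see what getpid() does there. */
static void *install_and_probe(void *arg) {
    struct probe *p = arg;
    p->install_rc = install_getpid_blocking_filter();
    if (p->install_rc == 0) {
        errno = 0;
        p->getpid_errno = (syscall(SYS_getpid) == -1) ? errno : 0;
    }
    return NULL;
}

/* 1: a filter installed on a worker thread did not reach the main thread;
   0: the main thread was filtered too;
  -1: the filter could not be installed or did not behave as expected. */
int seccomp_filter_is_thread_local(void) {
    struct probe p = { 0, 0 };
    pthread_t t;
    if (pthread_create(&t, NULL, install_and_probe, &p) != 0) return -1;
    pthread_join(t, NULL);
    if (p.install_rc != 0 || p.getpid_errno != EPERM) return -1;
    return (syscall(SYS_getpid) > 0) ? 1 : 0;   /* main thread: getpid still works */
}

int main(void) {
    int e = unshare_userns_while_multithreaded();
    printf("unshare(CLONE_NEWUSER) with a second thread alive: %s\n",
           e == 0 ? "succeeded (unexpected)" : strerror(e));
    int r = seccomp_filter_is_thread_local();
    printf("seccomp filter installed on a worker thread: %s\n",
           r == 1 ? "main thread still unfiltered"
                  : r == 0 ? "main thread affected" : "could not be tested");
    return 0;
}
```

The first function is the concrete reason a layer-one (namespace) sandbox has to be entered before any helper thread exists. The second is the flip side for layer two: because seccomp state is per task, a filter applied on one thread says nothing about what the other threads of that process may call, so a multi-threaded process that installs its own filter must do so on every thread (the kernel's `SECCOMP_FILTER_FLAG_TSYNC` flag exists for exactly that purpose) or the unfiltered threads remain outside the sandbox.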
