Re: Site Isolation for Utility Processes


Alex Moshchuk

Nov 7, 2024, 8:48:56 PM
to Emily Andrews (LEDBETTER), Site Isolation Development
+Site Isolation Development 

Hi Emily,

Thanks for reaching out! On a high level, it would be great to better support site-isolated utility processes. I think this has been discussed before, and so far features that needed this have kind of done it in an ad-hoc way. Here's one example I found for video decoding, and maybe others in site-isolation-dev@ can point to any other context.

For a project like this, it's probably best to put together a design doc with your motivation, goals, and proposals, so we can all iterate on the design together to see if it makes sense. That would give us more context to answer your questions.

For your specific questions, while ChildProcessSecurityPolicy can probably track generic child processes, I wonder how you propose using it for utility processes. It's primarily designed to validate IPCs coming from renderer processes; would utility processes also send IPCs that would need to be validated? I'd envision site isolation for utility processes to involve keeping a map of utility processes, keyed by utility process type and security principal (SiteInfo), and making utility process creation be more systematic about its security principal. I don't see how things like browsing_instance_default_isolation_states_, which is about Origin-Agent-Cluster status, would matter for utility processes, along with things like CanCommitURL, etc. (utility processes wouldn't ever need to commit navigations). Similarly, IsolationContext is mostly relevant as a BrowsingInstanceId carrier for deciding whether something is isolated in a particular BrowsingInstance, based on things like site isolation triggers on Android, but I don't see why utility processes would need that, as they aren't hosting any documents or workers that belong in a BrowsingInstance. (Aside, IsolationContext was intended to support querying BrowsingInstance info cross-thread, but that may no longer be necessary now that we've restricted ChildProcessSecurityPolicy security checks to the UI thread, so IsolationContext as a concept may go away at some point.)

Thanks,
Alex

On Wed, Nov 6, 2024 at 9:11 AM Emily Andrews (LEDBETTER) <emi...@microsoft.com> wrote:
Hi,

Edge would love to help contribute to Chromium by implementing this. I was looking into the lay of the land and noticed a few objects.

ChildProcessSecurityPolicyImpl seems like it was built as a general solution for all the child processes, which I think is a great design!

The snag I'm noticing is you really need an IsolationContext in addition to the SiteInfo to properly take advantage of the ChildProcessSecurityPolicyImpl, and this object is tightly coupled with the SiteInstance to the point where the RenderProcessHost and RenderFrameHost don't even own that object and call into SiteInstance to handle locking itself. It seems by design that the IsolationContext is not copyable or movable and is tightly coupled with that, but the way ServiceProcessHost::Options is implemented is you just pass that into the Launch function, so all the settings need to be movable or copyable.

I was wondering how you felt about ChildProcessSecurityPolicyImpl's browsing_instance_default_isolation_states_ being augmented to be a map of the BrowsingInstanceId to the Isolation context. Then instead of passing the Isolation context around, we can just pass the BrowsingInstanceId around and do a lookup for the isolation context. This would avoid the potential lifetime problems involved in passing the IsolationContext or the SiteInstance or the BrowsingInstance.

Thanks,
Emily


Sent from Outlook

Emily Andrews (LEDBETTER)

Nov 8, 2024, 11:23:17 AM
to Alex Moshchuk, Site Isolation Development
Hi,

I'm working on putting together a design document, but I wanted to make sure I understood what Point A was to make a good suggestion for how to get to Point B.

As for our motivations, Edge has been experimenting with hosting multiple services in a particular process. Most services are not tied to a particular site, but there are some which are. Services tied to a site probably shouldn't be hosted in the same process if they don't match with their process lock, since this breaks site isolation promises with regards to some data. I wanted to take advantage of the ProcessLock decision tree, so I've been looking into how this works. I have a rusty proposal for upstreaming this that I'm about to dust off (Service Process Pooling - Google Docs) and an appropriate bug (Investigate pooling services [41493609] - Chromium).

I know utility processes don't host "documents", but some of them do handle data that's tightly coupled with a particular site and profile. The site alone is not sufficient; you also need profile data. I just noticed that ChildProcessSecurityPolicy seemed to be tracking the ProcessLock information and was used to query the process lock based on the PID. From a debugging perspective, it can be helpful to have a particular object that gives you insight into all the processes active and how they map together.

Thanks,
Emily

Sent from Outlook


