  • Chromium (Chrome) Sandbox Details

    What does the sandbox do?

      The sandbox leverages OS-provided security to allow code execution that cannot make persistent changes to the computer or access confidential information.

    What is the sandbox's structure?

      The sandbox operates at process-level granularity: anything that needs to be sandboxed must live in a separate process.

      The minimal sandbox configuration has two processes: a privileged controller known as the broker, and one or more sandboxed processes known as the target.

      

    Broker

       The browser process (in Chromium). Its responsibilities:

    1. Specify the policy for each target process
    2. Spawn the target processes
    3. Host the sandbox policy engine service
    4. Host the sandbox interception manager
    5. Host the sandbox IPC service (to the target processes)
    6. Perform the policy-allowed actions on behalf of the target process

    Target

       The renderer processes; a target hosts all the code that is going to run inside the sandbox:

    1. All code to be sandboxed
    2. The sandbox IPC client
    3. The sandbox policy engine client
    4. The sandbox interceptions

      Target process restrictions:

      • Forbid per-use system-wide changes using SystemParametersInfo(), which can be used to swap the mouse buttons or set the screen saver timeout
      • Forbid the creation or switch of Desktops
      • Forbid changes to the per-user display configuration such as resolution and primary display
      • No read or write to the clipboard
      • Forbid Windows message broadcasts
      • Forbid setting global Windows hooks (using SetWindowsHookEx())
      • Forbid access to the global atoms table
      • Forbid access to USER handles created outside the Job object
      • One active process limit (disallows creating child processes)
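      The restrictions above are the UI restrictions and the active-process limit that a Windows Job object can enforce. The following is an added example, not Chromium's own code: it maps the list onto the winnt.h JOB_OBJECT_UILIMIT_* flags and, on Windows, applies them to a job and starts a child inside it in the order the page describes (policy first, then spawn). The TargetPolicy struct and the LaunchInJob/UiRestrictionMask/IsFullLockdown names are hypothetical; the flag values repeated under the non-Windows branch are assumed to match the SDK header.

```cpp
// Added example, not Chromium's own code: the target-process restrictions
// above are the UI restrictions plus the active-process limit that a Windows
// Job object enforces. This maps the list onto the winnt.h JOB_OBJECT_UILIMIT_*
// flags and, on Windows, applies them to a job and starts a child inside it.
#include <cstdint>
#include <cstdio>

#ifdef _WIN32
#include <windows.h>
#else
// Flag values from winnt.h, repeated here (assumption: unchanged across SDKs)
// so the policy-building part also compiles on a non-Windows host.
#define JOB_OBJECT_UILIMIT_HANDLES          0x00000001
#define JOB_OBJECT_UILIMIT_READCLIPBOARD    0x00000002
#define JOB_OBJECT_UILIMIT_WRITECLIPBOARD   0x00000004
#define JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS 0x00000008
#define JOB_OBJECT_UILIMIT_DISPLAYSETTINGS  0x00000010
#define JOB_OBJECT_UILIMIT_GLOBALATOMS      0x00000020
#define JOB_OBJECT_UILIMIT_DESKTOP          0x00000040
#endif

// The broker's policy for one target (hypothetical struct, one field per
// restriction in the list above). A renderer gets every restriction.
struct TargetPolicy {
  bool forbid_system_parameters = true;  // SystemParametersInfo() changes
  bool forbid_desktops          = true;  // creating or switching Desktops
  bool forbid_display_settings  = true;  // resolution, primary display
  bool forbid_clipboard         = true;  // both read and write
  bool forbid_global_atoms      = true;  // global atoms table
  bool forbid_outside_handles   = true;  // USER handles outside the job; message
                                         // broadcasts and global hooks fail here
                                         // too, since they touch such windows
  uint32_t active_process_limit = 1;     // one process: no children
};

// Builds the JOBOBJECT_BASIC_UI_RESTRICTIONS bitmask for a policy.
uint32_t UiRestrictionMask(const TargetPolicy& p) {
  uint32_t mask = 0;
  if (p.forbid_system_parameters) mask |= JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS;
  if (p.forbid_desktops)          mask |= JOB_OBJECT_UILIMIT_DESKTOP;
  if (p.forbid_display_settings)  mask |= JOB_OBJECT_UILIMIT_DISPLAYSETTINGS;
  if (p.forbid_clipboard)         mask |= JOB_OBJECT_UILIMIT_READCLIPBOARD |
                                          JOB_OBJECT_UILIMIT_WRITECLIPBOARD;
  if (p.forbid_global_atoms)      mask |= JOB_OBJECT_UILIMIT_GLOBALATOMS;
  if (p.forbid_outside_handles)   mask |= JOB_OBJECT_UILIMIT_HANDLES;
  return mask;
}

// A defender's check: does a mask carry the full renderer lockdown?
bool IsFullLockdown(uint32_t mask) {
  return mask == UiRestrictionMask(TargetPolicy{});
}

#ifdef _WIN32
// Creates the job, applies the policy, and starts `cmdline` suspended inside
// it so no target code runs before the restrictions are in place.
bool LaunchInJob(const TargetPolicy& p, wchar_t* cmdline) {
  HANDLE job = CreateJobObjectW(nullptr, nullptr);
  if (!job) return false;

  JOBOBJECT_BASIC_UI_RESTRICTIONS ui = {};
  ui.UIRestrictionsClass = UiRestrictionMask(p);
  JOBOBJECT_EXTENDED_LIMIT_INFORMATION lim = {};
  lim.BasicLimitInformation.LimitFlags =
      JOB_OBJECT_LIMIT_ACTIVE_PROCESS | JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
  lim.BasicLimitInformation.ActiveProcessLimit = p.active_process_limit;
  if (!SetInformationJobObject(job, JobObjectBasicUIRestrictions, &ui, sizeof(ui)) ||
      !SetInformationJobObject(job, JobObjectExtendedLimitInformation, &lim, sizeof(lim))) {
    CloseHandle(job);
    return false;
  }

  STARTUPINFOW si = {};
  si.cb = sizeof(si);
  PROCESS_INFORMATION pi = {};
  if (!CreateProcessW(nullptr, cmdline, nullptr, nullptr, FALSE, CREATE_SUSPENDED,
                      nullptr, nullptr, &si, &pi)) {
    CloseHandle(job);
    return false;
  }
  if (!AssignProcessToJobObject(job, pi.hProcess)) {
    TerminateProcess(pi.hProcess, 1);  // never let it run unrestricted
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    CloseHandle(job);
    return false;
  }
  ResumeThread(pi.hThread);
  CloseHandle(pi.hThread);
  CloseHandle(pi.hProcess);
  return true;  // `job` stays open on purpose: closing it would kill the target
}
#endif

int main() {
  TargetPolicy renderer;
  uint32_t mask = UiRestrictionMask(renderer);
  std::printf("UI restriction mask: 0x%02x, full lockdown: %d\n",
              mask, IsFullLockdown(mask) ? 1 : 0);
  return 0;
}
```

      The child is created suspended and only resumed after AssignProcessToJobObject succeeds, which is the property that matters: a target that runs even one instruction outside the job has already escaped the restrictions.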

      Allowed resource access:

      • Read access to most files
      • Write access to %USERPROFILE%\AppData\LocalLow
      • Read access to most of the registry
      • Write access to HKEY_CURRENT_USER\Software\AppDataLow
      • Clipboard (copy and paste for certain formats)
      • Remote procedure call (RPC)
      • TCP/IP Sockets
      • Window messages exposed via ChangeWindowMessageFilter
      • Shared memory exposed via LI (low integrity) labels
      • COM interfaces with LI (low integrity) launch activation rights
      • Named pipes exposed via LI (low integrity) labels

    References:

    https://chromium.googlesource.com/chromium/src/+/master/docs/design/sandbox.md

  • Original source: https://www.cnblogs.com/full-stack-engineer/p/8870809.html