Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Capsicum enhancements to Google's Chromium web browser
Branch: chromium-capsi…
Failed to load latest commit information.
app Use FreeBSD 8 rather than FreeBSD 7 patches for Chromium.
base libcapability is now libcapsicum, so update includes and linkage.
breakpad Refactoring build configurations - make it clearer and allow better s…
build Add 'capsicum' gyp option, which defines CHROMIUM_CAPSICUM.
chrome libcapability is now libcapsicum, so update includes and linkage.
chrome_frame Marking the following tests as flaky.
courgette Clarify licenses on a bunch of files.
gears Gears 0.5.33.0
google_update Add comments setting emacs and vim tab width and expansion variables.
gpu Merge http://chromium.jaggeri.com/35870.patch FreeBSD portability cha…
ipc Merge http://chromium.jaggeri.com/35870.patch FreeBSD portability cha…
media Merge http://chromium.jaggeri.com/35870.patch FreeBSD portability cha…
net Merge http://chromium.jaggeri.com/35870.patch FreeBSD portability cha…
o3d Fix docs typo "steam" -> "stream"
printing Merge http://chromium.jaggeri.com/35870.patch FreeBSD portability cha…
rlz Add comments setting emacs and vim tab width and expansion variables.
sandbox Merge http://chromium.jaggeri.com/35870.patch FreeBSD portability cha…
sdch Merge http://chromium.jaggeri.com/35870.patch FreeBSD portability cha…
site_scons/site_tools GYP deps roll to latest. Remove now-unnecessary code from site_scons.
skia Merge http://chromium.jaggeri.com/35870.patch FreeBSD portability cha…
testing Merge http://chromium.jaggeri.com/35870.patch FreeBSD portability cha…
third_party Merge http://chromium.jaggeri.com/35870.patch FreeBSD portability cha…
tools Widen Mac intl1 and intl2 expectations.
views Fixes bug in WidgetGtk. WidgetGtk::GetBounds can end up crashing. I
webkit Use FreeBSD 8 rather than FreeBSD 7 patches for Chromium.
.gitignore Ignore /third_party/lighttpd for git because it keep appearing in 'gi…
AUTHORS Allow using system libevent instead of the bundled one.
DEPS WebKit Update 52999:53013.
LICENSE Set svn:eol-style = LF and normalize newlines as on other files
PRESUBMIT.py Remove old files.
README.Capsicum Add note on data pack descriptors: are they needed in sandboxes?
WATCHLISTS Added myself to the WATCHLIST for all files under gpu/. I wasn't able…
codereview.settings Set LINT_IGNORE_REGEX to not try to lint files using webkit coding st…

README.Capsicum

Chromium-Capsicum README
------------------------

Chromium-Capsicum is an adapation of Google's Chromium web browser to use
FreeBSD's Capsicum capability security primitives.  This allows renderers
(and in the future, other components) to execute in tightly-controlled
sandboxes without the need for complex access control manipulations required
when using traditional OS APIs.  This should lead to more complete and more
robust protection with significantly lower code complexity.

Capsicum is a research project at the University of Cambridge Computer
Laboratory, and sponsored by Google, Inc.  Learn more at:

  http://www.cl.cam.ac.uk/research/security/capsicum/

WARNING:

  This is a research prototype, and should be used with caution.

TODO:

- Teach process management code about process descriptors...
- ...allowing the Zygote to run cap_enable() out of EnterSandbox() rather
  than the renderer out of EnableSandbox().
- Fix closing of file descriptors when going from zygote to renderer in order
  to avoid leaking undesired rights into sandboxes.
- Encapsulate desired file descriptors for renderers in constrained
  capabilities.
- Consider switching back to SOCK_DGRAM from SOCK_SEQPACKET, as it appears
  only to be required because of limitations of the sandboxing models
  available on Linux.
- Consider re-enabling X11 SHM and adding explicit copying from the POSIX
  SHM segments.
- Determine whether chrome data packs are actually required in sandboxes,
  either as file descriptors or as memory mappings, and remove if not; they
  are currently wrapped in capabilities but perhaps are not needed at all.

Longer-term considerations:

- Use libcapability to launch sandboxes.
- Delegate font directory capabilities to fontconfig rather than using a
  proxy service.
- Extend X11 to support POSIX shared memory so that a single segment can be
  shared between {X11, browser, renderer} as is done with X11 SHM today when
  unsandboxed.
- Explore additional process sandboxing present in the Mac / Windows models
  but not supported on Linux.

Something went wrong with that request. Please try again.