Linked by Thom Holwerda on Wed 3rd Jun 2009 11:21 UTC, submitted by Hakime
Google One of the defining features of Google's Chrome web browse is its sandboxing feature. You probably won't realise it's there, but from a security point of view, sand-boxing is one of the most impotant factors in browser security, as it severely limits the amount of damage a security hole can do: sure, you've got a hole in the browser, but thanks to sandboxing, you're pretty much locked in - until you break out of the sandbox, of course. Sandboxing on the Windows variant of Chrome was a "complicated affair", says Chromium developer Jeremy Moskovich, but for the Mac version, it's all a bit easier and more straightforward. On Linux, however, it's a mess.
Thread beginning with comment 366800
To read all comments associated with this story, please click here.
Bit_Rapist
Member since:
2005-11-13

From reading the article it honestly sounds like a bit of a PITA on all operating systems to me.

It takes a load of code on Windows
On Linux, they can't decide which route to go
On OS X, while a framework exists, they are flying blind on knowing which API calls actually work correctly within the framework.

The whole thing sounds like a headache to me on any OS.

Reply Score: 5

ba1l Member since:
2007-09-08

Yeah, that's what I got from it too.

Ideally, it'd be easy on Linux. The obvious candidates are AppArmor and SELinux. They're both configuration-based, and an appropriate profile for each process would allow Chrome's sandboxing to just work.

The problem is that neither are universally supported, but most modern distributions support one or the other. I don't know why they don't just develop and ship profiles for both, and let the OS apply whichever one it supports.

Everything else mentioned on that page involves abusing other features of the OS to provide sandboxing functionality, which is pretty much what they had to do on Windows as well.

For the Windows version, they didn't seem to complain about this in the slightest - they just got on with it. They even seemed proud of it, and published details of all the torture they had to go through to make it work. Interesting reading, by the way.

So why all the complaints about every little problem they have on Mac / Linux? Can't the guys developing the Mac / Linux versions just get on with solving the problems, like they guys who developed the Windows version did?

Reply Parent Score: 5