Google Chrome, Sandboxing, and Mac OS X

Monday, June 01, 2009

Sandboxing is a technique that Google Chrome employs to help make the browser more secure, and was discussed in a previous blog post. On Windows, getting a process sandboxed in a way that's useful to us is a pretty complicated affair. The relevant source code consists of over 100 files and is located under the sandbox/ directory in Chromium's Open Source repository. But for our Mac and Linux ports, sandboxing is a very different story. On Linux there are a number of different sandboxing mechanisms available. Different Linux distributions ship with different (or no) sandboxing APIs, and finding a mechanism that is guaranteed to work on end users' machines is a challenge. Fortunately, on Mac OS X, the OS APIs for sandboxing a process are easy to use and straightforward.

Sandboxing on the Mac

Starting a sandbox involves a single call to sandbox_init() specifying which resources to block for a specific process. In our case we lock down the process pretty tightly. That means no network access, and very limited or no access to files and Mach ports.

When Chromium starts a renderer process, we open an IPC channel (a UNIX socketpair) back to the browser process before turning on the sandbox. Any resources a process owns before turning on the sandbox stay with the process, so this channel can still be used after the sandbox is enabled. When we want to pass a shared memory area between processes, we send it over as an mmaped file handle using the sendmsg() API. We don't need to do anything else, as Apple's sandbox API is smart enough to allow access to file descriptors passed between processes in this manner even if the receiving process itself is forbidden from calling open().
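To make the browser/renderer exchange described above and the sandbox_init() call concrete, here is an added example in C (not Chromium's own code): the parent opens a socketpair, forks a "renderer" that locks itself down before reading anything, then passes an mmaped file descriptor with sendmsg(). The pure-computation profile is this example's assumption (on non-Apple systems the sandbox call is compiled out), and the payload string and the names pass_fd and demo_browser_renderer are constructed for the example.

```c
#define _GNU_SOURCE 1   /* expose POSIX APIs (mkstemp, socketpair) under strict -std= modes */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#ifdef __APPLE__
#include <sandbox.h>    /* Apple-only: sandbox_init() has no Linux counterpart */
#endif
#define PAYLOAD "constructed payload"   /* sample data for this example, not from the page */
/* Send (fd >= 0) or receive (fd < 0) one descriptor over a UNIX socket via SCM_RIGHTS. */
static int pass_fd(int sock, int fd) {
    char b = 'F'; struct iovec iov = { &b, 1 };
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (fd >= 0) {                        /* the kernel duplicates the fd into the peer process */
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof fd);
        return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
    }
    if (recvmsg(sock, &m, 0) != 1 || !(c = CMSG_FIRSTHDR(&m)) || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd); /* a fresh descriptor number in the receiver */
    return fd;
}
/* Browser side: fork a "renderer", hand it an mmaped file; returns its exit status (0 = payload read). */
int demo_browser_renderer(void) {
    int sv[2], status; pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                       /* renderer: the channel already exists, now lock down */
        close(sv[0]);
#ifdef __APPLE__
        char *err = NULL;                 /* profile choice is this example's assumption */
        if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED, &err) != 0) _exit(2);
#endif
        int fd = pass_fd(sv[1], -1);      /* arrives even though open() is now denied */
        char *p = fd < 0 ? MAP_FAILED : mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0);
        _exit(p != MAP_FAILED && strcmp(p, PAYLOAD) == 0 ? 0 : 1);
    }
    close(sv[1]); char path[] = "/tmp/shm-demo-XXXXXX";
    int fd = mkstemp(path); unlink(path); /* unlinked: reachable only through the descriptor */
    if (fd < 0 || ftruncate(fd, 4096) < 0) return -1;
    char *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) return -1; strcpy(p, PAYLOAD);
    if (pass_fd(sv[0], fd) < 0) return -1;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The renderer never calls open(): the only way it can reach the file is through the descriptor the browser handed it, which is exactly the property the post relies on.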

One sticky point we run into is that the sandboxed process calls through to OS X system APIs. There is no documentation available about which privileges each API needs, such as whether it needs access to on-disk files or calls other APIs to which the sandbox restricts access. Our approach to date has been to "warm up" any problematic API calls before turning the sandbox on. This means that we call through to the API, to allow it to cache whatever resource it needs. For example, color profiles and shared libraries can be loaded from disk before we "lock down" the process. To get a more complete understanding of our use of the sandbox on OS X, you can read the OS X sandboxing design doc.

As we continue the porting efforts for Chromium on the Mac, it's very satisfying to see the puzzle pieces fit into place alongside the native system APIs. It's important to us that the Mac port of Chromium feels and performs like a native Mac application, and that it provides the kind of high-quality experience Mac users expect.

27 comments:

Juvenn said...

So, what about Linux?

Aviad Rozenhek said...

sounds like chrome is light years ahead of the competition in terms of architecture & security.

its amazing to think that after doing all this hard work described in the article, you still have time to actually implement the browser functionality

kudos!

tomas said...

@Juvenn
Linux -> http://code.google.com/p/chromium/wiki/LinuxSandboxing

Daniel Kvasnička jr. said...

"It's important to us that the Mac port of Chromium feels and performs like a native Mac application, and that it provides the kind of high-quality experience Mac users expect." So how come the UI is so ugly and non-native looking? :-) I've heard that the author of Camino is working on Mac Chrome, so maybe you could make it as native as Camino is and still retain all the advantages of Chrome...?

Arasmus said...

But when are we going to get it. It has been ages. And please tell me that you are not going to exclude Power PC Macs as happened with Picasa.

i5m said...

@Arasmus, The V8 JavaScript engine doesn't run on PPC, so I've read, so I sincerely doubt we'll get a PPC version of Chrome. And that's fair enough really, it's dead technology (this from a PPC user, no Intel Mac for me yet either)

jehiah said...

@Arasmus current builds are already available http://build.chromium.org/buildbot/snapshots/sub-rel-mac/ and a script to auto-install the latest build nightly is here http://bit.ly/21bWP

Semil said...

one problem of many:
when i watched a Vimeo video clip in one chrome window, it used the processor ~100%
i opened up another chrome window, dragged it to the other screen/monitor and tried to access google and nothing happened until i stopped the video in first tab.

tried to access google first by just typing text (in the address bar) and hitting enter; when that didn't seem to work i tried by pressing the google bookmark, waited several minutes and nothing happened.

tried the same thing/scenario in firefox and it just worked, google page loaded slow but at least it loaded.

is the backend in chrome not working right? i (clueless) guess it's something to do with the renderer, is redesign/tweak of architecture needed ?
chrome is fast but it doesn't work at all under its own load (when chrome itself is using the processor 100%) or when another application is using the processor 100%

and some more salt in the wound, firefox doesn't have this problem.

long story short: chrome still sucks and firefox still rules, as expected, long disappointing sigh. Stop rushing things it will only make chrome look bad in the end

there are more "bugs" ( i call them bugs ) that i'm too tired to remember right now.
Like switching to another tab (by clicking it with the mouse) then moving the mouse and boom chrome thought i was dragging the tab out of the current window.

btw it would be nice if you could add a simple send feedback menu option in chrome so i don't have to waste time finding some place to post this.
i hate to be forced to login to send feedback and most of the time i just don't send feedback because i can't find a place and don't have time to waste finding a place. Happens all the time.

In my opinion chrome isn't in version 2 stage, it's still in beta v0.5 ish stage, another long disappointing sigh.

oh and my processor is a single core, amd athlon xp 3200+
old but reliable, just like me ;)
windows xp pro sp 2, 32 bit
if you need more info well then you know what to do.

i know this is the wrong place but im tired so give me a break.

Brian said...

It's important to us that the Mac port of Chromium feels and performs like a native Mac application, and that it provides the kind of high-quality experience Mac users expect.

I actually am hoping that Chrome doesn't entirely feel like every other native Mac app. One of the things I like a lot about Chrome for Windows is that the useless space of the title bar (that is, the space not used by the close/minimize/maximize buttons) and the conventional tool/menu bar are basically eliminated. Space should be allocated roughly in proportion to the frequency of use, and of the time I use a browser, more than 99% of the time I am using the main panel, while I rarely use any menus (especially when there are keyboard shortcuts).

This is a bit of a problem in terms of the Mac, of course, since the toolbar is not just for the application. I use a lot of tabs, usually, and it would be a pain to fit the tabs into the 60% or so of the width of the screen that does not have the Apple menu, toolbar icons, clock, etc. On the other hand, since Mac laptops have wide screens, vertical space is at a premium, so even those few millimeters would be nice to have.

In any case, I can't wait to use a stable, consumer-level version on my Mac.

Michael Quinn said...

"Sandboxing" or "process in a tab" or whatever you call it would be much more useful if it allowed you to log into 2 different (say) Google accounts at the same time on the same browser.

If you're going to make "Tabs On Top" - please make it optional. I prefer to have my Tabs where I can get at them quickly and not cross 2-3 bars of menus with the mouse. I think it's terrible UI design but some seem to like it.

If you really want to be a replacement for Safari - please include support for Keychain and syncing bookmarks via MobileMe.

Riot Nrrrd™ said...

"I've heard that the author of Camino is working on Mac Chrome"

Boy, I hope Chrome doesn't end up like Camino, trying so hard to be fast and give "the Mac experience" while forgetting the fundamental stuff - like rendering pages properly.

Camino 1.6.7 can't even render Facebook pages correctly, which is far more important to most of us than whether it's faster at rendering said pages than Safari 4 Beta.

Oh, and try opening up a whole bunch of tabs in Camino 1.6.7, it becomes this lumbering memory hog that causes half-gig swapfiles to be allocated regularly.

Please try and make Chrome on the Mac's memory footprint more miserly. (I only have a 2 GB Core Duo 2.16 GHz MacBook Pro, so I feel the pain of this quicker than most.)

Riot Nrrrd™ said...

@jehiah: "a script to auto-install the latest build nightly is here http://bit.ly/21bWP"

You don't need all your getRunningPids and ps and grep - try a simple "killall -HUP Chromium". (Or -TERM, if that isn't enough)

And since you are grabbing "chrome-mac.zip" in the cURL URL and saving to the same exact name, you can just use "curl -O [URL]" instead of "curl -o chrome-mac.zip [URL]".

James said...

Question: if Sandboxing is such an easy thing to implement why is it taking such a long time to come out with a Mac version. I would say a project that has failed to materialize in anything but a crude form, while windows chrome is at 2.0, is definitely not "coming along fine" I

Félix said...

@James: obviously, you missed the point that a web browser's main function is not sandboxing.

Keep up the good work, I'm looking forward to a final release.

Michael Quinn said...

Don't see what all the fuss is about.

If you want to run a slower browser than Safari there are plenty of options.

Kirill said...

I wonder how I could get involved in developing OS X port?

Fabio Turati said...

@Michael Quinn:
"If you're going to make "Tabs On Top" - please make it optional. I prefer to have my Tabs where I can get at them quickly and not cross 2-3 bars of menus with the mouse. I think it's terrible UI design but some seem to like it."

I completely disagree. Having tabs on top means you can move your mouse upwards until it stops (because it has reached the top of the page) and there you are. Instead, if they aren't on the top, you can't do that, you have to stop earlier, which is something that you must control: you must pay attention to where you stop moving your cursor. This forces you to slow down when you are almost there, otherwise you go past them. That's why I think this design is just great: it actually saves time.

François Schiettecatte said...

Any reason why you did not use Sandboxie ( http://www.sandboxie.com/ )?

JNI said...

@Fabio:

Your comments apply to Windows, not OSX, since the top of the screen will be taken up by the menu bar, and most of the time windows in OSX are floating, not maximized.

Granted, UI design has evolved since the menu bar was invented, and it should probably be scrapped, but that's unlikely to happen until OSX 11 at least.

ymerej said...

It crashed twice on day one but has not since. Love it, so fast compared to FF

Ian Rogers said...

The problem of mmapped memory and sendmsg is that you rely on both sides talking with the same pointers. This causes problems if one side is 32bit and the other 64bit, or if endianness changes. The only way to solve this is to recompile or add a nasty emulation fudge. It was for this reason PowerPC Macs never saw a 64bit kernel and anything that wanted to talk with the kernel needed to be in the bottom 4GB of memory on a 64bit system. On Intel Macs, if you mix PowerPC and Intel software of different address sizes you end up with an abundance of servers in memory, slowing the machine and thrashing the disk. The only really sensible way to solve this problem is to remove pointers and architectural issues from the picture. The best approach is with a portable runtime, of which Java is no doubt the best example. It's hard to contemplate that in 2009 it is more fashionable to talk about the use of sending raw pointers over sockets than it is to use secure managed runtimes, but sadly this is the world that Apple, Linux and Windows have put us in. The problem for chrome on Mac will be when plugins try to dictate the sandbox type (32bit, 64bit..) and potentially running multiple instances of chrome to handle this, or making a mega chrome that can handle all message flavours (and the developer effort that entails). In any case, there is nothing inherently elegant about this design.

ubuntu said...

just develop the program and leave the bugs for the community to solve.

ubuntu said...

only develop the program and allow the community to resolve bugs.

Stephen said...

I've just been experimenting with today's build of Chromium on OSX and I'm hugely impressed with the progress.

Obviously there's still plenty to be done but the work so far is excellent.


Kornelius E. said...

When importing data from firefox to chrome during the chrome install, the data on firefox is erased. What gives...