Chrome os system5/15/2023 Use the libraries provided by the system/SDK. If you need to use third-party code that you didn’t write, you should definitely not run it as root. Therefore, code should only be given the absolute minimum level of privilege needed to perform its function.Īim to keep your code lean, and your privileges low. An attacker can then do anything the original code was allowed to do. Just remember that code has bugs, and these bugs can be used to take control of the code. Best practices for writing secure system services In other cases, Minijail wrappers are used if a service wants to apply restrictions to the programs that it launches, or to itself. In most cases, Minijail is used in the service's init script. We use a helper program called Minijail (executable minijail0). For example, by having a separate network manager, we can reduce the functionality exposed to an attacker to just querying interfaces and performing pre-determined actions on them.Ĭhrome OS uses a few different mechanisms to isolate system services from Chrome and from each other. If Chrome were able to directly control network interfaces, a compromise in Chrome would give the attacker almost full control over the system. Separating functionality like this prevents an attacker exploiting the Chrome browser through a malicious website to be able to access OS-level functionality directly. These system services have greater system and hardware access than the Chrome browser. In Chrome OS, OS-level functionality (such as configuring network interfaces) is implemented by a collection of system services, and provided to Chrome over D-Bus.
0 Comments
Leave a Reply. |