Chromium OS Sandboxing

This document can now be found here:

The content below are the pieces not yet included there.

Just tell me what I need to do

  • Use as many namespaces as possible. See section Namespaces.


Many resources in the Linux world can be isolated now such that a process has its own view of things. For example, it has its own list of mount points, and any changes it makes (unmounting, mounting more devices, etc...) are only visible to it. This helps keep a broken process from messing up the settings of other processes.

For more in-depth details, see the namespaces overview.

In Chromium OS, we like to see every process/daemon run under as many unique namespaces as possible. Many are easy to enable/rationalize about: if you don't use a particular resource, then isolating it is straight forward. If you do rely on it though, it can take more effort.

Here's a quick overview. Use the command line option if the statement true (or if you don't know what functionality it's talking about -- most likely you aren't using it!).

  • -e: If your process doesn't need network access
  • -N: If your process doesn't need to modify control groups settings
  • -p -r: If your process doesn't need to access other processes in the system
  • -v: If your process doesn't need access to user mounts
  • -l: If your process doesn't use SysV shared memory or IPC