Chrome Seccomp-BPF Sandbox

The chrome://sandbox page has gotten an update reflecting the new Mode 2 seccomp filters, implemented through the Berkeley Packet Filter (BPF). To learn more about syscall and seccomp filtering, you can read this post and learn about Chrome’s new sandbox on Linux.

Chrome’s seccomp sandbox is a powerful restriction on how Chrome can interact with the system’s kernel. This limitation is an effective way to prevent kernel exploitation, which is a wonderful reinforcement to Chrome’s SUID sandbox. The seccomp sandbox is ideal for a program like Chrome, one that already implements some form of sandboxing. The best way to escape from a sandbox, outside of a sandbox design issue, is to exploit the kernel; doing so allows you to bypass almost any security implemented, and the seccomp sandbox attempts to mitigate this threat.

Check to make sure that you’re adequately sandboxed by going to chrome://sandbox.
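The kernel also reports each process's seccomp mode in the `Seccomp:` field of `/proc/<pid>/status`, which gives a second way to confirm that Mode 2 (filter) is active. The following is an added example, not part of the original post; the function names and the sample status excerpts are constructed for illustration.

```python
import os

# Values of the "Seccomp:" field in /proc/<pid>/status (Linux 3.8+).
SECCOMP_MODES = {0: "disabled", 1: "strict (mode 1)", 2: "filter (mode 2, seccomp-BPF)"}

def seccomp_mode(status_text):
    """Return the integer seccomp mode from /proc/<pid>/status text, or None
    if the field is absent (kernel without seccomp support or older than 3.8)."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        # Exact key match: newer kernels also emit a "Seccomp_filters:" line.
        if key == "Seccomp":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None

def describe(status_text):
    """Human-readable seccomp state for one process's status text."""
    mode = seccomp_mode(status_text)
    if mode is None:
        return "unknown (no Seccomp field)"
    return SECCOMP_MODES.get(mode, f"unrecognised value {mode}")

def scan_live(name_substring="chrome"):
    """Best-effort walk of /proc: {pid: description} for matching process names."""
    results = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/status") as fh:
                text = fh.read()
        except OSError:  # process exited or access denied
            continue
        # First line of the status file is "Name:\t<comm>".
        name = text.partition("\n")[0].partition(":")[2].strip()
        if name_substring in name:
            results[int(pid)] = describe(text)
    return results

# Constructed sample status excerpts (not captured from a real system).
SAMPLE_FILTERED = "Name:\tchrome\nPid:\t4242\nNoNewPrivs:\t1\nSeccomp:\t2\nSeccomp_filters:\t1\n"
SAMPLE_UNFILTERED = "Name:\tchrome\nPid:\t4200\nNoNewPrivs:\t0\nSeccomp:\t0\n"
SAMPLE_OLD_KERNEL = "Name:\tchrome\nPid:\t4300\n"

if __name__ == "__main__":
    for sample in (SAMPLE_FILTERED, SAMPLE_UNFILTERED, SAMPLE_OLD_KERNEL):
        print(describe(sample))
    print(scan_live() if os.path.isdir("/proc") else "no /proc on this system")
```

A process reporting mode 0 here has no seccomp filter installed, regardless of what other sandbox layers apply to it.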
