Chromium's sandbox on Windows is built on top of Windows features (tokens, jobs, desktops, integrity levels, app containers).
Just like how their sandbox on Linux is built on top of Linux features (setuid, user namespaces, seccomp, SELinux, AppArmor).
For both Linux and Windows, the OS kernel gives you a bunch of features you can use to construct sandboxes, but the choice of exactly which of those features you use, and how you put them together, is up to you. Chromium worked out how to combine those features to meet their own security requirements, and has documented that in detail, and open sourced the implementation – there's nothing stopping you from copying the same approach, assuming your requirements are sufficiently similar.
With macOS, Apple ships a sandboxing mechanism in the OS, known as "sandbox" or "seatbelt", which is what Chromium uses there.
skissane|2 years ago