I am a beginner in writing Chrome extensions and NaCl. I have a basic extension with an app written in C#.
Using the C# application (which is being called by my Chrome extension), I can freely read/write files from/to my Windows file system. I can also launch installed applications on the client machine. How is this sandboxed, given that I have access to the whole file system? Is my C# app called a Native Client? Not sure, maybe I am misunderstanding Sandboxing.
One more comment: I can see, e.g. from here, that my C# application is called a "native application". I am guessing I am confusing it with "Native Client". If so, could anyone explain what the differences between those two are?
Thanks for your comments.
You are confusing Native Client (which is a separate language / compiler with the result being executed sandboxed) with Native Messaging Host (which is explicitly not sandboxed).
An extension can use both: it can use (but not bundle) a Native Host, and can include NaCl/PNaCl modules.
Answering the titular question, the code is sandboxed by restricting what is allowed in the language and using static analysis to ensure code safety:
Since Native Client permits the execution of native code on client machines, special security measures have to be implemented:
- The NaCl sandbox ensures that code accesses system resources only through safe, whitelisted APIs, and operates within its limits without attempting to interfere with other code running either within the browser or outside it.
- The NaCl validator statically analyzes code before running it to make sure it only uses code and data patterns that are permitted and safe.
These security measures are in addition to the existing sandbox in the Chrome browser. The Native Client module always executes in a process with restricted permissions. The only interaction between this process and the outside world is through defined browser interfaces. Because of the combination of the NaCl sandbox and the Chrome sandbox, we say that Native Client employs a double sandbox design.
You wouldn't be able to directly access the filesystem, for instance, because standard file I/O is not available; instead, a restricted version is provided by the sandbox.
"Native" here is just an ambiguous term, just like "application" (compare: Chrome App is also a thing).
Native Messaging = Messaging with "native" (i.e. outside the browser) applications.
Native Client is the proper name of a technology to execute "native code" (as opposed to scripts interpreted by the browser).
Native Messaging has explicitly nothing to do with the NaCl platform.
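Because a Native Messaging host runs outside the browser with the user's full privileges, the host program itself is the only boundary between the extension and the file system. The following is an added illustration, not code from the question or the answer and not the asker's C# host: a minimal host in Python that implements Chrome's length-prefixed JSON framing and serves only a fixed allow-list of actions instead of taking paths or commands from the extension. The action names and the version string are made up for the example.

```python
import io
import json
import struct
import sys
from typing import Any, BinaryIO, Optional

# Chrome native messaging framing: UTF-8 JSON preceded by a 32-bit native-order length.
MAX_HOST_TO_CHROME = 1024 * 1024  # Chrome drops host->browser messages above 1 MB

def encode_message(obj: Any) -> bytes:
    body = json.dumps(obj).encode("utf-8")
    if len(body) > MAX_HOST_TO_CHROME:
        raise ValueError("message too large for Chrome")
    return struct.pack("@I", len(body)) + body

def decode_message(stream: BinaryIO) -> Optional[Any]:
    header = stream.read(4)
    if len(header) < 4:
        return None  # Chrome closed the pipe
    (length,) = struct.unpack("@I", header)
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message")
    return json.loads(body.decode("utf-8"))

# The host runs with the user's full privileges, so it exposes a fixed set of
# actions rather than forwarding arbitrary paths or commands. Names are made up.
ALLOWED_ACTIONS = {"ping": lambda m: {"ok": True, "echo": m.get("payload")},
                   "version": lambda m: {"ok": True, "version": "example-host/1"}}

def handle_request(msg: Any) -> dict:
    if not isinstance(msg, dict) or msg.get("action") not in ALLOWED_ACTIONS:
        return {"ok": False, "error": "unknown action"}
    return ALLOWED_ACTIONS[msg["action"]](msg)

def serve(stdin: BinaryIO, stdout: BinaryIO) -> None:
    # Answer framed requests until Chrome closes the input pipe.
    while (msg := decode_message(stdin)) is not None:
        stdout.write(encode_message(handle_request(msg)))
        stdout.flush()

def process_frames(data: bytes) -> list:
    # Run serve() over in-memory bytes and return the decoded replies (for testing).
    out = io.BytesIO()
    serve(io.BytesIO(data), out)
    out.seek(0)
    return list(iter(lambda: decode_message(out), None))

if __name__ == "__main__":
    serve(sys.stdin.buffer, sys.stdout.buffer)
```

Which extension IDs may launch the host is decided by the `allowed_origins` list in the host's manifest, not by this code, so both the manifest and the action allow-list need to be tight.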