From 6258b1c2c202eda2f3b872ea7e4bdef4b1ace951 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Mon, 9 May 2022 16:26:44 -0400 Subject: [PATCH] split sandboxing out of exploit mitigations --- static/features.html | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/static/features.html b/static/features.html index dcf89ef2..5318388b 100644 --- a/static/features.html +++ b/static/features.html @@ -96,6 +96,8 @@ reduction
  • Exploit mitigations
  • +
  • Improved + sandboxing
  • Anti-persistence / detection
  • @@ -229,7 +231,6 @@ +
    +

    Improved sandboxing

    + +

    GrapheneOS improves the app sandbox through hardening SELinux policy + and seccomp-bpf policy along with all the hardening to components like + kernel implementing the app sandbox and providing a path for the attacker + to escape it if they can exploit those components. We primarily focus on + the app sandbox, but we also improve the other sandboxes including making + direct improvements to the web browser renderer sandbox used for both the + default browser and WebView rendering engine provided by the OS and used + by a huge number of other apps from dedicated browsers to messaging + apps.

    +
    +

    Anti-persistence / detection
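Review bot: The first sentence of the added "Improved sandboxing" paragraph is ambiguous. "along with all the hardening to components like kernel implementing the app sandbox and providing a path for the attacker to escape it" can be read as the hardening itself providing the escape path, and "like kernel" is missing its article. Suggest splitting it in two: first say that the SELinux and seccomp-bpf policies are hardened, then say that components such as the kernel both implement the sandbox and are the path an attacker would use to escape it if they can exploit them, which is why hardening those components counts as a sandbox improvement. The closing sentence chains "used for ... provided by the OS and used by ..." and would also read more clearly as two sentences: one for the renderer sandbox improvement, and one for how widely the WebView is used.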