Commit 1ef7ee1e authored by rickyz's avatar rickyz Committed by Commit bot

Add namespace sandbox to about page.

This unindents the lines about PID/network namespaces, since those now
apply to either the setuid or the unprivileged namespace sandbox.

BUG=312380

Review URL: https://codereview.chromium.org/873283004

Cr-Commit-Position: refs/heads/master@{#315116}
parent e6f0c87c
......@@ -13538,16 +13538,19 @@ Some features may be unavailable. Please check that the profile exists and you
<message name="IDS_ABOUT_SANDBOX_SUID_SANDBOX" desc="The name of a type of sandbox used by Chrome on UNIX like systems. The name 'SUID' stands for 'Set User ID', however it's a technical term and may be best left untranslated.">
SUID Sandbox
</message>
<message name="IDS_ABOUT_SANDBOX_PID_NAMESPACES" desc="This a technical term for an attribute of the SUID sandbox. PID stands for 'Process ID' but, as a technical term, may be best left untranslated. A namespace is another technical term which refers to set of names for objects which are disjoint from the members of all other namespaces.">
<message name="IDS_ABOUT_SANDBOX_NAMESPACE_SANDBOX" desc="The name of a type of sandbox used by Chrome on Linux systems. A namespace is a technical term which refers to set of names for objects which are disjoint from the members of all other namespaces.">
Namespace Sandbox
</message>
<message name="IDS_ABOUT_SANDBOX_PID_NAMESPACES" desc="This a technical term for an attribute of the SUID or namespace sandboxes. PID stands for 'Process ID' but, as a technical term, may be best left untranslated. A namespace is another technical term which refers to set of names for objects which are disjoint from the members of all other namespaces.">
PID namespaces
</message>
<message name="IDS_ABOUT_SANDBOX_NET_NAMESPACES" desc="This a technical term for an attribute of the SUID sandbox. A namespace is a technical term which refers to set of names for objects which are disjoint from the members of all other namespaces.">
<message name="IDS_ABOUT_SANDBOX_NET_NAMESPACES" desc="This a technical term for an attribute of the SUID or namespace sandboxes. A namespace is a technical term which refers to set of names for objects which are disjoint from the members of all other namespaces.">
Network namespaces
</message>
<message name="IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX" desc="The name of a type of sandbox used by Chrome on UNIX like systems. 'Seccomp-BPF' is a technical term which should be left untranslated.">
<message name="IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX" desc="The name of a type of sandbox used by Chrome on Linux systems. 'Seccomp-BPF' is a technical term which should be left untranslated.">
Seccomp-BPF sandbox
</message>
<message name="IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX_TSYNC" desc="The name of a type of sandbox used by Chrome on UNIX like systems. 'Seccomp-BPF' is a technical term which should be left untranslated. TSYNC is a technical term which should be left untranslated.">
<message name="IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX_TSYNC" desc="The name of a type of sandbox used by Chrome on Linux systems. 'Seccomp-BPF' is a technical term which should be left untranslated. TSYNC is a technical term which should be left untranslated.">
Seccomp-BPF sandbox supports TSYNC
</message>
<message name="IDS_ABOUT_SANDBOX_YAMA_LSM" desc="The name of a Linux security module. It is a technical term that should be left untranslated.">
......
......@@ -843,10 +843,8 @@ std::string AboutLinuxProxyConfig() {
return data;
}
void AboutSandboxRow(std::string* data, const std::string& prefix, int name_id,
bool good) {
void AboutSandboxRow(std::string* data, int name_id, bool good) {
data->append("<tr><td>");
data->append(prefix);
data->append(l10n_util::GetStringUTF8(name_id));
if (good) {
data->append("</td><td style='color: green;'>");
......@@ -873,31 +871,26 @@ std::string AboutSandbox() {
data.append("<table>");
AboutSandboxRow(&data,
std::string(),
IDS_ABOUT_SANDBOX_SUID_SANDBOX,
AboutSandboxRow(&data, IDS_ABOUT_SANDBOX_SUID_SANDBOX,
status & content::kSandboxLinuxSUID);
AboutSandboxRow(&data, "&nbsp;&nbsp;", IDS_ABOUT_SANDBOX_PID_NAMESPACES,
AboutSandboxRow(&data, IDS_ABOUT_SANDBOX_NAMESPACE_SANDBOX,
status & content::kSandboxLinuxUserNS);
AboutSandboxRow(&data, IDS_ABOUT_SANDBOX_PID_NAMESPACES,
status & content::kSandboxLinuxPIDNS);
AboutSandboxRow(&data, "&nbsp;&nbsp;", IDS_ABOUT_SANDBOX_NET_NAMESPACES,
AboutSandboxRow(&data, IDS_ABOUT_SANDBOX_NET_NAMESPACES,
status & content::kSandboxLinuxNetNS);
AboutSandboxRow(&data,
std::string(),
IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX,
AboutSandboxRow(&data, IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX,
status & content::kSandboxLinuxSeccompBPF);
AboutSandboxRow(&data,
std::string(),
IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX_TSYNC,
AboutSandboxRow(&data, IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX_TSYNC,
status & content::kSandboxLinuxSeccompTSYNC);
AboutSandboxRow(&data,
std::string(),
IDS_ABOUT_SANDBOX_YAMA_LSM,
AboutSandboxRow(&data, IDS_ABOUT_SANDBOX_YAMA_LSM,
status & content::kSandboxLinuxYama);
data.append("</table>");
// The setuid sandbox is required as our first-layer sandbox.
bool good_layer1 = status & content::kSandboxLinuxSUID &&
// Require either the setuid or namespace sandbox for our first-layer sandbox.
bool good_layer1 = (status & content::kSandboxLinuxSUID ||
status & content::kSandboxLinuxUserNS) &&
status & content::kSandboxLinuxPIDNS &&
status & content::kSandboxLinuxNetNS;
// A second-layer sandbox is also required to be adequately sandboxed.
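Review bot: The table in AboutSandbox() now always lists both "SUID Sandbox" and "Namespace Sandbox", yet GetStatus() sets kSandboxLinuxSUID and kSandboxLinuxUserNS in an if/else-if chain, so at most one of the two rows can be marked good. The not-good branch of AboutSandboxRow() is outside the hunk, but presumably it renders a failure colour, so a fully sandboxed browser will show one failing first-layer row that a user can misread as a sandbox problem. At minimum, add a comment above the two calls, e.g. `// Only one of the SUID and namespace sandboxes is active at a time; a "No" in the other row is expected.`, and consider emitting only the row for the layer-1 sandbox in use. The good_layer1 expression itself is correct as parenthesised, though `status & (content::kSandboxLinuxSUID | content::kSandboxLinuxUserNS)` would read more directly. AboutSandbox() continues past the end of the hunk.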
......
......@@ -32,6 +32,7 @@
#include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
#include "content/public/common/content_switches.h"
#include "content/public/common/sandbox_linux.h"
#include "sandbox/linux/services/namespace_sandbox.h"
#include "sandbox/linux/services/proc_util.h"
#include "sandbox/linux/services/thread_helpers.h"
#include "sandbox/linux/services/yama.h"
......@@ -115,8 +116,7 @@ LinuxSandbox::LinuxSandbox()
seccomp_bpf_with_tsync_supported_(false),
yama_is_enforcing_(false),
initialize_sandbox_ran_(false),
setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create())
{
setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) {
if (setuid_sandbox_client_ == NULL) {
LOG(FATAL) << "Failed to instantiate the setuid sandbox client.";
}
......@@ -213,6 +213,12 @@ int LinuxSandbox::GetStatus() {
sandbox_status_flags_ |= kSandboxLinuxPIDNS;
if (setuid_sandbox_client_->IsInNewNETNamespace())
sandbox_status_flags_ |= kSandboxLinuxNetNS;
} else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
sandbox_status_flags_ |= kSandboxLinuxUserNS;
if (sandbox::NamespaceSandbox::InNewPidNamespace())
sandbox_status_flags_ |= kSandboxLinuxPIDNS;
if (sandbox::NamespaceSandbox::InNewNetNamespace())
sandbox_status_flags_ |= kSandboxLinuxNetNS;
}
// We report whether the sandbox will be activated when renderers, workers
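Review bot: The new `else if` branch in GetStatus() sets kSandboxLinuxUserNS, kSandboxLinuxPIDNS and kSandboxLinuxNetNS purely from the static sandbox::NamespaceSandbox::InNew*Namespace() helpers, and the hunk does not show what those helpers consult. If they read state handed down by the launching process rather than querying the kernel, these flags record what the launcher claimed, not a verified property of the current process. Because good_layer1 on the about page is derived from these bits, that should be documented at this call site, e.g. `// These flags reflect what the launcher reported for this process; they are not re-verified here.` (adjust to match the helpers' actual behaviour). The condition of the preceding `if` and the rest of GetStatus() lie outside the hunk.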
......
......@@ -14,10 +14,10 @@ enum LinuxSandboxStatus {
// SUID sandbox active.
kSandboxLinuxSUID = 1 << 0,
// SUID sandbox is using the PID namespace.
// Sandbox is using a new PID namespace.
kSandboxLinuxPIDNS = 1 << 1,
// SUID sandbox is using the network namespace.
// Sandbox is using a new network namespace.
kSandboxLinuxNetNS = 1 << 2,
// seccomp-bpf sandbox active.
......@@ -29,6 +29,9 @@ enum LinuxSandboxStatus {
// seccomp-bpf sandbox is active and the kernel supports TSYNC.
kSandboxLinuxSeccompTSYNC = 1 << 5,
// User namespace sandbox active.
kSandboxLinuxUserNS = 1 << 6,
// A flag that denotes an invalid sandbox status.
kSandboxLinuxInvalid = 1 << 31,
};
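Review bot: The comment on the new kSandboxLinuxUserNS flag does not say that it is an alternative first layer to kSandboxLinuxSUID, nor that kSandboxLinuxPIDNS and kSandboxLinuxNetNS can now be set without the SUID bit. Any caller that still tests kSandboxLinuxSUID alone to decide whether a first-layer sandbox is present would treat a namespace-sandboxed process as unsandboxed; only AboutSandbox() is updated in this commit, and other consumers are not visible here. The comment could read `// User namespace sandbox active. Alternative first layer to kSandboxLinuxSUID; callers checking for a first-layer sandbox must test both.` The remaining users of LinuxSandboxStatus should then be audited for SUID-only checks.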
......