Add namespace sandbox to about page.

This unindents the lines about PID/network namespaces, since those now apply to both the setuid or unprivileged namespace sandbox. BUG=312380 Review URL: https://codereview.chromium.org/873283004 Cr-Commit-Position: refs/heads/master@{#315116}

Add namespace sandbox to about page.
This unindents the lines about PID/network namespaces, since those now apply to both the setuid or unprivileged namespace sandbox. BUG=312380 Review URL: https://codereview.chromium.org/873283004 Cr-Commit-Position: refs/heads/master@{#315116}
1ef7ee1e · rickyz · Commit bot · e6f0c87c · 1ef7ee1e · 1ef7ee1e
Commit 1ef7ee1e authored Feb 06, 2015 by rickyz Committed by Commit bot Feb 06, 2015
4 changed files
--- a/chrome/app/generated_resources.grd
+++ b/chrome/app/generated_resources.grd
@@ -13538,16 +13538,19 @@ Some features may be unavailable.  Please check that the profile exists and you
        <message name="IDS_ABOUT_SANDBOX_SUID_SANDBOX" desc="The name of a type of sandbox used by Chrome on UNIX like systems. The name 'SUID' stands for 'Set User ID', however it's a technical term and may be best left untranslated.">
          SUID Sandbox
        </message>
-        <message name="IDS_ABOUT_SANDBOX_PID_NAMESPACES" desc="This a technical term for an attribute of the SUID sandbox. PID stands for 'Process ID' but, as a technical term, may be best left untranslated. A namespace is another technical term which refers to set of names for objects which are disjoint from the members of all other namespaces.">
+        <message name="IDS_ABOUT_SANDBOX_NAMESPACE_SANDBOX" desc="The name of a type of sandbox used by Chrome on Linux systems. A namespace is a technical term which refers to set of names for objects which are disjoint from the members of all other namespaces.">
+          Namespace Sandbox
+        </message>
+        <message name="IDS_ABOUT_SANDBOX_PID_NAMESPACES" desc="This a technical term for an attribute of the SUID or namespace sandboxes. PID stands for 'Process ID' but, as a technical term, may be best left untranslated. A namespace is another technical term which refers to set of names for objects which are disjoint from the members of all other namespaces.">
          PID namespaces
        </message>
-        <message name="IDS_ABOUT_SANDBOX_NET_NAMESPACES" desc="This a technical term for an attribute of the SUID sandbox. A namespace is a technical term which refers to set of names for objects which are disjoint from the members of all other namespaces.">
+        <message name="IDS_ABOUT_SANDBOX_NET_NAMESPACES" desc="This a technical term for an attribute of the SUID or namespace sandboxes. A namespace is a technical term which refers to set of names for objects which are disjoint from the members of all other namespaces.">
          Network namespaces
        </message>
-        <message name="IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX" desc="The name of a type of sandbox used by Chrome on UNIX like systems. 'Seccomp-BPF' is a technical term which should be left untranslated.">
+        <message name="IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX" desc="The name of a type of sandbox used by Chrome on Linux systems. 'Seccomp-BPF' is a technical term which should be left untranslated.">
          Seccomp-BPF sandbox
        </message>
-        <message name="IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX_TSYNC" desc="The name of a type of sandbox used by Chrome on UNIX like systems. 'Seccomp-BPF' is a technical term which should be left untranslated. TSYNC is a technical term which should be left untranslated.">
+        <message name="IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX_TSYNC" desc="The name of a type of sandbox used by Chrome on Linux systems. 'Seccomp-BPF' is a technical term which should be left untranslated. TSYNC is a technical term which should be left untranslated.">
          Seccomp-BPF sandbox supports TSYNC
        </message>
        <message name="IDS_ABOUT_SANDBOX_YAMA_LSM" desc="The name of a Linux security module. It is a technical term that should be left untranslated.">

--- a/chrome/browser/ui/webui/about_ui.cc
+++ b/chrome/browser/ui/webui/about_ui.cc
@@ -843,10 +843,8 @@ std::string AboutLinuxProxyConfig() {
  return data;
 }
-void AboutSandboxRow(std::string* data, const std::string& prefix, int name_id,
+void AboutSandboxRow(std::string* data, int name_id, bool good) {
-                     bool good) {
  data->append("<tr><td>");
-  data->append(prefix);
  data->append(l10n_util::GetStringUTF8(name_id));
  if (good) {
    data->append("</td><td style='color: green;'>");
@@ -873,31 +871,26 @@ std::string AboutSandbox() {
  data.append("<table>");
-  AboutSandboxRow(&data,
+  AboutSandboxRow(&data, IDS_ABOUT_SANDBOX_SUID_SANDBOX,
-                  std::string(),
-                  IDS_ABOUT_SANDBOX_SUID_SANDBOX,
                  status & content::kSandboxLinuxSUID);
-  AboutSandboxRow(&data, "&nbsp;&nbsp;", IDS_ABOUT_SANDBOX_PID_NAMESPACES,
+  AboutSandboxRow(&data, IDS_ABOUT_SANDBOX_NAMESPACE_SANDBOX,
+                  status & content::kSandboxLinuxUserNS);
+  AboutSandboxRow(&data, IDS_ABOUT_SANDBOX_PID_NAMESPACES,
                  status & content::kSandboxLinuxPIDNS);
-  AboutSandboxRow(&data, "&nbsp;&nbsp;", IDS_ABOUT_SANDBOX_NET_NAMESPACES,
+  AboutSandboxRow(&data, IDS_ABOUT_SANDBOX_NET_NAMESPACES,
                  status & content::kSandboxLinuxNetNS);
-  AboutSandboxRow(&data,
+  AboutSandboxRow(&data, IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX,
-                  std::string(),
-                  IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX,
                  status & content::kSandboxLinuxSeccompBPF);
-  AboutSandboxRow(&data,
+  AboutSandboxRow(&data, IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX_TSYNC,
-                  std::string(),
-                  IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX_TSYNC,
                  status & content::kSandboxLinuxSeccompTSYNC);
-  AboutSandboxRow(&data,
+  AboutSandboxRow(&data, IDS_ABOUT_SANDBOX_YAMA_LSM,
-                  std::string(),
-                  IDS_ABOUT_SANDBOX_YAMA_LSM,
                  status & content::kSandboxLinuxYama);
  data.append("</table>");
-  // The setuid sandbox is required as our first-layer sandbox.
+  // Require either the setuid or namespace sandbox for our first-layer sandbox.
-  bool good_layer1 = status & content::kSandboxLinuxSUID &&
+  bool good_layer1 = (status & content::kSandboxLinuxSUID ||
+                      status & content::kSandboxLinuxUserNS) &&
                     status & content::kSandboxLinuxPIDNS &&
                     status & content::kSandboxLinuxNetNS;
  // A second-layer sandbox is also required to be adequately sandboxed.

--- a/content/common/sandbox_linux/sandbox_linux.cc
+++ b/content/common/sandbox_linux/sandbox_linux.cc
@@ -32,6 +32,7 @@
 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/sandbox_linux.h"
+#include "sandbox/linux/services/namespace_sandbox.h"
 #include "sandbox/linux/services/proc_util.h"
 #include "sandbox/linux/services/thread_helpers.h"
 #include "sandbox/linux/services/yama.h"
@@ -115,8 +116,7 @@ LinuxSandbox::LinuxSandbox()
      seccomp_bpf_with_tsync_supported_(false),
      yama_is_enforcing_(false),
      initialize_sandbox_ran_(false),
-      setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create())
+      setuid_sandbox_client_(sandbox::SetuidSandboxClient::Create()) {
-{
  if (setuid_sandbox_client_ == NULL) {
    LOG(FATAL) << "Failed to instantiate the setuid sandbox client.";
  }
@@ -213,6 +213,12 @@ int LinuxSandbox::GetStatus() {
        sandbox_status_flags_ |= kSandboxLinuxPIDNS;
      if (setuid_sandbox_client_->IsInNewNETNamespace())
        sandbox_status_flags_ |= kSandboxLinuxNetNS;
+    } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
+      sandbox_status_flags_ |= kSandboxLinuxUserNS;
+      if (sandbox::NamespaceSandbox::InNewPidNamespace())
+        sandbox_status_flags_ |= kSandboxLinuxPIDNS;
+      if (sandbox::NamespaceSandbox::InNewNetNamespace())
+        sandbox_status_flags_ |= kSandboxLinuxNetNS;
    }
    // We report whether the sandbox will be activated when renderers, workers

--- a/content/public/common/sandbox_linux.h
+++ b/content/public/common/sandbox_linux.h
@@ -14,10 +14,10 @@ enum LinuxSandboxStatus {
  // SUID sandbox active.
  kSandboxLinuxSUID = 1 << 0,
-  // SUID sandbox is using the PID namespace.
+  // Sandbox is using a new PID namespace.
  kSandboxLinuxPIDNS = 1 << 1,
-  // SUID sandbox is using the network namespace.
+  // Sandbox is using a new network namespace.
  kSandboxLinuxNetNS = 1 << 2,
  // seccomp-bpf sandbox active.
@@ -29,6 +29,9 @@ enum LinuxSandboxStatus {
  // seccomp-bpf sandbox is active and the kernel supports TSYNC.
  kSandboxLinuxSeccompTSYNC = 1 << 5,
+  // User namespace sandbox active.
+  kSandboxLinuxUserNS = 1 << 6,
  // A flag that denotes an invalid sandbox status.
  kSandboxLinuxInvalid = 1 << 31,
 };