Adds diagnostics for sandbox policy rules.

This copies policy rule opcodes when snapshotting policies, and serializes them for display in chrome://sandbox's raw view. Example rule: "NtQueryAttributesFile": [ "!(p[1] & 1) && !(prefix(p[0], '\\??\\')) -> askBroker", "!(p[1] & 1) && scan(p[0], '~') -> askBroker", "prefix_i(p[0], '\\??\\pipe\\chrome.') -> askBroker", "prefix_i(p[0], '\\??\\C:\\src\\chromium\\src\\out\\release-x86\\') && ends_i(p[0], '.pdb') -> askBroker" ], Bug: 997273 Change-Id: I54f82b0a9523fa1ed94cecf982f2b25203ae7351 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1872304 Commit-Queue: Alex Gough <ajgo@chromium.org> Reviewed-by: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/master@{#710437}

Adds diagnostics for sandbox policy rules.
This copies policy rule opcodes when snapshotting policies, and serializes them for display in chrome://sandbox's raw view. Example rule: "NtQueryAttributesFile": [ "!(p[1] & 1) && !(prefix(p[0], '\\??\\')) -> askBroker", "!(p[1] & 1) && scan(p[0], '~') -> askBroker", "prefix_i(p[0], '\\??\\pipe\\chrome.') -> askBroker", "prefix_i(p[0], '\\??\\C:\\src\\chromium\\src\\out\\release-x86\\') && ends_i(p[0], '.pdb') -> askBroker" ], Bug: 997273 Change-Id: I54f82b0a9523fa1ed94cecf982f2b25203ae7351 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1872304 Commit-Queue: Alex Gough <ajgo@chromium.org> Reviewed-by: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/master@{#710437}
9a8fdbed · Alex Gough · Commit Bot · 30815427 · 9a8fdbed · 9a8fdbed
Commit 9a8fdbed authored Oct 29, 2019 by Alex Gough Committed by Commit Bot Oct 29, 2019
5 changed files
--- a/sandbox/win/src/policy_engine_opcodes.h
+++ b/sandbox/win/src/policy_engine_opcodes.h
@@ -195,6 +195,9 @@ class PolicyOpcode {
  // Sets the stored options such as kPolNegateEval.
  void SetOptions(uint32_t options) { options_ = options; }
+  // Returns the parameter of the function the opcode concerns.
+  uint16_t GetParameter() const { return parameter_; }
 private:
  static const size_t kArgumentCount = 4;  // The number of supported argument.

--- a/sandbox/win/src/sandbox_constants.cc
+++ b/sandbox/win/src/sandbox_constants.cc
@@ -13,5 +13,6 @@ extern const char kJobLevel[] = "jobLevel";
 extern const char kLockdownLevel[] = "lockdownLevel";
 extern const char kLowboxSid[] = "lowboxSid";
 extern const char kPlatformMitigations[] = "platformMitigations";
+extern const char kPolicyRules[] = "policyRules";
 extern const char kProcessIds[] = "processIds";
 }  // namespace sandbox
--- a/sandbox/win/src/sandbox_constants.h
+++ b/sandbox/win/src/sandbox_constants.h
@@ -14,8 +14,8 @@ extern const char kJobLevel[];
 extern const char kLockdownLevel[];
 extern const char kLowboxSid[];
 extern const char kPlatformMitigations[];
+extern const char kPolicyRules[];
 extern const char kProcessIds[];
 }  // namespace sandbox
 #endif  // SANDBOX_WIN_SRC_SANDBOX_CONSTANTS_H_
--- a/sandbox/win/src/sandbox_policy_diagnostic.cc
+++ b/sandbox/win/src/sandbox_policy_diagnostic.cc
--- a/sandbox/win/src/sandbox_policy_diagnostic.h
+++ b/sandbox/win/src/sandbox_policy_diagnostic.h
@@ -13,6 +13,7 @@
 #include "base/macros.h"
 #include "base/values.h"
+#include "sandbox/win/src/policy_low_level.h"
 #include "sandbox/win/src/process_mitigations.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/security_level.h"
@@ -42,6 +43,7 @@ class PolicyDiagnostic final : public PolicyInfo {
  MitigationFlags desired_mitigations_ = 0;
  std::unique_ptr<Sid> app_container_sid_ = nullptr;
  std::unique_ptr<Sid> lowbox_sid_ = nullptr;
+  std::unique_ptr<PolicyGlobal> policy_rules_ = nullptr;
  DISALLOW_COPY_AND_ASSIGN(PolicyDiagnostic);
 };