Move Sandbox::Status flags to SandboxLinux::Status

This is a small bit of overdue tidying, in that the flags should be
in the header with the method that returns them.

Change-Id: I8f9e8290a3ec36b53fa64ca69fcc3a11ac3b0e7c
Reviewed-on: https://chromium-review.googlesource.com/773508Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#517465}

chrome/browser/ui/webui/sandbox_internals_ui.cc

@@ -28,23 +28,23 @@ static void SetSandboxStatusData(content::WebUIDataSource* source) {
   const int status =
       content::ZygoteHost::GetInstance()->GetRendererSandboxStatus();
 
-  source->AddBoolean("suid", status & service_manager::Sandbox::kSUID);
-  source->AddBoolean("userNs", status & service_manager::Sandbox::kUserNS);
-  source->AddBoolean("pidNs", status & service_manager::Sandbox::kPIDNS);
-  source->AddBoolean("netNs", status & service_manager::Sandbox::kNetNS);
+  source->AddBoolean("suid", status & service_manager::SandboxLinux::kSUID);
+  source->AddBoolean("userNs", status & service_manager::SandboxLinux::kUserNS);
+  source->AddBoolean("pidNs", status & service_manager::SandboxLinux::kPIDNS);
+  source->AddBoolean("netNs", status & service_manager::SandboxLinux::kNetNS);
   source->AddBoolean("seccompBpf",
-                     status & service_manager::Sandbox::kSeccompBPF);
+                     status & service_manager::SandboxLinux::kSeccompBPF);
   source->AddBoolean("seccompTsync",
-                     status & service_manager::Sandbox::kSeccompTSYNC);
-  source->AddBoolean("yama", status & service_manager::Sandbox::kYama);
+                     status & service_manager::SandboxLinux::kSeccompTSYNC);
+  source->AddBoolean("yama", status & service_manager::SandboxLinux::kYama);
 
   // Require either the setuid or namespace sandbox for our first-layer sandbox.
-  bool good_layer1 = (status & service_manager::Sandbox::kSUID ||
-                      status & service_manager::Sandbox::kUserNS) &&
-                     status & service_manager::Sandbox::kPIDNS &&
-                     status & service_manager::Sandbox::kNetNS;
+  bool good_layer1 = (status & service_manager::SandboxLinux::kSUID ||
+                      status & service_manager::SandboxLinux::kUserNS) &&
+                     status & service_manager::SandboxLinux::kPIDNS &&
+                     status & service_manager::SandboxLinux::kNetNS;
   // A second-layer sandbox is also required to be adequately sandboxed.
-  bool good_layer2 = status & service_manager::Sandbox::kSeccompBPF;
+  bool good_layer2 = status & service_manager::SandboxLinux::kSeccompBPF;
   source->AddBoolean("sandboxGood", good_layer1 && good_layer2);
 }
 #endif

content/renderer/renderer_main_platform_delegate_linux.cc

@@ -47,13 +47,13 @@ bool RendererMainPlatformDelegate::EnableSandbox() {
   // Here, we test that the status of SeccompBpf in the renderer is consistent
   // with what SandboxLinux::GetStatus() said we would do.
   auto* linux_sandbox = service_manager::SandboxLinux::GetInstance();
-  if (linux_sandbox->GetStatus() & service_manager::Sandbox::kSeccompBPF) {
+  if (linux_sandbox->GetStatus() & service_manager::SandboxLinux::kSeccompBPF) {
     CHECK(linux_sandbox->seccomp_bpf_started());
   }
 
   // Under the setuid sandbox, we should not be able to open any file via the
   // filesystem.
-  if (linux_sandbox->GetStatus() & service_manager::Sandbox::kSUID) {
+  if (linux_sandbox->GetStatus() & service_manager::SandboxLinux::kSUID) {
     CHECK(!base::PathExists(base::FilePath("/proc/cpuinfo")));
   }
 

content/zygote/zygote_linux.cc

@@ -225,11 +225,11 @@ bool Zygote::GetProcessInfo(base::ProcessHandle pid,
 }
 
 bool Zygote::UsingSUIDSandbox() const {
-  return sandbox_flags_ & service_manager::Sandbox::kSUID;
+  return sandbox_flags_ & service_manager::SandboxLinux::kSUID;
 }
 
 bool Zygote::UsingNSSandbox() const {
-  return sandbox_flags_ & service_manager::Sandbox::kUserNS;
+  return sandbox_flags_ & service_manager::SandboxLinux::kUserNS;
 }
 
 bool Zygote::HandleRequestFromBrowser(int fd) {
@@ -445,8 +445,8 @@ int Zygote::ForkWithRealPid(const std::string& process_type,
     CHECK_NE(pid, 0);
   } else {
     CreatePipe(&read_pipe, &write_pipe);
-    if (sandbox_flags_ & service_manager::Sandbox::kPIDNS &&
-        sandbox_flags_ & service_manager::Sandbox::kUserNS) {
+    if (sandbox_flags_ & service_manager::SandboxLinux::kPIDNS &&
+        sandbox_flags_ & service_manager::SandboxLinux::kUserNS) {
       pid = sandbox::NamespaceSandbox::ForkInNewPidNamespace(
           /*drop_capabilities_in_child=*/true);
     } else {

content/zygote/zygote_main_linux.cc

@@ -615,11 +615,11 @@ bool ZygoteMain(
   const int sandbox_flags = linux_sandbox->GetStatus();
 
   const bool setuid_sandbox_engaged =
-      sandbox_flags & service_manager::Sandbox::kSUID;
+      sandbox_flags & service_manager::SandboxLinux::kSUID;
   CHECK_EQ(using_setuid_sandbox, setuid_sandbox_engaged);
 
   const bool namespace_sandbox_engaged =
-      sandbox_flags & service_manager::Sandbox::kUserNS;
+      sandbox_flags & service_manager::SandboxLinux::kUserNS;
   CHECK_EQ(using_namespace_sandbox, namespace_sandbox_engaged);
 
   Zygote zygote(sandbox_flags, std::move(fork_delegates), extra_children,

services/service_manager/sandbox/linux/sandbox_linux.cc

@@ -132,7 +132,7 @@ bool UpdateProcessTypeAndEnableSandbox(
 SandboxLinux::SandboxLinux()
     : proc_fd_(-1),
       seccomp_bpf_started_(false),
-      sandbox_status_flags_(Sandbox::kInvalid),
+      sandbox_status_flags_(kInvalid),
       pre_initialized_(false),
       seccomp_bpf_supported_(false),
       seccomp_bpf_with_tsync_supported_(false),
@@ -230,35 +230,35 @@ int SandboxLinux::GetStatus() {
   if (!pre_initialized_) {
     return 0;
   }
-  if (sandbox_status_flags_ == Sandbox::kInvalid) {
+  if (sandbox_status_flags_ == kInvalid) {
     // Initialize sandbox_status_flags_.
     sandbox_status_flags_ = 0;
     if (setuid_sandbox_client_->IsSandboxed()) {
-      sandbox_status_flags_ |= Sandbox::kSUID;
+      sandbox_status_flags_ |= kSUID;
       if (setuid_sandbox_client_->IsInNewPIDNamespace())
-        sandbox_status_flags_ |= Sandbox::kPIDNS;
+        sandbox_status_flags_ |= kPIDNS;
       if (setuid_sandbox_client_->IsInNewNETNamespace())
-        sandbox_status_flags_ |= Sandbox::kNetNS;
+        sandbox_status_flags_ |= kNetNS;
     } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
-      sandbox_status_flags_ |= Sandbox::kUserNS;
+      sandbox_status_flags_ |= kUserNS;
       if (sandbox::NamespaceSandbox::InNewPidNamespace())
-        sandbox_status_flags_ |= Sandbox::kPIDNS;
+        sandbox_status_flags_ |= kPIDNS;
       if (sandbox::NamespaceSandbox::InNewNetNamespace())
-        sandbox_status_flags_ |= Sandbox::kNetNS;
+        sandbox_status_flags_ |= kNetNS;
     }
 
     // We report whether the sandbox will be activated when renderers, workers
     // and PPAPI plugins go through sandbox initialization.
     if (seccomp_bpf_supported()) {
-      sandbox_status_flags_ |= Sandbox::kSeccompBPF;
+      sandbox_status_flags_ |= kSeccompBPF;
     }
 
     if (seccomp_bpf_with_tsync_supported()) {
-      sandbox_status_flags_ |= Sandbox::kSeccompTSYNC;
+      sandbox_status_flags_ |= kSeccompTSYNC;
     }
 
     if (yama_is_enforcing_) {
-      sandbox_status_flags_ |= Sandbox::kYama;
+      sandbox_status_flags_ |= kYama;
     }
   }
 
@@ -519,8 +519,7 @@ void SandboxLinux::CheckForBrokenPromises(SandboxType sandbox_type) {
   }
   // Make sure that any promise made with GetStatus() wasn't broken.
   bool promised_seccomp_bpf_would_start =
-      (sandbox_status_flags_ != Sandbox::kInvalid) &&
-      (GetStatus() & Sandbox::kSeccompBPF);
+      (sandbox_status_flags_ != kInvalid) && (GetStatus() & kSeccompBPF);
   CHECK(!promised_seccomp_bpf_would_start || seccomp_bpf_started_);
 }
 

services/service_manager/sandbox/linux/sandbox_linux.h

@@ -65,6 +65,35 @@ class SERVICE_MANAGER_SANDBOX_EXPORT SandboxLinux {
     METHOD_MATCH_WITH_FALLBACK = 37,
   };
 
+  // These form a bitmask which describes the conditions of the Linux sandbox.
+  // Note: this doesn't strictly give you the current status, it states
+  // what will be enabled when the relevant processes are initialized.
+  enum Status {
+    // SUID sandbox active.
+    kSUID = 1 << 0,
+
+    // Sandbox is using a new PID namespace.
+    kPIDNS = 1 << 1,
+
+    // Sandbox is using a new network namespace.
+    kNetNS = 1 << 2,
+
+    // seccomp-bpf sandbox active.
+    kSeccompBPF = 1 << 3,
+
+    // The Yama LSM module is present and enforcing.
+    kYama = 1 << 4,
+
+    // seccomp-bpf sandbox is active and the kernel supports TSYNC.
+    kSeccompTSYNC = 1 << 5,
+
+    // User namespace sandbox active.
+    kUserNS = 1 << 6,
+
+    // A flag that denotes an invalid sandbox status.
+    kInvalid = 1 << 31,
+  };
+
   // SandboxLinux Options are a superset of SandboxSecompBPF Options.
   struct Options : public SandboxSeccompBPF::Options {
     // When running with a zygote, the namespace sandbox will have already
@@ -121,15 +150,17 @@ class SERVICE_MANAGER_SANDBOX_EXPORT SandboxLinux {
 
   // Returns the status of the renderer, worker and ppapi sandbox. Can only
   // be queried after going through PreinitializeSandbox(). This is a bitmask
-  // and uses the constants defined in "enum LinuxSandboxStatus". Since the
+  // and uses the constants defined in "enum Status" above. Since the
   // status needs to be provided before the sandboxes are actually started,
   // this returns what will actually happen once InitializeSandbox()
   // is called from inside these processes.
   int GetStatus();
+
   // Returns true if the current process is single-threaded or if the number
   // of threads cannot be determined.
   bool IsSingleThreaded() const;
-  // Did we start Seccomp BPF?
+
+  // Returns true if we started Seccomp BPF.
   bool seccomp_bpf_started() const;
 
   // Simple accessor for our instance of the setuid sandbox. Will never return

services/service_manager/sandbox/sandbox.h

@@ -36,35 +36,6 @@ namespace service_manager {
 class SERVICE_MANAGER_SANDBOX_EXPORT Sandbox {
  public:
 #if defined(OS_LINUX)
-  // These form a bitmask which describes the conditions of the Linux sandbox.
-  // Note: this doesn't strictly give you the current status, it states
-  // what will be enabled when the relevant processes are initialized.
-  enum Status {
-    // SUID sandbox active.
-    kSUID = 1 << 0,
-
-    // Sandbox is using a new PID namespace.
-    kPIDNS = 1 << 1,
-
-    // Sandbox is using a new network namespace.
-    kNetNS = 1 << 2,
-
-    // seccomp-bpf sandbox active.
-    kSeccompBPF = 1 << 3,
-
-    // The Yama LSM module is present and enforcing.
-    kYama = 1 << 4,
-
-    // seccomp-bpf sandbox is active and the kernel supports TSYNC.
-    kSeccompTSYNC = 1 << 5,
-
-    // User namespace sandbox active.
-    kUserNS = 1 << 6,
-
-    // A flag that denotes an invalid sandbox status.
-    kInvalid = 1 << 31,
-  };
-
   static bool Initialize(SandboxType sandbox_type,
                          SandboxLinux::PreSandboxHook hook,
                          const SandboxLinux::Options& options);