File: sandbox_internals_ui.cc

package info (click to toggle)
chromium 138.0.7204.183-1~deb12u1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm-proposed-updates
  • size: 6,080,960 kB
  • sloc: cpp: 34,937,079; ansic: 7,176,967; javascript: 4,110,704; python: 1,419,954; asm: 946,768; xml: 739,971; pascal: 187,324; sh: 89,623; perl: 88,663; objc: 79,944; sql: 50,304; cs: 41,786; fortran: 24,137; makefile: 21,811; php: 13,980; tcl: 13,166; yacc: 8,925; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (107 lines) | stat: -rw-r--r-- 4,236 bytes parent folder | download | duplicates (5) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
 
// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "chrome/browser/ui/webui/sandbox/sandbox_internals_ui.h"

#include <string>

#include "build/build_config.h"
#include "chrome/browser/profiles/profile.h"
#include "chrome/common/url_constants.h"
#include "chrome/grit/sandbox_internals_resources.h"
#include "chrome/grit/sandbox_internals_resources_map.h"
#include "content/public/browser/render_frame_host.h"
#include "content/public/browser/web_contents.h"
#include "content/public/browser/web_ui.h"
#include "content/public/browser/web_ui_data_source.h"
#include "services/network/public/mojom/content_security_policy.mojom.h"

#if BUILDFLAG(IS_WIN)
#include "chrome/browser/ui/webui/sandbox/sandbox_handler.h"
#endif

#if BUILDFLAG(IS_ANDROID)
#include "chrome/common/sandbox_status_extension_android.mojom.h"
#include "third_party/blink/public/common/associated_interfaces/associated_interface_provider.h"
#endif

#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
#include "content/public/browser/zygote_host/zygote_host_linux.h"
#include "sandbox/policy/sandbox.h"
#endif

namespace {

#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
static void SetSandboxStatusData(content::WebUIDataSource* source) {
  // Get expected sandboxing status of renderers.
  const int status =
      content::ZygoteHost::GetInstance()->GetRendererSandboxStatus();

  source->AddBoolean("suid", status & sandbox::policy::SandboxLinux::kSUID);
  source->AddBoolean("userNs", status & sandbox::policy::SandboxLinux::kUserNS);
  source->AddBoolean("pidNs", status & sandbox::policy::SandboxLinux::kPIDNS);
  source->AddBoolean("netNs", status & sandbox::policy::SandboxLinux::kNetNS);
  source->AddBoolean("seccompBpf",
                     status & sandbox::policy::SandboxLinux::kSeccompBPF);
  source->AddBoolean("seccompTsync",
                     status & sandbox::policy::SandboxLinux::kSeccompTSYNC);
  source->AddBoolean("yamaBroker",
                     status & sandbox::policy::SandboxLinux::kYama);

  // Yama does not enforce in user namespaces.
  bool enforcing_yama_nonbroker =
      status & sandbox::policy::SandboxLinux::kYama &&
      !(status & sandbox::policy::SandboxLinux::kUserNS);
  source->AddBoolean("yamaNonbroker", enforcing_yama_nonbroker);

  // Require either the setuid or namespace sandbox for our first-layer sandbox.
  bool good_layer1 = (status & sandbox::policy::SandboxLinux::kSUID ||
                      status & sandbox::policy::SandboxLinux::kUserNS) &&
                     status & sandbox::policy::SandboxLinux::kPIDNS &&
                     status & sandbox::policy::SandboxLinux::kNetNS;
  // A second-layer sandbox is also required to be adequately sandboxed.
  bool good_layer2 = status & sandbox::policy::SandboxLinux::kSeccompBPF;
  source->AddBoolean("sandboxGood", good_layer1 && good_layer2);
}
#endif

void CreateAndAddDataSource(Profile* profile) {
  content::WebUIDataSource* source = content::WebUIDataSource::CreateAndAdd(
      profile, chrome::kChromeUISandboxHost);
  source->AddResourcePaths(kSandboxInternalsResources);
  source->SetDefaultResource(IDR_SANDBOX_INTERNALS_SANDBOX_INTERNALS_HTML);

  source->OverrideContentSecurityPolicy(
      network::mojom::CSPDirectiveName::ScriptSrc,
      "script-src chrome://resources chrome://webui-test 'self';");

#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
  SetSandboxStatusData(source);
  source->UseStringsJs();
#endif
}

}  // namespace

SandboxInternalsUI::SandboxInternalsUI(content::WebUI* web_ui)
    : content::WebUIController(web_ui) {
#if BUILDFLAG(IS_WIN)
  web_ui->AddMessageHandler(
      std::make_unique<sandbox_handler::SandboxHandler>());
#endif
  CreateAndAddDataSource(Profile::FromWebUI(web_ui));
}

void SandboxInternalsUI::WebUIRenderFrameCreated(
    content::RenderFrameHost* render_frame_host) {
#if BUILDFLAG(IS_ANDROID)
  mojo::AssociatedRemote<chrome::mojom::SandboxStatusExtension> sandbox_status;
  render_frame_host->GetRemoteAssociatedInterfaces()->GetInterface(
      &sandbox_status);
  sandbox_status->AddSandboxStatusExtension();
#endif
}

SandboxInternalsUI::~SandboxInternalsUI() = default;