diff options
Diffstat (limited to 'chromium/chrome/browser/resources/sandbox_internals')
6 files changed, 182 insertions, 7 deletions
diff --git a/chromium/chrome/browser/resources/sandbox_internals/BUILD.gn b/chromium/chrome/browser/resources/sandbox_internals/BUILD.gn new file mode 100644 index 00000000000..121a5e8f54e --- /dev/null +++ b/chromium/chrome/browser/resources/sandbox_internals/BUILD.gn @@ -0,0 +1,38 @@ +# Copyright 2019 The Chromium Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +import("//third_party/closure_compiler/compile_js.gni") + +js_type_check("closure_compile") { + if (is_win) { + deps = [ + ":sandbox_internals_win", + ] + } + if (is_android || is_linux) { + deps = [ + ":sandbox_internals", + ] + } +} + +js_library("sandbox_internals") { + # Android & Linux both need _externs for type checks as they share a js file. + deps = [ + ":sandbox_android_externs", + "//ui/webui/resources/js:cr", + "//ui/webui/resources/js:load_time_data", + "//ui/webui/resources/js:util", + ] +} + +js_library("sandbox_android_externs") { +} + +js_library("sandbox_internals_win") { + deps = [ + "//ui/webui/resources/js:cr", + "//ui/webui/resources/js:util", + ] +} diff --git a/chromium/chrome/browser/resources/sandbox_internals/OWNERS b/chromium/chrome/browser/resources/sandbox_internals/OWNERS new file mode 100644 index 00000000000..058ee25caec --- /dev/null +++ b/chromium/chrome/browser/resources/sandbox_internals/OWNERS @@ -0,0 +1,3 @@ +file://sandbox/OWNERS +# COMPONENT: Internals>Sandbox +# TEAM: security-dev@chromium.org diff --git a/chromium/chrome/browser/resources/sandbox_internals/sandbox_android_externs.js b/chromium/chrome/browser/resources/sandbox_internals/sandbox_android_externs.js new file mode 100644 index 00000000000..a6f170cf1c3 --- /dev/null +++ b/chromium/chrome/browser/resources/sandbox_internals/sandbox_android_externs.js @@ -0,0 +1,9 @@ +// Copyright 2019 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +/** + * This function is only exposed to the Android chrome://sandbox webui. + * @param {!function(!AndroidSandboxStatus)=} callback + */ +chrome.getAndroidSandboxStatus = function(callback) {}; diff --git a/chromium/chrome/browser/resources/sandbox_internals/sandbox_internals.html b/chromium/chrome/browser/resources/sandbox_internals/sandbox_internals.html index 7f4816b4bbe..c5c269faa9c 100644 --- a/chromium/chrome/browser/resources/sandbox_internals/sandbox_internals.html +++ b/chromium/chrome/browser/resources/sandbox_internals/sandbox_internals.html @@ -30,10 +30,13 @@ } </style> <script src="chrome://resources/js/cr.js"></script> - <if expr="not is_android"> +<if expr="is_linux"> <script src="chrome://resources/js/load_time_data.js"></script> <script src="chrome://sandbox/strings.js"></script> - </if> +</if> +<if expr="is_win"> + <script src="chrome://resources/js/promise_resolver.js"></script> +</if> <script src="chrome://resources/js/util.js"></script> <script src="sandbox_internals.js"></script> </head> @@ -42,7 +45,9 @@ <table id="sandbox-status"> </table> - <p id="evaluation"></p> +<if expr="is_win"> + <pre id="raw-info"></pre> +</if> </body> </html> diff --git a/chromium/chrome/browser/resources/sandbox_internals/sandbox_internals.js b/chromium/chrome/browser/resources/sandbox_internals/sandbox_internals.js index ab15fb20587..dbee2331bc4 100644 --- a/chromium/chrome/browser/resources/sandbox_internals/sandbox_internals.js +++ b/chromium/chrome/browser/resources/sandbox_internals/sandbox_internals.js @@ -2,6 +2,18 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. +/** + * @typedef {{ + * seccompStatus: number, + * pid: string, + * uid: string, + * secontext: string, + * procStatus: string, + * androidBuildId: string + * }} + */ +let AndroidSandboxStatus; + (function() { /** * CSS classes for different statuses. @@ -22,10 +34,10 @@ const StatusClass = { * @return {Element} The newly added TR. */ function addStatusRow(name, value, cssClass) { - const row = cr.doc.createElement('tr'); + const row = document.createElement('tr'); - const nameCol = row.appendChild(cr.doc.createElement('td')); - const valueCol = row.appendChild(cr.doc.createElement('td')); + const nameCol = row.appendChild(document.createElement('td')); + const valueCol = row.appendChild(document.createElement('td')); nameCol.textContent = name; valueCol.textContent = value; @@ -52,7 +64,7 @@ function addGoodBadRow(name, result) { /** * Reports the overall sandbox status evaluation message. - * @param {boolean} + * @param {boolean} result */ function setEvaluation(result) { const message = result ? 'You are adequately sandboxed.' : diff --git a/chromium/chrome/browser/resources/sandbox_internals/sandbox_internals_win.js b/chromium/chrome/browser/resources/sandbox_internals/sandbox_internals_win.js new file mode 100644 index 00000000000..100b04e20f6 --- /dev/null +++ b/chromium/chrome/browser/resources/sandbox_internals/sandbox_internals_win.js @@ -0,0 +1,108 @@ +// Copyright 2019 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +/** + * @typedef {{ + * processId: number, + * processType: string, + * name: string, + * metricsName: string + * }} + */ +let BrowserHostProcess; + +/** + * @typedef {{ + * processId: number + * }} + */ +let RendererHostProcess; + +/** + * This may have additional fields displayed in the JSON output. + * See //sandbox/win/src/sandbox_constants.cc for keys in policy. + * @typedef {{ + * processIds: !Array<number>, + * lockdownLevel: string, + * desiredIntegrityLevel: string, + * platformMitigations: string + * }} + */ +let PolicyDiagnostic; + +/** + * @typedef {{ + * browser: !Array<!BrowserHostProcess>, + * renderer: !Array<!RendererHostProcess>, + * policies: !Array<!PolicyDiagnostic> + * }} + */ +let SandboxDiagnostics; + +/** + * Adds a row to the sandbox-status table. + * @param {!Array<string>} args + */ +function addRow(args) { + const row = document.createElement('tr'); + for (const text of args) { + const col = row.appendChild(document.createElement('td')); + col.textContent = text; + } + $('sandbox-status').appendChild(row); +} + +/** + * Adds policy information for a process to the sandbox-status table. + * @param {number} pid + * @param {string} type + * @param {string} name + * @param {PolicyDiagnostic} policy + */ +function addRowForProcess(pid, type, name, policy) { + if (policy) { + addRow([ + pid, type, name, policy.lockdownLevel, policy.desiredIntegrityLevel, + policy.platformMitigations + ]); + } else { + addRow([pid, type, name, 'Not Sandboxed', '', '']); + } +} + +/** @param {!SandboxDiagnostics} results */ +function onGetSandboxDiagnostics(results) { + // Make it easy to look up policies. + /** @type {!Map<number,!PolicyDiagnostic>} */ + const policies = new Map(); + for (const policy of results.policies) { + // At present only one process per TargetPolicy object. + const pid = policy.processIds[0]; + policies.set(pid, policy); + } + + // Titles. + addRow(['Process', 'Type', 'Name', 'Sandbox', 'Intregity', 'Mitigations']); + + // Browser Processes. + for (const process of results.browser) { + const pid = process.processId; + const name = process.name || process.metricsName; + addRowForProcess(pid, process.processType, name, policies.get(pid)); + } + + // Renderer Processes. + for (const process of results.renderer) { + const pid = process.processId; + addRowForProcess(pid, 'Renderer', '', policies.get(pid)); + } + + // Raw Diagnostics. + $('raw-info').textContent = + 'policies: ' + JSON.stringify(results.policies, null, 2); +} + +document.addEventListener('DOMContentLoaded', () => { + cr.sendWithPromise('requestSandboxDiagnostics').then(onGetSandboxDiagnostics); +}); |