0

Reland "One process per policy in chrome://sandbox"

This is a reland of 23a41c068e

Original change was backed out to allow a dependent CL to be reverted.

Original change's description:
> One process per policy in chrome://sandbox
>
> Policies now only apply to a single process so processIds can be
> processId. (There was only ever one pid in the list, now there can
> be only one.)
>
> No change to the main output on chrome://sandbox.
>
> Bug: 1270309
> Change-Id: I6851c622c89699cfe14f55f21930c4d5787d4d87
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3419521
> Reviewed-by: Will Harris <wfh@chromium.org>
> Commit-Queue: Alex Gough <ajgo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#964450}

Bug: 1270309
Change-Id: I2ac2d045556761a3209386b5e53c63c46e39e1d7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3440053
Auto-Submit: Alex Gough <ajgo@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#968484}
This commit is contained in:
Alex Gough
2022-02-08 19:33:35 +00:00
committed by Chromium LUCI CQ
parent 43e95bc86c
commit ac0f573a36
3 changed files with 6 additions and 17 deletions
chrome/browser/resources/sandbox_internals
sandbox/win/src

@ -36,7 +36,7 @@ let RendererHostProcess;
* This may have additional fields displayed in the JSON output.
* See //sandbox/win/src/sandbox_constants.cc for keys in policy.
* @typedef {{
* processIds: !Array<number>,
* processId: number,
* lockdownLevel: string,
* desiredIntegrityLevel: string,
* platformMitigations: string,
@ -511,9 +511,7 @@ function onGetSandboxDiagnostics(results) {
/** @type {!Map<number,!PolicyDiagnostic>} */
const policies = new Map();
for (const policy of results.policies) {
// At present only one process per TargetPolicy object.
const pid = policy.processIds[0];
policies.set(pid, policy);
policies.set(policy.processId, policy);
}
// Titles.

@ -45,20 +45,12 @@ const char kLockdownLevel[] = "lockdownLevel";
const char kLowboxSid[] = "lowboxSid";
const char kPlatformMitigations[] = "platformMitigations";
const char kPolicyRules[] = "policyRules";
const char kProcessIds[] = "processIds";
const char kProcessId[] = "processId";
// Values in snapshots of Policies.
const char kDisabled[] = "disabled";
const char kEnabled[] = "enabled";
base::Value ProcessIdList(std::vector<uint32_t> process_ids) {
base::Value results(base::Value::Type::LIST);
for (const auto pid : process_ids) {
results.Append(base::strict_cast<double>(pid));
}
return results;
}
std::string GetTokenLevelInEnglish(TokenLevel token) {
switch (token) {
case USER_LOCKDOWN:
@ -379,8 +371,7 @@ base::Value GetHandlesToClose(const HandleMap& handle_map) {
PolicyDiagnostic::PolicyDiagnostic(PolicyBase* policy) {
DCHECK(policy);
// TODO(crbug/997273) Add more fields once webui plumbing is complete.
process_ids_.push_back(
base::strict_cast<uint32_t>(policy->target_->ProcessId()));
process_id_ = base::strict_cast<uint32_t>(policy->target_->ProcessId());
lockdown_level_ = policy->lockdown_level_;
job_level_ = policy->job_level_;
@ -435,7 +426,7 @@ const char* PolicyDiagnostic::JsonString() {
return json_string_->c_str();
base::Value value(base::Value::Type::DICTIONARY);
value.SetKey(kProcessIds, ProcessIdList(process_ids_));
value.SetKey(kProcessId, base::Value(base::strict_cast<double>(process_id_)));
value.SetKey(kLockdownLevel,
base::Value(GetTokenLevelInEnglish(lockdown_level_)));
value.SetKey(kJobLevel, base::Value(GetJobLevelInEnglish(job_level_)));

@ -41,7 +41,7 @@ class PolicyDiagnostic final : public PolicyInfo {
private:
// |json_string_| is lazily constructed.
std::unique_ptr<std::string> json_string_;
std::vector<uint32_t> process_ids_;
uint32_t process_id_;
TokenLevel lockdown_level_ = USER_LAST;
JobLevel job_level_ = JOB_NONE;
IntegrityLevel desired_integrity_level_ = INTEGRITY_LEVEL_LAST;