Modified chrome://sandbox to more accurately describe sandboxing

Originally the chrome://sandbox page displayed "SUID Sandbox" as red
when the SUID sandbox was off, even if the namespace sandbox was on. To
avoid indicating that anything is wrong, this combines "SUID Sandbox"
and "Namespace Sandbox" into one row that displays green for namespace,
yellow for SUID, and red for neither.

Also, when the Chrome renderers are sandboxed with user namespaces,
any process in the parent namespace with the same UID is able to
ptrace the renderer. However, the chrome://sandbox page displays Yama
LSM as enforcing. This makes it clear that Yama LSM is not protecting
the renderer processes from ptrace by adding "Ptrace Protection with
Yama LSM (Non-broker)" to the webpage.

start chrome with all three sandboxing possibilities, run
./browser_tests --gtest_filter="Sandbox*"

Bug: 870527, 870534
Test: start chrome with Yama disabled, enabled, and with SetUID sandbox,
Change-Id: I2e4735363a4dceee4947757a74451e3e102c4250
Commit-Queue: Matthew Denton <>
Reviewed-by: Michael Giuffrida <>
Reviewed-by: Chris Palmer <>
Cr-Commit-Position: refs/heads/master@{#581656}
4 files changed