Index: sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.h |
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.h b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.h |
new file mode 100644 |
index 0000000000000000000000000000000000000000..9d45c84c595e868c380108e0e49bbae53ac93d81 |
--- /dev/null |
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy_android.h |
@@ -0,0 +1,33 @@ |
+// Copyright (c) 2013 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_ANDROID_H_ |
+#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_ANDROID_H_ |
+ |
+#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" |
+#include "sandbox/linux/seccomp-bpf/errorcode.h" |
+ |
+namespace sandbox { |
+ |
+class SandboxBPF; |
+ |
+// This class builds on top of the generic Linux baseline policy to reduce |
+// Linux kernel attack surface. It augments the list of allowed syscalls to |
+// allow ones required by the Android runtime. |
+class BaselinePolicyAndroid : public BaselinePolicy { |
+ public: |
+ BaselinePolicyAndroid(); |
+ virtual ~BaselinePolicyAndroid(); |
+ |
+ // SandboxBPFPolicy: |
+ virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, |
+ int system_call_number) const OVERRIDE; |
+ |
+ private: |
+ DISALLOW_COPY_AND_ASSIGN(BaselinePolicyAndroid); |
+}; |
+ |
+} // namespace sandbox |
+ |
+#endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_ANDROID_H_ |