Index: content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h |
diff --git a/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h |
new file mode 100644 |
index 0000000000000000000000000000000000000000..0eaa6b56d7449adee55f84f70178f4b12acb1942 |
--- /dev/null |
+++ b/content/common/sandbox_linux/android/sandbox_bpf_base_policy_android.h |
@@ -0,0 +1,32 @@ |
+// Copyright 2014 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#ifndef CONTENT_COMMON_SANDBOX_LINUX_ANDROID_SANDBOX_BPF_BASE_POLICY_ANDROID_H_ |
+#define CONTENT_COMMON_SANDBOX_LINUX_ANDROID_SANDBOX_BPF_BASE_POLICY_ANDROID_H_ |
+ |
+#include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h" |
+#include "sandbox/linux/seccomp-bpf/errorcode.h" |
+ |
+namespace content { |
+ |
+// This class builds on top of the generic Linux baseline policy to reduce |
+// Linux kernel attack surface. It augments the list of allowed syscalls to |
+// allow ones required by the Android runtime. |
+class SandboxBPFBasePolicyAndroid : public SandboxBPFBasePolicy { |
+ public: |
+ SandboxBPFBasePolicyAndroid(); |
+ virtual ~SandboxBPFBasePolicyAndroid(); |
+ |
+ // sandbox::SandboxBPFPolicy: |
+ virtual sandbox::ErrorCode EvaluateSyscall( |
+ sandbox::SandboxBPF* sandbox_compiler, |
+ int system_call_number) const OVERRIDE; |
+ |
+ private: |
+ DISALLOW_COPY_AND_ASSIGN(SandboxBPFBasePolicyAndroid); |
+}; |
+ |
+} // namespace content |
+ |
+#endif // CONTENT_COMMON_SANDBOX_LINUX_ANDROID_SANDBOX_BPF_BASE_POLICY_ANDROID_H_ |