components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h - Issue 250773003: NaCl Linux: create NaClSandbox class

Side by Side Diff: components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h

Issue 250773003: NaCl Linux: create NaClSandbox class (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Minor namespace cleanup. Created 6 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

« no previous file with comments | « components/nacl/loader/sandbox_linux/nacl_bpf_sandbox_linux.cc ('k') | components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc » ('j') | components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 // Copyright 2014 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #ifndef COMPONENTS_NACL_LOADER_SANDBOX_LINUX_NACL_SANDBOX_LINUX_H_

	6 #define COMPONENTS_NACL_LOADER_SANDBOX_LINUX_NACL_SANDBOX_LINUX_H_

	7

	8 #include "base/files/scoped_file.h"

	9 #include "base/macros.h"

	10

	11 namespace nacl {

	12

	13 // NaClSandbox supports two independant layers of sandboxing.
	Mark Seaborn 2014/04/29 00:28:22 "independent" "independent" jln (very slow on Chromium) 2014/04/29 01:28:32 Done. Show quoted text On 2014/04/29 00:28:22, Mark Seaborn wrote: > "independent" Done.
	14 // layer-1 uses a chroot. It requires both InitializeLayerOneSandbox() and

	15 // SealLayerOneSandbox() to have been called to be enforcing.

	16 // layer-2 uses seccomp-bpf. It requires the layer-1 sandbox to not yet be

	17 // sealed when being engaged.

	18 // For the layer-1 sandbox to work, the current process must be a child of

	19 // the setuid sandbox. InitializeLayerOneSandbox() can only be called once

	20 // per instance of the setuid sandbox.

	21 //

	22 // A typical use case of this class would be:

	23 // 1. Load libraries and do some pre-initialization

	24 // 2. InitializeLayerOneSandbox();

	25 // 3. Do some more initializations (it ok to fork() here).
	Mark Seaborn 2014/04/29 00:28:22 Missing "is" ("it is OK") Missing "is" ("it is OK") jln (very slow on Chromium) 2014/04/29 01:28:32 Done. Show quoted text On 2014/04/29 00:28:22, Mark Seaborn wrote: > Missing "is" ("it is OK") Done.
	26 // 4. CHECK(!HasOpenDirectory));

	27 // (This check is not strictly necessary, as the only possibility for a

	28 // new directory descriptor to exist after (2) has been called is via IPC).
	Mark Seaborn 2014/04/29 00:28:22 Nit: ".)" Nit: ".)" jln (very slow on Chromium) 2014/04/29 01:28:32 Done. Show quoted text On 2014/04/29 00:28:22, Mark Seaborn wrote: > Nit: ".)" Done.
	29 // 5. InitializeLayerTwoSandbox();

	30 // 6. SealLayerOneSandbox();

	31 // 7. CheckSandboxingStateWithPolicy();

	32 class NaClSandbox {

	33 public:

	34 NaClSandbox();

	35 ~NaClSandbox();

	36

	37 // This API will only work if the layer-1 sandbox is not sealed and the

	38 // layer-2 sandbox is not engaged.

	39 bool IsSingleThreaded();

	40 // Check whether the current process owns any directory file descriptor. This
	Mark Seaborn 2014/04/29 00:28:22 Nit: "descriptors" plural Nit: "descriptors" plural jln (very slow on Chromium) 2014/04/29 01:28:32 Done. Show quoted text On 2014/04/29 00:28:22, Mark Seaborn wrote: > Nit: "descriptors" plural Done.
	41 // will ignore any directory file descriptor owned by this object (i.e. those

	42 // that will be closed after SealLayerOneSandbox() is called.
	Mark Seaborn 2014/04/29 00:28:22 Missing ")" Missing ")" jln (very slow on Chromium) 2014/04/29 01:28:32 Done. Show quoted text On 2014/04/29 00:28:22, Mark Seaborn wrote: > Missing ")" Done.
	43 // This API will only work if the layer-1 sandbox is not sealed and the

	44 // layer-2 sandbox is not engaged.

	45 bool HasOpenDirectory();

	46 // Will attempt to initialize the layer-1 sandbox, depending on flags and the

	47 // environment. It can only succeed if the current process is a child of the

	48 // setuid sandbox.

	49 void InitializeLayerOneSandbox();

	50 // Will attempt to initialize the layer-2 sandbox, depending on flags and the

	51 // environment. \|uses_nonsfi_mode\| describes which seccomp-bpf policy is

	52 // appropriate.

	53 void InitializeLayerTwoSandbox(bool uses_nonsfi_mode);

	54 // Seal the layer-one sandbox, making it enforcing.
	Mark Seaborn 2014/04/29 00:28:22 Nit: "layer-1" for consistency Nit: "layer-1" for consistency jln (very slow on Chromium) 2014/04/29 01:28:32 Done. Show quoted text On 2014/04/29 00:28:22, Mark Seaborn wrote: > Nit: "layer-1" for consistency Done.
	55 void SealLayerOneSandbox();

	56 // Check that the current sandboxing state matches the level of sandboxing

	57 // expected for NaCl in the current configuration. Crash if it does not.

	58 void CheckSandboxingStateWithPolicy();

	59

	60 bool layer_one_enabled() { return layer_one_enabled_; }

	61 bool layer_two_enabled() { return layer_two_enabled_; }

	62

	63 private:

	64 bool layer_one_enabled_;

	65 bool layer_one_sealed_;

	66 bool layer_two_enabled_;

	67 bool layer_two_is_non_sfi_;
	Mark Seaborn 2014/04/29 00:28:22 Can you make this "nonsfi" for consistency with ex Can you make this "nonsfi" for consistency with existing names? jln (very slow on Chromium) 2014/04/29 01:28:32 Done. Show quoted text On 2014/04/29 00:28:22, Mark Seaborn wrote: > Can you make this "nonsfi" for consistency with existing names? Done.
	68 // \|proc_fd_\| must be released before the layer-1 sandbox is considered

	69 // enforcing.

	70 base::ScopedFD proc_fd_;

	71 DISALLOW_COPY_AND_ASSIGN(NaClSandbox);

	72 };

	73

	74 } // namespace nacl

	75

	76 #endif // COMPONENTS_NACL_LOADER_SANDBOX_LINUX_NACL_SANDBOX_LINUX_H_

OLD	NEW