Index: sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h |
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h |
index aa1e0d101053488ea6277413c0582082c88770b7..5283b490c3d4bca4bfc61efa770ddc2f2ba6ec60 100644 |
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h |
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h |
@@ -5,6 +5,8 @@ |
#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ |
#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ |
+#include <unistd.h> |
+ |
#include "build/build_config.h" |
#include "sandbox/linux/sandbox_export.h" |
@@ -55,6 +57,11 @@ SANDBOX_EXPORT ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox); |
SANDBOX_EXPORT ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox); |
#endif |
+// Restrict |sysno| (which must be kill, tkill or tgkill) by allowing tgkill or |
+// kill iff the first parameter is |target_pid|, crashing otherwise or if |
+// |sysno| is tkill. |
+ErrorCode RestrictKillTarget(pid_t target_pid, SandboxBPF* sandbox, int sysno); |
+ |
} // namespace sandbox. |
#endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_ |
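Review bot: The new `RestrictKillTarget` declaration is the only one in this hunk without `SANDBOX_EXPORT`, unlike `RestrictFcntlCommands` and `RestrictSocketcallCommand` just above it; if the helper is meant to be used by a policy outside the sandbox component it should read `SANDBOX_EXPORT ErrorCode RestrictKillTarget(pid_t target_pid, SandboxBPF* sandbox, int sysno);`, and if it is intentionally internal a short comment saying so would stop the next reader from treating the omission as an oversight. The comment should also state what is not checked: only the first argument is compared with |target_pid|, so the signal number and, for tgkill, the tid argument are unrestricted, and a |target_pid| of 0 or a negative value would match kill's process-group forms rather than a single process. A sentence such as `// Only the pid/tgid argument is checked; the signal (and the tid for tgkill) is unrestricted, and |target_pid| must be a positive pid.` would make that explicit. "crashing otherwise" presumably means the policy returns the sandbox's SIGSYS trap error code rather than a literal crash; naming that error code here would make the behaviour unambiguous.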