| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_SECCOMP_BPF_LINUX_H_ | 5 #ifndef CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_SECCOMP_BPF_LINUX_H_ |
| 6 #define CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_SECCOMP_BPF_LINUX_H_ | 6 #define CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_SECCOMP_BPF_LINUX_H_ |
| 7 | 7 |
| 8 #include <string> | 8 #include <string> |
| 9 | 9 |
| 10 #include "base/basictypes.h" | 10 #include "base/basictypes.h" |
| (...skipping 14 matching lines...) Expand all Loading... |
| 25 class SandboxSeccompBPF { | 25 class SandboxSeccompBPF { |
| 26 public: | 26 public: |
| 27 // This is the API to enable a seccomp-bpf sandbox for content/ | 27 // This is the API to enable a seccomp-bpf sandbox for content/ |
| 28 // process-types: | 28 // process-types: |
| 29 // Is the sandbox globally enabled, can anything use it at all ? | 29 // Is the sandbox globally enabled, can anything use it at all ? |
| 30 // This looks at global command line flags to see if the sandbox | 30 // This looks at global command line flags to see if the sandbox |
| 31 // should be enabled at all. | 31 // should be enabled at all. |
| 32 static bool IsSeccompBPFDesired(); | 32 static bool IsSeccompBPFDesired(); |
| 33 // Should the sandbox be enabled for process_type ? | 33 // Should the sandbox be enabled for process_type ? |
| 34 static bool ShouldEnableSeccompBPF(const std::string& process_type); | 34 static bool ShouldEnableSeccompBPF(const std::string& process_type); |
| 35 // Check if the kernel supports this sandbox. It's useful to "prewarm" | 35 // Check if the kernel supports seccomp-bpf. |
| 36 // this, part of the result will be cached. | |
| 37 static bool SupportsSandbox(); | 36 static bool SupportsSandbox(); |
| 37 // Check if the kernel supports TSYNC (thread synchronization) with seccomp. |
| 38 static bool SupportsSandboxWithTsync(); |
| 38 // Start the sandbox and apply the policy for process_type, depending on | 39 // Start the sandbox and apply the policy for process_type, depending on |
| 39 // command line switches. | 40 // command line switches. |
| 40 static bool StartSandbox(const std::string& process_type, | 41 static bool StartSandbox(const std::string& process_type, |
| 41 base::ScopedFD proc_task_fd); | 42 base::ScopedFD proc_task_fd); |
| 42 | 43 |
| 43 // This is the API to enable a seccomp-bpf sandbox by using an | 44 // This is the API to enable a seccomp-bpf sandbox by using an |
| 44 // external policy. | 45 // external policy. |
| 45 static bool StartSandboxWithExternalPolicy( | 46 static bool StartSandboxWithExternalPolicy( |
| 46 scoped_ptr<sandbox::bpf_dsl::Policy> policy, | 47 scoped_ptr<sandbox::bpf_dsl::Policy> policy, |
| 47 base::ScopedFD proc_task_fd); | 48 base::ScopedFD proc_task_fd); |
| 48 // The "baseline" policy can be a useful base to build a sandbox policy. | 49 // The "baseline" policy can be a useful base to build a sandbox policy. |
| 49 static scoped_ptr<sandbox::bpf_dsl::Policy> GetBaselinePolicy(); | 50 static scoped_ptr<sandbox::bpf_dsl::Policy> GetBaselinePolicy(); |
| 50 | 51 |
| 51 private: | 52 private: |
| 52 DISALLOW_IMPLICIT_CONSTRUCTORS(SandboxSeccompBPF); | 53 DISALLOW_IMPLICIT_CONSTRUCTORS(SandboxSeccompBPF); |
| 53 }; | 54 }; |
| 54 | 55 |
| 55 } // namespace content | 56 } // namespace content |
| 56 | 57 |
| 57 #endif // CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_SECCOMP_BPF_LINUX_H_ | 58 #endif // CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_SECCOMP_BPF_LINUX_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 758063005:
Linux sandbox: report TSYNC status in chrome://sandbox (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master