OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_SECCOMP_BPF_LINUX_H_ | 5 #ifndef CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_SECCOMP_BPF_LINUX_H_ |
6 #define CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_SECCOMP_BPF_LINUX_H_ | 6 #define CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_SECCOMP_BPF_LINUX_H_ |
7 | 7 |
8 #include <string> | 8 #include <string> |
9 | 9 |
10 #include "base/basictypes.h" | 10 #include "base/basictypes.h" |
(...skipping 14 matching lines...) Expand all Loading... |
25 class SandboxSeccompBPF { | 25 class SandboxSeccompBPF { |
26 public: | 26 public: |
27 // This is the API to enable a seccomp-bpf sandbox for content/ | 27 // This is the API to enable a seccomp-bpf sandbox for content/ |
28 // process-types: | 28 // process-types: |
29 // Is the sandbox globally enabled, can anything use it at all ? | 29 // Is the sandbox globally enabled, can anything use it at all ? |
30 // This looks at global command line flags to see if the sandbox | 30 // This looks at global command line flags to see if the sandbox |
31 // should be enabled at all. | 31 // should be enabled at all. |
32 static bool IsSeccompBPFDesired(); | 32 static bool IsSeccompBPFDesired(); |
33 // Should the sandbox be enabled for process_type ? | 33 // Should the sandbox be enabled for process_type ? |
34 static bool ShouldEnableSeccompBPF(const std::string& process_type); | 34 static bool ShouldEnableSeccompBPF(const std::string& process_type); |
35 // Check if the kernel supports this sandbox. It's useful to "prewarm" | 35 // Check if the kernel supports seccomp-bpf. |
36 // this, part of the result will be cached. | |
37 static bool SupportsSandbox(); | 36 static bool SupportsSandbox(); |
| 37 // Check if the kernel supports TSYNC (thread synchronization) with seccomp. |
| 38 static bool SupportsSandboxWithTsync(); |
38 // Start the sandbox and apply the policy for process_type, depending on | 39 // Start the sandbox and apply the policy for process_type, depending on |
39 // command line switches. | 40 // command line switches. |
40 static bool StartSandbox(const std::string& process_type, | 41 static bool StartSandbox(const std::string& process_type, |
41 base::ScopedFD proc_task_fd); | 42 base::ScopedFD proc_task_fd); |
42 | 43 |
43 // This is the API to enable a seccomp-bpf sandbox by using an | 44 // This is the API to enable a seccomp-bpf sandbox by using an |
44 // external policy. | 45 // external policy. |
45 static bool StartSandboxWithExternalPolicy( | 46 static bool StartSandboxWithExternalPolicy( |
46 scoped_ptr<sandbox::bpf_dsl::Policy> policy, | 47 scoped_ptr<sandbox::bpf_dsl::Policy> policy, |
47 base::ScopedFD proc_task_fd); | 48 base::ScopedFD proc_task_fd); |
48 // The "baseline" policy can be a useful base to build a sandbox policy. | 49 // The "baseline" policy can be a useful base to build a sandbox policy. |
49 static scoped_ptr<sandbox::bpf_dsl::Policy> GetBaselinePolicy(); | 50 static scoped_ptr<sandbox::bpf_dsl::Policy> GetBaselinePolicy(); |
50 | 51 |
51 private: | 52 private: |
52 DISALLOW_IMPLICIT_CONSTRUCTORS(SandboxSeccompBPF); | 53 DISALLOW_IMPLICIT_CONSTRUCTORS(SandboxSeccompBPF); |
53 }; | 54 }; |
54 | 55 |
55 } // namespace content | 56 } // namespace content |
56 | 57 |
57 #endif // CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_SECCOMP_BPF_LINUX_H_ | 58 #endif // CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_SECCOMP_BPF_LINUX_H_ |
OLD | NEW |