      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef CONTENT_COMMON_SANDBOX_SECCOMP_BPF_LINUX_H_
      6 #define CONTENT_COMMON_SANDBOX_SECCOMP_BPF_LINUX_H_
      7 
      8 #include <string>
      9 
     10 #include "base/basictypes.h"
     11 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy_forward.h"
     12 
     13 namespace content {
     14 
     15 // This class has two main sets of APIs. One can be used to start the sandbox
     16 // for internal content process types, the other is indirectly exposed as
     17 // a public content/ API and uses a supplied policy.
     18 class SandboxSeccompBpf {
     19  public:
     20   // API to enable a seccomp-bpf sandbox for content/'s own
     21   // process types.
          //
          // NOTE(review): this header does not state what the bool returned by
          // the Start* functions means; presumably true means the filter was
          // installed -- confirm in the .cc. Callers should check it either
          // way: a process that carries on after a failed start would run
          // without the syscall filter.
          //
     22   // Is the sandbox globally enabled, i.e. can anything use it at all?
     23   // This looks at global command line flags to see if the sandbox
     24   // should be enabled at all.
     25   static bool IsSeccompBpfDesired();
     26   // Should the sandbox be enabled for process_type?
     27   static bool ShouldEnableSeccompBpf(const std::string& process_type);
     28   // Check if the kernel supports this sandbox. It's useful to "prewarm"
     29   // this, because part of the result will be cached.
     30   static bool SupportsSandbox();
     31   // Start the sandbox and apply the policy for process_type, depending on
     32   // command line switches.
          // NOTE(review): whether this re-checks IsSeccompBpfDesired(),
          // ShouldEnableSeccompBpf() or SupportsSandbox() itself is not visible
          // in this header -- confirm in the .cc before relying on it.
     33   static bool StartSandbox(const std::string& process_type);
     34 
     35   // API to enable a seccomp-bpf sandbox by using an external
     36   // (caller-supplied) policy.
          // The policy type is declared via sandbox_bpf_policy_forward.h.
          // Nothing in this declaration shows the policy being validated, so how
          // restrictive the resulting filter is depends on what the caller
          // passes; review external policies as carefully as the built-in ones.
     37   static bool StartSandboxWithExternalPolicy(
     38       playground2::BpfSandboxPolicy policy);
     39   // The "baseline" policy can be a useful base to build a sandbox policy.
          // It is returned as a BpfSandboxPolicyCallback, which is not the
          // BpfSandboxPolicy type that StartSandboxWithExternalPolicy() takes.
          // NOTE(review): what the baseline permits is defined outside this
          // header; treat it as a starting point, not as a complete policy.
     40   static playground2::BpfSandboxPolicyCallback GetBaselinePolicy();
     41 
     42  private:
          // Every member above is static. The macro below (presumably provided
          // by base/basictypes.h) suppresses the implicit constructors, so the
          // class is not meant to be instantiated.
     43   DISALLOW_IMPLICIT_CONSTRUCTORS(SandboxSeccompBpf);
     44 };
     45 
     46 }  // namespace content
     47 
     48 #endif  // CONTENT_COMMON_SANDBOX_SECCOMP_BPF_LINUX_H_