// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_SECCOMP_BPF_LINUX_H_
#define CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_SECCOMP_BPF_LINUX_H_

#include <string>

#include "base/basictypes.h"
#include "base/memory/scoped_ptr.h"

// Forward declaration only: this header passes policies around by owning
// pointer and never needs the full definition.
namespace sandbox {
namespace bpf_dsl {
class SandboxBPFDSLPolicy;
}
}

namespace content {

// Static-only entry points for the Linux seccomp-bpf sandbox.
//
// Two groups of functions live here:
//   1. Helpers for content/'s own process types, where the policy is picked
//      from |process_type| and the command line.
//   2. Helpers that are indirectly exposed as a public content/ API and take
//      a policy supplied by the caller.
//
// Linux offers no way to lift a seccomp filter from a running process, so a
// successful Start*() call is a one-way step for the calling process.
class SandboxSeccompBPF {
 public:
  // --- Group 1: sandboxing content/ process types -------------------------

  // Global switch: reports whether seccomp-bpf may be used at all. The answer
  // is derived from global command line flags.
  static bool IsSeccompBPFDesired();

  // Reports whether the sandbox should be turned on for |process_type|.
  static bool ShouldEnableSeccompBPF(const std::string& process_type);

  // Reports whether the running kernel supports this sandbox. Part of the
  // result is cached, so calling this early ("prewarming") is useful.
  static bool SupportsSandbox();

  // Starts the sandbox with the policy that matches |process_type|; which
  // policy is applied also depends on command line switches.
  // NOTE(review): the bool presumably reports whether a filter was actually
  // installed. Callers that treat the sandbox as a security boundary should
  // check it rather than assume the process is confined -- confirm against
  // the implementation.
  static bool StartSandbox(const std::string& process_type);

  // --- Group 2: sandboxing with an external policy ------------------------

  // Starts the sandbox with |policy|. The scoped_ptr is passed by value, so
  // ownership of the policy moves to this call. The confinement obtained is
  // whatever |policy| expresses; this declaration adds no restrictions of
  // its own.
  static bool StartSandboxWithExternalPolicy(
      scoped_ptr<sandbox::bpf_dsl::SandboxBPFDSLPolicy> policy);

  // Returns the "baseline" policy, which can serve as a starting point for
  // building a sandbox policy. The caller owns the returned object.
  static scoped_ptr<sandbox::bpf_dsl::SandboxBPFDSLPolicy> GetBaselinePolicy();

 private:
  // Only static members are declared; the class is not meant to be
  // instantiated or copied.
  DISALLOW_IMPLICIT_CONSTRUCTORS(SandboxSeccompBPF);
};

}  // namespace content

#endif  // CONTENT_COMMON_SANDBOX_LINUX_SANDBOX_SECCOMP_BPF_LINUX_H_