      1 // Copyright 2014 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef SANDBOX_LINUX_SERVICES_YAMA_H_
      6 #define SANDBOX_LINUX_SERVICES_YAMA_H_
      7 
      8 #include "base/basictypes.h"
      9 #include "base/process/process_handle.h"
     10 #include "sandbox/sandbox_export.h"
     11 
     12 namespace sandbox {
     13 
     14 // Yama is a Linux Security Module (LSM) that can restrict ptrace().
     15 // This class provides ways to detect whether Yama is present and enforcing
     16 // and to restrict which processes can ptrace the current process.
     17 class SANDBOX_EXPORT Yama {
     18  public:
     19   // Bit flags combined into the GetStatus() mask; test bits with '&', not '=='.
     20   // A mask of 0 means the status is not known, which is not the same as absent.
     21   enum GlobalStatus {
     22     STATUS_KNOWN = 1 << 0,
     23     STATUS_PRESENT = 1 << 1,
     24     STATUS_ENFORCING = 1 << 2,
     25     // STATUS_STRICT_ENFORCING corresponds to either mode 2 or mode 3 of Yama:
     26     // ptrace is either restricted to CAP_SYS_PTRACE holders and PTRACE_TRACEME
     27     // (mode 2) or denied entirely (mode 3).
     28     STATUS_STRICT_ENFORCING = 1 << 3
     29   };
     30 
     31   // Restricts who can ptrace() the current process to its ancestors.
     32   // If this succeeds, it shows only that Yama is available on this kernel.
     33   // Yama may not be enforcing at this time, so also check IsEnforcing().
     34   static bool RestrictPtracersToAncestors();
     35 
     36   // Disables Yama restrictions for the current process.
     37   // This will fail if Yama is not available on this kernel.
     38   // This is meant for testing only and should stay out of production code.
     39   // If you need this, implement a per-pid authorization instead.
     40   static bool DisableYamaRestrictions();
     41 
     42   // Returns a GlobalStatus bitmask for the machine-wide Yama mode (not the
     43   // current process). This requires access to the filesystem and will use
     44   // /proc/sys/kernel/yama/ptrace_scope; presumably 0 if unreadable - confirm.
     45   static int GetStatus();
     46 
     47   // Helper for checking for STATUS_PRESENT in GetStatus().
     48   static bool IsPresent();
     49   // Helper for checking for STATUS_ENFORCING in GetStatus().
     50   static bool IsEnforcing();
     51 
     52  private:
     53   DISALLOW_IMPLICIT_CONSTRUCTORS(Yama);
     54 };
     55 
     56 }  // namespace sandbox
     57 
     58 #endif  // SANDBOX_LINUX_SERVICES_YAMA_H_
     59