1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CONTENT_COMMON_SANDBOX_LINUX_BPF_GPU_POLICY_LINUX_H_ 6 #define CONTENT_COMMON_SANDBOX_LINUX_BPF_GPU_POLICY_LINUX_H_ 7 8 #include <string> 9 #include <vector> 10 11 #include "base/callback_forward.h" 12 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h" 13 14 namespace sandbox { 15 class BrokerProcess; 16 } 17 18 namespace content { 19 20 class GpuProcessPolicy : public SandboxBPFBasePolicy { 21 public: 22 GpuProcessPolicy(); 23 virtual ~GpuProcessPolicy(); 24 25 virtual sandbox::bpf_dsl::ResultExpr EvaluateSyscall( 26 int system_call_number) const OVERRIDE; 27 28 virtual bool PreSandboxHook() OVERRIDE; 29 30 protected: 31 // Start a broker process to handle open() inside the sandbox. 32 // |broker_sandboxer_allocator| is a function pointer which can allocate a 33 // suitable sandbox policy for the broker process itself. 34 // |read_whitelist_extra| and |write_whitelist_extra| are lists of file 35 // names that should be whitelisted by the broker process, in addition to 36 // the basic ones. 37 void InitGpuBrokerProcess( 38 sandbox::bpf_dsl::SandboxBPFDSLPolicy* (*broker_sandboxer_allocator)( 39 void), 40 const std::vector<std::string>& read_whitelist_extra, 41 const std::vector<std::string>& write_whitelist_extra); 42 43 sandbox::BrokerProcess* broker_process() { return broker_process_; } 44 45 private: 46 // A BrokerProcess is a helper that is started before the sandbox is engaged 47 // and will serve requests to access files over an IPC channel. The client of 48 // this runs from a SIGSYS handler triggered by the seccomp-bpf sandbox. 49 // This should never be destroyed, as after the sandbox is started it is 50 // vital to the process. 51 // This is allocated by InitGpuBrokerProcess, called from PreSandboxHook(), 52 // which executes iff the sandbox is going to be enabled afterwards. 53 sandbox::BrokerProcess* broker_process_; 54 DISALLOW_COPY_AND_ASSIGN(GpuProcessPolicy); 55 }; 56 57 } // namespace content 58 59 #endif // CONTENT_COMMON_SANDBOX_LINUX_BPF_GPU_POLICY_LINUX_H_ 60