Linux sandbox: cleanup sandbox-bpf naming.

content/common/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/net.h>
 #include <signal.h>
@@ skipping 28 matching lines @@
 #include "base/posix/eintr_wrapper.h"
 #include "content/common/sandbox_bpf_base_policy_linux.h"
 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 
-using playground2::arch_seccomp_data;
-using playground2::ErrorCode;
-using playground2::Sandbox;
+using sandbox::BaselinePolicy;
 using sandbox::BrokerProcess;
-using sandbox::BaselinePolicy;
+using sandbox::ErrorCode;
+using sandbox::SandboxBPF;
 using sandbox::SyscallSets;
+using sandbox::arch_seccomp_data;

[Robert Sesek, 2013/12/10 21:15:26]

nit: alphabetize

[jln (very slow on Chromium), 2013/12/10 21:36:38]

I'll keep lowercase -> last. It's what "sort" does, so it's also convenient to
keep it that way.

 
 namespace content {
 
 namespace {
 
-void StartSandboxWithPolicy(playground2::SandboxBpfPolicy* policy);
+void StartSandboxWithPolicy(sandbox::SandboxBPFPolicy* policy);
 
 inline bool IsChromeOS() {
 #if defined(OS_CHROMEOS)
   return true;
 #else
   return false;
 #endif
 }
 
 inline bool IsArchitectureX86_64() {
@@ skipping 63 matching lines @@
                                  static_cast<int>(args.args[2]));
       } else {
         return -EPERM;
       }
     default:
       RAW_CHECK(false);
       return -ENOSYS;
   }
 }
 
-class GpuProcessPolicy : public SandboxBpfBasePolicy {
+class GpuProcessPolicy : public SandboxBPFBasePolicy {
  public:
   explicit GpuProcessPolicy(void* broker_process)
       : broker_process_(broker_process) {}
   virtual ~GpuProcessPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   const void* broker_process_;  // Non-owning pointer.
   DISALLOW_COPY_AND_ASSIGN(GpuProcessPolicy);
 };
 
 // Main policy for x86_64/i386. Extended by ArmGpuProcessPolicy.
-ErrorCode GpuProcessPolicy::EvaluateSyscall(Sandbox* sandbox, int sysno) const {
+ErrorCode GpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
+                                            int sysno) const {
   switch (sysno) {
     case __NR_ioctl:
 #if defined(__i386__) || defined(__x86_64__)
     // The Nvidia driver uses flags not in the baseline policy
     // (MAP_LOCKED | MAP_EXECUTABLE | MAP_32BIT)
     case __NR_mmap:
 #endif
     // We also hit this on the linux_chromeos bot but don't yet know what
     // weird flags were involved.
     case __NR_mprotect:
     case __NR_sched_getaffinity:
     case __NR_sched_setaffinity:
     case __NR_setpriority:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     case __NR_access:
     case __NR_open:
     case __NR_openat:
       return sandbox->Trap(GpuSIGSYS_Handler, broker_process_);
     default:
       if (SyscallSets::IsEventFd(sysno))
         return ErrorCode(ErrorCode::ERR_ALLOWED);
 
       // Default on the baseline policy.
-      return SandboxBpfBasePolicy::EvaluateSyscall(sandbox, sysno);
+      return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno);
   }
 }
 
 class GpuBrokerProcessPolicy : public GpuProcessPolicy {
  public:
   GpuBrokerProcessPolicy() : GpuProcessPolicy(NULL) {}
   virtual ~GpuBrokerProcessPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(GpuBrokerProcessPolicy);
 };
 
 // x86_64/i386.
 // A GPU broker policy is the same as a GPU policy with open and
 // openat allowed.
-ErrorCode GpuBrokerProcessPolicy::EvaluateSyscall(Sandbox* sandbox,
+ErrorCode GpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                                   int sysno) const {
   switch (sysno) {
     case __NR_access:
     case __NR_open:
     case __NR_openat:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     default:
       return GpuProcessPolicy::EvaluateSyscall(sandbox, sysno);
   }
 }
 
 class ArmGpuProcessPolicy : public GpuProcessPolicy {
  public:
   explicit ArmGpuProcessPolicy(void* broker_process, bool allow_shmat)
       : GpuProcessPolicy(broker_process), allow_shmat_(allow_shmat) {}
   virtual ~ArmGpuProcessPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   const bool allow_shmat_;  // Allow shmat(2).
   DISALLOW_COPY_AND_ASSIGN(ArmGpuProcessPolicy);
 };
 
 // Generic ARM GPU process sandbox, inheriting from GpuProcessPolicy.
-ErrorCode ArmGpuProcessPolicy::EvaluateSyscall(Sandbox* sandbox,
+ErrorCode ArmGpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                                int sysno) const {
 #if defined(__arm__)
   if (allow_shmat_ && sysno == __NR_shmat)
     return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif  // defined(__arm__)
 
   switch (sysno) {
 #if defined(__arm__)
     // ARM GPU sandbox is started earlier so we need to allow networking
     // in the sandbox.
@@ skipping 18 matching lines @@
       // Default to the generic GPU policy.
       return GpuProcessPolicy::EvaluateSyscall(sandbox, sysno);
   }
 }
 
 class ArmGpuBrokerProcessPolicy : public ArmGpuProcessPolicy {
  public:
   ArmGpuBrokerProcessPolicy() : ArmGpuProcessPolicy(NULL, false) {}
   virtual ~ArmGpuBrokerProcessPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(ArmGpuBrokerProcessPolicy);
 };
 
 // A GPU broker policy is the same as a GPU policy with open and
 // openat allowed.
-ErrorCode ArmGpuBrokerProcessPolicy::EvaluateSyscall(Sandbox* sandbox,
+ErrorCode ArmGpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                                      int sysno) const {
   switch (sysno) {
     case __NR_access:
     case __NR_open:
     case __NR_openat:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     default:
       return ArmGpuProcessPolicy::EvaluateSyscall(sandbox, sysno);
   }
 }
 
 // Policy for renderer and worker processes.
 // TODO(jln): move to renderer/
 
-class RendererOrWorkerProcessPolicy : public SandboxBpfBasePolicy {
+class RendererOrWorkerProcessPolicy : public SandboxBPFBasePolicy {
  public:
   RendererOrWorkerProcessPolicy() {}
   virtual ~RendererOrWorkerProcessPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(RendererOrWorkerProcessPolicy);
 };
 
-ErrorCode RendererOrWorkerProcessPolicy::EvaluateSyscall(Sandbox* sandbox,
+ErrorCode RendererOrWorkerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                                          int sysno) const {
   switch (sysno) {
     case __NR_clone:
       return sandbox::RestrictCloneToThreadsAndEPERMFork(sandbox);
     case __NR_ioctl:
       return sandbox::RestrictIoctl(sandbox);
     case __NR_prctl:
       return sandbox::RestrictPrctl(sandbox);
     // Allow the system calls below.
     case __NR_fdatasync:
@@ skipping 27 matching lines @@
         if (SyscallSets::IsSystemVSharedMemory(sysno))
           return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif
 #if defined(__i386__)
         if (SyscallSets::IsSystemVIpc(sysno))
           return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif
       }
 
       // Default on the content baseline policy.
-      return SandboxBpfBasePolicy::EvaluateSyscall(sandbox, sysno);
+      return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno);
   }
 }
 
 // Policy for PPAPI plugins.
 // TODO(jln): move to ppapi_plugin/.
-class FlashProcessPolicy : public SandboxBpfBasePolicy {
+class FlashProcessPolicy : public SandboxBPFBasePolicy {
  public:
   FlashProcessPolicy() {}
   virtual ~FlashProcessPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(FlashProcessPolicy);
 };
 
-ErrorCode FlashProcessPolicy::EvaluateSyscall(Sandbox* sandbox,
+ErrorCode FlashProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                               int sysno) const {
   switch (sysno) {
     case __NR_clone:
       return sandbox::RestrictCloneToThreadsAndEPERMFork(sandbox);
     case __NR_pread64:
     case __NR_pwrite64:
     case __NR_sched_get_priority_max:
     case __NR_sched_get_priority_min:
     case __NR_sched_getaffinity:
     case __NR_sched_getparam:
     case __NR_sched_getscheduler:
     case __NR_sched_setscheduler:
     case __NR_times:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     case __NR_ioctl:
       return ErrorCode(ENOTTY);  // Flash Access.
     default:
       if (IsUsingToolKitGtk()) {
 #if defined(__x86_64__) || defined(__arm__)
         if (SyscallSets::IsSystemVSharedMemory(sysno))
           return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif
 #if defined(__i386__)
         if (SyscallSets::IsSystemVIpc(sysno))
           return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif
       }
 
       // Default on the baseline policy.
-      return SandboxBpfBasePolicy::EvaluateSyscall(sandbox, sysno);
+      return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno);
   }
 }
 
-class BlacklistDebugAndNumaPolicy : public SandboxBpfBasePolicy {
+class BlacklistDebugAndNumaPolicy : public SandboxBPFBasePolicy {
  public:
   BlacklistDebugAndNumaPolicy() {}
   virtual ~BlacklistDebugAndNumaPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(BlacklistDebugAndNumaPolicy);
 };
 
-ErrorCode BlacklistDebugAndNumaPolicy::EvaluateSyscall(Sandbox* sandbox,
+ErrorCode BlacklistDebugAndNumaPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                                        int sysno) const {
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // TODO(jln) we should not have to do that in a trivial policy.
     return ErrorCode(ENOSYS);
   }
   if (SyscallSets::IsDebug(sysno) || SyscallSets::IsNuma(sysno))
     return sandbox->Trap(sandbox::CrashSIGSYS_Handler, NULL);
 
   return ErrorCode(ErrorCode::ERR_ALLOWED);
 }
 
-class AllowAllPolicy : public SandboxBpfBasePolicy {
+class AllowAllPolicy : public SandboxBPFBasePolicy {
  public:
   AllowAllPolicy() {}
   virtual ~AllowAllPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(AllowAllPolicy);
 };
 
 // Allow all syscalls.
 // This will still deny x32 or IA32 calls in 64 bits mode or
 // 64 bits system calls in compatibility mode.
-ErrorCode AllowAllPolicy::EvaluateSyscall(Sandbox*, int sysno) const {
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode AllowAllPolicy::EvaluateSyscall(SandboxBPF*, int sysno) const {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // TODO(jln) we should not have to do that in a trivial policy.
     return ErrorCode(ENOSYS);
   } else {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 // If a BPF policy is engaged for |process_type|, run a few sanity checks.
 void RunSandboxSanityChecks(const std::string& process_type) {
   if (process_type == switches::kRendererProcess ||
       process_type == switches::kWorkerProcess ||
       process_type == switches::kGpuProcess ||
       process_type == switches::kPpapiPluginProcess) {
     int syscall_ret;
     errno = 0;
 
     // Without the sandbox, this would EBADF.
     syscall_ret = fchmod(-1, 07777);
     CHECK_EQ(-1, syscall_ret);
     CHECK_EQ(EPERM, errno);
 
     // Run most of the sanity checks only in DEBUG mode to avoid a perf.
     // impact.
 #if !defined(NDEBUG)
     // open() must be restricted.
     syscall_ret = open("/etc/passwd", O_RDONLY);
     CHECK_EQ(-1, syscall_ret);
-    CHECK_EQ(SandboxBpfBasePolicy::GetFSDeniedErrno(), errno);
+    CHECK_EQ(SandboxBPFBasePolicy::GetFSDeniedErrno(), errno);
 
     // We should never allow the creation of netlink sockets.
     syscall_ret = socket(AF_NETLINK, SOCK_DGRAM, 0);
     CHECK_EQ(-1, syscall_ret);
     CHECK_EQ(EPERM, errno);
 #endif  // !defined(NDEBUG)
   }
 }
 
 bool EnableGpuBrokerPolicyCallback() {
@@ skipping 98 matching lines @@
 
   if (for_chromeos_arm) {
     // We shouldn't be using this policy on non-ARM architectures.
     DCHECK(IsArchitectureArm());
     AddArmGpuWhitelist(&read_whitelist, &write_whitelist);
     sandbox_callback = EnableArmGpuBrokerPolicyCallback;
   } else {
     sandbox_callback = EnableGpuBrokerPolicyCallback;
   }
 
-  *broker_process = new BrokerProcess(SandboxBpfBasePolicy::GetFSDeniedErrno(),
+  *broker_process = new BrokerProcess(SandboxBPFBasePolicy::GetFSDeniedErrno(),
                                       read_whitelist,
                                       write_whitelist);
   // Initialize the broker process and give it a sandbox callback.
   CHECK((*broker_process)->Init(sandbox_callback));
 }
 
 // Warms up/preloads resources needed by the policies.
 // Eventually start a broker process and return it in broker_process.
 void WarmupPolicy(bool chromeos_arm_gpu,
                   BrokerProcess** broker_process) {
@@ skipping 55 matching lines @@
 
   // This should never be destroyed, as after the sandbox is started it is
   // vital to the process. Ownership is transfered to the policies and then to
   // the BPF sandbox which will keep it around to service SIGSYS traps from the
   // kernel.
   BrokerProcess* broker_process = NULL;
   // Warm up resources needed by the policy we're about to enable and
   // eventually start a broker process.
   WarmupPolicy(chromeos_arm_gpu, &broker_process);
 
-  scoped_ptr<SandboxBpfBasePolicy> gpu_policy;
+  scoped_ptr<SandboxBPFBasePolicy> gpu_policy;
   if (chromeos_arm_gpu) {
     gpu_policy.reset(new ArmGpuProcessPolicy(broker_process, allow_sysv_shm));
   } else {
     gpu_policy.reset(new GpuProcessPolicy(broker_process));
   }
   StartSandboxWithPolicy(gpu_policy.release());
 }
 
 // This function takes ownership of |policy|.
-void StartSandboxWithPolicy(playground2::SandboxBpfPolicy* policy) {
+void StartSandboxWithPolicy(sandbox::SandboxBPFPolicy* policy) {
   // Starting the sandbox is a one-way operation. The kernel doesn't allow
   // us to unload a sandbox policy after it has been started. Nonetheless,
   // in order to make the use of the "Sandbox" object easier, we allow for
   // the object to be destroyed after the sandbox has been started. Note that
   // doing so does not stop the sandbox.
-  Sandbox sandbox;
+  SandboxBPF sandbox;
   sandbox.SetSandboxPolicy(policy);
   sandbox.StartSandbox();
 }
 
 void StartNonGpuSandbox(const std::string& process_type) {
-  scoped_ptr<SandboxBpfBasePolicy> policy;
+  scoped_ptr<SandboxBPFBasePolicy> policy;
 
   if (process_type == switches::kRendererProcess ||
       process_type == switches::kWorkerProcess) {
     policy.reset(new RendererOrWorkerProcessPolicy);
   } else if (process_type == switches::kPpapiPluginProcess) {
     policy.reset(new FlashProcessPolicy);
   } else if (process_type == switches::kUtilityProcess) {
     policy.reset(new BlacklistDebugAndNumaPolicy);
   } else {
     NOTREACHED();
     policy.reset(new AllowAllPolicy);
   }
 
   StartSandboxWithPolicy(policy.release());
 }
 
 // Initialize the seccomp-bpf sandbox.
-bool StartBpfSandbox(const CommandLine& command_line,
+bool StartBPFSandbox(const CommandLine& command_line,
                      const std::string& process_type) {
 
   if (process_type == switches::kGpuProcess) {
     StartGpuProcessSandbox(command_line, process_type);
   } else {
     StartNonGpuSandbox(process_type);
   }
 
   RunSandboxSanityChecks(process_type);
   return true;
 }
 
 }  // namespace
 
 #endif  // SECCOMP_BPF_SANDBOX
 
 // Is seccomp BPF globally enabled?
-bool SandboxSeccompBpf::IsSeccompBpfDesired() {
+bool SandboxSeccompBPF::IsSeccompBPFDesired() {
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
   if (!command_line.HasSwitch(switches::kNoSandbox) &&
       !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) {
     return true;
   } else {
     return false;
   }
 }
 
-bool SandboxSeccompBpf::ShouldEnableSeccompBpf(
+bool SandboxSeccompBPF::ShouldEnableSeccompBPF(
     const std::string& process_type) {
 #if defined(SECCOMP_BPF_SANDBOX)
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
   if (process_type == switches::kGpuProcess)
     return !command_line.HasSwitch(switches::kDisableGpuSandbox);
 
   return true;
 #endif  // SECCOMP_BPF_SANDBOX
   return false;
 }
 
-bool SandboxSeccompBpf::SupportsSandbox() {
+bool SandboxSeccompBPF::SupportsSandbox() {
 #if defined(SECCOMP_BPF_SANDBOX)
   // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton
   // here.
-  Sandbox::SandboxStatus bpf_sandbox_status =
-      Sandbox::SupportsSeccompSandbox(-1);
+  SandboxBPF::SandboxStatus bpf_sandbox_status =
+      SandboxBPF::SupportsSeccompSandbox(-1);
   // Kernel support is what we are interested in here. Other status
   // such as STATUS_UNAVAILABLE (has threads) still indicate kernel support.
   // We make this a negative check, since if there is a bug, we would rather
   // "fail closed" (expect a sandbox to be available and try to start it).
-  if (bpf_sandbox_status != Sandbox::STATUS_UNSUPPORTED) {
+  if (bpf_sandbox_status != SandboxBPF::STATUS_UNSUPPORTED) {
     return true;
   }
 #endif
   return false;
 }
 
-bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) {
+bool SandboxSeccompBPF::StartSandbox(const std::string& process_type) {
 #if defined(SECCOMP_BPF_SANDBOX)
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
 
-  if (IsSeccompBpfDesired() &&  // Global switches policy.
-      ShouldEnableSeccompBpf(process_type) &&  // Process-specific policy.
+  if (IsSeccompBPFDesired() &&  // Global switches policy.
+      ShouldEnableSeccompBPF(process_type) &&  // Process-specific policy.
       SupportsSandbox()) {
     // If the kernel supports the sandbox, and if the command line says we
     // should enable it, enable it or die.
-    bool started_sandbox = StartBpfSandbox(command_line, process_type);
+    bool started_sandbox = StartBPFSandbox(command_line, process_type);
     CHECK(started_sandbox);
     return true;
   }
 #endif
   return false;
 }
 
-bool SandboxSeccompBpf::StartSandboxWithExternalPolicy(
-    scoped_ptr<playground2::SandboxBpfPolicy> policy) {
+bool SandboxSeccompBPF::StartSandboxWithExternalPolicy(
+    scoped_ptr<sandbox::SandboxBPFPolicy> policy) {
 #if defined(SECCOMP_BPF_SANDBOX)
-  if (IsSeccompBpfDesired() && SupportsSandbox()) {
+  if (IsSeccompBPFDesired() && SupportsSandbox()) {
     CHECK(policy);
     StartSandboxWithPolicy(policy.release());
     return true;
   }
 #endif  // defined(SECCOMP_BPF_SANDBOX)
   return false;
 }
 
-scoped_ptr<playground2::SandboxBpfPolicy>
-SandboxSeccompBpf::GetBaselinePolicy() {
+scoped_ptr<sandbox::SandboxBPFPolicy>
+SandboxSeccompBPF::GetBaselinePolicy() {
 #if defined(SECCOMP_BPF_SANDBOX)
-  return scoped_ptr<playground2::SandboxBpfPolicy>(new BaselinePolicy);
+  return scoped_ptr<sandbox::SandboxBPFPolicy>(new BaselinePolicy);
 #else
-  return scoped_ptr<playground2::SandboxBpfPolicy>();
+  return scoped_ptr<sandbox::SandboxBPFPolicy>();
 #endif  // defined(SECCOMP_BPF_SANDBOX)
 }
 
 }  // namespace content