| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #ifndef SANDBOX_LINUX_SERVICES_YAMA_H_ |
| 6 #define SANDBOX_LINUX_SERVICES_YAMA_H_ |
| 7 |
| 8 #include "base/basictypes.h" |
| 9 |
| 10 namespace sandbox { |
| 11 |
| 12 // Yama is a LSM kernel module which can restrict ptrace(). |
| 13 // This class provides ways to detect if Yama is present and enabled |
| 14 // and to restrict which processes can ptrace the current process. |
| 15 class Yama { |
| 16 public: |
| 17 enum GlobalStatus { |
| 18 STATUS_DONT_KNOW = -2, |
| 19 STATUS_NOT_PRESENT = -1, |
| 20 STATUS_NOT_ENFORCING = 0, |
| 21 STATUS_ENFORCING = 1, |
| 22 }; |
| 23 |
| 24 // Restrict who can ptrace() the current process to its ancestors. |
| 25 // If this succeeds, then Yama is available on this kernel. |
| 26 // However, Yama may not be enforcing at this time. |
| 27 static bool RestrictPtracersToAncestors(); |
| 28 |
| 29 // Disable Yama restrictions for the current process. |
| 30 // This will fail if Yama is not available on this kernel. |
| 31 static bool DisableYamaRestrictions(); |
| 32 |
| 33 // Checks if Yama is currently in enforcing for the machine (not the current |
| 34 // process). This requires access to the filesystem and will use |
| 35 // /proc/sys/kernel/yama/ptrace_scope. |
| 36 static GlobalStatus GetStatus(); |
| 37 |
| 38 // Returns whether Yama is present (but it could be disabled). Returns |
| 39 // false if this cannot be determined. |
| 40 static bool IsAvailable(); |
| 41 |
| 42 private: |
| 43 DISALLOW_IMPLICIT_CONSTRUCTORS(Yama); |
| 44 }; |
| 45 |
| 46 } // namespace sandbox |
| 47 |
| 48 #endif // SANDBOX_LINUX_SERVICES_YAMA_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 188193002:
Linux sandbox: add basic Yama support (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src