Linux sandbox: add basic Yama support

sandbox/linux/services/yama.h

Index: sandbox/linux/services/yama.h
diff --git a/sandbox/linux/services/yama.h b/sandbox/linux/services/yama.h
new file mode 100644
index 0000000000000000000000000000000000000000..7d89616e9ae2a0ff54d6d8e7738863e6fe809e48
--- /dev/null
+++ b/sandbox/linux/services/yama.h
@@ -0,0 +1,48 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SERVICES_YAMA_H_
+#define SANDBOX_LINUX_SERVICES_YAMA_H_
+
+#include "base/basictypes.h"
+
+namespace sandbox {
+
+// Yama is a LSM kernel module which can restrict ptrace().
+// This class provides ways to detect if Yama is present and enabled
+// and to restrict which processes can ptrace the current process.
+class Yama {
+ public:
+  enum GlobalStatus {
+    STATUS_DONT_KNOW = -2,
+    STATUS_NOT_PRESENT = -1,
+    STATUS_NOT_ENFORCING = 0,
+    STATUS_ENFORCING = 1,
+  };
+
+  // Restrict who can ptrace() the current process to its ancestors.
+  // If this succeeds, then Yama is available on this kernel.
+  // However, Yama may not be enforcing at this time.
+  static bool RestrictPtracersToAncestors();
+
+  // Disable Yama restrictions for the current process.
+  // This will fail if Yama is not available on this kernel.
+  static bool DisableYamaRestrictions();
+
+  // Checks if Yama is currently in enforcing for the machine (not the current
+  // process). This requires access to the filesystem and will use
+  // /proc/sys/kernel/yama/ptrace_scope.
+  static GlobalStatus GetStatus();
+
+  // Returns whether Yama is present (but it could be disabled). Returns
+  // false if this cannot be determined.
+  static bool IsAvailable();
+
+ private:
+  DISALLOW_IMPLICIT_CONSTRUCTORS(Yama);
+};
+
+}  // namespace sandbox
+
+#endif  // SANDBOX_LINUX_SERVICES_YAMA_H_