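--- /dev/null
+++ b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.h
@@ -0,0 +1,76 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_NACL_LOADER_SANDBOX_LINUX_NACL_SANDBOX_LINUX_H_
+#define COMPONENTS_NACL_LOADER_SANDBOX_LINUX_NACL_SANDBOX_LINUX_H_
+
+#include "base/files/scoped_file.h"
+#include "base/macros.h"
+
+namespace nacl {
+
+// NaClSandbox supports two independent layers of sandboxing.
+// layer-1 uses a chroot. It requires both InitializeLayerOneSandbox() and
+// SealLayerOneSandbox() to have been called to be enforcing.
+// layer-2 uses seccomp-bpf. It requires the layer-1 sandbox to not yet be
+// sealed when being engaged.
+// For the layer-1 sandbox to work, the current process must be a child of
+// the setuid sandbox. InitializeLayerOneSandbox() can only be called once
+// per instance of the setuid sandbox.
+//
+// A typical use case of this class would be:
+// 1. Load libraries and do some pre-initialization
+// 2. InitializeLayerOneSandbox();
+// 3. Do some more initializations (it is ok to fork() here).
+// 4. CHECK(!HasOpenDirectory));
+// (This check is not strictly necessary, as the only possibility for a
+// new directory descriptor to exist after (2) has been called is via IPC)).
+// 5. InitializeLayerTwoSandbox();
+// 6. SealLayerOneSandbox();
+// 7. CheckSandboxingStateWithPolicy();
+class NaClSandbox {
+public:
+NaClSandbox();
+~NaClSandbox();
+
+// This API will only work if the layer-1 sandbox is not sealed and the
+// layer-2 sandbox is not engaged.
+bool IsSingleThreaded();
+// Check whether the current process owns any directory file descriptors. This
+// will ignore any directory file descriptor owned by this object (i.e. those
+// that will be closed after SealLayerOneSandbox()) is called.
+// This API will only work if the layer-1 sandbox is not sealed and the
+// layer-2 sandbox is not engaged.
+bool HasOpenDirectory();
+// Will attempt to initialize the layer-1 sandbox, depending on flags and the
+// environment. It can only succeed if the current process is a child of the
+// setuid sandbox.
+void InitializeLayerOneSandbox();
+// Will attempt to initialize the layer-2 sandbox, depending on flags and the
+// environment. |uses_nonsfi_mode| describes which seccomp-bpf policy is
+// appropriate.
+void InitializeLayerTwoSandbox(bool uses_nonsfi_mode);
+// Seal the layer-1 sandbox, making it enforcing.
+void SealLayerOneSandbox();
+// Check that the current sandboxing state matches the level of sandboxing
+// expected for NaCl in the current configuration. Crash if it does not.
+void CheckSandboxingStateWithPolicy();
+
+bool layer_one_enabled() { return layer_one_enabled_; }
+bool layer_two_enabled() { return layer_two_enabled_; }
+
+private:
+bool layer_one_enabled_;
+bool layer_one_sealed_;
+bool layer_two_enabled_;
+bool layer_two_is_nonsfi_;
+// |proc_fd_| must be released before the layer-1 sandbox is considered
+// enforcing.
+base::ScopedFD proc_fd_;
+DISALLOW_COPY_AND_ASSIGN(NaClSandbox);
+};
+
+} // namespace nacl
+
+#endif // COMPONENTS_NACL_LOADER_SANDBOX_LINUX_NACL_SANDBOX_LINUX_H_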
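Review bot: Step 4 of the usage sketch in the class comment is malformed, `// 4. CHECK(!HasOpenDirectory));`, and should read `// 4. CHECK(!HasOpenDirectory());` so that a reader copying the sequence gets a call rather than a function name with an unbalanced paren; the HasOpenDirectory() comment has the same stray paren in `SealLayerOneSandbox()) is called`. The two accessors `layer_one_enabled()` and `layer_two_enabled()` only read a member and can be declared `const` (`bool layer_one_enabled() const { return layer_one_enabled_; }`), which also lets code that merely inspects the sandboxing state accept a `const NaClSandbox&`. The four bool members have no in-class initializer, so their initial values rest entirely on the constructor in the .cc file, which is not on this page; a `= false` default on each would make the "not yet sandboxed" state explicit in the header and keep a future constructor change from silently leaving an enabled/sealed flag indeterminate.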