Roll src/third_party/WebKit f36d5e0:68b67cd (svn 193299:193303)
[chromium-blink-merge.git] / components / nacl / loader / sandbox_linux / nacl_sandbox_linux.h
blob8c91d4367e9ecbe75ccf4ff280e832754bb11507
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef COMPONENTS_NACL_LOADER_SANDBOX_LINUX_NACL_SANDBOX_LINUX_H_
6 #define COMPONENTS_NACL_LOADER_SANDBOX_LINUX_NACL_SANDBOX_LINUX_H_
8 #include "base/files/scoped_file.h"
9 #include "base/macros.h"
10 #include "base/memory/scoped_ptr.h"
12 namespace sandbox {
13 class SetuidSandboxClient;
16 namespace nacl {
18 // NaClSandbox supports two independent layers of sandboxing.
19 // layer-1 uses a chroot. It requires both InitializeLayerOneSandbox() and
20 // SealLayerOneSandbox() to have been called to be enforcing.
21 // layer-2 uses seccomp-bpf. It requires the layer-1 sandbox to not yet be
22 // sealed when being engaged.
23 // For the layer-1 sandbox to work, the current process must be a child of
24 // the setuid sandbox. InitializeLayerOneSandbox() can only be called once
25 // per instance of the setuid sandbox.
27 // A typical use case of this class would be:
28 // 1. Load libraries and do some pre-initialization
29 // 2. InitializeLayerOneSandbox();
30 // 3. Do some more initializations (it is ok to fork() here).
31 // 4. CHECK(!HasOpenDirectory));
32 // (This check is not strictly necessary, as the only possibility for a
33 // new directory descriptor to exist after (2) has been called is via IPC)).
34 // 5. InitializeLayerTwoSandbox();
35 // 6. SealLayerOneSandbox();
36 // 7. CheckSandboxingStateWithPolicy();
37 class NaClSandbox {
38 public:
39 NaClSandbox();
40 ~NaClSandbox();
42 // This API will only work if the layer-1 sandbox is not sealed and the
43 // layer-2 sandbox is not engaged.
44 bool IsSingleThreaded();
45 // Check whether the current process owns any directory file descriptors. This
46 // will ignore any directory file descriptor owned by this object (i.e. those
47 // that will be closed after SealLayerOneSandbox()) is called.
48 // This API will only work if the layer-1 sandbox is not sealed and the
49 // layer-2 sandbox is not engaged.
50 bool HasOpenDirectory();
51 // Will attempt to initialize the layer-1 sandbox, depending on flags and the
52 // environment. It can only succeed if the current process is a child of the
53 // setuid sandbox or was started by the namespace sandbox.
54 void InitializeLayerOneSandbox();
55 // Will attempt to initialize the layer-2 sandbox, depending on flags and the
56 // environment. |uses_nonsfi_mode| describes which seccomp-bpf policy is
57 // appropriate.
58 // This layer will also add a limit to how much of the address space can be
59 // used.
60 void InitializeLayerTwoSandbox(bool uses_nonsfi_mode);
61 // Seal the layer-1 sandbox, making it enforcing.
62 void SealLayerOneSandbox();
63 // Check that the current sandboxing state matches the level of sandboxing
64 // expected for NaCl in the current configuration. Crash if it does not.
65 void CheckSandboxingStateWithPolicy();
67 bool layer_one_enabled() { return layer_one_enabled_; }
68 bool layer_two_enabled() { return layer_two_enabled_; }
70 private:
71 void CheckForExpectedNumberOfOpenFds();
73 bool layer_one_enabled_;
74 bool layer_one_sealed_;
75 bool layer_two_enabled_;
76 bool layer_two_is_nonsfi_;
77 // |proc_fd_| must be released before the layer-1 sandbox is considered
78 // enforcing.
79 base::ScopedFD proc_fd_;
80 scoped_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client_;
81 DISALLOW_COPY_AND_ASSIGN(NaClSandbox);
84 } // namespace nacl
86 #endif // COMPONENTS_NACL_LOADER_SANDBOX_LINUX_NACL_SANDBOX_LINUX_H_