1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef COMPONENTS_NACL_LOADER_SANDBOX_LINUX_NACL_SANDBOX_LINUX_H_
6 #define COMPONENTS_NACL_LOADER_SANDBOX_LINUX_NACL_SANDBOX_LINUX_H_
8 #include "base/files/scoped_file.h"
9 #include "base/macros.h"
10 #include "base/memory/scoped_ptr.h"
13 class SetuidSandboxClient
;
18 // NaClSandbox supports two independent layers of sandboxing.
19 // layer-1 uses a chroot. It requires both InitializeLayerOneSandbox() and
20 // SealLayerOneSandbox() to have been called to be enforcing.
21 // layer-2 uses seccomp-bpf. It requires the layer-1 sandbox to not yet be
22 // sealed when being engaged.
23 // For the layer-1 sandbox to work, the current process must be a child of
24 // the setuid sandbox. InitializeLayerOneSandbox() can only be called once
25 // per instance of the setuid sandbox.
27 // A typical use case of this class would be:
28 // 1. Load libraries and do some pre-initialization
29 // 2. InitializeLayerOneSandbox();
30 // 3. Do some more initializations (it is ok to fork() here).
31 // 4. CHECK(!HasOpenDirectory));
32 // (This check is not strictly necessary, as the only possibility for a
33 // new directory descriptor to exist after (2) has been called is via IPC)).
34 // 5. InitializeLayerTwoSandbox();
35 // 6. SealLayerOneSandbox();
36 // 7. CheckSandboxingStateWithPolicy();
42 // This API will only work if the layer-1 sandbox is not sealed and the
43 // layer-2 sandbox is not engaged.
44 bool IsSingleThreaded();
45 // Check whether the current process owns any directory file descriptors. This
46 // will ignore any directory file descriptor owned by this object (i.e. those
47 // that will be closed after SealLayerOneSandbox()) is called.
48 // This API will only work if the layer-1 sandbox is not sealed and the
49 // layer-2 sandbox is not engaged.
50 bool HasOpenDirectory();
51 // Will attempt to initialize the layer-1 sandbox, depending on flags and the
52 // environment. It can only succeed if the current process is a child of the
53 // setuid sandbox or was started by the namespace sandbox.
54 void InitializeLayerOneSandbox();
55 // Will attempt to initialize the layer-2 sandbox, depending on flags and the
56 // environment. |uses_nonsfi_mode| describes which seccomp-bpf policy is
58 // This layer will also add a limit to how much of the address space can be
60 void InitializeLayerTwoSandbox(bool uses_nonsfi_mode
);
61 // Seal the layer-1 sandbox, making it enforcing.
62 void SealLayerOneSandbox();
63 // Check that the current sandboxing state matches the level of sandboxing
64 // expected for NaCl in the current configuration. Crash if it does not.
65 void CheckSandboxingStateWithPolicy();
67 bool layer_one_enabled() { return layer_one_enabled_
; }
68 bool layer_two_enabled() { return layer_two_enabled_
; }
71 void CheckForExpectedNumberOfOpenFds();
73 bool layer_one_enabled_
;
74 bool layer_one_sealed_
;
75 bool layer_two_enabled_
;
76 bool layer_two_is_nonsfi_
;
77 // |proc_fd_| must be released before the layer-1 sandbox is considered
79 base::ScopedFD proc_fd_
;
80 scoped_ptr
<sandbox::SetuidSandboxClient
> setuid_sandbox_client_
;
81 DISALLOW_COPY_AND_ASSIGN(NaClSandbox
);
86 #endif // COMPONENTS_NACL_LOADER_SANDBOX_LINUX_NACL_SANDBOX_LINUX_H_