// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef SANDBOX_LINUX_SERVICES_YAMA_H_
#define SANDBOX_LINUX_SERVICES_YAMA_H_
#include "base/basictypes.h"
#include "base/process/process_handle.h"
#include "sandbox/sandbox_export.h"
namespace sandbox {
// Yama is a Linux Security Module (LSM) in the kernel that can restrict
// ptrace(). This class provides ways to detect whether Yama is present and
// enabled, and to restrict which processes can ptrace the current process.
class SANDBOX_EXPORT Yama {
public:
// Bit flags describing the machine-wide Yama state. GetStatus() returns an
// int, so a result is expected to be a combination of these flags: test
// individual bits with '&' instead of comparing the whole value.
// A value of 0 indicates that the status is not known. Code that makes a
// security decision should treat "not known" as "not protected" rather than
// assuming enforcement.
enum GlobalStatus {
// NOTE(review): presumably set whenever the status could be determined at
// all, whether or not Yama is present -- confirm against the implementation.
STATUS_KNOWN = 1 << 0,
// Yama is present; IsPresent() is the helper that checks this flag.
STATUS_PRESENT = 1 << 1,
// Yama is in enforcing mode for the machine; IsEnforcing() is the helper
// that checks this flag.
STATUS_ENFORCING = 1 << 2,
// STATUS_STRICT_ENFORCING corresponds to either mode 2 or mode 3 of Yama
// (the modes are the values of the ptrace_scope sysctl).
// Ptrace could be entirely denied (mode 3), or restricted to CAP_SYS_PTRACE
// and PTRACE_TRACEME (mode 2).
STATUS_STRICT_ENFORCING = 1 << 3
};
// Restrict who can ptrace() the current process to its ancestors.
// If this succeeds, then Yama is available on this kernel.
// However, Yama may not be enforcing at this time, so a successful call is
// not by itself evidence that other processes are prevented from attaching;
// check IsEnforcing() / GetStatus() before relying on the restriction.
// NOTE(review): presumably returns true on success and is implemented with
// prctl(PR_SET_PTRACER, ...) -- confirm in the implementation file.
static bool RestrictPtracersToAncestors();
// Disable Yama restrictions for the current process.
// This will fail if Yama is not available on this kernel.
// This is meant for testing only: it widens the set of processes allowed to
// ptrace() this one, so it should not be reachable from production code.
// If you need this, implement a per-pid authorization instead.
static bool DisableYamaRestrictions();
// Checks if Yama is currently in enforcing mode for the machine (not the
// current process) and reports the result as GlobalStatus bits.
// This requires access to the filesystem and will use
// /proc/sys/kernel/yama/ptrace_scope, so it has to be called while that
// path is still reachable (e.g. before filesystem access is dropped).
// NOTE(review): the header does not say what is returned when the file is
// missing or unreadable; the enum comment suggests 0 means "not known" --
// confirm which flags are set in each failure case.
static int GetStatus();
// Helper for checking for STATUS_PRESENT in GetStatus().
static bool IsPresent();
// Helper for checking for STATUS_ENFORCING in GetStatus().
// This does not distinguish the stricter modes; use
// GetStatus() & STATUS_STRICT_ENFORCING for that.
static bool IsEnforcing();
private:
// Every member above is static. NOTE(review): the macro is defined outside
// this file and is presumably what prevents instantiating or copying Yama.
DISALLOW_IMPLICIT_CONSTRUCTORS(Yama);
};
} // namespace sandbox
#endif // SANDBOX_LINUX_SERVICES_YAMA_H_