// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_LINUX_SERVICES_YAMA_H_
#define SANDBOX_LINUX_SERVICES_YAMA_H_

#include "base/basictypes.h"
#include "base/process/process_handle.h"
#include "sandbox/sandbox_export.h"

namespace sandbox {

// Yama is an LSM kernel module which can restrict ptrace().
// This class provides ways to detect if Yama is present and enabled
// and to restrict which processes can ptrace the current process.
// Every member declared here is static; the class acts as a namespace-like
// holder and is not meant to be instantiated.
class SANDBOX_EXPORT Yama {
 public:
  // Flags for the bitmask reported by GetStatus(). This enum should be used
  // to set or check a bitmask, so test individual bits with '&' rather than
  // comparing the whole value with '=='.
  // A value of 0 would indicate that the status is not known.
  enum GlobalStatus {
    // NOTE(review): presumably set whenever the status could be determined,
    // which would let a caller tell "known, Yama absent" apart from 0
    // ("not known") -- confirm against the implementation.
    STATUS_KNOWN = 1 << 0,
    // Checked by IsPresent().
    STATUS_PRESENT = 1 << 1,
    // Checked by IsEnforcing().
    // NOTE(review): presumably set for any non-zero ptrace_scope, including
    // the strict modes below -- confirm against the implementation.
    STATUS_ENFORCING = 1 << 2,
    // STATUS_STRICT_ENFORCING corresponds to either mode 2 or mode 3 of Yama.
    // Ptrace could be entirely denied, or restricted to CAP_SYS_PTRACE
    // and PTRACE_TRACEME.
    STATUS_STRICT_ENFORCING = 1 << 3
  };

  // Restrict who can ptrace() the current process to its ancestors.
  // If this succeeds, then Yama is available on this kernel.
  // However, Yama may not be enforcing at this time, so a true return value
  // alone does not show that the restriction is in effect: callers that
  // depend on it should also consult IsEnforcing() or GetStatus().
  // The result reports success or failure and should not be ignored.
  static bool RestrictPtracersToAncestors();

  // Disable Yama restrictions for the current process.
  // This will fail if Yama is not available on this kernel.
  // This is meant for testing only. If you need this, implement
  // a per-pid authorization instead.
  // Lifting the restriction widens the set of processes allowed to ptrace
  // this one, so production code paths should not call it.
  static bool DisableYamaRestrictions();

  // Checks if Yama is currently in enforcing mode for the machine (not the
  // current process). This requires access to the filesystem and will use
  // /proc/sys/kernel/yama/ptrace_scope.
  // Returns a bitmask of GlobalStatus flags; 0 means the status is not known.
  // NOTE(review): because this needs filesystem access, it presumably has to
  // run before the sandbox removes access to /proc -- confirm against the
  // callers.
  // NOTE(review): the result describes the machine-wide setting at the time
  // of the call; an administrator can presumably change ptrace_scope
  // afterwards, so treat it as a snapshot -- confirm.
  static int GetStatus();

  // Helper for checking for STATUS_PRESENT in GetStatus().
  static bool IsPresent();
  // Helper for checking for STATUS_ENFORCING in GetStatus().
  static bool IsEnforcing();

 private:
  // Static-only class: no instances are intended to be created.
  DISALLOW_IMPLICIT_CONSTRUCTORS(Yama);
};

}  // namespace sandbox

#endif  // SANDBOX_LINUX_SERVICES_YAMA_H_