// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_H_
#define SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_H_

#include "base/basictypes.h"
#include "sandbox/sandbox_export.h"

namespace sandbox {

class ErrorCode;
class SandboxBPF;

// Interface that every BPF sandbox policy implements. A policy answers, for
// each system call, with an ErrorCode that says whether the call is allowed,
// denied with an errno, or subject to inspection of its arguments.
//
// Both hooks are declared const, so answering a query is not expected to
// modify the policy object.
// NOTE(review): the |sandbox_compiler| parameter name suggests the hooks run
// while the filter program is being compiled, not on every system call at run
// time -- confirm in SandboxBPF before making a decision depend on state that
// changes after the sandbox is started.
class SANDBOX_EXPORT SandboxBPFPolicy {
 public:
  SandboxBPFPolicy() {}
  virtual ~SandboxBPFPolicy() {}

  // Decides how |system_call_number| is handled. The returned ErrorCode is
  // one of:
  //   - ERR_ALLOWED: the call is permitted unconditionally;
  //   - an appropriate "errno" value: the call is refused unconditionally;
  //   - a suitable ErrorCode that requests inspection of the system call
  //     argument(s).
  // Only valid system call numbers are passed in; invalid ones are handled
  // by InvalidSyscall().
  //
  // Review note: ERR_ALLOWED skips every argument check, so reserve it for
  // calls that are acceptable with any arguments, and let numbers that the
  // policy does not explicitly handle fall through to a denial rather than
  // to ERR_ALLOWED.
  // NOTE(review): |sandbox_compiler| is presumably what an implementation
  // uses to build argument-inspecting ErrorCodes -- confirm against
  // SandboxBPF.
  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                    int system_call_number) const = 0;

  // Specifies the behavior used for invalid system calls. The default
  // implementation returns ENOSYS; override it only when a policy needs a
  // different result for them.
  virtual ErrorCode InvalidSyscall(SandboxBPF* sandbox_compiler) const;

 private:
  // Policy objects are not meant to be copied or assigned.
  DISALLOW_COPY_AND_ASSIGN(SandboxBPFPolicy);
};

}  // namespace sandbox

#endif  // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_H_