| // Copyright 2013 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_H_ |
| #define SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_H_ |
| |
| #include "base/basictypes.h" |
| #include "sandbox/sandbox_export.h" |
| |
| namespace sandbox { |
| |
| class ErrorCode; |
| class SandboxBPF; |
| |
| // This is the interface to implement to define a BPF sandbox policy. |
| class SANDBOX_EXPORT SandboxBPFPolicy { |
| public: |
| SandboxBPFPolicy() {} |
| virtual ~SandboxBPFPolicy() {} |
| |
| // The EvaluateSyscall method is called with the system call number. It can |
| // decide to allow the system call unconditionally by returning ERR_ALLOWED; |
| // it can deny the system call unconditionally by returning an appropriate |
| // "errno" value; or it can request inspection of system call argument(s) by |
| // returning a suitable ErrorCode. |
| // Will only be called for valid system call numbers. |
| virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, |
| int system_call_number) const = 0; |
| |
| // The InvalidSyscall method specifies the behavior used for invalid |
| // system calls. The default implementation is to return ENOSYS. |
| virtual ErrorCode InvalidSyscall(SandboxBPF* sandbox_compiler) const; |
| |
| private: |
| DISALLOW_COPY_AND_ASSIGN(SandboxBPFPolicy); |
| }; |
| |
| } // namespace sandbox |
| |
| #endif // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_H_ |