// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_H_
#define SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_H_

#include "base/macros.h"
#include "sandbox/sandbox_export.h"

namespace sandbox {

// Forward declarations: this header only names these types in function
// signatures, so their full definitions are not required here.
class ErrorCode;
class SandboxBPF;

// This is the interface to implement to define a BPF sandbox policy.
//
// A policy answers, per system call number, with an ErrorCode describing how
// that call is to be handled. Both hooks are const member functions, so
// evaluating a policy cannot modify its non-mutable state.
//
// NOTE(review): the policy is where the sandbox's restrictions are decided.
// Implementations are safest written as an allowlist - return ERR_ALLOWED only
// for calls known to be needed and deny the rest - so that a system call
// nobody considered fails closed rather than open.
class SANDBOX_EXPORT SandboxBPFPolicy {
 public:
  SandboxBPFPolicy() {}
  // Virtual so a concrete policy can be destroyed through a pointer to this
  // interface.
  virtual ~SandboxBPFPolicy() {}

  // The EvaluateSyscall method is called with the system call number. It can
  // decide to allow the system call unconditionally by returning ERR_ALLOWED;
  // it can deny the system call unconditionally by returning an appropriate
  // "errno" value; or it can request inspection of system call argument(s) by
  // returning a suitable ErrorCode.
  // Will only be called for valid system call numbers.
  //
  // Pure virtual: every concrete policy must provide this decision.
  //
  // sandbox_compiler: presumably the SandboxBPF instance evaluating this
  //   policy, available for building ErrorCodes that need it - confirm
  //   against SandboxBPF.
  // system_call_number: the system call being evaluated. What counts as
  //   "valid" is decided by the caller and is not visible in this header.
  //
  // NOTE(review): when allowing a call only for certain arguments, prefer the
  // argument-inspecting ErrorCode over an unconditional ERR_ALLOWED, so the
  // permitted surface stays as narrow as the caller actually needs.
  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                    int system_call_number) const = 0;

  // The InvalidSyscall method specifies the behavior used for invalid
  // system calls. The default implementation is to return ENOSYS.
  //
  // Not pure virtual: the default is defined out of line (not visible in this
  // header), and overriding it is optional.
  //
  // NOTE(review): an override should still deny; mapping invalid system call
  // numbers to ERR_ALLOWED would let calls through that EvaluateSyscall never
  // gets to inspect.
  virtual ErrorCode InvalidSyscall(SandboxBPF* sandbox_compiler) const;

 private:
  // Policies are not meant to be copied or assigned (macro presumably
  // provided by base/macros.h).
  DISALLOW_COPY_AND_ASSIGN(SandboxBPFPolicy);
};

}  // namespace sandbox

#endif  // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_H_