1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef SANDBOX_LINUX_SERVICES_YAMA_H_
6 #define SANDBOX_LINUX_SERVICES_YAMA_H_
7 
8 #include "base/macros.h"
9 #include "sandbox/sandbox_export.h"
10 
11 namespace sandbox {
12 
// Static-only interface to Yama, a Linux Security Module (LSM) that can
// restrict ptrace(). It covers two things: detecting whether Yama is present
// and enabled, and limiting which processes may ptrace the current process.
//
// The machine-wide status from GetStatus() and the per-process calls are
// separate signals. A per-process call succeeding does not show that Yama is
// enforcing, so check both when enforcement matters.
class SANDBOX_EXPORT Yama {
 public:
  // Bit flags meant to be set or checked as a bitmask, not compared for
  // equality. A value of 0 (no bit set) means the status is not known.
  enum GlobalStatus {
    STATUS_KNOWN = 0x1,      // bit 0
    STATUS_PRESENT = 0x2,    // bit 1
    STATUS_ENFORCING = 0x4,  // bit 2
    // Bit 3: Yama is in mode 2 or mode 3. Ptrace could be entirely denied,
    // or restricted to CAP_SYS_PTRACE and PTRACE_TRACEME.
    STATUS_STRICT_ENFORCING = 0x8
  };

  // Reports whether Yama is in enforcing mode for the whole machine, not for
  // the current process. The int result is read against the GlobalStatus
  // bits. It uses /proc/sys/kernel/yama/ptrace_scope and therefore requires
  // access to the filesystem.
  // NOTE(review): presumably this cannot work once the caller has lost access
  // to /proc; confirm the call ordering against callers.
  static int GetStatus();

  // Convenience check for STATUS_PRESENT in GetStatus().
  static bool IsPresent();
  // Convenience check for STATUS_ENFORCING in GetStatus().
  static bool IsEnforcing();

  // Limits who can ptrace() the current process to its ancestors. Success
  // shows that Yama is available on this kernel, but not that Yama is
  // enforcing at this time. Callers that rely on the restriction should
  // check the result and also consult IsEnforcing().
  static bool RestrictPtracersToAncestors();

  // Disables Yama restrictions for the current process. Fails if Yama is not
  // available on this kernel. Meant for testing only: code that needs this
  // should implement a per-pid authorization instead.
  static bool DisableYamaRestrictions();

 private:
  // Every member is static; the class is not meant to be constructed.
  DISALLOW_IMPLICIT_CONSTRUCTORS(Yama);
};
54 
55 }  // namespace sandbox
56 
57 #endif  // SANDBOX_LINUX_SERVICES_YAMA_H_
58