File: landlock_gpu_policy_android.h

package info (click to toggle)
chromium 139.0.7258.127-1
  • links: PTS, VCS
  • area: main
  • in suites:
  • size: 6,122,068 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (55 lines) | stat: -rw-r--r-- 2,306 bytes parent folder | download | duplicates (5) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
 
// Copyright 2025 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Landlock functions and constants.

#ifndef SANDBOX_POLICY_LINUX_LANDLOCK_GPU_POLICY_ANDROID_H_
#define SANDBOX_POLICY_LINUX_LANDLOCK_GPU_POLICY_ANDROID_H_

#include "sandbox/linux/services/syscall_wrappers.h"
#include "sandbox/linux/system_headers/linux_landlock.h"
#include "sandbox/policy/export.h"
#include "sandbox/policy/mojom/sandbox.mojom.h"

namespace sandbox::landlock {

#define LANDLOCK_ACCESS_FS_ROUGHLY_READ \
  (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR)

#define LANDLOCK_ACCESS_FS_ROUGHLY_READ_EXECUTE                \
  (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE | \
   LANDLOCK_ACCESS_FS_READ_DIR)

#define LANDLOCK_ACCESS_FS_ROUGHLY_BASIC_WRITE                     \
  (LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | \
   LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_MAKE_DIR |  \
   LANDLOCK_ACCESS_FS_MAKE_REG)

#define LANDLOCK_ACCESS_FS_ROUGHLY_EDIT                            \
  (LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | \
   LANDLOCK_ACCESS_FS_REMOVE_FILE)

#define LANDLOCK_ACCESS_FS_ROUGHLY_FULL_WRITE                      \
  (LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | \
   LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_MAKE_CHAR | \
   LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG |     \
   LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO |   \
   LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM)

#define LANDLOCK_ACCESS_FILE                                    \
  (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE | \
   LANDLOCK_ACCESS_FS_READ_FILE)

#define LANDLOCK_HANDLED_ACCESS_TYPES        \
  (LANDLOCK_ACCESS_FS_ROUGHLY_READ_EXECUTE | \
   LANDLOCK_ACCESS_FS_ROUGHLY_FULL_WRITE)

// Applies a basic Landlock sandbox policy to the current process.
// Returns true if the policy was applied successfully, false otherwise.
// This function is a no-op and returns false on non-Android platforms.
SANDBOX_POLICY_EXPORT bool ApplyLandlock(mojom::Sandbox sandbox_type);

}  // namespace sandbox::landlock

#endif  // SANDBOX_POLICY_LINUX_LANDLOCK_GPU_POLICY_ANDROID_H_