// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CONTENT_COMMON_SECCOMP_SANDBOX_H_
#define CONTENT_COMMON_SECCOMP_SANDBOX_H_
#pragma once
// Seccomp enable/disable logic is centralized here.
// - We define SECCOMP_SANDBOX if seccomp is compiled in at all: currently,
// on non-views (non-ChromeOS) non-ARM non-Clang Linux only.
// - If we have SECCOMP_SANDBOX, we provide SeccompSandboxEnabled() as
// a run-time test to determine whether to turn on seccomp:
// currently, on by default in debug builds and off by default in
// release.
#include "build/build_config.h"
#include "content/public/common/content_switches.h"
// Compile-time gate: seccomp support is built only for x86-family CPUs, and
// only when none of CHROMIUM_SELINUX, __clang__, OS_CHROMEOS, TOOLKIT_VIEWS
// or OS_OPENBSD is defined. In every other configuration SECCOMP_SANDBOX
// stays undefined, so SeccompSandboxEnabled() below is not declared at all;
// code that calls it has to sit behind #if defined(SECCOMP_SANDBOX).
#if defined(ARCH_CPU_X86_FAMILY) && !defined(CHROMIUM_SELINUX) && \
!defined(__clang__) && !defined(OS_CHROMEOS) && !defined(TOOLKIT_VIEWS) && \
!defined(OS_OPENBSD)
#define SECCOMP_SANDBOX
#include "seccompsandbox/sandbox.h"
#endif
#if defined(SECCOMP_SANDBOX)
// Run-time decision on whether the seccomp sandbox should be turned on for
// the current process. Only compiled when SECCOMP_SANDBOX is defined.
//
// The answer is derived solely from the current process's command line:
//  - debug builds (NDEBUG undefined): true unless
//    switches::kDisableSeccompSandbox is present;
//  - release builds (NDEBUG defined): false unless
//    switches::kEnableSeccompSandbox is present.
// Each build flavour consults only its own switch, so the "disable" switch
// has no effect in release and the "enable" switch has no effect in debug.
//
// NOTE(review): release builds are opt-in, so a false return here means the
// caller is told not to start seccomp. Whether any other sandbox layer still
// confines the process is not visible from this header.
static bool SeccompSandboxEnabled() {
  // TODO(evan): turn on for release too once we've flushed out all the bugs,
  // allowing us to delete this file entirely and just rely on the "disabled"
  // switch.
  const CommandLine& command_line = *CommandLine::ForCurrentProcess();
#if !defined(NDEBUG)
  // Debug: enabled unless explicitly switched off.
  const bool opted_out =
      command_line.HasSwitch(switches::kDisableSeccompSandbox);
  return !opted_out;
#else
  // Release: disabled unless explicitly switched on.
  const bool opted_in =
      command_line.HasSwitch(switches::kEnableSeccompSandbox);
  return opted_in;
#endif  // !defined(NDEBUG)
}
#endif // SECCOMP_SANDBOX
#endif // CONTENT_COMMON_SECCOMP_SANDBOX_H_