1 // Copyright 2019 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 // The sandbox2::sanitizer namespace provides functions which bring a process
16 // into a state in which it can be safely sandboxed.
17 
18 #ifndef SANDBOXED_API_SANDBOX2_SANITIZER_H_
19 #define SANDBOXED_API_SANDBOX2_SANITIZER_H_
20 
21 #include "absl/container/flat_hash_set.h"
22 #include "absl/status/status.h"
23 #include "absl/status/statusor.h"
24 
25 namespace sandbox2 {
26 namespace sanitizer {
27 
28 // Reads the set of file descriptors that are open in the current process.
   // On failure the returned StatusOr holds an error instead of a set.
29 absl::StatusOr<absl::flat_hash_set<int>> GetListOfFDs();
30 
31 // Closes all file descriptors in the current process except the ones in
32 // fd_exceptions. Failure is reported through the returned absl::Status.
   // Every descriptor listed in fd_exceptions stays open, so callers should
   // list only the descriptors that are meant to survive sanitization.
33 absl::Status CloseAllFDsExcept(const absl::flat_hash_set<int>& fd_exceptions);
34 
35 // Marks all file descriptors as close-on-exec, except the ones in
36 // fd_exceptions. Failure is reported through the returned absl::Status.
   // Close-on-exec only takes effect at a successful exec: the marked
   // descriptors stay open in this process until then. Descriptors in
   // fd_exceptions are not marked by this call.
37 absl::Status MarkAllFDsAsCOEExcept(
38     const absl::flat_hash_set<int>& fd_exceptions);
39 
40 // Returns the number of threads in the process 'pid'. Returns -1 in case of
41 // errors.
   // Callers must check for -1 before treating the result as a thread count.
42 int GetNumberOfThreads(int pid);
43 
44 // When running under a sanitizer, the sanitizer may spawn a background
45 // thread. This is not desirable for sandboxing purposes. This function
46 // notifies that background thread that it should finish and then waits for
47 // it to be done. It is safe to call this function more than once, since it
48 // keeps track of whether it has already notified the sanitizer. This
49 // function does nothing if not running under a sanitizer.
50 void WaitForSanitizer();
51 
52 // Sanitizes current process (which will not execve a sandboxed binary).
53 // File-descriptors in fd_exceptions will be either closed
54 // (close_fds == true), or marked as close-on-exec (close_fds == false).
   // NOTE(review): as written, this says the descriptors *in* fd_exceptions
   // are the ones closed or marked, whereas CloseAllFDsExcept and
   // MarkAllFDsAsCOEExcept spare the descriptors in fd_exceptions. The
   // parameter name suggests "not in fd_exceptions" was meant; confirm
   // against the implementation before relying on either reading.
55 absl::Status SanitizeCurrentProcess(
56     const absl::flat_hash_set<int>& fd_exceptions, bool close_fds);
57 
58 // Returns a list of tasks for a pid.
   // The result is a set of ints, presumably the task (thread) IDs of 'pid';
   // confirm against the implementation. On failure the returned StatusOr
   // holds an error instead of a set.
59 absl::StatusOr<absl::flat_hash_set<int>> GetListOfTasks(int pid);
60 
61 }  // namespace sanitizer
62 }  // namespace sandbox2
63 
64 #endif  // SANDBOXED_API_SANDBOX2_SANITIZER_H_
65