init/startup/security_manager.h - chromiumos/platform2 - Git at Google

 // Copyright 2022 The ChromiumOS Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 // This file contains the functionality for configuring process management.

 #ifndef INIT_STARTUP_SECURITY_MANAGER_H_
 #define INIT_STARTUP_SECURITY_MANAGER_H_

 #include <string>

 #include <base/files/file_path.h>
 #include <base/files/file_util.h>
 #include <libstorage/platform/platform.h>

 #include "init/startup/startup_dep_impl.h"

 namespace startup {

 // Accumulate process management policies from the files in the policy dir
 // and append them to to output_file.
 bool AccumulatePolicyFiles(libstorage::Platform* platform,
                            const base::FilePath& root,
                            const base::FilePath& output_file,
                            const base::FilePath& policy_dir);
 // Determine where securityfs files are placed and accumulate policy files.
 bool ConfigureProcessMgmtSecurity(libstorage::Platform* platform,
                                   const base::FilePath& root);

 // Sets up the LoadPin verity root digests to be trusted by the kernel.
 bool SetupLoadPinVerityDigests(libstorage::Platform* platform,
                                const base::FilePath& root,
                                StartupDep* startup_dep);

 // Block symlink and FIFO access on the given path.
 bool BlockSymlinkAndFifo(libstorage::Platform* platform,
                          const base::FilePath& root,
                          const std::string& path);

 void CreateSystemKey(libstorage::Platform* platform,
                      const base::FilePath& root,
                      const base::FilePath& stateful,
                      StartupDep* startup_dep,
                      std::string* output);

 bool AllowSymlink(libstorage::Platform* platform,
                   const base::FilePath& root,
                   const std::string& path);
 bool AllowFifo(libstorage::Platform* platform,
                const base::FilePath& root,
                const std::string& path);

 void SymlinkExceptions(libstorage::Platform* platform,
                        const base::FilePath& root);
 void ExceptionsProjectSpecific(libstorage::Platform* platform,
                                const base::FilePath& root,
                                const base::FilePath& config_dir,
                                bool (*callback)(libstorage::Platform* platform,
                                                 const base::FilePath& root,
                                                 const std::string& path));

 // Set up symlink traversal, FIFO blocking policy, and project specific
 // symlink and FIFO exceptions.
 void ConfigureFilesystemExceptions(libstorage::Platform* platform,
                                    const base::FilePath& root);

 }  // namespace startup

 #endif  // INIT_STARTUP_SECURITY_MANAGER_H_
	// Copyright 2022 The ChromiumOS Authors
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	// This file contains the functionality for configuring process management.

	#ifndef INIT_STARTUP_SECURITY_MANAGER_H_
	#define INIT_STARTUP_SECURITY_MANAGER_H_

	#include <string>

	#include <base/files/file_path.h>
	#include <base/files/file_util.h>
	#include <libstorage/platform/platform.h>

	#include "init/startup/startup_dep_impl.h"

	namespace startup {

	// Accumulate process management policies from the files in the policy dir
	// and append them to to output_file.
	bool AccumulatePolicyFiles(libstorage::Platform* platform,
	const base::FilePath& root,
	const base::FilePath& output_file,
	const base::FilePath& policy_dir);
	// Determine where securityfs files are placed and accumulate policy files.
	bool ConfigureProcessMgmtSecurity(libstorage::Platform* platform,
	const base::FilePath& root);

	// Sets up the LoadPin verity root digests to be trusted by the kernel.
	bool SetupLoadPinVerityDigests(libstorage::Platform* platform,
	const base::FilePath& root,
	StartupDep* startup_dep);

	// Block symlink and FIFO access on the given path.
	bool BlockSymlinkAndFifo(libstorage::Platform* platform,
	const base::FilePath& root,
	const std::string& path);

	void CreateSystemKey(libstorage::Platform* platform,
	const base::FilePath& root,
	const base::FilePath& stateful,
	StartupDep* startup_dep,
	std::string* output);

	bool AllowSymlink(libstorage::Platform* platform,
	const base::FilePath& root,
	const std::string& path);
	bool AllowFifo(libstorage::Platform* platform,
	const base::FilePath& root,
	const std::string& path);

	void SymlinkExceptions(libstorage::Platform* platform,
	const base::FilePath& root);
	void ExceptionsProjectSpecific(libstorage::Platform* platform,
	const base::FilePath& root,
	const base::FilePath& config_dir,
	bool (callback)(libstorage::Platform platform,
	const base::FilePath& root,
	const std::string& path));

	// Set up symlink traversal, FIFO blocking policy, and project specific
	// symlink and FIFO exceptions.
	void ConfigureFilesystemExceptions(libstorage::Platform* platform,
	const base::FilePath& root);

	} // namespace startup

	#endif // INIT_STARTUP_SECURITY_MANAGER_H_