sandbox/linux/services/credentials.h - Issue 54643010: Linux: add basic unprivileged namespace support.

Side by Side Diff: sandbox/linux/services/credentials.h

Issue 54643010: Linux: add basic unprivileged namespace support. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: A tiny bit more testing. Created 7 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_	5 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_

6 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_	6 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_

7	7

8 #include "build/build_config.h"	8 #include "build/build_config.h"

9 // Link errors are tedious to track, raise a compile-time error instead.	9 // Link errors are tedious to track, raise a compile-time error instead.

10 #if defined(OS_ANDROID)	10 #if defined(OS_ANDROID)

(...skipping 10 matching lines...) Expand all Loading...
21 // This class should be used to manipulate the current process' credentials.	21 // This class should be used to manipulate the current process' credentials.

22 // It is currently a stub used to manipulate POSIX.1e capabilities as	22 // It is currently a stub used to manipulate POSIX.1e capabilities as

23 // implemented by the Linux kernel.	23 // implemented by the Linux kernel.

24 class Credentials {	24 class Credentials {

25 public:	25 public:

26 Credentials();	26 Credentials();

27 ~Credentials();	27 ~Credentials();

28	28

29 // Drop all capabilities in the effective, inheritable and permitted sets for	29 // Drop all capabilities in the effective, inheritable and permitted sets for

30 // the current process.	30 // the current process.

31 void DropAllCapabilities();	31 bool DropAllCapabilities();

32 // Return true iff there is any capability in any of the capabilities sets	32 // Return true iff there is any capability in any of the capabilities sets

33 // of the current process.	33 // of the current process.

34 bool HasAnyCapability();	34 bool HasAnyCapability() const;

35 // Returns the capabilities of the current process in textual form, as	35 // Returns the capabilities of the current process in textual form, as

36 // documented in libcap2's cap_to_text(3). This is mostly useful for	36 // documented in libcap2's cap_to_text(3). This is mostly useful for

37 // debugging and tests.	37 // debugging and tests.

38 scoped_ptr<std::string> GetCurrentCapString();	38 scoped_ptr<std::string> GetCurrentCapString() const;

	39

	40 // Move the current process to a new "user namespace" as supported by Linux

	41 // 3.8+ (CLONE_NEWUSER).

	42 // The uid map will be set-up so that the perceived uid and gid will not

	43 // change.

	44 // If this call succeeds, the current process will be granted a full set of

	45 // capabilities in the new namespace.

	46 bool MoveToNewUserNS();

	47

	48 // Remove the ability of the process to access the file system. File

	49 // descriptors which are already open prior to calling this API remain

	50 // available.

	51 // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.

	52 // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.

	53 // Make sure to call DropAllCapabilities() after this call to prevent

	54 // escapes.

	55 // To be secure, it's very important that this API is not called with any
	Jorge Lucangeli Obes 2013/11/05 00:44:51 .. very important for this API not to be called... .. very important for this API not to be called... jln (very slow on Chromium) 2013/11/05 00:54:42 Done. Show quoted text On 2013/11/05 00:44:51, Jorge Lucangeli Obes wrote: > .. very important for this API not to be called... Done.
	56 // directory file descriptor present. TODO(jln): integrate with
	Jorge Lucangeli Obes 2013/11/05 00:44:51 descriptors. descriptors. jln (very slow on Chromium) 2013/11/05 00:54:42 palmer@ says that singular is "more common". Keepi Show quoted text On 2013/11/05 00:44:51, Jorge Lucangeli Obes wrote: > descriptors. palmer@ says that singular is "more common". Keeping unless you object.
	57 // crbug.com/269806 when available.

	58 bool DropFileSystemAccess();

39	59

40 private:	60 private:

41 DISALLOW_COPY_AND_ASSIGN(Credentials);	61 DISALLOW_COPY_AND_ASSIGN(Credentials);

42 };	62 };

43	63

44 } // namespace sandbox.	64 } // namespace sandbox.

45	65

46 #endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_	66 #endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_

OLD	NEW

« no previous file with comments | « no previous file | sandbox/linux/services/credentials.cc » ('j') | sandbox/linux/services/credentials.cc » ('J')