| Index: sandbox/linux/services/credentials.cc
|
| diff --git a/sandbox/linux/services/credentials.cc b/sandbox/linux/services/credentials.cc
|
| index 291c2cad4450e9a473281255cde6b72009c3852f..8dda0eb9027a0e506dd80da9e64bbea3b111ff1a 100644
|
| --- a/sandbox/linux/services/credentials.cc
|
| +++ b/sandbox/linux/services/credentials.cc
|
| @@ -22,12 +22,11 @@
|
| #include "base/process/launch.h"
|
| #include "base/template_util.h"
|
| #include "base/third_party/valgrind/valgrind.h"
|
| +#include "sandbox/linux/services/namespace_utils.h"
|
| #include "sandbox/linux/services/syscall_wrappers.h"
|
|
|
| namespace {
|
|
|
| -bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; }
|
| -
|
| struct CapFreeDeleter {
|
| inline void operator()(cap_t cap) const {
|
| int ret = cap_free(cap);
|
| @@ -59,28 +58,6 @@ struct FILECloser {
|
| // TODO(jln): fix base/.
|
| typedef scoped_ptr<FILE, FILECloser> ScopedFILE;
|
|
|
| -static_assert((base::is_same<uid_t, gid_t>::value),
|
| - "uid_t and gid_t should be the same type");
|
| -// generic_id_t can be used for either uid_t or gid_t.
|
| -typedef uid_t generic_id_t;
|
| -
|
| -// Write a uid or gid mapping from |id| to |id| in |map_file|.
|
| -bool WriteToIdMapFile(const char* map_file, generic_id_t id) {
|
| - ScopedFILE f(fopen(map_file, "w"));
|
| - PCHECK(f);
|
| - const uid_t inside_id = id;
|
| - const uid_t outside_id = id;
|
| - int num = fprintf(f.get(), "%d %d 1\n", inside_id, outside_id);
|
| - if (num < 0) return false;
|
| - // Manually call fflush() to catch permission failures.
|
| - int ret = fflush(f.get());
|
| - if (ret) {
|
| - VLOG(1) << "Could not write to id map file";
|
| - return false;
|
| - }
|
| - return true;
|
| -}
|
| -
|
| // Checks that the set of RES-uids and the set of RES-gids have
|
| // one element each and return that element in |resuid| and |resgid|
|
| // respectively. It's ok to pass NULL as one or both of the ids.
|
| @@ -168,37 +145,6 @@ scoped_ptr<std::string> Credentials::GetCurrentCapString() {
|
| return scoped_ptr<std::string> (new std::string(cap_text.get()));
|
| }
|
|
|
| -// static
|
| -bool Credentials::SupportsNewUserNS() {
|
| - // Valgrind will let clone(2) pass-through, but doesn't support unshare(),
|
| - // so always consider UserNS unsupported there.
|
| - if (IsRunningOnValgrind()) {
|
| - return false;
|
| - }
|
| -
|
| - // This is roughly a fork().
|
| - const pid_t pid = sys_clone(CLONE_NEWUSER | SIGCHLD, 0, 0, 0, 0);
|
| -
|
| - if (pid == -1) {
|
| - CheckCloneNewUserErrno(errno);
|
| - return false;
|
| - }
|
| -
|
| - // The parent process could have had threads. In the child, these threads
|
| - // have disappeared. Make sure to not do anything in the child, as this is a
|
| - // fragile execution environment.
|
| - if (pid == 0) {
|
| - _exit(0);
|
| - }
|
| -
|
| - // Always reap the child.
|
| - siginfo_t infop;
|
| - PCHECK(0 == HANDLE_EINTR(waitid(P_PID, pid, &infop, WEXITED)));
|
| -
|
| - // clone(2) succeeded, we can use CLONE_NEWUSER.
|
| - return true;
|
| -}
|
| -
|
| bool Credentials::MoveToNewUserNS() {
|
| uid_t uid;
|
| gid_t gid;
|
| @@ -222,8 +168,8 @@ bool Credentials::MoveToNewUserNS() {
|
| DCHECK(GetRESIds(NULL, NULL));
|
| const char kGidMapFile[] = "/proc/self/gid_map";
|
| const char kUidMapFile[] = "/proc/self/uid_map";
|
| - CHECK(WriteToIdMapFile(kGidMapFile, gid));
|
| - CHECK(WriteToIdMapFile(kUidMapFile, uid));
|
| + CHECK(NamespaceUtils::WriteToIdMapFile(kGidMapFile, gid));
|
| + CHECK(NamespaceUtils::WriteToIdMapFile(kUidMapFile, uid));
|
| DCHECK(GetRESIds(NULL, NULL));
|
| return true;
|
| }
|
|
|
Chromium Code Reviews
Issue 849893004:
Move a couple of utility functions to a new namespace_utils class. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master