OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <signal.h> | 8 #include <signal.h> |
9 #include <stdio.h> | 9 #include <stdio.h> |
10 #include <sys/capability.h> | 10 #include <sys/capability.h> |
(...skipping 130 matching lines...)
141 CHECK(!HasAnyCapability()); | 141 CHECK(!HasAnyCapability()); |
142 // We never let this function fail. | 142 // We never let this function fail. |
143 return true; | 143 return true; |
144 } | 144 } |
145 | 145 |
146 bool Credentials::DropAllCapabilities() { | 146 bool Credentials::DropAllCapabilities() { |
147 base::ScopedFD proc_fd(ProcUtil::OpenProc()); | 147 base::ScopedFD proc_fd(ProcUtil::OpenProc()); |
148 return Credentials::DropAllCapabilities(proc_fd.get()); | 148 return Credentials::DropAllCapabilities(proc_fd.get()); |
149 } | 149 } |
150 | 150 |
| 151 // static |
| 152 bool Credentials::SetCapabilities(int proc_fd, |
| 153 const std::vector<cap_value_t>& caps) { |
| 154 DCHECK_LE(0, proc_fd); |
| 155 CHECK(ThreadHelpers::IsSingleThreaded(proc_fd)); |
| 156 |
| 157 sandbox::ScopedCap cap(cap_init()); |
| 158 PCHECK(cap != nullptr); |
| 159 cap_flag_t flags[] = {CAP_EFFECTIVE, CAP_PERMITTED}; |
| 160 for (const cap_flag_t flag : flags) { |
| 161 PCHECK(cap_set_flag(cap.get(), flag, caps.size(), &caps[0], CAP_SET) == 0); |
| 162 } |
| 163 return cap_set_proc(cap.get()) == 0; |
| 164 } |
| 165 |
151 bool Credentials::HasAnyCapability() { | 166 bool Credentials::HasAnyCapability() { |
152 ScopedCap current_cap(cap_get_proc()); | 167 ScopedCap current_cap(cap_get_proc()); |
153 CHECK(current_cap); | 168 CHECK(current_cap); |
154 ScopedCap empty_cap(cap_init()); | 169 ScopedCap empty_cap(cap_init()); |
155 CHECK(empty_cap); | 170 CHECK(empty_cap); |
156 return cap_compare(current_cap.get(), empty_cap.get()) != 0; | 171 return cap_compare(current_cap.get(), empty_cap.get()) != 0; |
157 } | 172 } |
158 | 173 |
159 scoped_ptr<std::string> Credentials::GetCurrentCapString() { | 174 scoped_ptr<std::string> Credentials::GetCurrentCapString() { |
160 ScopedCap current_cap(cap_get_proc()); | 175 ScopedCap current_cap(cap_get_proc()); |
(...skipping 73 matching lines...)
234 CHECK_LE(0, proc_fd); | 249 CHECK_LE(0, proc_fd); |
235 | 250 |
236 CHECK(ChrootToSafeEmptyDir()); | 251 CHECK(ChrootToSafeEmptyDir()); |
237 CHECK(!base::DirectoryExists(base::FilePath("/proc"))); | 252 CHECK(!base::DirectoryExists(base::FilePath("/proc"))); |
238 CHECK(!ProcUtil::HasOpenDirectory(proc_fd)); | 253 CHECK(!ProcUtil::HasOpenDirectory(proc_fd)); |
239 // We never let this function fail. | 254 // We never let this function fail. |
240 return true; | 255 return true; |
241 } | 256 } |
242 | 257 |
243 } // namespace sandbox. | 258 } // namespace sandbox. |
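Review bot: In the added `Credentials::SetCapabilities` (new lines 151-164), `&caps[0]` is evaluated even when `caps` is empty, which is undefined behaviour on an empty `std::vector`. As far as I know, libcap's `cap_set_flag` also rejects a zero count, so the `PCHECK` would abort a caller that passes an empty list to drop everything. Wrapping the loop in `if (!caps.empty())` and passing `caps.data()` lets the empty case fall through to `cap_set_proc` with the cleared set from `cap_init()`. The fd precondition here is `DCHECK_LE(0, proc_fd)`, while new line 249 uses `CHECK_LE(0, proc_fd)`; on a privilege-changing path `CHECK_LE` would keep the check in release builds. Since failure is reported only through the `bool` from `cap_set_proc`, a comment such as `// Returns false if the capability set could not be applied; callers must check.` would help keep a caller from continuing with its previous capabilities.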
OLD | NEW |