OLD | NEW |
---|---|
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ | 5 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ |
6 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ | 6 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ |
7 | 7 |
8 #include "build/build_config.h" | 8 #include "build/build_config.h" |
9 // Link errors are tedious to track, raise a compile-time error instead. | 9 // Link errors are tedious to track, raise a compile-time error instead. |
10 #if defined(OS_ANDROID) | 10 #if defined(OS_ANDROID) |
11 #error "Android is not supported." | 11 #error "Android is not supported." |
12 #endif // defined(OS_ANDROID). | 12 #endif // defined(OS_ANDROID). |
13 | 13 |
14 #include <string> | 14 #include <string> |
15 #include <vector> | 15 #include <vector> |
16 | 16 |
17 #include "base/basictypes.h" | 17 #include "base/basictypes.h" |
18 #include "base/compiler_specific.h" | 18 #include "base/compiler_specific.h" |
19 #include "base/memory/scoped_ptr.h" | 19 #include "base/memory/scoped_ptr.h" |
20 #include "sandbox/linux/system_headers/capability.h" | 20 #include "sandbox/linux/system_headers/capability.h" |
21 #include "sandbox/sandbox_export.h" | 21 #include "sandbox/sandbox_export.h" |
22 | 22 |
23 namespace sandbox { | 23 namespace sandbox { |
24 | 24 |
25 // For brevity, we only expose enums for the subset of capabilities we use. | |
26 // This can be expanded as the need arises. | |
27 enum class LinuxCapability { | |
28 kCapSysChroot, | |
29 kCapSysAdmin, | |
30 }; | |
31 | |
32 // This class should be used to manipulate the current process' credentials. | 25 // This class should be used to manipulate the current process' credentials. |
33 // It is currently a stub used to manipulate POSIX.1e capabilities as | 26 // It is currently a stub used to manipulate POSIX.1e capabilities as |
34 // implemented by the Linux kernel. | 27 // implemented by the Linux kernel. |
35 class SANDBOX_EXPORT Credentials { | 28 class SANDBOX_EXPORT Credentials { |
36 public: | 29 public: |
30 // For brevity, we only expose enums for the subset of capabilities we use. | |
31 // This can be expanded as the need arises. | |
32 enum class Capability { | |
33 kCapSysChroot, | |
jln (very slow on Chromium)
2015/03/26 22:01:33
Nit: you could drop the "Cap", now that it's quali
mdempsky
2015/03/27 20:32:11
Also, Chromium style is to use SHOUTY_CASE for enu
rickyz (no longer on Chrome)
2015/03/27 21:08:02
Oop, missed that, changed it as well, but let me k
| |
34 kCapSysAdmin, | |
35 }; | |
36 | |
37 // Drop all capabilities in the effective, inheritable and permitted sets for | 37 // Drop all capabilities in the effective, inheritable and permitted sets for |
38 // the current thread. For security reasons, since capabilities are | 38 // the current thread. For security reasons, since capabilities are |
39 // per-thread, the caller is responsible for ensuring it is single-threaded | 39 // per-thread, the caller is responsible for ensuring it is single-threaded |
40 // when calling this API. | 40 // when calling this API. |
41 // |proc_fd| must be a file descriptor to /proc/ and remains owned by | 41 // |proc_fd| must be a file descriptor to /proc/ and remains owned by |
42 // the caller. | 42 // the caller. |
43 static bool DropAllCapabilities(int proc_fd) WARN_UNUSED_RESULT; | 43 static bool DropAllCapabilities(int proc_fd) WARN_UNUSED_RESULT; |
44 // A similar API which assumes that it can open /proc/self/ by itself. | 44 // A similar API which assumes that it can open /proc/self/ by itself. |
45 static bool DropAllCapabilities() WARN_UNUSED_RESULT; | 45 static bool DropAllCapabilities() WARN_UNUSED_RESULT; |
46 // Sets the effective and permitted capability sets for the current thread to | 46 // Sets the effective and permitted capability sets for the current thread to |
47 // the list of capabiltiies in |caps|. All other capability flags are cleared. | 47 // the list of capabiltiies in |caps|. All other capability flags are cleared. |
48 static bool SetCapabilities(int proc_fd, | 48 static bool SetCapabilities(int proc_fd, |
49 const std::vector<LinuxCapability>& caps) | 49 const std::vector<Capability>& caps) |
50 WARN_UNUSED_RESULT; | 50 WARN_UNUSED_RESULT; |
51 | 51 |
52 // Versions of the above functions which do not check that the process is | |
53 // single-threaded. After calling these functions, capabilities of other | |
54 // threads will not be changed. | |
jln (very slow on Chromium)
2015/03/26 22:01:33
Maybe add something along the lines "This is dange
rickyz (no longer on Chrome)
2015/03/27 21:08:02
Heh, sure, done
| |
55 static bool DropAllCapabilitiesOnCurrentThread() WARN_UNUSED_RESULT; | |
56 static bool SetCapabilitiesOnCurrentThread( | |
57 const std::vector<Capability>& caps) WARN_UNUSED_RESULT; | |
58 | |
52 // Returns true if the current thread has either the effective, permitted, or | 59 // Returns true if the current thread has either the effective, permitted, or |
53 // inheritable flag set for the given capability. | 60 // inheritable flag set for the given capability. |
54 static bool HasCapability(LinuxCapability cap); | 61 static bool HasCapability(Capability cap); |
55 | 62 |
56 // Return true iff there is any capability in any of the capabilities sets | 63 // Return true iff there is any capability in any of the capabilities sets |
57 // of the current thread. | 64 // of the current thread. |
58 static bool HasAnyCapability(); | 65 static bool HasAnyCapability(); |
59 | 66 |
60 // Returns whether the kernel supports CLONE_NEWUSER and whether it would be | 67 // Returns whether the kernel supports CLONE_NEWUSER and whether it would be |
61 // possible to immediately move to a new user namespace. There is no point | 68 // possible to immediately move to a new user namespace. There is no point |
62 // in using this method right before calling MoveToNewUserNS(), simply call | 69 // in using this method right before calling MoveToNewUserNS(), simply call |
63 // MoveToNewUserNS() immediately. This method is only useful to test the | 70 // MoveToNewUserNS() immediately. This method is only useful to test the |
64 // ability to move to a user namespace ahead of time. | 71 // ability to move to a user namespace ahead of time. |
(...skipping 22 matching lines...) Expand all Loading... | |
87 // - DropAllCapabilities() must be called to prevent escapes. | 94 // - DropAllCapabilities() must be called to prevent escapes. |
88 static bool DropFileSystemAccess(int proc_fd) WARN_UNUSED_RESULT; | 95 static bool DropFileSystemAccess(int proc_fd) WARN_UNUSED_RESULT; |
89 | 96 |
90 private: | 97 private: |
91 DISALLOW_IMPLICIT_CONSTRUCTORS(Credentials); | 98 DISALLOW_IMPLICIT_CONSTRUCTORS(Credentials); |
92 }; | 99 }; |
93 | 100 |
94 } // namespace sandbox. | 101 } // namespace sandbox. |
95 | 102 |
96 #endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ | 103 #endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ |
OLD | NEW |