Add SetCapabilities for setting capabilities to an exact set.

sandbox/linux/services/credentials.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/services/credentials.h"
 
 #include <errno.h>
 #include <signal.h>
 #include <stdio.h>
-#include <sys/capability.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/logging.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/process/launch.h"
 #include "base/template_util.h"
 #include "base/third_party/valgrind/valgrind.h"
 #include "build/build_config.h"
 #include "sandbox/linux/services/namespace_utils.h"
 #include "sandbox/linux/services/proc_util.h"
 #include "sandbox/linux/services/syscall_wrappers.h"
 #include "sandbox/linux/services/thread_helpers.h"
+#include "sandbox/linux/system_headers/capability.h"
 
 namespace sandbox {
 
 namespace {
 
 bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; }
 
-struct CapFreeDeleter {
-  inline void operator()(cap_t cap) const {
-    int ret = cap_free(cap);
-    CHECK_EQ(0, ret);
-  }
-};
-
-// Wrapper to manage libcap2's cap_t type.
-typedef scoped_ptr<typeof(*((cap_t)0)), CapFreeDeleter> ScopedCap;
-
-struct CapTextFreeDeleter {
-  inline void operator()(char* cap_text) const {
-    int ret = cap_free(cap_text);
-    CHECK_EQ(0, ret);
-  }
-};
-
-// Wrapper to manage the result from libcap2's cap_from_text().
-typedef scoped_ptr<char, CapTextFreeDeleter> ScopedCapText;
-
 // Checks that the set of RES-uids and the set of RES-gids have
 // one element each and return that element in |resuid| and |resgid|
 // respectively. It's ok to pass NULL as one or both of the ids.
 bool GetRESIds(uid_t* resuid, gid_t* resgid) {
   uid_t ruid, euid, suid;
   gid_t rgid, egid, sgid;
   PCHECK(getresuid(&ruid, &euid, &suid) == 0);
   PCHECK(getresgid(&rgid, &egid, &sgid) == 0);
   const bool uids_are_equal = (ruid == euid) && (ruid == suid);
   const bool gids_are_equal = (rgid == egid) && (rgid == sgid);
@@ skipping 59 matching lines @@
   // EPERM can happen if already in a chroot. EUSERS if too many nested
   // namespaces are used. EINVAL for kernels that don't support the feature.
   // Valgrind will ENOSYS unshare().
   PCHECK(error == EPERM || error == EUSERS || error == EINVAL ||
          error == ENOSYS);
 }
 
 }  // namespace.
 
 bool Credentials::DropAllCapabilities(int proc_fd) {
-  DCHECK_LE(0, proc_fd);
-#if !defined(THREAD_SANITIZER)
-  // With TSAN, accept to break the security model as it is a testing
-  // configuration.
-  CHECK(ThreadHelpers::IsSingleThreaded(proc_fd));
-#endif
+  if (!SetCapabilities(proc_fd, std::vector<int>())) {
+    return false;
+  }
 
-  ScopedCap cap(cap_init());
-  CHECK(cap);
-  PCHECK(0 == cap_set_proc(cap.get()));
   CHECK(!HasAnyCapability());
-  // We never let this function fail.
   return true;
 }
 
 bool Credentials::DropAllCapabilities() {
   base::ScopedFD proc_fd(ProcUtil::OpenProc());
   return Credentials::DropAllCapabilities(proc_fd.get());
 }
 
-bool Credentials::HasAnyCapability() {
-  ScopedCap current_cap(cap_get_proc());
-  CHECK(current_cap);
-  ScopedCap empty_cap(cap_init());
-  CHECK(empty_cap);
-  return cap_compare(current_cap.get(), empty_cap.get()) != 0;
+// static
+bool Credentials::SetCapabilities(int proc_fd,
+                                  const std::vector<int>& caps) {
+  DCHECK_LE(0, proc_fd);
+
+#if !defined(THREAD_SANITIZER)
+  // With TSAN, accept to break the security model as it is a testing
+  // configuration.
+  CHECK(ThreadHelpers::IsSingleThreaded(proc_fd));
+#endif
+
+  cap_hdr hdr;
+  hdr.version = _LINUX_CAPABILITY_VERSION_3;
+  cap_data data[_LINUX_CAPABILITY_U32S_3];

[jln (very slow on Chromium), 2015/03/12 19:24:15]

Even here I would use "struct cap_data", given that it's not following the style
guide for class / struct names and we're calling low-level kernel APIs.

[rickyz (no longer on Chrome), 2015/03/12 23:36:01]

Done.

+
+  // Initially, cap has no capability flags set. Enable the effective and
+  // permitted flags only for the requested capabilities.
+  for (const int cap : caps) {
+    DCHECK(cap >= 0 && cap < CAP_LAST_CAP);
+    data[CAP_TO_INDEX(cap)].effective |= CAP_TO_MASK(cap);
+    data[CAP_TO_INDEX(cap)].permitted |= CAP_TO_MASK(cap);
+  }
+
+  return sys_capset(&hdr, data) == 0;
 }
 
-scoped_ptr<std::string> Credentials::GetCurrentCapString() {
-  ScopedCap current_cap(cap_get_proc());
-  CHECK(current_cap);
-  ScopedCapText cap_text(cap_to_text(current_cap.get(), NULL));
-  CHECK(cap_text);
-  return scoped_ptr<std::string> (new std::string(cap_text.get()));
+bool Credentials::HasAnyCapability() {
+  cap_hdr hdr;
+  hdr.version = _LINUX_CAPABILITY_VERSION_3;
+  cap_data data[_LINUX_CAPABILITY_U32S_3];
+
+  PCHECK(sys_capget(&hdr, data) == 0);
+
+  for (size_t i = 0; i < arraysize(data); ++i) {
+    if (data[i].effective || data[i].permitted || data[i].inheritable) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+bool Credentials::HasCapability(int cap) {
+  DCHECK(cap >= 0 && cap < CAP_LAST_CAP);
+  cap_hdr hdr;
+  hdr.version = _LINUX_CAPABILITY_VERSION_3;
+  cap_data data[_LINUX_CAPABILITY_U32S_3];
+
+  PCHECK(sys_capget(&hdr, data) == 0);
+
+  const size_t index = CAP_TO_INDEX(cap);
+  const uint32_t mask = CAP_TO_MASK(cap);
+
+  return (data[index].effective | data[index].permitted |
+          data[index].inheritable) &

[jln (very slow on Chromium), 2015/03/12 19:24:14]

conidering .inheritable doesn't match the documentation. Update documentation?

[rickyz (no longer on Chrome), 2015/03/12 23:36:01]

Done.

+         mask;
 }
 
 // static
 bool Credentials::CanCreateProcessInNewUserNS() {
   // Valgrind will let clone(2) pass-through, but doesn't support unshare(),
   // so always consider UserNS unsupported there.
   if (IsRunningOnValgrind()) {
     return false;
   }
 
@@ skipping 65 matching lines @@
   CHECK_LE(0, proc_fd);
 
   CHECK(ChrootToSafeEmptyDir());
   CHECK(!base::DirectoryExists(base::FilePath("/proc")));
   CHECK(!ProcUtil::HasOpenDirectory(proc_fd));
   // We never let this function fail.
   return true;
 }
 
 }  // namespace sandbox.