OLD | NEW |
---|---|
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ | 5 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ |
6 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ | 6 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ |
7 | 7 |
8 #include "build/build_config.h" | 8 #include "build/build_config.h" |
9 // Link errors are tedious to track, raise a compile-time error instead. | 9 // Link errors are tedious to track, raise a compile-time error instead. |
10 #if defined(OS_ANDROID) | 10 #if defined(OS_ANDROID) |
11 #error "Android is not supported." | 11 #error "Android is not supported." |
12 #endif // defined(OS_ANDROID). | 12 #endif // defined(OS_ANDROID). |
13 | 13 |
14 #include <string> | 14 #include <string> |
15 #include <vector> | |
15 | 16 |
16 #include "base/basictypes.h" | 17 #include "base/basictypes.h" |
17 #include "base/compiler_specific.h" | 18 #include "base/compiler_specific.h" |
18 #include "base/memory/scoped_ptr.h" | 19 #include "base/memory/scoped_ptr.h" |
19 #include "sandbox/sandbox_export.h" | 20 #include "sandbox/sandbox_export.h" |
20 | 21 |
21 namespace sandbox { | 22 namespace sandbox { |
22 | 23 |
23 // This class should be used to manipulate the current process' credentials. | 24 // This class should be used to manipulate the current process' credentials. |
24 // It is currently a stub used to manipulate POSIX.1e capabilities as | 25 // It is currently a stub used to manipulate POSIX.1e capabilities as |
25 // implemented by the Linux kernel. | 26 // implemented by the Linux kernel. |
26 class SANDBOX_EXPORT Credentials { | 27 class SANDBOX_EXPORT Credentials { |
27 public: | 28 public: |
28 // Drop all capabilities in the effective, inheritable and permitted sets for | 29 // Drop all capabilities in the effective, inheritable and permitted sets for |
29 // the current process. For security reasons, since capabilities are | 30 // the current thread. For security reasons, since capabilities are |
30 // per-thread, the caller is responsible for ensuring it is single-threaded | 31 // per-thread, the caller is responsible for ensuring it is single-threaded |
31 // when calling this API. | 32 // when calling this API. |
32 // |proc_fd| must be a file descriptor to /proc/ and remains owned by | 33 // |proc_fd| must be a file descriptor to /proc/ and remains owned by |
33 // the caller. | 34 // the caller. |
34 static bool DropAllCapabilities(int proc_fd) WARN_UNUSED_RESULT; | 35 static bool DropAllCapabilities(int proc_fd) WARN_UNUSED_RESULT; |
35 // A similar API which assumes that it can open /proc/self/ by itself. | 36 // A similar API which assumes that it can open /proc/self/ by itself. |
36 static bool DropAllCapabilities() WARN_UNUSED_RESULT; | 37 static bool DropAllCapabilities() WARN_UNUSED_RESULT; |
38 // Sets the effective and permitted capability sets for the current thread to | |
39 // the list of capabiltiies in |caps|. All other capability flags are cleared. | |
40 static bool SetCapabilities(int proc_fd, const std::vector<int>& caps) | |
jln (very slow on Chromium)
2015/03/12 20:46:30
Would it be worth taking an enum class instead of
rickyz (no longer on Chrome)
2015/03/12 23:36:01
Done.
| |
41 WARN_UNUSED_RESULT; | |
42 | |
43 // Returns true if the current thread has either the CAP_EFFECTIVE or | |
44 // CAP_PERMITTED flag set for the given capability. | |
jln (very slow on Chromium)
2015/03/12 19:24:15
The implementation also considers CAP_INHERITABLE.
rickyz (no longer on Chrome)
2015/03/12 23:36:01
Oops, I updated the documentation. It bothers me a
| |
45 static bool HasCapability(int cap); | |
37 | 46 |
38 // Return true iff there is any capability in any of the capabilities sets | 47 // Return true iff there is any capability in any of the capabilities sets |
39 // of the current process. | 48 // of the current thread. |
40 static bool HasAnyCapability(); | 49 static bool HasAnyCapability(); |
41 // Returns the capabilities of the current process in textual form, as | |
42 // documented in libcap2's cap_to_text(3). This is mostly useful for | |
43 // debugging and tests. | |
44 static scoped_ptr<std::string> GetCurrentCapString(); | |
45 | 50 |
46 // Returns whether the kernel supports CLONE_NEWUSER and whether it would be | 51 // Returns whether the kernel supports CLONE_NEWUSER and whether it would be |
47 // possible to immediately move to a new user namespace. There is no point | 52 // possible to immediately move to a new user namespace. There is no point |
48 // in using this method right before calling MoveToNewUserNS(), simply call | 53 // in using this method right before calling MoveToNewUserNS(), simply call |
49 // MoveToNewUserNS() immediately. This method is only useful to test the | 54 // MoveToNewUserNS() immediately. This method is only useful to test the |
50 // ability to move to a user namespace ahead of time. | 55 // ability to move to a user namespace ahead of time. |
51 static bool CanCreateProcessInNewUserNS(); | 56 static bool CanCreateProcessInNewUserNS(); |
52 | 57 |
53 // Move the current process to a new "user namespace" as supported by Linux | 58 // Move the current process to a new "user namespace" as supported by Linux |
54 // 3.8+ (CLONE_NEWUSER). | 59 // 3.8+ (CLONE_NEWUSER). |
(...skipping 18 matching lines...) Expand all Loading... | |
73 // - DropAllCapabilities() must be called to prevent escapes. | 78 // - DropAllCapabilities() must be called to prevent escapes. |
74 static bool DropFileSystemAccess(int proc_fd) WARN_UNUSED_RESULT; | 79 static bool DropFileSystemAccess(int proc_fd) WARN_UNUSED_RESULT; |
75 | 80 |
76 private: | 81 private: |
77 DISALLOW_IMPLICIT_CONSTRUCTORS(Credentials); | 82 DISALLOW_IMPLICIT_CONSTRUCTORS(Credentials); |
78 }; | 83 }; |
79 | 84 |
80 } // namespace sandbox. | 85 } // namespace sandbox. |
81 | 86 |
82 #endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ | 87 #endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ |
OLD | NEW |