
Side by Side Diff: sandbox/linux/services/syscall_wrappers.h

Issue 997463002: Add SetCapabilities for setting capabilities to an exact set. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Respond to comments. Created 5 years, 9 months ago
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_ 5 #ifndef SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
6 #define SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_ 6 #define SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
7 7
8 #include <stdint.h>
8 #include <sys/types.h> 9 #include <sys/types.h>
9 10
10 #include "sandbox/sandbox_export.h" 11 #include "sandbox/sandbox_export.h"
11 12
12 struct sock_fprog; 13 struct sock_fprog;
13 struct rlimit64; 14 struct rlimit64;
15 struct cap_hdr;
16 struct cap_data;
14 17
15 namespace sandbox { 18 namespace sandbox {
16 19
17 // Provide direct system call wrappers for a few common system calls. 20 // Provide direct system call wrappers for a few common system calls.
18 // These are guaranteed to perform a system call and do not rely on things such 21 // These are guaranteed to perform a system call and do not rely on things such
19 // as caching the current pid (c.f. getpid()) unless otherwise specified. 22 // as caching the current pid (c.f. getpid()) unless otherwise specified.
20 23
21 SANDBOX_EXPORT pid_t sys_getpid(void); 24 SANDBOX_EXPORT pid_t sys_getpid(void);
22 25
23 SANDBOX_EXPORT pid_t sys_gettid(void); 26 SANDBOX_EXPORT pid_t sys_gettid(void);
(...skipping 16 matching lines...) Expand all
40 SANDBOX_EXPORT int sys_seccomp(unsigned int operation, 43 SANDBOX_EXPORT int sys_seccomp(unsigned int operation,
41 unsigned int flags, 44 unsigned int flags,
42 const struct sock_fprog* args); 45 const struct sock_fprog* args);
43 46
44 // Some libcs do not expose a prlimit64 wrapper. 47 // Some libcs do not expose a prlimit64 wrapper.
45 SANDBOX_EXPORT int sys_prlimit64(pid_t pid, 48 SANDBOX_EXPORT int sys_prlimit64(pid_t pid,
46 int resource, 49 int resource,
47 const struct rlimit64* new_limit, 50 const struct rlimit64* new_limit,
48 struct rlimit64* old_limit); 51 struct rlimit64* old_limit);
49 52
53 // Some libcs do not expose capget/capset wrappers. We want to use these
54 // directly in order to avoid pulling in libcap2.
55 SANDBOX_EXPORT int sys_capget(cap_hdr* hdrp, cap_data* datap);
jln (very slow on Chromium) 2015/03/12 19:24:15 How about putting C-style "struct cap_hdr" for the
rickyz (no longer on Chrome) 2015/03/12 23:36:01 Done.
56 SANDBOX_EXPORT int sys_capset(cap_hdr* hdrp, const cap_data* datap);
57
50 } // namespace sandbox 58 } // namespace sandbox
51 59
52 #endif // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_ 60 #endif // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
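Review bot: The new `sys_capget`/`sys_capset` declarations (new lines 53-56) do not say how many `cap_data` elements `datap` must point to, and the bare pointer in the signature lets a caller pass the address of a single struct. With `hdrp->version` set to `_LINUX_CAPABILITY_VERSION_3` the kernel transfers `_LINUX_CAPABILITY_U32S_3` (two) elements, so such a caller would have capget write past its buffer and capset read past it. I would extend the comment above the declarations with something like `// |datap| must point to an array sized for hdrp->version (two elements for _LINUX_CAPABILITY_VERSION_3).` The wrapper definitions are not on this page, so whether they validate anything themselves cannot be seen from here.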