Add SetCapabilities for setting capabilities to an exact set.

sandbox/linux/services/credentials.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/services/credentials.h"
 
 #include <errno.h>
 #include <signal.h>
 #include <stdio.h>
 #include <sys/capability.h>
@@ skipping 115 matching lines @@
   // EPERM can happen if already in a chroot. EUSERS if too many nested
   // namespaces are used. EINVAL for kernels that don't support the feature.
   // Valgrind will ENOSYS unshare().
   PCHECK(error == EPERM || error == EUSERS || error == EINVAL ||
          error == ENOSYS);
 }
 
 }  // namespace.
 
 bool Credentials::DropAllCapabilities(int proc_fd) {
-  DCHECK_LE(0, proc_fd);
-#if !defined(THREAD_SANITIZER)
-  // With TSAN, accept to break the security model as it is a testing
-  // configuration.
-  CHECK(ThreadHelpers::IsSingleThreaded(proc_fd));
-#endif
+  if (!SetCapabilities(proc_fd, std::vector<cap_value_t>())) {
+    return false;

[jln (very slow on Chromium), 2015/03/10 22:32:29]

n.b. We used to never let this function fail and this changes that.

+  }
 
-  ScopedCap cap(cap_init());
-  CHECK(cap);
-  PCHECK(0 == cap_set_proc(cap.get()));
   CHECK(!HasAnyCapability());
-  // We never let this function fail.
   return true;
 }
 
 bool Credentials::DropAllCapabilities() {
   base::ScopedFD proc_fd(ProcUtil::OpenProc());
   return Credentials::DropAllCapabilities(proc_fd.get());
 }
 
+// static
+bool Credentials::SetCapabilities(int proc_fd,
+                                  const std::vector<cap_value_t>& caps) {
+  DCHECK_LE(0, proc_fd);
+#if !defined(THREAD_SANITIZER)
+  // With TSAN, accept to break the security model as it is a testing
+  // configuration.
+  CHECK(ThreadHelpers::IsSingleThreaded(proc_fd));
+#endif
+
+  sandbox::ScopedCap cap(cap_init());
+  PCHECK(cap != nullptr);
+
+  if (!caps.empty()) {
+    // Initially, cap has no capability flags set. Enable CAP_EFFECTIVE and
+    // CAP_PERMITTED only for the requested capabilities.
+    const cap_flag_t flags[] = {CAP_EFFECTIVE, CAP_PERMITTED};
+    for (const cap_flag_t flag : flags) {
+      PCHECK(cap_set_flag(cap.get(), flag, caps.size(), &caps.at(0), CAP_SET) ==
+             0);
+    }
+  }
+
+  return cap_set_proc(cap.get()) == 0;
+}
+
 bool Credentials::HasAnyCapability() {
   ScopedCap current_cap(cap_get_proc());
   CHECK(current_cap);
   ScopedCap empty_cap(cap_init());
   CHECK(empty_cap);
   return cap_compare(current_cap.get(), empty_cap.get()) != 0;
 }
 
+bool Credentials::HasCapability(cap_value_t cap) {
+  ScopedCap current_cap(cap_get_proc());
+  PCHECK(current_cap);
+
+  cap_flag_value_t value;
+  const cap_flag_t flags[] = {CAP_EFFECTIVE, CAP_PERMITTED};
+  for (const cap_flag_t flag : flags) {
+    PCHECK(cap_get_flag(current_cap.get(), cap, flag, &value) == 0);
+    if (value == CAP_SET) {
+      return true;
+    }
+  }
+  return false;
+}
+
 scoped_ptr<std::string> Credentials::GetCurrentCapString() {
   ScopedCap current_cap(cap_get_proc());
   CHECK(current_cap);
   ScopedCapText cap_text(cap_to_text(current_cap.get(), NULL));
   CHECK(cap_text);
   return scoped_ptr<std::string> (new std::string(cap_text.get()));
 }
 
 // static
 bool Credentials::CanCreateProcessInNewUserNS() {
@@ skipping 71 matching lines @@
   CHECK_LE(0, proc_fd);
 
   CHECK(ChrootToSafeEmptyDir());
   CHECK(!base::DirectoryExists(base::FilePath("/proc")));
   CHECK(!ProcUtil::HasOpenDirectory(proc_fd));
   // We never let this function fail.
   return true;
 }
 
 }  // namespace sandbox.