Revert of Start all children in their own PID namespace.

sandbox/linux/services/credentials.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/services/credentials.h"
 
 #include <errno.h>
 #include <signal.h>
 #include <stdio.h>
 #include <sys/syscall.h>
@@ skipping 92 matching lines @@
 // CHECK() that an attempt to move to a new user namespace raised an expected
 // errno.
 void CheckCloneNewUserErrno(int error) {
   // EPERM can happen if already in a chroot. EUSERS if too many nested
   // namespaces are used. EINVAL for kernels that don't support the feature.
   // Valgrind will ENOSYS unshare().
   PCHECK(error == EPERM || error == EUSERS || error == EINVAL ||
          error == ENOSYS);
 }
 
-// Converts a Capability to the corresponding Linux CAP_XXX value.
-int CapabilityToKernelValue(Credentials::Capability cap) {
+// Converts a LinuxCapability to the corresponding Linux CAP_XXX value.
+int LinuxCapabilityToKernelValue(LinuxCapability cap) {
   switch (cap) {
-    case Credentials::Capability::SYS_CHROOT:
+    case LinuxCapability::kCapSysChroot:
       return CAP_SYS_CHROOT;
-    case Credentials::Capability::SYS_ADMIN:
+    case LinuxCapability::kCapSysAdmin:
       return CAP_SYS_ADMIN;
   }
 
-  LOG(FATAL) << "Invalid Capability: " << static_cast<int>(cap);
+  LOG(FATAL) << "Invalid LinuxCapability: " << static_cast<int>(cap);
   return 0;
 }
 
 }  // namespace.
 
-// static
 bool Credentials::DropAllCapabilities(int proc_fd) {
-  if (!SetCapabilities(proc_fd, std::vector<Capability>())) {
+  if (!SetCapabilities(proc_fd, std::vector<LinuxCapability>())) {
     return false;
   }
 
   CHECK(!HasAnyCapability());
   return true;
 }
 
-// static
 bool Credentials::DropAllCapabilities() {
   base::ScopedFD proc_fd(ProcUtil::OpenProc());
   return Credentials::DropAllCapabilities(proc_fd.get());
 }
 
 // static
-bool Credentials::DropAllCapabilitiesOnCurrentThread() {
-  return SetCapabilitiesOnCurrentThread(std::vector<Capability>());
-}
-
-// static
-bool Credentials::SetCapabilitiesOnCurrentThread(
-    const std::vector<Capability>& caps) {
-  struct cap_hdr hdr = {};
-  hdr.version = _LINUX_CAPABILITY_VERSION_3;
-  struct cap_data data[_LINUX_CAPABILITY_U32S_3] = {{}};
-
-  // Initially, cap has no capability flags set. Enable the effective and
-  // permitted flags only for the requested capabilities.
-  for (const Capability cap : caps) {
-    const int cap_num = CapabilityToKernelValue(cap);
-    const size_t index = CAP_TO_INDEX(cap_num);
-    const uint32_t mask = CAP_TO_MASK(cap_num);
-    data[index].effective |= mask;
-    data[index].permitted |= mask;
-  }
-
-  return sys_capset(&hdr, data) == 0;
-}
-
-// static
 bool Credentials::SetCapabilities(int proc_fd,
-                                  const std::vector<Capability>& caps) {
+                                  const std::vector<LinuxCapability>& caps) {
   DCHECK_LE(0, proc_fd);
 
 #if !defined(THREAD_SANITIZER)
   // With TSAN, accept to break the security model as it is a testing
   // configuration.
   CHECK(ThreadHelpers::IsSingleThreaded(proc_fd));
 #endif
 
-  return SetCapabilitiesOnCurrentThread(caps);
+  struct cap_hdr hdr = {};
+  hdr.version = _LINUX_CAPABILITY_VERSION_3;
+  struct cap_data data[_LINUX_CAPABILITY_U32S_3] = {{}};
+
+  // Initially, cap has no capability flags set. Enable the effective and
+  // permitted flags only for the requested capabilities.
+  for (const LinuxCapability cap : caps) {
+    const int cap_num = LinuxCapabilityToKernelValue(cap);
+    const size_t index = CAP_TO_INDEX(cap_num);
+    const uint32_t mask = CAP_TO_MASK(cap_num);
+    data[index].effective |= mask;
+    data[index].permitted |= mask;
+  }
+
+  return sys_capset(&hdr, data) == 0;
 }
 
 bool Credentials::HasAnyCapability() {
   struct cap_hdr hdr = {};
   hdr.version = _LINUX_CAPABILITY_VERSION_3;
   struct cap_data data[_LINUX_CAPABILITY_U32S_3] = {{}};
 
   PCHECK(sys_capget(&hdr, data) == 0);
 
   for (size_t i = 0; i < arraysize(data); ++i) {
     if (data[i].effective || data[i].permitted || data[i].inheritable) {
       return true;
     }
   }
 
   return false;
 }
 
-bool Credentials::HasCapability(Capability cap) {
+bool Credentials::HasCapability(LinuxCapability cap) {
   struct cap_hdr hdr = {};
   hdr.version = _LINUX_CAPABILITY_VERSION_3;
   struct cap_data data[_LINUX_CAPABILITY_U32S_3] = {{}};
 
   PCHECK(sys_capget(&hdr, data) == 0);
 
-  const int cap_num = CapabilityToKernelValue(cap);
+  const int cap_num = LinuxCapabilityToKernelValue(cap);
   const size_t index = CAP_TO_INDEX(cap_num);
   const uint32_t mask = CAP_TO_MASK(cap_num);
 
   return (data[index].effective | data[index].permitted |
           data[index].inheritable) &
          mask;
 }
 
 // static
 bool Credentials::CanCreateProcessInNewUserNS() {
@@ skipping 71 matching lines @@
   CHECK_LE(0, proc_fd);
 
   CHECK(ChrootToSafeEmptyDir());
   CHECK(!base::DirectoryExists(base::FilePath("/proc")));
   CHECK(!ProcUtil::HasOpenDirectory(proc_fd));
   // We never let this function fail.
   return true;
 }
 
 }  // namespace sandbox.