OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/services/credentials.h" | 5 #include "sandbox/linux/services/credentials.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <limits.h> | 8 #include <limits.h> |
9 #include <signal.h> | 9 #include <signal.h> |
10 #include <stddef.h> | 10 #include <stddef.h> |
(...skipping 114 matching lines...)
125 PCHECK(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid); | 125 PCHECK(HANDLE_EINTR(waitpid(pid, &status, 0)) == pid); |
126 | 126 |
127 return WIFEXITED(status) && WEXITSTATUS(status) == kExitSuccess; | 127 return WIFEXITED(status) && WEXITSTATUS(status) == kExitSuccess; |
128 } | 128 } |
129 | 129 |
130 // CHECK() that an attempt to move to a new user namespace raised an expected | 130 // CHECK() that an attempt to move to a new user namespace raised an expected |
131 // errno. | 131 // errno. |
132 void CheckCloneNewUserErrno(int error) { | 132 void CheckCloneNewUserErrno(int error) { |
133 // EPERM can happen if already in a chroot. EUSERS if too many nested | 133 // EPERM can happen if already in a chroot. EUSERS if too many nested |
134 // namespaces are used. EINVAL for kernels that don't support the feature. | 134 // namespaces are used. EINVAL for kernels that don't support the feature. |
135 // Valgrind will ENOSYS unshare(). | 135 // Valgrind will ENOSYS unshare(). ENOSPC can occur when the system has |
| 136 // reached its maximum configured number of user namespaces. |
136 PCHECK(error == EPERM || error == EUSERS || error == EINVAL || | 137 PCHECK(error == EPERM || error == EUSERS || error == EINVAL || |
137 error == ENOSYS); | 138 error == ENOSYS || error == ENOSPC); |
138 } | 139 } |
139 | 140 |
140 // Converts a Capability to the corresponding Linux CAP_XXX value. | 141 // Converts a Capability to the corresponding Linux CAP_XXX value. |
141 int CapabilityToKernelValue(Credentials::Capability cap) { | 142 int CapabilityToKernelValue(Credentials::Capability cap) { |
142 switch (cap) { | 143 switch (cap) { |
143 case Credentials::Capability::SYS_CHROOT: | 144 case Credentials::Capability::SYS_CHROOT: |
144 return CAP_SYS_CHROOT; | 145 return CAP_SYS_CHROOT; |
145 case Credentials::Capability::SYS_ADMIN: | 146 case Credentials::Capability::SYS_ADMIN: |
146 return CAP_SYS_ADMIN; | 147 return CAP_SYS_ADMIN; |
147 } | 148 } |
(...skipping 199 matching lines...)
347 if (pid != 0) { | 348 if (pid != 0) { |
348 return pid; | 349 return pid; |
349 } | 350 } |
350 | 351 |
351 // Since we just forked, we are single threaded. | 352 // Since we just forked, we are single threaded. |
352 PCHECK(DropAllCapabilitiesOnCurrentThread()); | 353 PCHECK(DropAllCapabilitiesOnCurrentThread()); |
353 return 0; | 354 return 0; |
354 } | 355 } |
355 | 356 |
356 } // namespace sandbox. | 357 } // namespace sandbox. |
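Review bot: The comment added to CheckCloneNewUserErrno describes ENOSPC only as the namespace count having been reached, but since Linux 4.9 the same errno is also returned when `user.max_user_namespaces` is set to 0 (a common hardening setting) and when the nesting limit is exceeded, the case the existing comment attributes to EUSERS. I would word it as `// ENOSPC (Linux 4.9+): user.max_user_namespaces is exhausted or set to 0, or the nesting limit was hit.` so readers see that it can be a permanent condition on a host. Because accepting the errno turns a crash into an ordinary failure return, the callers, which are in the skipped lines and not visible here, should be confirmed to treat it as "no user-namespace sandbox available" and not continue without an equivalent layer. Separately, PCHECK reports the current errno rather than the `error` argument, so if errno changed between the failed call and this check the crash message may not show the value tested; appending `<< "error=" << error` to the PCHECK would make it unambiguous.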