OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ |
| 6 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ |
| 7 |
| 8 #include "build/build_config.h" |
| 9 // Link errors are tedious to track, raise a compile-time error instead. |
| 10 #if defined(OS_ANDROID) |
| 11 #error "Android is not supported." |
| 12 #endif // defined(OS_ANDROID). |
| 13 |
| 14 #include <string> |
| 15 |
| 16 #include "base/basictypes.h" |
| 17 #include "base/memory/scoped_ptr.h" |
| 18 #include "sandbox/sandbox_export.h" |
| 19 |
| 20 namespace sandbox { |
| 21 |
| 22 // This class should be used to manipulate the current process' credentials. |
| 23 // It is currently a stub used to manipulate POSIX.1e capabilities as |
| 24 // implemented by the Linux kernel. |
| 25 class SANDBOX_EXPORT Credentials { |
| 26 public: |
| 27 Credentials(); |
| 28 ~Credentials(); |
| 29 |
| 30 // Returns the number of file descriptors in the current process's FD |
| 31 // table, excluding |proc_fd|, which should be a file descriptor for |
| 32 // /proc. |
| 33 int CountOpenFds(int proc_fd); |
| 34 |
| 35 // Checks whether the current process has any directory file descriptor open. |
| 36 // Directory file descriptors are "capabilities" that would let a process use |
| 37 // system calls such as openat() to bypass restrictions such as |
| 38 // DropFileSystemAccess(). |
| 39 // Sometimes it's useful to call HasOpenDirectory() after file system access |
| 40 // has been dropped. In this case, |proc_fd| should be a file descriptor to |
| 41 // /proc. The file descriptor in |proc_fd| will be ignored by |
| 42 // HasOpenDirectory() and remains owned by the caller. It is very important |
| 43 // for the caller to close it. |
| 44 // If /proc is available, |proc_fd| can be passed as -1. |
| 45 // If |proc_fd| is -1 and /proc is not available, this function will return |
| 46 // false. |
| 47 bool HasOpenDirectory(int proc_fd); |
| 48 |
| 49 // Drop all capabilities in the effective, inheritable and permitted sets for |
| 50 // the current process. |
| 51 bool DropAllCapabilities(); |
| 52 // Return true iff there is any capability in any of the capabilities sets |
| 53 // of the current process. |
| 54 bool HasAnyCapability() const; |
| 55 // Returns the capabilities of the current process in textual form, as |
| 56 // documented in libcap2's cap_to_text(3). This is mostly useful for |
| 57 // debugging and tests. |
| 58 scoped_ptr<std::string> GetCurrentCapString() const; |
| 59 |
| 60 // Returns whether the kernel supports CLONE_NEWUSER and whether it would be |
| 61 // possible to immediately move to a new user namespace. There is no point |
| 62 // in using this method right before calling MoveToNewUserNS(), simply call |
| 63 // MoveToNewUserNS() immediately. This method is only useful to test kernel |
| 64 // support ahead of time. |
| 65 static bool SupportsNewUserNS(); |
| 66 |
| 67 // Move the current process to a new "user namespace" as supported by Linux |
| 68 // 3.8+ (CLONE_NEWUSER). |
| 69 // The uid map will be set-up so that the perceived uid and gid will not |
| 70 // change. |
| 71 // If this call succeeds, the current process will be granted a full set of |
| 72 // capabilities in the new namespace. |
| 73 bool MoveToNewUserNS(); |
| 74 |
| 75 // Remove the ability of the process to access the file system. File |
| 76 // descriptors which are already open prior to calling this API remain |
| 77 // available. |
| 78 // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT. |
| 79 // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API. |
| 80 // Make sure to call DropAllCapabilities() after this call to prevent |
| 81 // escapes. |
| 82 // To be secure, it's very important for this API to not be called while the |
| 83 // process has any directory file descriptor open. |
| 84 bool DropFileSystemAccess(); |
| 85 |
| 86 private: |
| 87 DISALLOW_COPY_AND_ASSIGN(Credentials); |
| 88 }; |
| 89 |
| 90 } // namespace sandbox. |
| 91 |
| 92 #endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ |
OLD | NEW |