Update from chromium 62675d9fb31fb8cedc40f68e78e8445a74f362e7

sandbox/linux/services/credentials.h

+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
+#define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
+
+#include "build/build_config.h"
+// Link errors are tedious to track, raise a compile-time error instead.
+#if defined(OS_ANDROID)
+#error "Android is not supported."
+#endif  // defined(OS_ANDROID).
+
+#include <string>
+
+#include "base/basictypes.h"
+#include "base/memory/scoped_ptr.h"
+#include "sandbox/sandbox_export.h"
+
+namespace sandbox {
+
+// This class should be used to manipulate the current process' credentials.
+// It is currently a stub used to manipulate POSIX.1e capabilities as
+// implemented by the Linux kernel.
+class SANDBOX_EXPORT Credentials {
+ public:
+  Credentials();
+  ~Credentials();
+
+  // Returns the number of file descriptors in the current process's FD
+  // table, excluding |proc_fd|, which should be a file descriptor for
+  // /proc.
+  int CountOpenFds(int proc_fd);
+
+  // Checks whether the current process has any directory file descriptor open.
+  // Directory file descriptors are "capabilities" that would let a process use
+  // system calls such as openat() to bypass restrictions such as
+  // DropFileSystemAccess().
+  // Sometimes it's useful to call HasOpenDirectory() after file system access
+  // has been dropped. In this case, |proc_fd| should be a file descriptor to
+  // /proc. The file descriptor in |proc_fd| will be ignored by
+  // HasOpenDirectory() and remains owned by the caller. It is very important
+  // for the caller to close it.
+  // If /proc is available, |proc_fd| can be passed as -1.
+  // If |proc_fd| is -1 and /proc is not available, this function will return
+  // false.
+  bool HasOpenDirectory(int proc_fd);
+
+  // Drop all capabilities in the effective, inheritable and permitted sets for
+  // the current process.
+  bool DropAllCapabilities();
+  // Return true iff there is any capability in any of the capabilities sets
+  // of the current process.
+  bool HasAnyCapability() const;
+  // Returns the capabilities of the current process in textual form, as
+  // documented in libcap2's cap_to_text(3). This is mostly useful for
+  // debugging and tests.
+  scoped_ptr<std::string> GetCurrentCapString() const;
+
+  // Returns whether the kernel supports CLONE_NEWUSER and whether it would be
+  // possible to immediately move to a new user namespace. There is no point
+  // in using this method right before calling MoveToNewUserNS(), simply call
+  // MoveToNewUserNS() immediately. This method is only useful to test kernel
+  // support ahead of time.
+  static bool SupportsNewUserNS();
+
+  // Move the current process to a new "user namespace" as supported by Linux
+  // 3.8+ (CLONE_NEWUSER).
+  // The uid map will be set-up so that the perceived uid and gid will not
+  // change.
+  // If this call succeeds, the current process will be granted a full set of
+  // capabilities in the new namespace.
+  bool MoveToNewUserNS();
+
+  // Remove the ability of the process to access the file system. File
+  // descriptors which are already open prior to calling this API remain
+  // available.
+  // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
+  // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
+  // Make sure to call DropAllCapabilities() after this call to prevent
+  // escapes.
+  // To be secure, it's very important for this API to not be called while the
+  // process has any directory file descriptor open.
+  bool DropFileSystemAccess();
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(Credentials);
+};
+
+}  // namespace sandbox.
+
+#endif  // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_