Index: sandbox/linux/services/credentials.h |
diff --git a/sandbox/linux/services/credentials.h b/sandbox/linux/services/credentials.h |
new file mode 100644 |
index 0000000000000000000000000000000000000000..99f8f322dff62c9814ee131d97ec31fab4b1bbaf |
--- /dev/null |
+++ b/sandbox/linux/services/credentials.h |
@@ -0,0 +1,92 @@ |
+// Copyright (c) 2013 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ |
+#define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ |
+ |
+#include "build/build_config.h" |
+// Link errors are tedious to track, raise a compile-time error instead. |
+#if defined(OS_ANDROID) |
+#error "Android is not supported." |
+#endif // defined(OS_ANDROID). |
+ |
+#include <string> |
+ |
+#include "base/basictypes.h" |
+#include "base/memory/scoped_ptr.h" |
+#include "sandbox/sandbox_export.h" |
+ |
+namespace sandbox { |
+ |
+// This class should be used to manipulate the current process' credentials. |
+// It is currently a stub used to manipulate POSIX.1e capabilities as |
+// implemented by the Linux kernel. |
+class SANDBOX_EXPORT Credentials { |
+ public: |
+ Credentials(); |
+ ~Credentials(); |
+ |
+ // Returns the number of file descriptors in the current process's FD |
+ // table, excluding |proc_fd|, which should be a file descriptor for |
+ // /proc. |
+ int CountOpenFds(int proc_fd); |
+ |
+ // Checks whether the current process has any directory file descriptor open. |
+ // Directory file descriptors are "capabilities" that would let a process use |
+ // system calls such as openat() to bypass restrictions such as |
+ // DropFileSystemAccess(). |
+ // Sometimes it's useful to call HasOpenDirectory() after file system access |
+ // has been dropped. In this case, |proc_fd| should be a file descriptor to |
+ // /proc. The file descriptor in |proc_fd| will be ignored by |
+ // HasOpenDirectory() and remains owned by the caller. It is very important |
+ // for the caller to close it. |
+ // If /proc is available, |proc_fd| can be passed as -1. |
+ // If |proc_fd| is -1 and /proc is not available, this function will return |
+ // false. |
+ bool HasOpenDirectory(int proc_fd); |
+ |
+ // Drop all capabilities in the effective, inheritable and permitted sets for |
+ // the current process. |
+ bool DropAllCapabilities(); |
+ // Return true iff there is any capability in any of the capabilities sets |
+ // of the current process. |
+ bool HasAnyCapability() const; |
+ // Returns the capabilities of the current process in textual form, as |
+ // documented in libcap2's cap_to_text(3). This is mostly useful for |
+ // debugging and tests. |
+ scoped_ptr<std::string> GetCurrentCapString() const; |
+ |
+ // Returns whether the kernel supports CLONE_NEWUSER and whether it would be |
+ // possible to immediately move to a new user namespace. There is no point |
+ // in using this method right before calling MoveToNewUserNS(), simply call |
+ // MoveToNewUserNS() immediately. This method is only useful to test kernel |
+ // support ahead of time. |
+ static bool SupportsNewUserNS(); |
+ |
+ // Move the current process to a new "user namespace" as supported by Linux |
+ // 3.8+ (CLONE_NEWUSER). |
+ // The uid map will be set-up so that the perceived uid and gid will not |
+ // change. |
+ // If this call succeeds, the current process will be granted a full set of |
+ // capabilities in the new namespace. |
+ bool MoveToNewUserNS(); |
+ |
+ // Remove the ability of the process to access the file system. File |
+ // descriptors which are already open prior to calling this API remain |
+ // available. |
+ // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT. |
+ // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API. |
+ // Make sure to call DropAllCapabilities() after this call to prevent |
+ // escapes. |
+ // To be secure, it's very important for this API to not be called while the |
+ // process has any directory file descriptor open. |
+ bool DropFileSystemAccess(); |
+ |
+ private: |
+ DISALLOW_COPY_AND_ASSIGN(Credentials); |
+}; |
+ |
+} // namespace sandbox. |
+ |
+#endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ |