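--- a/sandbox/linux/services/credentials.h
+++ b/sandbox/linux/services/credentials.h
@@ -1,79 +1,66 @@
 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
 
 #include "build/build_config.h"
 // Link errors are tedious to track, raise a compile-time error instead.
 #if defined(OS_ANDROID)
 #error "Android is not supported."
 #endif // defined(OS_ANDROID).
 
 #include <string>
 
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
 
 namespace sandbox {
 
 // This class should be used to manipulate the current process' credentials.
 // It is currently a stub used to manipulate POSIX.1e capabilities as
 // implemented by the Linux kernel.
 class Credentials {
  public:
   Credentials();
   ~Credentials();
 
-  // Checks whether the current process has any directory file descriptor open.
-  // Directory file descriptors are "capabilities" that would let a process use
-  // system calls such as openat() to bypass restrictions such as
-  // DropFileSystemAccess().
-  // Sometimes it's useful to call HasOpenDirectory() after file system access
-  // has been dropped. In this case, |proc_fd| should be a file descriptor to
-  // /proc. The file descriptor in |proc_fd| will be ignored by
-  // HasOpenDirectory() and remains owned by the caller. It is very important
-  // for the caller to close it.
-  // If /proc is available, |proc_fd| can be passed as -1.
-  // If |proc_fd| is -1 and /proc is not available, this function will return
-  // false.
-  bool HasOpenDirectory(int proc_fd);
-
   // Drop all capabilities in the effective, inheritable and permitted sets for
   // the current process.
   bool DropAllCapabilities();
   // Return true iff there is any capability in any of the capabilities sets
   // of the current process.
   bool HasAnyCapability() const;
   // Returns the capabilities of the current process in textual form, as
   // documented in libcap2's cap_to_text(3). This is mostly useful for
   // debugging and tests.
   scoped_ptr<std::string> GetCurrentCapString() const;
 
   // Move the current process to a new "user namespace" as supported by Linux
   // 3.8+ (CLONE_NEWUSER).
   // The uid map will be set-up so that the perceived uid and gid will not
   // change.
   // If this call succeeds, the current process will be granted a full set of
   // capabilities in the new namespace.
   bool MoveToNewUserNS();
 
   // Remove the ability of the process to access the file system. File
   // descriptors which are already open prior to calling this API remain
   // available.
   // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
   // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
   // Make sure to call DropAllCapabilities() after this call to prevent
   // escapes.
-  // To be secure, it's very important for this API to not be called while the
-  // process has any directory file descriptor open.
+  // To be secure, it's very important for this API to not be called with any
+  // directory file descriptor present. TODO(jln): integrate with
+  // crbug.com/269806 when available.
   bool DropFileSystemAccess();
 
  private:
   DISALLOW_COPY_AND_ASSIGN(Credentials);
 };
 
 } // namespace sandbox.
 
 #endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_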
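Review bot: The reworded comment on DropFileSystemAccess (new lines 55-57) still states the no-open-directory-fd precondition, but with HasOpenDirectory() removed the header no longer explains why it matters or whose job it is to verify it before calling. The deleted text carried the rationale, namely that an open directory fd lets the process use openat()-style calls to reach paths outside the chroot, so the restriction is only as strong as the process's fd table; keeping that next to the precondition stops a future caller from reading it as advisory. I would expand the comment to `// Any open directory fd lets the process use openat(2)-style calls to escape` / `// the chroot, so the caller must ensure none exists before calling this.` / `// TODO(jln): integrate with crbug.com/269806 when available.` It would also help to say, on the "call DropAllCapabilities() after this call" line, that the escape being prevented is presumably a second chroot(2) while CAP_SYS_CHROOT is still held, which is worth confirming against the implementation in credentials.cc.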