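--- a/sandbox/linux/services/credentials.h
+++ b/sandbox/linux/services/credentials.h
@@ -1,66 +1,79 @@
 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
 
 #include "build/build_config.h"
 // Link errors are tedious to track, raise a compile-time error instead.
 #if defined(OS_ANDROID)
 #error "Android is not supported."
 #endif // defined(OS_ANDROID).
 
 #include <string>
 
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
 
 namespace sandbox {
 
 // This class should be used to manipulate the current process' credentials.
 // It is currently a stub used to manipulate POSIX.1e capabilities as
 // implemented by the Linux kernel.
 class Credentials {
 public:
 Credentials();
 ~Credentials();
 
+// Checks whether the current process has any directory file descriptor open.
+// Directory file descriptors are "capabilities" that would let a process use
+// system calls such as openat() to bypass restrictions such as
+// DropFileSystemAccess().
+// Sometimes it's useful to call HasOpenDirectory() after file system access
+// has been dropped. In this case, |proc_fd| should be a file descriptor to
+// /proc. The file descriptor in |proc_fd| will be ignored by
+// HasOpenDirectory() and remains owned by the caller. It is very important
+// for the caller to close it.
+// If /proc is available, |proc_fd| can be passed as -1.
+// If |proc_fd| is -1 and /proc is not available, this function will return
+// false.
+bool HasOpenDirectory(int proc_fd);
+
 // Drop all capabilities in the effective, inheritable and permitted sets for
 // the current process.
 bool DropAllCapabilities();
 // Return true iff there is any capability in any of the capabilities sets
 // of the current process.
 bool HasAnyCapability() const;
 // Returns the capabilities of the current process in textual form, as
 // documented in libcap2's cap_to_text(3). This is mostly useful for
 // debugging and tests.
 scoped_ptr<std::string> GetCurrentCapString() const;
 
 // Move the current process to a new "user namespace" as supported by Linux
 // 3.8+ (CLONE_NEWUSER).
 // The uid map will be set-up so that the perceived uid and gid will not
 // change.
 // If this call succeeds, the current process will be granted a full set of
 // capabilities in the new namespace.
 bool MoveToNewUserNS();
 
 // Remove the ability of the process to access the file system. File
 // descriptors which are already open prior to calling this API remain
 // available.
 // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
 // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
 // Make sure to call DropAllCapabilities() after this call to prevent
 // escapes.
-// To be secure, it's very important for this API to not be called with any
-// directory file descriptor present. TODO(jln): integrate with
-// crbug.com/269806 when available.
+// To be secure, it's very important for this API to not be called while the
+// process has any directory file descriptor open.
 bool DropFileSystemAccess();
 
 private:
 DISALLOW_COPY_AND_ASSIGN(Credentials);
 };
 
 } // namespace sandbox.
 
 #endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_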
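Review bot: The documented contract of the new HasOpenDirectory() (new-side lines 39-40) fails open: when |proc_fd| is -1 and /proc is unavailable it returns false, which is the same value a caller sees when the process genuinely has no directory descriptor open, so a caller that gates DropFileSystemAccess() on this check cannot distinguish "checked and clean" from "could not check". Since the same comment explains that a stray directory descriptor lets a process bypass DropFileSystemAccess(), the header should at least say that a false result obtained without /proc is not a security guarantee, e.g. `// Callers relying on this check for security must pass a valid |proc_fd| instead of -1.`; a stronger fix would be a distinct result for "unable to inspect /proc" so the failure is visible rather than silently negative. Separately, nothing in the description suggests HasOpenDirectory() mutates the object, so for consistency with `bool HasAnyCapability() const;` it could be declared `bool HasOpenDirectory(int proc_fd) const;` — the implementation lives outside this header, so confirm before changing. The rewritten DropFileSystemAccess() comment (new lines 69-70) could also name HasOpenDirectory() as the check to run before calling it, since that is evidently what the new method exists for.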