
Side by Side Diff: sandbox/linux/services/credentials.cc

Issue 935333002: Update from https://crrev.com/316786 (Closed) Base URL: git@github.com:domokit/mojo.git@master
Patch Set: Created 5 years, 10 months ago
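--- a/sandbox/linux/services/credentials.cc
+++ b/sandbox/linux/services/credentials.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/services/credentials.h"
 
 #include <errno.h>
 #include <signal.h>
 #include <stdio.h>
 #include <sys/capability.h>
@@ -196,29 +196,33 @@
 }
 int ret = unshare(CLONE_NEWUSER);
 if (ret) {
 const int unshare_errno = errno;
 VLOG(1) << "Looks like unprivileged CLONE_NEWUSER may not be available "
 << "on this kernel.";
 CheckCloneNewUserErrno(unshare_errno);
 return false;
 }
 
+if (NamespaceUtils::KernelSupportsDenySetgroups()) {
+PCHECK(NamespaceUtils::DenySetgroups());
+}
+
 // The current {r,e,s}{u,g}id is now an overflow id (c.f.
 // /proc/sys/kernel/overflowuid). Setup the uid and gid maps.
 DCHECK(GetRESIds(NULL, NULL));
 const char kGidMapFile[] = "/proc/self/gid_map";
 const char kUidMapFile[] = "/proc/self/uid_map";
-CHECK(NamespaceUtils::WriteToIdMapFile(kGidMapFile, gid));
-CHECK(NamespaceUtils::WriteToIdMapFile(kUidMapFile, uid));
+PCHECK(NamespaceUtils::WriteToIdMapFile(kGidMapFile, gid));
+PCHECK(NamespaceUtils::WriteToIdMapFile(kUidMapFile, uid));
 DCHECK(GetRESIds(NULL, NULL));
 return true;
 }
 
 bool Credentials::DropFileSystemAccess() {
 CHECK(ChrootToSafeEmptyDir());
 CHECK(!base::DirectoryExists(base::FilePath("/proc")));
 // We never let this function fail.
 return true;
 }
 
 } // namespace sandbox.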
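Review bot: The new `DenySetgroups()` call at new lines 206-208 has no comment saying why it must precede the `gid_map` write a few lines below, so a later reorder would turn the `PCHECK` on `WriteToIdMapFile(kGidMapFile, gid)` into a crash on kernels that expose `/proc/self/setgroups`. I would add above the `if`: `// Must run before gid_map is written: kernels with /proc/self/setgroups reject an unprivileged gid_map write until setgroups is set to "deny".` The switch from `CHECK` to `PCHECK` only helps if `DenySetgroups()` and `WriteToIdMapFile()` leave `errno` from the failing call intact; both helpers are defined outside this page, so that is worth confirming (a `close()` or a log call after the failed write could overwrite it). The enclosing function starts in the skipped lines before 196, so its earlier setup was not reviewed.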