Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(486)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/linux/services/namespace_utils.h

Issue 935333002: Update from https://crrev.com/316786 (Closed) Base URL: git@github.com:domokit/mojo.git@master
Patch Set: Created 5 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « sandbox/linux/services/namespace_sandbox.cc ('k') | sandbox/linux/services/namespace_utils.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef SANDBOX_LINUX_SERVICES_NAMESPACE_UTILS_H_ 5 #ifndef SANDBOX_LINUX_SERVICES_NAMESPACE_UTILS_H_
6 #define SANDBOX_LINUX_SERVICES_NAMESPACE_UTILS_H_ 6 #define SANDBOX_LINUX_SERVICES_NAMESPACE_UTILS_H_
7 7
8 #include <sys/types.h> 8 #include <sys/types.h>
9 9
10 #include "base/compiler_specific.h" 10 #include "base/compiler_specific.h"
(...skipping 15 matching lines...) Expand all
26 static bool WriteToIdMapFile(const char* map_file, 26 static bool WriteToIdMapFile(const char* map_file,
27 generic_id_t id) WARN_UNUSED_RESULT; 27 generic_id_t id) WARN_UNUSED_RESULT;
28 28
29 // Returns true if unprivileged namespaces of type |type| is supported 29 // Returns true if unprivileged namespaces of type |type| is supported
30 // (meaning that both CLONE_NEWUSER and type are are supported). |type| must 30 // (meaning that both CLONE_NEWUSER and type are are supported). |type| must
31 // be one of CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, 31 // be one of CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID,
32 // CLONE_NEWUSER, or CLONE_NEWUTS. This relies on access to /proc, so it will 32 // CLONE_NEWUSER, or CLONE_NEWUTS. This relies on access to /proc, so it will
33 // not work from within a sandbox. 33 // not work from within a sandbox.
34 static bool KernelSupportsUnprivilegedNamespace(int type); 34 static bool KernelSupportsUnprivilegedNamespace(int type);
35 35
36 // Returns true if the kernel supports denying setgroups in a user namespace.
37 // On kernels where this is supported, DenySetgroups must be called before a
38 // gid mapping can be added.
39 static bool KernelSupportsDenySetgroups();
40
41 // Disables setgroups() within the current user namespace. On Linux 3.18.2 and
42 // later, this is required in order to write to /proc/self/gid_map without
43 // having CAP_SETGID. Callers can determine whether is this needed with
44 // KernelSupportsDenySetgroups. This function is async-signal-safe.
45 static bool DenySetgroups() WARN_UNUSED_RESULT;
46
36 private: 47 private:
37 DISALLOW_IMPLICIT_CONSTRUCTORS(NamespaceUtils); 48 DISALLOW_IMPLICIT_CONSTRUCTORS(NamespaceUtils);
38 }; 49 };
39 50
40 } // namespace sandbox 51 } // namespace sandbox
41 52
42 #endif // SANDBOX_LINUX_SERVICES_NAMESPACE_UTILS_H_ 53 #endif // SANDBOX_LINUX_SERVICES_NAMESPACE_UTILS_H_
OLDNEW
« no previous file with comments | « sandbox/linux/services/namespace_sandbox.cc ('k') | sandbox/linux/services/namespace_utils.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698