sandbox/linux/services/credentials.h - Issue 938223004: Linux sandbox: better APIs with /proc/ arguments

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: sandbox/linux/services/credentials.h

Issue 938223004: Linux sandbox: better APIs with /proc/ arguments (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Fix invalid proc_fd_ usage. Created 5 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: sandbox/linux/services/credentials.h

diff --git a/sandbox/linux/services/credentials.h b/sandbox/linux/services/credentials.h

index 2b761b6034aeb7445a0f114166b41c11f5eebdf7..6b37d4904eca5c53f5f3f18d50fa47aee6936792 100644

--- a/sandbox/linux/services/credentials.h

+++ b/sandbox/linux/services/credentials.h

@@ -29,7 +29,12 @@ class SANDBOX_EXPORT Credentials {

// the current process. For security reasons, since capabilities are

// per-thread, the caller is responsible for ensuring it is single-threaded

// when calling this API.

+ // |proc_fd| must be a file descriptor to /proc/ and remains owned by

+ // the caller.

+ static bool DropAllCapabilities(int proc_fd) WARN_UNUSED_RESULT;

+ // A similar API which assumes that it can open /proc/self/ by itself.

static bool DropAllCapabilities() WARN_UNUSED_RESULT;

// Return true iff there is any capability in any of the capabilities sets

// of the current process.

static bool HasAnyCapability();

@@ -58,13 +63,14 @@ class SANDBOX_EXPORT Credentials {

// available.

// The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.

// CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.

- // Make sure to call DropAllCapabilities() after this call to prevent

- // escapes.

- // To be secure, the caller must ensure that any directory file descriptors

- // are closed (for example, by checking the result of

- // ProcUtil::HasOpenDirectory with a file descriptor for /proc, then closing

- // that file descriptor). Otherwise it may be possible to escape the chroot.

- static bool DropFileSystemAccess() WARN_UNUSED_RESULT;

+ // |proc_fd| must be a file descriptor to /proc/ and must be the only open

+ // directory file descriptor of the process.

+ //

+ // CRITICAL:

+ // - the caller must close |proc_fd| eventually or access to the file

+ // system can be recovered.

+ // - DropAllCapabilities() must be called to prevent escapes.

+ static bool DropFileSystemAccess(int proc_fd) WARN_UNUSED_RESULT;

private:

DISALLOW_IMPLICIT_CONSTRUCTORS(Credentials);

« no previous file with comments | « sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc ('k') | sandbox/linux/services/credentials.cc » ('j') | no next file with comments »