Index: sandbox/linux/services/credentials.cc |
diff --git a/sandbox/linux/services/credentials.cc b/sandbox/linux/services/credentials.cc |
index 6f84a66b7a60f2877a7dc2d85ab7a1d31983c27b..8a9fe5d4bf1958e91d47c23b67a3ef44af16ad5a 100644 |
--- a/sandbox/linux/services/credentials.cc |
+++ b/sandbox/linux/services/credentials.cc |
@@ -153,6 +153,26 @@ bool Credentials::DropAllCapabilities() { |
return Credentials::DropAllCapabilities(proc_fd.get()); |
} |
+// static |
+bool Credentials::SetCapabilities(int proc_fd, |
+ const std::vector<cap_value_t>& caps) { |
+ DCHECK_LE(0, proc_fd); |
+ CHECK(ThreadHelpers::IsSingleThreaded(proc_fd)); |
jln (very slow on Chromium)
2015/03/10 22:14:22
#if !defined(THREAD_SANITIZER)
rickyz (no longer on Chrome)
2015/03/10 22:22:14
Done.
|
+ |
+ sandbox::ScopedCap cap(cap_init()); |
+ PCHECK(cap != nullptr); |
+ |
+ if (!caps.empty()) { |
+ const cap_flag_t flags[] = {CAP_EFFECTIVE, CAP_PERMITTED}; |
+ for (const cap_flag_t flag : flags) { |
+ PCHECK(cap_set_flag(cap.get(), flag, caps.size(), &caps.at(0), CAP_SET) == |
+ 0); |
+ } |
+ } |
+ |
+ return cap_set_proc(cap.get()) == 0; |
+} |
+ |
bool Credentials::HasAnyCapability() { |
ScopedCap current_cap(cap_get_proc()); |
CHECK(current_cap); |
@@ -161,6 +181,21 @@ bool Credentials::HasAnyCapability() { |
return cap_compare(current_cap.get(), empty_cap.get()) != 0; |
} |
+bool Credentials::HasCapability(cap_value_t cap) { |
+ ScopedCap current_cap(cap_get_proc()); |
+ PCHECK(current_cap); |
+ |
+ cap_flag_value_t value; |
+ const cap_flag_t flags[] = {CAP_EFFECTIVE, CAP_PERMITTED}; |
+ for (const cap_flag_t flag : flags) { |
+ PCHECK(cap_get_flag(current_cap.get(), cap, flag, &value) == 0); |
+ if (value == CAP_SET) { |
+ return true; |
+ } |
+ } |
+ return false; |
+} |
+ |
scoped_ptr<std::string> Credentials::GetCurrentCapString() { |
ScopedCap current_cap(cap_get_proc()); |
CHECK(current_cap); |