Add SetCapabilities for setting capabilities to an exact set.

sandbox/linux/services/credentials.cc

Index: sandbox/linux/services/credentials.cc
diff --git a/sandbox/linux/services/credentials.cc b/sandbox/linux/services/credentials.cc
index 6f84a66b7a60f2877a7dc2d85ab7a1d31983c27b..8a9fe5d4bf1958e91d47c23b67a3ef44af16ad5a 100644
--- a/sandbox/linux/services/credentials.cc
+++ b/sandbox/linux/services/credentials.cc
@@ -153,6 +153,26 @@ bool Credentials::DropAllCapabilities() {
   return Credentials::DropAllCapabilities(proc_fd.get());
 }
 
+// static
+bool Credentials::SetCapabilities(int proc_fd,
+                                  const std::vector<cap_value_t>& caps) {
+  DCHECK_LE(0, proc_fd);
+  CHECK(ThreadHelpers::IsSingleThreaded(proc_fd));

[jln (very slow on Chromium), 2015/03/10 22:14:22]

#if !defined(THREAD_SANITIZER)

[rickyz (no longer on Chrome), 2015/03/10 22:22:14]

Done.

+
+  sandbox::ScopedCap cap(cap_init());
+  PCHECK(cap != nullptr);
+
+  if (!caps.empty()) {
+    const cap_flag_t flags[] = {CAP_EFFECTIVE, CAP_PERMITTED};
+    for (const cap_flag_t flag : flags) {
+      PCHECK(cap_set_flag(cap.get(), flag, caps.size(), &caps.at(0), CAP_SET) ==
+             0);
+    }
+  }
+
+  return cap_set_proc(cap.get()) == 0;
+}
+
 bool Credentials::HasAnyCapability() {
   ScopedCap current_cap(cap_get_proc());
   CHECK(current_cap);
@@ -161,6 +181,21 @@ bool Credentials::HasAnyCapability() {
   return cap_compare(current_cap.get(), empty_cap.get()) != 0;
 }
 
+bool Credentials::HasCapability(cap_value_t cap) {
+  ScopedCap current_cap(cap_get_proc());
+  PCHECK(current_cap);
+
+  cap_flag_value_t value;
+  const cap_flag_t flags[] = {CAP_EFFECTIVE, CAP_PERMITTED};
+  for (const cap_flag_t flag : flags) {
+    PCHECK(cap_get_flag(current_cap.get(), cap, flag, &value) == 0);
+    if (value == CAP_SET) {
+      return true;
+    }
+  }
+  return false;
+}
+
 scoped_ptr<std::string> Credentials::GetCurrentCapString() {
   ScopedCap current_cap(cap_get_proc());
   CHECK(current_cap);