summaryrefslogtreecommitdiff
path: root/sandbox/linux/services/credentials.h
diff options
context:
space:
mode:
Diffstat (limited to 'sandbox/linux/services/credentials.h')
-rw-r--r--sandbox/linux/services/credentials.h104
1 files changed, 104 insertions, 0 deletions
diff --git a/sandbox/linux/services/credentials.h b/sandbox/linux/services/credentials.h
new file mode 100644
index 0000000000..0001dc7328
--- /dev/null
+++ b/sandbox/linux/services/credentials.h
@@ -0,0 +1,104 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
+#define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
+
+#include "build/build_config.h"
+// Link errors are tedious to track, raise a compile-time error instead.
+#if defined(OS_ANDROID)
+#error "Android is not supported."
+#endif // defined(OS_ANDROID).
+
+#include <string>
+#include <vector>
+
+#include "base/compiler_specific.h"
+#include "base/macros.h"
+#include "base/memory/scoped_ptr.h"
+#include "sandbox/linux/system_headers/capability.h"
+#include "sandbox/sandbox_export.h"
+
+namespace sandbox {
+
+// This class should be used to manipulate the current process' credentials.
+// It is currently a stub used to manipulate POSIX.1e capabilities as
+// implemented by the Linux kernel.
+class SANDBOX_EXPORT Credentials {
+ public:
+ // For brevity, we only expose enums for the subset of capabilities we use.
+ // This can be expanded as the need arises.
+ enum class Capability {
+ SYS_CHROOT,
+ SYS_ADMIN,
+ };
+
+ // Drop all capabilities in the effective, inheritable and permitted sets for
+ // the current thread. For security reasons, since capabilities are
+ // per-thread, the caller is responsible for ensuring it is single-threaded
+ // when calling this API.
+ // |proc_fd| must be a file descriptor to /proc/ and remains owned by
+ // the caller.
+ static bool DropAllCapabilities(int proc_fd) WARN_UNUSED_RESULT;
+ // A similar API which assumes that it can open /proc/self/ by itself.
+ static bool DropAllCapabilities() WARN_UNUSED_RESULT;
+ // Sets the effective and permitted capability sets for the current thread to
+ // the list of capabiltiies in |caps|. All other capability flags are cleared.
+ static bool SetCapabilities(int proc_fd,
+ const std::vector<Capability>& caps)
+ WARN_UNUSED_RESULT;
+
+ // Versions of the above functions which do not check that the process is
+ // single-threaded. After calling these functions, capabilities of other
+ // threads will not be changed. This is dangerous, do not use unless you nkow
+ // what you are doing.
+ static bool DropAllCapabilitiesOnCurrentThread() WARN_UNUSED_RESULT;
+ static bool SetCapabilitiesOnCurrentThread(
+ const std::vector<Capability>& caps) WARN_UNUSED_RESULT;
+
+ // Returns true if the current thread has either the effective, permitted, or
+ // inheritable flag set for the given capability.
+ static bool HasCapability(Capability cap);
+
+ // Return true iff there is any capability in any of the capabilities sets
+ // of the current thread.
+ static bool HasAnyCapability();
+
+ // Returns whether the kernel supports CLONE_NEWUSER and whether it would be
+ // possible to immediately move to a new user namespace. There is no point
+ // in using this method right before calling MoveToNewUserNS(), simply call
+ // MoveToNewUserNS() immediately. This method is only useful to test the
+ // ability to move to a user namespace ahead of time.
+ static bool CanCreateProcessInNewUserNS();
+
+ // Move the current process to a new "user namespace" as supported by Linux
+ // 3.8+ (CLONE_NEWUSER).
+ // The uid map will be set-up so that the perceived uid and gid will not
+ // change.
+ // If this call succeeds, the current process will be granted a full set of
+ // capabilities in the new namespace.
+ // This will fail if the process is not mono-threaded.
+ static bool MoveToNewUserNS() WARN_UNUSED_RESULT;
+
+ // Remove the ability of the process to access the file system. File
+ // descriptors which are already open prior to calling this API remain
+ // available.
+ // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
+ // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
+ // |proc_fd| must be a file descriptor to /proc/ and must be the only open
+ // directory file descriptor of the process.
+ //
+ // CRITICAL:
+ // - the caller must close |proc_fd| eventually or access to the file
+ // system can be recovered.
+ // - DropAllCapabilities() must be called to prevent escapes.
+ static bool DropFileSystemAccess(int proc_fd) WARN_UNUSED_RESULT;
+
+ private:
+ DISALLOW_IMPLICIT_CONSTRUCTORS(Credentials);
+};
+
+} // namespace sandbox.
+
+#endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-28 17:56:31 +0000