Updating trunk VERSION from 2139.0 to 2140.0
[chromium-blink-merge.git] / sandbox / linux / services / credentials.h
blob99f8f322dff62c9814ee131d97ec31fab4b1bbaf
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
6 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
8 #include "build/build_config.h"
9 // Link errors are tedious to track, raise a compile-time error instead.
10 #if defined(OS_ANDROID)
11 #error "Android is not supported."
12 #endif // defined(OS_ANDROID).
14 #include <string>
16 #include "base/basictypes.h"
17 #include "base/memory/scoped_ptr.h"
18 #include "sandbox/sandbox_export.h"
20 namespace sandbox {
22 // This class should be used to manipulate the current process' credentials.
23 // It is currently a stub used to manipulate POSIX.1e capabilities as
24 // implemented by the Linux kernel.
25 class SANDBOX_EXPORT Credentials {
26 public:
27 Credentials();
28 ~Credentials();
30 // Returns the number of file descriptors in the current process's FD
31 // table, excluding |proc_fd|, which should be a file descriptor for
32 // /proc.
33 int CountOpenFds(int proc_fd);
35 // Checks whether the current process has any directory file descriptor open.
36 // Directory file descriptors are "capabilities" that would let a process use
37 // system calls such as openat() to bypass restrictions such as
38 // DropFileSystemAccess().
39 // Sometimes it's useful to call HasOpenDirectory() after file system access
40 // has been dropped. In this case, |proc_fd| should be a file descriptor to
41 // /proc. The file descriptor in |proc_fd| will be ignored by
42 // HasOpenDirectory() and remains owned by the caller. It is very important
43 // for the caller to close it.
44 // If /proc is available, |proc_fd| can be passed as -1.
45 // If |proc_fd| is -1 and /proc is not available, this function will return
46 // false.
47 bool HasOpenDirectory(int proc_fd);
49 // Drop all capabilities in the effective, inheritable and permitted sets for
50 // the current process.
51 bool DropAllCapabilities();
52 // Return true iff there is any capability in any of the capabilities sets
53 // of the current process.
54 bool HasAnyCapability() const;
55 // Returns the capabilities of the current process in textual form, as
56 // documented in libcap2's cap_to_text(3). This is mostly useful for
57 // debugging and tests.
58 scoped_ptr<std::string> GetCurrentCapString() const;
60 // Returns whether the kernel supports CLONE_NEWUSER and whether it would be
61 // possible to immediately move to a new user namespace. There is no point
62 // in using this method right before calling MoveToNewUserNS(), simply call
63 // MoveToNewUserNS() immediately. This method is only useful to test kernel
64 // support ahead of time.
65 static bool SupportsNewUserNS();
67 // Move the current process to a new "user namespace" as supported by Linux
68 // 3.8+ (CLONE_NEWUSER).
69 // The uid map will be set-up so that the perceived uid and gid will not
70 // change.
71 // If this call succeeds, the current process will be granted a full set of
72 // capabilities in the new namespace.
73 bool MoveToNewUserNS();
75 // Remove the ability of the process to access the file system. File
76 // descriptors which are already open prior to calling this API remain
77 // available.
78 // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
79 // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
80 // Make sure to call DropAllCapabilities() after this call to prevent
81 // escapes.
82 // To be secure, it's very important for this API to not be called while the
83 // process has any directory file descriptor open.
84 bool DropFileSystemAccess();
86 private:
87 DISALLOW_COPY_AND_ASSIGN(Credentials);
90 } // namespace sandbox.
92 #endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_