sandbox/linux/services/credentials.h

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
   6 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
   7
   8 #include "build/build_config.h"
   9 // Link errors are tedious to track, raise a compile-time error instead.
  10 #if defined(OS_ANDROID)
  11 #error "Android is not supported."
  12 #endif  // defined(OS_ANDROID).
  13
  14 #include <string>
  15 #include <vector>
  16
  17 #include "base/compiler_specific.h"
  18 #include "base/macros.h"
  19 #include "base/memory/scoped_ptr.h"
  20 #include "sandbox/linux/system_headers/capability.h"
  21 #include "sandbox/sandbox_export.h"
  22
  23 namespace sandbox {
  24
  25 // This class should be used to manipulate the current process' credentials.
  26 // It is currently a stub used to manipulate POSIX.1e capabilities as
  27 // implemented by the Linux kernel.
  28 class SANDBOX_EXPORT Credentials {
  29  public:
  30   // For brevity, we only expose enums for the subset of capabilities we use.
  31   // This can be expanded as the need arises.
  32   enum class Capability {
  33     SYS_CHROOT,
  34     SYS_ADMIN,
  35   };
  36
  37   // Drop all capabilities in the effective, inheritable and permitted sets for
  38   // the current thread. For security reasons, since capabilities are
  39   // per-thread, the caller is responsible for ensuring it is single-threaded
  40   // when calling this API.
  41   // |proc_fd| must be a file descriptor to /proc/ and remains owned by
  42   // the caller.
  43   static bool DropAllCapabilities(int proc_fd) WARN_UNUSED_RESULT;
  44   // A similar API which assumes that it can open /proc/self/ by itself.
  45   static bool DropAllCapabilities() WARN_UNUSED_RESULT;
  46   // Sets the effective and permitted capability sets for the current thread to
  47   // the list of capabiltiies in |caps|. All other capability flags are cleared.
  48   static bool SetCapabilities(int proc_fd,
  49                               const std::vector<Capability>& caps)
  50       WARN_UNUSED_RESULT;
  51
  52   // Versions of the above functions which do not check that the process is
  53   // single-threaded. After calling these functions, capabilities of other
  54   // threads will not be changed. This is dangerous, do not use unless you nkow
  55   // what you are doing.
  56   static bool DropAllCapabilitiesOnCurrentThread() WARN_UNUSED_RESULT;
  57   static bool SetCapabilitiesOnCurrentThread(
  58       const std::vector<Capability>& caps) WARN_UNUSED_RESULT;
  59
  60   // Returns true if the current thread has either the effective, permitted, or
  61   // inheritable flag set for the given capability.
  62   static bool HasCapability(Capability cap);
  63
  64   // Return true iff there is any capability in any of the capabilities sets
  65   // of the current thread.
  66   static bool HasAnyCapability();
  67
  68   // Returns whether the kernel supports CLONE_NEWUSER and whether it would be
  69   // possible to immediately move to a new user namespace. There is no point
  70   // in using this method right before calling MoveToNewUserNS(), simply call
  71   // MoveToNewUserNS() immediately. This method is only useful to test the
  72   // ability to move to a user namespace ahead of time.
  73   static bool CanCreateProcessInNewUserNS();
  74
  75   // Move the current process to a new "user namespace" as supported by Linux
  76   // 3.8+ (CLONE_NEWUSER).
  77   // The uid map will be set-up so that the perceived uid and gid will not
  78   // change.
  79   // If this call succeeds, the current process will be granted a full set of
  80   // capabilities in the new namespace.
  81   // This will fail if the process is not mono-threaded.
  82   static bool MoveToNewUserNS() WARN_UNUSED_RESULT;
  83
  84   // Remove the ability of the process to access the file system. File
  85   // descriptors which are already open prior to calling this API remain
  86   // available.
  87   // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
  88   // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
  89   // |proc_fd| must be a file descriptor to /proc/ and must be the only open
  90   // directory file descriptor of the process.
  91   //
  92   // CRITICAL:
  93   //   - the caller must close |proc_fd| eventually or access to the file
  94   // system can be recovered.
  95   //   - DropAllCapabilities() must be called to prevent escapes.
  96   static bool DropFileSystemAccess(int proc_fd) WARN_UNUSED_RESULT;
  97
  98   // Forks and drops capabilities in the child.
  99   static pid_t ForkAndDropCapabilitiesInChild();
 100
 101  private:
 102   DISALLOW_IMPLICIT_CONSTRUCTORS(Credentials);
 103 };
 104
 105 }  // namespace sandbox.
 106
 107 #endif  // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_