Roll src/third_party/WebKit d9c6159:8139f33 (svn 201974:201975)
[chromium-blink-merge.git] / sandbox / linux / services / credentials.h
blob095d636d42712c2132fd7aa3d9e995836eb646fa
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
6 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
8 #include "build/build_config.h"
9 // Link errors are tedious to track, raise a compile-time error instead.
10 #if defined(OS_ANDROID)
11 #error "Android is not supported."
12 #endif // defined(OS_ANDROID).
14 #include <string>
15 #include <vector>
17 #include "base/compiler_specific.h"
18 #include "base/macros.h"
19 #include "base/memory/scoped_ptr.h"
20 #include "sandbox/linux/system_headers/capability.h"
21 #include "sandbox/sandbox_export.h"
23 namespace sandbox {
25 // This class should be used to manipulate the current process' credentials.
26 // It is currently a stub used to manipulate POSIX.1e capabilities as
27 // implemented by the Linux kernel.
28 class SANDBOX_EXPORT Credentials {
29 public:
30 // For brevity, we only expose enums for the subset of capabilities we use.
31 // This can be expanded as the need arises.
32 enum class Capability {
33 SYS_CHROOT,
34 SYS_ADMIN,
37 // Drop all capabilities in the effective, inheritable and permitted sets for
38 // the current thread. For security reasons, since capabilities are
39 // per-thread, the caller is responsible for ensuring it is single-threaded
40 // when calling this API.
41 // |proc_fd| must be a file descriptor to /proc/ and remains owned by
42 // the caller.
43 static bool DropAllCapabilities(int proc_fd) WARN_UNUSED_RESULT;
44 // A similar API which assumes that it can open /proc/self/ by itself.
45 static bool DropAllCapabilities() WARN_UNUSED_RESULT;
46 // Sets the effective and permitted capability sets for the current thread to
47 // the list of capabiltiies in |caps|. All other capability flags are cleared.
48 static bool SetCapabilities(int proc_fd,
49 const std::vector<Capability>& caps)
50 WARN_UNUSED_RESULT;
52 // Versions of the above functions which do not check that the process is
53 // single-threaded. After calling these functions, capabilities of other
54 // threads will not be changed. This is dangerous, do not use unless you nkow
55 // what you are doing.
56 static bool DropAllCapabilitiesOnCurrentThread() WARN_UNUSED_RESULT;
57 static bool SetCapabilitiesOnCurrentThread(
58 const std::vector<Capability>& caps) WARN_UNUSED_RESULT;
60 // Returns true if the current thread has either the effective, permitted, or
61 // inheritable flag set for the given capability.
62 static bool HasCapability(Capability cap);
64 // Return true iff there is any capability in any of the capabilities sets
65 // of the current thread.
66 static bool HasAnyCapability();
68 // Returns whether the kernel supports CLONE_NEWUSER and whether it would be
69 // possible to immediately move to a new user namespace. There is no point
70 // in using this method right before calling MoveToNewUserNS(), simply call
71 // MoveToNewUserNS() immediately. This method is only useful to test the
72 // ability to move to a user namespace ahead of time.
73 static bool CanCreateProcessInNewUserNS();
75 // Move the current process to a new "user namespace" as supported by Linux
76 // 3.8+ (CLONE_NEWUSER).
77 // The uid map will be set-up so that the perceived uid and gid will not
78 // change.
79 // If this call succeeds, the current process will be granted a full set of
80 // capabilities in the new namespace.
81 // This will fail if the process is not mono-threaded.
82 static bool MoveToNewUserNS() WARN_UNUSED_RESULT;
84 // Remove the ability of the process to access the file system. File
85 // descriptors which are already open prior to calling this API remain
86 // available.
87 // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
88 // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
89 // |proc_fd| must be a file descriptor to /proc/ and must be the only open
90 // directory file descriptor of the process.
92 // CRITICAL:
93 // - the caller must close |proc_fd| eventually or access to the file
94 // system can be recovered.
95 // - DropAllCapabilities() must be called to prevent escapes.
96 static bool DropFileSystemAccess(int proc_fd) WARN_UNUSED_RESULT;
98 // Forks and drops capabilities in the child.
99 static pid_t ForkAndDropCapabilitiesInChild();
101 private:
102 DISALLOW_IMPLICIT_CONSTRUCTORS(Credentials);
105 } // namespace sandbox.
107 #endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_