1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
6 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
8 #include "build/build_config.h"
9 // Link errors are tedious to track, raise a compile-time error instead.
10 #if defined(OS_ANDROID)
11 #error "Android is not supported."
12 #endif // defined(OS_ANDROID).
16 #include "base/basictypes.h"
17 #include "base/compiler_specific.h"
18 #include "base/memory/scoped_ptr.h"
19 #include "sandbox/sandbox_export.h"
23 // This class should be used to manipulate the current process' credentials.
24 // It is currently a stub used to manipulate POSIX.1e capabilities as
25 // implemented by the Linux kernel.
26 class SANDBOX_EXPORT Credentials
{
28 // Drop all capabilities in the effective, inheritable and permitted sets for
29 // the current process. For security reasons, since capabilities are
30 // per-thread, the caller is responsible for ensuring it is single-threaded
31 // when calling this API.
32 static bool DropAllCapabilities() WARN_UNUSED_RESULT
;
33 // Return true iff there is any capability in any of the capabilities sets
34 // of the current process.
35 static bool HasAnyCapability();
36 // Returns the capabilities of the current process in textual form, as
37 // documented in libcap2's cap_to_text(3). This is mostly useful for
38 // debugging and tests.
39 static scoped_ptr
<std::string
> GetCurrentCapString();
41 // Returns whether the kernel supports CLONE_NEWUSER and whether it would be
42 // possible to immediately move to a new user namespace. There is no point
43 // in using this method right before calling MoveToNewUserNS(), simply call
44 // MoveToNewUserNS() immediately. This method is only useful to test the
45 // ability to move to a user namespace ahead of time.
46 static bool CanCreateProcessInNewUserNS();
48 // Move the current process to a new "user namespace" as supported by Linux
49 // 3.8+ (CLONE_NEWUSER).
50 // The uid map will be set-up so that the perceived uid and gid will not
52 // If this call succeeds, the current process will be granted a full set of
53 // capabilities in the new namespace.
54 static bool MoveToNewUserNS() WARN_UNUSED_RESULT
;
56 // Remove the ability of the process to access the file system. File
57 // descriptors which are already open prior to calling this API remain
59 // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
60 // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
61 // Make sure to call DropAllCapabilities() after this call to prevent
63 // To be secure, the caller must ensure that any directory file descriptors
64 // are closed (for example, by checking the result of
65 // ProcUtil::HasOpenDirectory with a file descriptor for /proc, then closing
66 // that file descriptor). Otherwise it may be possible to escape the chroot.
67 static bool DropFileSystemAccess() WARN_UNUSED_RESULT
;
70 DISALLOW_IMPLICIT_CONSTRUCTORS(Credentials
);
73 } // namespace sandbox.
75 #endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_