sandbox/linux/services/credentials.h

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
   6 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
   7
   8 #include "build/build_config.h"
   9 // Link errors are tedious to track, raise a compile-time error instead.
  10 #if defined(OS_ANDROID)
  11 #error "Android is not supported."
  12 #endif  // defined(OS_ANDROID).
  13
  14 #include <string>
  15
  16 #include "base/basictypes.h"
  17 #include "base/compiler_specific.h"
  18 #include "base/memory/scoped_ptr.h"
  19 #include "sandbox/sandbox_export.h"
  20
  21 namespace sandbox {
  22
  23 // This class should be used to manipulate the current process' credentials.
  24 // It is currently a stub used to manipulate POSIX.1e capabilities as
  25 // implemented by the Linux kernel.
  26 class SANDBOX_EXPORT Credentials {
  27  public:
  28   // Drop all capabilities in the effective, inheritable and permitted sets for
  29   // the current process. For security reasons, since capabilities are
  30   // per-thread, the caller is responsible for ensuring it is single-threaded
  31   // when calling this API.
  32   // |proc_fd| must be a file descriptor to /proc/ and remains owned by
  33   // the caller.
  34   static bool DropAllCapabilities(int proc_fd) WARN_UNUSED_RESULT;
  35   // A similar API which assumes that it can open /proc/self/ by itself.
  36   static bool DropAllCapabilities() WARN_UNUSED_RESULT;
  37
  38   // Return true iff there is any capability in any of the capabilities sets
  39   // of the current process.
  40   static bool HasAnyCapability();
  41   // Returns the capabilities of the current process in textual form, as
  42   // documented in libcap2's cap_to_text(3). This is mostly useful for
  43   // debugging and tests.
  44   static scoped_ptr<std::string> GetCurrentCapString();
  45
  46   // Returns whether the kernel supports CLONE_NEWUSER and whether it would be
  47   // possible to immediately move to a new user namespace. There is no point
  48   // in using this method right before calling MoveToNewUserNS(), simply call
  49   // MoveToNewUserNS() immediately. This method is only useful to test the
  50   // ability to move to a user namespace ahead of time.
  51   static bool CanCreateProcessInNewUserNS();
  52
  53   // Move the current process to a new "user namespace" as supported by Linux
  54   // 3.8+ (CLONE_NEWUSER).
  55   // The uid map will be set-up so that the perceived uid and gid will not
  56   // change.
  57   // If this call succeeds, the current process will be granted a full set of
  58   // capabilities in the new namespace.
  59   // This will fail if the process is not mono-threaded.
  60   static bool MoveToNewUserNS() WARN_UNUSED_RESULT;
  61
  62   // Remove the ability of the process to access the file system. File
  63   // descriptors which are already open prior to calling this API remain
  64   // available.
  65   // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
  66   // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
  67   // |proc_fd| must be a file descriptor to /proc/ and must be the only open
  68   // directory file descriptor of the process.
  69   //
  70   // CRITICAL:
  71   //   - the caller must close |proc_fd| eventually or access to the file
  72   // system can be recovered.
  73   //   - DropAllCapabilities() must be called to prevent escapes.
  74   static bool DropFileSystemAccess(int proc_fd) WARN_UNUSED_RESULT;
  75
  76  private:
  77   DISALLOW_IMPLICIT_CONSTRUCTORS(Credentials);
  78 };
  79
  80 }  // namespace sandbox.
  81
  82 #endif  // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_