      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef SANDBOX_LINUX_SUID_SETUID_SANDBOX_CLIENT_H_
      6 #define SANDBOX_LINUX_SUID_SETUID_SANDBOX_CLIENT_H_
      7 
      8 #include "base/basictypes.h"
      9 #include "base/callback_forward.h"
     10 
     11 namespace base { class Environment; }
     12 
     13 namespace sandbox {
     14 
// Client-side helper for the setuid sandbox. The same class serves two
// phases: the launcher uses it before starting the setuid helper, and the
// launched process uses it after having been executed through that helper.
//
// Typical sequence:
// 1. The browser calls SetupLaunchEnvironment().
// 2. The browser launches a renderer through the setuid sandbox.
// 3. The renderer asks to be chroot-ed with ChrootMe() and reads the
//    remaining sandboxing state through the Is*() status functions.
class SetuidSandboxClient {
 public:
  // Factory method; every instance is meant to be obtained through it.
  // NOTE(review): a raw pointer is returned and the destructor is public, so
  // the caller presumably owns the object and must delete it (confirm against
  // the implementation).
  static SetuidSandboxClient* Create();
  ~SetuidSandboxClient();

  // Launcher side: prepares the environment. Call this before launching the
  // setuid helper.
  void SetupLaunchEnvironment();

  // Child side: asks the setuid helper, over the setuid sandbox IPC channel,
  // to chroot() this process into an empty directory. This can only work when
  // the process was launched through the setuid helper.
  // NOTE(review): the bool result presumably reports whether the request
  // succeeded; callers should check it rather than assume the process is
  // confined (confirm against the implementation).
  bool ChrootMe();

  // When a new PID namespace is created, the process with pid == 1 is
  // expected to take over the role of init. The API is described in
  // sandbox/linux/services/init_process_reaper.h.
  // NOTE(review): ownership and lifetime of |post_fork_parent_callback| are
  // not stated in this header; check the reaper API before passing a pointer
  // to a short-lived closure.
  bool CreateInitProcessReaper(base::Closure* post_fork_parent_callback);

  // Status queries. This header does not show where the answers come from;
  // confirm their source in the implementation before basing a security
  // decision on them.
  //
  // True if the setuid binary that launched us is up to date.
  bool IsSuidSandboxUpToDate() const;
  // True if we were launched through the setuid helper.
  bool IsSuidSandboxChild() const;
  // True if the setuid helper created a new PID namespace.
  bool IsInNewPIDNamespace() const;
  // True if the setuid helper created a new network namespace.
  bool IsInNewNETNamespace() const;
  // True once sandboxing is complete and the process is fully sandboxed.
  bool IsSandboxed() const;

 private:
  // The environment this client works with. Never NULL.
  // NOTE(review): held as a raw pointer; who releases it is not visible in
  // this header.
  base::Environment* env_;
  // Presumably the state reported by IsSandboxed() (verify in the .cc file).
  bool sandboxed_;
  // Keeps implicit construction and copying unavailable to outside code, in
  // line with instances coming only from Create().
  DISALLOW_IMPLICIT_CONSTRUCTORS(SetuidSandboxClient);
};
     61 
     62 }  // namespace sandbox
     63 
     64 #endif  // SANDBOX_LINUX_SUID_SETUID_SANDBOX_CLIENT_H_