// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
#define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_

#include "build/build_config.h"
// Link errors are tedious to track, raise a compile-time error instead.
#if defined(OS_ANDROID)
#error "Android is not supported."
#endif  // defined(OS_ANDROID).

#include <string>

#include "base/basictypes.h"
#include "base/memory/scoped_ptr.h"
#include "sandbox/sandbox_export.h"

namespace sandbox {

// This class should be used to manipulate the current process' credentials.
// It is currently a stub used to manipulate POSIX.1e capabilities as
// implemented by the Linux kernel.
//
// The lock-down sequence implied by the per-method documentation below is:
//   1. MoveToNewUserNS() to acquire CAP_SYS_CHROOT (among others);
//   2. DropFileSystemAccess() while no directory file descriptor is open
//      (HasOpenDirectory() can check this precondition);
//   3. DropAllCapabilities() so the resulting chroot(2) cannot be escaped.
// Each step returns bool; callers must check every result rather than assume
// the restriction took effect.
class SANDBOX_EXPORT Credentials {
 public:
  Credentials();
  ~Credentials();

  // Returns the number of file descriptors in the current process's FD
  // table, excluding |proc_fd|, which should be a file descriptor for
  // /proc.
  // NOTE(review): the behavior when |proc_fd| is invalid or /proc cannot be
  // read is not documented here; confirm against the implementation.
  int CountOpenFds(int proc_fd);

  // Checks whether the current process has any directory file descriptor open.
  // Directory file descriptors are "capabilities" that would let a process use
  // system calls such as openat() to bypass restrictions such as
  // DropFileSystemAccess().
  // Sometimes it's useful to call HasOpenDirectory() after file system access
  // has been dropped. In this case, |proc_fd| should be a file descriptor to
  // /proc. The file descriptor in |proc_fd| will be ignored by
  // HasOpenDirectory() and remains owned by the caller. It is very important
  // for the caller to close it.
  // If /proc is available, |proc_fd| can be passed as -1.
  // If |proc_fd| is -1 and /proc is not available, this function will return
  // false. Note that "false" therefore means "no directory FD was found",
  // not "the check was performed successfully"; callers that rely on this
  // check for security should pass a valid |proc_fd|.
  bool HasOpenDirectory(int proc_fd);

  // Drop all capabilities in the effective, inheritable and permitted sets for
  // the current process.
  // NOTE(review): the meaning of the return value is not documented here;
  // presumably true on success -- confirm against the implementation.
  bool DropAllCapabilities();
  // Return true iff there is any capability in any of the capabilities sets
  // of the current process.
  bool HasAnyCapability() const;
  // Returns the capabilities of the current process in textual form, as
  // documented in libcap2's cap_to_text(3). This is mostly useful for
  // debugging and tests.
  scoped_ptr<std::string> GetCurrentCapString() const;

  // Returns whether the kernel supports CLONE_NEWUSER and whether it would be
  // possible to immediately move to a new user namespace. There is no point
  // in using this method right before calling MoveToNewUserNS(), simply call
  // MoveToNewUserNS() immediately. This method is only useful to test kernel
  // support ahead of time.
  static bool SupportsNewUserNS();

  // Move the current process to a new "user namespace" as supported by Linux
  // 3.8+ (CLONE_NEWUSER).
  // The uid map will be set-up so that the perceived uid and gid will not
  // change.
  // If this call succeeds, the current process will be granted a full set of
  // capabilities in the new namespace. Those capabilities are what makes
  // DropFileSystemAccess() possible; drop them with DropAllCapabilities()
  // once they are no longer needed.
  // Presumably returns true on success -- the header does not say so
  // explicitly.
  bool MoveToNewUserNS();

  // Remove the ability of the process to access the file system. File
  // descriptors which are already open prior to calling this API remain
  // available.
  // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
  // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
  // Make sure to call DropAllCapabilities() after this call to prevent
  // escapes.
  // To be secure, it's very important for this API to not be called while the
  // process has any directory file descriptor open; HasOpenDirectory() exists
  // to verify that precondition.
  bool DropFileSystemAccess();

 private:
  // The object is a thin handle on process-wide state; copying it would be
  // meaningless.
  DISALLOW_COPY_AND_ASSIGN(Credentials);
};

}  // namespace sandbox.

#endif  // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_