Home | History | Annotate | Download | only in services
      1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
      6 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
      7 
      8 #include "build/build_config.h"
      9 // Link errors are tedious to track, raise a compile-time error instead.
     10 #if defined(OS_ANDROID)
     11 #error "Android is not supported."
     12 #endif  // defined(OS_ANDROID).
     13 
     14 #include <string>
     15 #include <vector>
     16 
     17 #include "base/compiler_specific.h"
     18 #include "base/macros.h"
     19 #include "base/memory/scoped_ptr.h"
     20 #include "sandbox/linux/system_headers/capability.h"
     21 #include "sandbox/sandbox_export.h"
     22 
     23 namespace sandbox {
     24 
     25 // This class should be used to manipulate the current process' credentials.
     26 // It is currently a stub used to manipulate POSIX.1e capabilities as
     27 // implemented by the Linux kernel.
     28 class SANDBOX_EXPORT Credentials {
     29  public:
     30   // For brevity, we only expose enums for the subset of capabilities we use.
     31   // This can be expanded as the need arises.
     32   enum class Capability {
     33     SYS_CHROOT,
     34     SYS_ADMIN,
     35   };
     36 
     37   // Drop all capabilities in the effective, inheritable and permitted sets for
     38   // the current thread. For security reasons, since capabilities are
     39   // per-thread, the caller is responsible for ensuring it is single-threaded
     40   // when calling this API.
     41   // |proc_fd| must be a file descriptor to /proc/ and remains owned by
     42   // the caller.
     43   static bool DropAllCapabilities(int proc_fd) WARN_UNUSED_RESULT;
     44   // A similar API which assumes that it can open /proc/self/ by itself.
     45   static bool DropAllCapabilities() WARN_UNUSED_RESULT;
     46   // Sets the effective and permitted capability sets for the current thread to
     47   // the list of capabiltiies in |caps|. All other capability flags are cleared.
     48   static bool SetCapabilities(int proc_fd,
     49                               const std::vector<Capability>& caps)
     50       WARN_UNUSED_RESULT;
     51 
     52   // Versions of the above functions which do not check that the process is
     53   // single-threaded. After calling these functions, capabilities of other
     54   // threads will not be changed. This is dangerous, do not use unless you nkow
     55   // what you are doing.
     56   static bool DropAllCapabilitiesOnCurrentThread() WARN_UNUSED_RESULT;
     57   static bool SetCapabilitiesOnCurrentThread(
     58       const std::vector<Capability>& caps) WARN_UNUSED_RESULT;
     59 
     60   // Returns true if the current thread has either the effective, permitted, or
     61   // inheritable flag set for the given capability.
     62   static bool HasCapability(Capability cap);
     63 
     64   // Return true iff there is any capability in any of the capabilities sets
     65   // of the current thread.
     66   static bool HasAnyCapability();
     67 
     68   // Returns whether the kernel supports CLONE_NEWUSER and whether it would be
     69   // possible to immediately move to a new user namespace. There is no point
     70   // in using this method right before calling MoveToNewUserNS(), simply call
     71   // MoveToNewUserNS() immediately. This method is only useful to test the
     72   // ability to move to a user namespace ahead of time.
     73   static bool CanCreateProcessInNewUserNS();
     74 
     75   // Move the current process to a new "user namespace" as supported by Linux
     76   // 3.8+ (CLONE_NEWUSER).
     77   // The uid map will be set-up so that the perceived uid and gid will not
     78   // change.
     79   // If this call succeeds, the current process will be granted a full set of
     80   // capabilities in the new namespace.
     81   // This will fail if the process is not mono-threaded.
     82   static bool MoveToNewUserNS() WARN_UNUSED_RESULT;
     83 
     84   // Remove the ability of the process to access the file system. File
     85   // descriptors which are already open prior to calling this API remain
     86   // available.
     87   // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
     88   // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
     89   // |proc_fd| must be a file descriptor to /proc/ and must be the only open
     90   // directory file descriptor of the process.
     91   //
     92   // CRITICAL:
     93   //   - the caller must close |proc_fd| eventually or access to the file
     94   // system can be recovered.
     95   //   - DropAllCapabilities() must be called to prevent escapes.
     96   static bool DropFileSystemAccess(int proc_fd) WARN_UNUSED_RESULT;
     97 
     98   // Forks and drops capabilities in the child.
     99   static pid_t ForkAndDropCapabilitiesInChild();
    100 
    101  private:
    102   DISALLOW_IMPLICIT_CONSTRUCTORS(Credentials);
    103 };
    104 
    105 }  // namespace sandbox.
    106 
    107 #endif  // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
    108