summaryrefslogtreecommitdiffstats
path: root/sandbox/linux/services/credentials.h
blob: c23db930df270ea39d95845fadda268f94b01cd5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
#define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_

#include "build/build_config.h"
// Link errors are tedious to track, raise a compile-time error instead.
#if defined(OS_ANDROID)
#error "Android is not supported."
#endif  // defined(OS_ANDROID).

#include <string>

#include "base/basictypes.h"
#include "base/memory/scoped_ptr.h"

namespace sandbox {

// This class should be used to manipulate the current process' credentials.
// It is currently a stub used to manipulate POSIX.1e capabilities as
// implemented by the Linux kernel.
class Credentials {
 public:
  Credentials();
  ~Credentials();

  // Checks whether the current process has any directory file descriptor open.
  // Directory file descriptors are "capabilities" that would let a process use
  // system calls such as openat() to bypass restrictions such as
  // DropFileSystemAccess().
  // Sometimes it's useful to call HasOpenDirectory() after file system access
  // has been dropped. In this case, |proc_fd| should be a file descriptor to
  // /proc. The file descriptor in |proc_fd| will be ignored by
  // HasOpenDirectory() and remains owned by the caller. It is very important
  // for the caller to close it.
  // If /proc is available, |proc_fd| can be passed as -1.
  // If |proc_fd| is -1 and /proc is not available, this function will return
  // false.
  bool HasOpenDirectory(int proc_fd);

  // Drop all capabilities in the effective, inheritable and permitted sets for
  // the current process.
  bool DropAllCapabilities();
  // Return true iff there is any capability in any of the capabilities sets
  // of the current process.
  bool HasAnyCapability() const;
  // Returns the capabilities of the current process in textual form, as
  // documented in libcap2's cap_to_text(3). This is mostly useful for
  // debugging and tests.
  scoped_ptr<std::string> GetCurrentCapString() const;

  // Move the current process to a new "user namespace" as supported by Linux
  // 3.8+ (CLONE_NEWUSER).
  // The uid map will be set-up so that the perceived uid and gid will not
  // change.
  // If this call succeeds, the current process will be granted a full set of
  // capabilities in the new namespace.
  bool MoveToNewUserNS();

  // Remove the ability of the process to access the file system. File
  // descriptors which are already open prior to calling this API remain
  // available.
  // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
  // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
  // Make sure to call DropAllCapabilities() after this call to prevent
  // escapes.
  // To be secure, it's very important for this API to not be called while the
  // process has any directory file descriptor open.
  bool DropFileSystemAccess();

 private:
  DISALLOW_COPY_AND_ASSIGN(Credentials);
};

}  // namespace sandbox.

#endif  // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_