1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ 6 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ 7 8 #include "build/build_config.h" 9 // Link errors are tedious to track, raise a compile-time error instead. 10 #if defined(OS_ANDROID) 11 #error "Android is not supported." 12 #endif // defined(OS_ANDROID). 13 14 #include <string> 15 #include <vector> 16 17 #include "base/compiler_specific.h" 18 #include "base/macros.h" 19 #include "base/memory/scoped_ptr.h" 20 #include "sandbox/linux/system_headers/capability.h" 21 #include "sandbox/sandbox_export.h" 22 23 namespace sandbox { 24 25 // This class should be used to manipulate the current process' credentials. 26 // It is currently a stub used to manipulate POSIX.1e capabilities as 27 // implemented by the Linux kernel. 28 class SANDBOX_EXPORT Credentials { 29 public: 30 // For brevity, we only expose enums for the subset of capabilities we use. 31 // This can be expanded as the need arises. 32 enum class Capability { 33 SYS_CHROOT, 34 SYS_ADMIN, 35 }; 36 37 // Drop all capabilities in the effective, inheritable and permitted sets for 38 // the current thread. For security reasons, since capabilities are 39 // per-thread, the caller is responsible for ensuring it is single-threaded 40 // when calling this API. 41 // |proc_fd| must be a file descriptor to /proc/ and remains owned by 42 // the caller. 43 static bool DropAllCapabilities(int proc_fd) WARN_UNUSED_RESULT; 44 // A similar API which assumes that it can open /proc/self/ by itself. 45 static bool DropAllCapabilities() WARN_UNUSED_RESULT; 46 // Sets the effective and permitted capability sets for the current thread to 47 // the list of capabiltiies in |caps|. All other capability flags are cleared. 48 static bool SetCapabilities(int proc_fd, 49 const std::vector<Capability>& caps) 50 WARN_UNUSED_RESULT; 51 52 // Versions of the above functions which do not check that the process is 53 // single-threaded. After calling these functions, capabilities of other 54 // threads will not be changed. This is dangerous, do not use unless you nkow 55 // what you are doing. 56 static bool DropAllCapabilitiesOnCurrentThread() WARN_UNUSED_RESULT; 57 static bool SetCapabilitiesOnCurrentThread( 58 const std::vector<Capability>& caps) WARN_UNUSED_RESULT; 59 60 // Returns true if the current thread has either the effective, permitted, or 61 // inheritable flag set for the given capability. 62 static bool HasCapability(Capability cap); 63 64 // Return true iff there is any capability in any of the capabilities sets 65 // of the current thread. 66 static bool HasAnyCapability(); 67 68 // Returns whether the kernel supports CLONE_NEWUSER and whether it would be 69 // possible to immediately move to a new user namespace. There is no point 70 // in using this method right before calling MoveToNewUserNS(), simply call 71 // MoveToNewUserNS() immediately. This method is only useful to test the 72 // ability to move to a user namespace ahead of time. 73 static bool CanCreateProcessInNewUserNS(); 74 75 // Move the current process to a new "user namespace" as supported by Linux 76 // 3.8+ (CLONE_NEWUSER). 77 // The uid map will be set-up so that the perceived uid and gid will not 78 // change. 79 // If this call succeeds, the current process will be granted a full set of 80 // capabilities in the new namespace. 81 // This will fail if the process is not mono-threaded. 82 static bool MoveToNewUserNS() WARN_UNUSED_RESULT; 83 84 // Remove the ability of the process to access the file system. File 85 // descriptors which are already open prior to calling this API remain 86 // available. 87 // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT. 88 // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API. 89 // |proc_fd| must be a file descriptor to /proc/ and must be the only open 90 // directory file descriptor of the process. 91 // 92 // CRITICAL: 93 // - the caller must close |proc_fd| eventually or access to the file 94 // system can be recovered. 95 // - DropAllCapabilities() must be called to prevent escapes. 96 static bool DropFileSystemAccess(int proc_fd) WARN_UNUSED_RESULT; 97 98 // Forks and drops capabilities in the child. 99 static pid_t ForkAndDropCapabilitiesInChild(); 100 101 private: 102 DISALLOW_IMPLICIT_CONSTRUCTORS(Credentials); 103 }; 104 105 } // namespace sandbox. 106 107 #endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_ 108