// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
#define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
#include "build/build_config.h"
// Link errors are tedious to track, raise a compile-time error instead.
#if defined(OS_ANDROID)
#error "Android is not supported."
#endif // defined(OS_ANDROID).
#include <string>
#include "base/basictypes.h"
#include "base/memory/scoped_ptr.h"
#include "sandbox/linux/sandbox_export.h"
namespace sandbox {
// This class should be used to manipulate the current process' credentials.
// It is currently a stub used to manipulate POSIX.1e capabilities as
// implemented by the Linux kernel.
class SANDBOX_EXPORT Credentials {
public:
Credentials();
~Credentials();
// Checks whether the current process has any directory file descriptor open.
// Directory file descriptors are "capabilities" that would let a process use
// system calls such as openat() to bypass restrictions such as
// DropFileSystemAccess().
// Sometimes it's useful to call HasOpenDirectory() after file system access
// has been dropped. In this case, |proc_fd| should be a file descriptor to
// /proc. The file descriptor in |proc_fd| will be ignored by
// HasOpenDirectory() and remains owned by the caller. It is very important
// for the caller to close it.
// If /proc is available, |proc_fd| can be passed as -1.
// If |proc_fd| is -1 and /proc is not available, this function will return
// false.
bool HasOpenDirectory(int proc_fd);
// Drop all capabilities in the effective, inheritable and permitted sets for
// the current process.
bool DropAllCapabilities();
// Return true iff there is any capability in any of the capabilities sets
// of the current process.
bool HasAnyCapability() const;
// Returns the capabilities of the current process in textual form, as
// documented in libcap2's cap_to_text(3). This is mostly useful for
// debugging and tests.
scoped_ptr<std::string> GetCurrentCapString() const;
// Returns whether the kernel supports CLONE_NEWUSER and whether it would be
// possible to immediately move to a new user namespace. There is no point
// in using this method right before calling MoveToNewUserNS(), simply call
// MoveToNewUserNS() immediately. This method is only useful to test kernel
// support ahead of time.
static bool SupportsNewUserNS();
// Move the current process to a new "user namespace" as supported by Linux
// 3.8+ (CLONE_NEWUSER).
// The uid map will be set-up so that the perceived uid and gid will not
// change.
// If this call succeeds, the current process will be granted a full set of
// capabilities in the new namespace.
bool MoveToNewUserNS();
// Remove the ability of the process to access the file system. File
// descriptors which are already open prior to calling this API remain
// available.
// The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
// CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
// Make sure to call DropAllCapabilities() after this call to prevent
// escapes.
// To be secure, it's very important for this API to not be called while the
// process has any directory file descriptor open.
bool DropFileSystemAccess();
private:
DISALLOW_COPY_AND_ASSIGN(Credentials);
};
} // namespace sandbox.
#endif // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_