1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
6 #define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
7 
8 #include "build/build_config.h"
9 // Link errors are tedious to track, raise a compile-time error instead.
10 #if defined(OS_ANDROID)
11 #error "Android is not supported."
12 #endif  // defined(OS_ANDROID).
13 
14 #include <string>
15 #include <vector>
16 
17 #include "base/compiler_specific.h"
18 #include "base/macros.h"
19 #include "sandbox/linux/system_headers/capability.h"
20 #include "sandbox/sandbox_export.h"
21 
22 namespace sandbox {
23 
24 // This class should be used to manipulate the current process' credentials.
25 // It is currently a stub used to manipulate POSIX.1e capabilities as
26 // implemented by the Linux kernel.
27 class SANDBOX_EXPORT Credentials {
28  public:
29   // For brevity, we only expose enums for the subset of capabilities we use.
30   // This can be expanded as the need arises.
31   enum class Capability {
32     SYS_CHROOT,
33     SYS_ADMIN,
34   };
35 
36   // Drop all capabilities in the effective, inheritable and permitted sets for
37   // the current thread. For security reasons, since capabilities are
38   // per-thread, the caller is responsible for ensuring it is single-threaded
39   // when calling this API.
40   // |proc_fd| must be a file descriptor to /proc/ and remains owned by
41   // the caller.
42   static bool DropAllCapabilities(int proc_fd) WARN_UNUSED_RESULT;
43   // A similar API which assumes that it can open /proc/self/ by itself.
44   static bool DropAllCapabilities() WARN_UNUSED_RESULT;
45   // Sets the effective and permitted capability sets for the current thread to
46   // the list of capabiltiies in |caps|. All other capability flags are cleared.
47   static bool SetCapabilities(int proc_fd,
48                               const std::vector<Capability>& caps)
49       WARN_UNUSED_RESULT;
50 
51   // Versions of the above functions which do not check that the process is
52   // single-threaded. After calling these functions, capabilities of other
53   // threads will not be changed. This is dangerous, do not use unless you nkow
54   // what you are doing.
55   static bool DropAllCapabilitiesOnCurrentThread() WARN_UNUSED_RESULT;
56   static bool SetCapabilitiesOnCurrentThread(
57       const std::vector<Capability>& caps) WARN_UNUSED_RESULT;
58 
59   // Returns true if the current thread has either the effective, permitted, or
60   // inheritable flag set for the given capability.
61   static bool HasCapability(Capability cap);
62 
63   // Return true iff there is any capability in any of the capabilities sets
64   // of the current thread.
65   static bool HasAnyCapability();
66 
67   // Returns whether the kernel supports CLONE_NEWUSER and whether it would be
68   // possible to immediately move to a new user namespace. There is no point
69   // in using this method right before calling MoveToNewUserNS(), simply call
70   // MoveToNewUserNS() immediately. This method is only useful to test the
71   // ability to move to a user namespace ahead of time.
72   static bool CanCreateProcessInNewUserNS();
73 
74   // Move the current process to a new "user namespace" as supported by Linux
75   // 3.8+ (CLONE_NEWUSER).
76   // The uid map will be set-up so that the perceived uid and gid will not
77   // change.
78   // If this call succeeds, the current process will be granted a full set of
79   // capabilities in the new namespace.
80   // This will fail if the process is not mono-threaded.
81   static bool MoveToNewUserNS() WARN_UNUSED_RESULT;
82 
83   // Remove the ability of the process to access the file system. File
84   // descriptors which are already open prior to calling this API remain
85   // available.
86   // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
87   // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
88   // |proc_fd| must be a file descriptor to /proc/ and must be the only open
89   // directory file descriptor of the process.
90   //
91   // CRITICAL:
92   //   - the caller must close |proc_fd| eventually or access to the file
93   // system can be recovered.
94   //   - DropAllCapabilities() must be called to prevent escapes.
95   static bool DropFileSystemAccess(int proc_fd) WARN_UNUSED_RESULT;
96 
97   // Forks and drops capabilities in the child.
98   static pid_t ForkAndDropCapabilitiesInChild();
99 
100  private:
101   DISALLOW_IMPLICIT_CONSTRUCTORS(Credentials);
102 };
103 
104 }  // namespace sandbox.
105 
106 #endif  // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
107