summaryrefslogtreecommitdiffstats
path: root/security/sandbox/linux/launch/LinuxCapabilities.h
diff options
context:
space:
mode:
Diffstat (limited to 'security/sandbox/linux/launch/LinuxCapabilities.h')
-rw-r--r--security/sandbox/linux/launch/LinuxCapabilities.h122
1 files changed, 122 insertions, 0 deletions
diff --git a/security/sandbox/linux/launch/LinuxCapabilities.h b/security/sandbox/linux/launch/LinuxCapabilities.h
new file mode 100644
index 0000000000..6d9b79e5d9
--- /dev/null
+++ b/security/sandbox/linux/launch/LinuxCapabilities.h
@@ -0,0 +1,122 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_LinuxCapabilities_h
+#define mozilla_LinuxCapabilities_h
+
+#include <linux/capability.h>
+#include <stdint.h>
+
+#include "mozilla/Assertions.h"
+#include "mozilla/Attributes.h"
+#include "mozilla/PodOperations.h"
+
+// This class is a relatively simple interface to manipulating the
+// capabilities of a Linux process/thread; see the capabilities(7) man
+// page for background information.
+
+// Unfortunately, Android's kernel headers omit some definitions
+// needed for the low-level capability interface. They're part of the
+// stable syscall ABI, so it's safe to include them here.
+#ifndef _LINUX_CAPABILITY_VERSION_3
+# define _LINUX_CAPABILITY_VERSION_3 0x20080522
+# define _LINUX_CAPABILITY_U32S_3 2
+#endif
+#ifndef CAP_TO_INDEX
+# define CAP_TO_INDEX(x) ((x) >> 5)
+# define CAP_TO_MASK(x) (1 << ((x)&31))
+#endif
+
+namespace mozilla {
+
+class LinuxCapabilities final {
+ public:
+ // A class to represent a bit within the capability sets as an lvalue.
+ class BitRef {
+ __u32& mWord;
+ __u32 mMask;
+ friend class LinuxCapabilities;
+ BitRef(__u32& aWord, uint32_t aMask) : mWord(aWord), mMask(aMask) {}
+ BitRef(const BitRef& aBit) = default;
+
+ public:
+ MOZ_IMPLICIT operator bool() const { return mWord & mMask; }
+ BitRef& operator=(bool aSetTo) {
+ if (aSetTo) {
+ mWord |= mMask;
+ } else {
+ mWord &= mMask;
+ }
+ return *this;
+ }
+ };
+
+ // The default value is the empty set.
+ LinuxCapabilities() { PodArrayZero(mBits); }
+
+ // Get the current thread's capability sets and assign them to this
+ // object. Returns whether it succeeded and sets errno on failure.
+ // Shouldn't fail unless the kernel is very old.
+ bool GetCurrent();
+
+ // Try to set the current thread's capability sets to those
+ // specified in this object. Returns whether it succeeded and sets
+ // errno on failure.
+ bool SetCurrentRaw() const;
+
+ // The capability model requires that the permitted set always be a
+ // superset of the effective and inheritable sets. This method
+ // expands the permitted set as needed and then sets the current
+ // thread's capabilities, as described above.
+ bool SetCurrent() {
+ Normalize();
+ return SetCurrentRaw();
+ }
+
+ void Normalize() {
+ for (size_t i = 0; i < _LINUX_CAPABILITY_U32S_3; ++i) {
+ mBits[i].permitted |= mBits[i].effective | mBits[i].inheritable;
+ }
+ }
+
+ bool AnyEffective() const {
+ for (size_t i = 0; i < _LINUX_CAPABILITY_U32S_3; ++i) {
+ if (mBits[i].effective != 0) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ // These three methods expose individual bits in the three
+ // capability sets as objects that can be used as bool lvalues.
+ // The argument is the capability number, as defined in
+ // the <linux/capability.h> header.
+ BitRef Effective(unsigned aCap) {
+ return GenericBitRef(&__user_cap_data_struct::effective, aCap);
+ }
+
+ BitRef Permitted(unsigned aCap) {
+ return GenericBitRef(&__user_cap_data_struct::permitted, aCap);
+ }
+
+ BitRef Inheritable(unsigned aCap) {
+ return GenericBitRef(&__user_cap_data_struct::inheritable, aCap);
+ }
+
+ private:
+ __user_cap_data_struct mBits[_LINUX_CAPABILITY_U32S_3];
+
+ BitRef GenericBitRef(__u32 __user_cap_data_struct::*aField, unsigned aCap) {
+ // Please don't pass untrusted data as the capability number.
+ MOZ_ASSERT(CAP_TO_INDEX(aCap) < _LINUX_CAPABILITY_U32S_3);
+ return BitRef(mBits[CAP_TO_INDEX(aCap)].*aField, CAP_TO_MASK(aCap));
+ }
+};
+
+} // namespace mozilla
+
+#endif // mozilla_LinuxCapabilities_h