| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/child_process_security_policy_impl.h" | 5 #include "content/browser/child_process_security_policy_impl.h" |
| 6 | 6 |
| 7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
| 8 #include "base/files/file_path.h" | 8 #include "base/files/file_path.h" |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/metrics/histogram.h" | 10 #include "base/metrics/histogram.h" |
| (...skipping 28 matching lines...) Expand all Loading... |
| 39 base::PLATFORM_FILE_ASYNC | | 39 base::PLATFORM_FILE_ASYNC | |
| 40 base::PLATFORM_FILE_WRITE_ATTRIBUTES; | 40 base::PLATFORM_FILE_WRITE_ATTRIBUTES; |
| 41 | 41 |
| 42 const int kCreateFilePermissions = | 42 const int kCreateFilePermissions = |
| 43 base::PLATFORM_FILE_CREATE; | 43 base::PLATFORM_FILE_CREATE; |
| 44 | 44 |
| 45 const int kEnumerateDirectoryPermissions = | 45 const int kEnumerateDirectoryPermissions = |
| 46 kReadFilePermissions | | 46 kReadFilePermissions | |
| 47 base::PLATFORM_FILE_ENUMERATE; | 47 base::PLATFORM_FILE_ENUMERATE; |
| 48 | 48 |
| 49 const int kReadWriteFilePermissions = |
| 50 base::PLATFORM_FILE_OPEN | |
| 51 base::PLATFORM_FILE_CREATE | |
| 52 base::PLATFORM_FILE_OPEN_ALWAYS | |
| 53 base::PLATFORM_FILE_CREATE_ALWAYS | |
| 54 base::PLATFORM_FILE_OPEN_TRUNCATED | |
| 55 base::PLATFORM_FILE_READ | |
| 56 base::PLATFORM_FILE_WRITE | |
| 57 base::PLATFORM_FILE_EXCLUSIVE_READ | |
| 58 base::PLATFORM_FILE_EXCLUSIVE_WRITE | |
| 59 base::PLATFORM_FILE_ASYNC | |
| 60 base::PLATFORM_FILE_WRITE_ATTRIBUTES; |
| 61 |
| 62 const int kCreateWriteFilePermissions = |
| 63 base::PLATFORM_FILE_CREATE | |
| 64 base::PLATFORM_FILE_CREATE_ALWAYS | |
| 65 base::PLATFORM_FILE_OPEN | |
| 66 base::PLATFORM_FILE_OPEN_ALWAYS | |
| 67 base::PLATFORM_FILE_OPEN_TRUNCATED | |
| 68 base::PLATFORM_FILE_WRITE | |
| 69 base::PLATFORM_FILE_WRITE_ATTRIBUTES | |
| 70 base::PLATFORM_FILE_ASYNC; |
| 71 // need EXCLUSIVE_WRITE in this mix? |
| 72 |
| 49 } // namespace | 73 } // namespace |
| 50 | 74 |
| 51 // The SecurityState class is used to maintain per-child process security state | 75 // The SecurityState class is used to maintain per-child process security state |
| 52 // information. | 76 // information. |
| 53 class ChildProcessSecurityPolicyImpl::SecurityState { | 77 class ChildProcessSecurityPolicyImpl::SecurityState { |
| 54 public: | 78 public: |
| 55 SecurityState() | 79 SecurityState() |
| 56 : enabled_bindings_(0), | 80 : enabled_bindings_(0), |
| 57 can_read_raw_cookies_(false) { } | 81 can_read_raw_cookies_(false) { } |
| 58 | 82 |
| (...skipping 339 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 398 if (net::FileURLToFilePath(url, &path)) | 422 if (net::FileURLToFilePath(url, &path)) |
| 399 state->second->GrantRequestOfSpecificFile(path); | 423 state->second->GrantRequestOfSpecificFile(path); |
| 400 } | 424 } |
| 401 } | 425 } |
| 402 | 426 |
| 403 void ChildProcessSecurityPolicyImpl::GrantReadFile(int child_id, | 427 void ChildProcessSecurityPolicyImpl::GrantReadFile(int child_id, |
| 404 const base::FilePath& file) { | 428 const base::FilePath& file) { |
| 405 GrantPermissionsForFile(child_id, file, kReadFilePermissions); | 429 GrantPermissionsForFile(child_id, file, kReadFilePermissions); |
| 406 } | 430 } |
| 407 | 431 |
| 432 void ChildProcessSecurityPolicyImpl::GrantReadWriteFile( |
| 433 int child_id, const base::FilePath& file) { |
| 434 GrantPermissionsForFile(child_id, file, kReadWriteFilePermissions); |
| 435 } |
| 436 |
| 437 void ChildProcessSecurityPolicyImpl::GrantCreateWriteFile( |
| 438 int child_id, const base::FilePath& file) { |
| 439 GrantPermissionsForFile(child_id, file, kCreateWriteFilePermissions); |
| 440 } |
| 441 |
| 408 void ChildProcessSecurityPolicyImpl::GrantReadDirectory( | 442 void ChildProcessSecurityPolicyImpl::GrantReadDirectory( |
| 409 int child_id, const base::FilePath& directory) { | 443 int child_id, const base::FilePath& directory) { |
| 410 GrantPermissionsForFile(child_id, directory, kEnumerateDirectoryPermissions); | 444 GrantPermissionsForFile(child_id, directory, kEnumerateDirectoryPermissions); |
| 411 } | 445 } |
| 412 | 446 |
| 413 void ChildProcessSecurityPolicyImpl::GrantPermissionsForFile( | 447 void ChildProcessSecurityPolicyImpl::GrantPermissionsForFile( |
| 414 int child_id, const base::FilePath& file, int permissions) { | 448 int child_id, const base::FilePath& file, int permissions) { |
| 415 base::AutoLock lock(lock_); | 449 base::AutoLock lock(lock_); |
| 416 | 450 |
| 417 SecurityStateMap::iterator state = security_state_.find(child_id); | 451 SecurityStateMap::iterator state = security_state_.find(child_id); |
| (...skipping 268 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 686 int permission) { | 720 int permission) { |
| 687 base::AutoLock lock(lock_); | 721 base::AutoLock lock(lock_); |
| 688 | 722 |
| 689 SecurityStateMap::iterator state = security_state_.find(child_id); | 723 SecurityStateMap::iterator state = security_state_.find(child_id); |
| 690 if (state == security_state_.end()) | 724 if (state == security_state_.end()) |
| 691 return false; | 725 return false; |
| 692 return state->second->HasPermissionsForFileSystem(filesystem_id, permission); | 726 return state->second->HasPermissionsForFileSystem(filesystem_id, permission); |
| 693 } | 727 } |
| 694 | 728 |
| 695 } // namespace content | 729 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 18129002:
Update the child process security policy to use explicit permission grants. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src