| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/child_process_security_policy_impl.h" | 5 #include "content/browser/child_process_security_policy_impl.h" |
| 6 | 6 |
| 7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
| 8 #include "base/files/file_path.h" | 8 #include "base/files/file_path.h" |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/metrics/histogram.h" | 10 #include "base/metrics/histogram.h" |
| (...skipping 31 matching lines...) |
| 42 base::PLATFORM_FILE_ASYNC | | 42 base::PLATFORM_FILE_ASYNC | |
| 43 base::PLATFORM_FILE_WRITE_ATTRIBUTES; | 43 base::PLATFORM_FILE_WRITE_ATTRIBUTES; |
| 44 | 44 |
| 45 const int kCreateFilePermissions = | 45 const int kCreateFilePermissions = |
| 46 base::PLATFORM_FILE_CREATE; | 46 base::PLATFORM_FILE_CREATE; |
| 47 | 47 |
| 48 const int kEnumerateDirectoryPermissions = | 48 const int kEnumerateDirectoryPermissions = |
| 49 kReadFilePermissions | | 49 kReadFilePermissions | |
| 50 base::PLATFORM_FILE_ENUMERATE; | 50 base::PLATFORM_FILE_ENUMERATE; |
| 51 | 51 |
| 52 const int kReadWriteFilePermissions = | 52 // TODO(tommycli): These flag sets need some work to make more obvious. |
| 53 base::PLATFORM_FILE_OPEN | | 53 // Why for instance, does Create|Write != Create|Write? http://crbug.com/263150 |
| 54 base::PLATFORM_FILE_CREATE | | 54 const int kCreateReadWriteFilePermissions = |
| 55 kReadFilePermissions | |
| 56 kWriteFilePermissions | |
| 57 kCreateFilePermissions | |
| 55 base::PLATFORM_FILE_OPEN_ALWAYS | | 58 base::PLATFORM_FILE_OPEN_ALWAYS | |
| 56 base::PLATFORM_FILE_CREATE_ALWAYS | | 59 base::PLATFORM_FILE_CREATE_ALWAYS | |
| 57 base::PLATFORM_FILE_OPEN_TRUNCATED | | 60 base::PLATFORM_FILE_OPEN_TRUNCATED; |
| 58 base::PLATFORM_FILE_READ | | |
| 59 base::PLATFORM_FILE_WRITE | | |
| 60 base::PLATFORM_FILE_EXCLUSIVE_READ | | |
| 61 base::PLATFORM_FILE_EXCLUSIVE_WRITE | | |
| 62 base::PLATFORM_FILE_ASYNC | | |
| 63 base::PLATFORM_FILE_WRITE_ATTRIBUTES; | |
| 64 | 61 |
| 65 const int kCreateWriteFilePermissions = | 62 const int kCreateWriteFilePermissions = |
| 66 base::PLATFORM_FILE_CREATE | | 63 kWriteFilePermissions | |
| 67 base::PLATFORM_FILE_CREATE_ALWAYS | | 64 kCreateFilePermissions | |
| 68 base::PLATFORM_FILE_OPEN | | 65 base::PLATFORM_FILE_OPEN_ALWAYS | |
| 69 base::PLATFORM_FILE_OPEN_ALWAYS | | 66 base::PLATFORM_FILE_CREATE_ALWAYS | |
| 70 base::PLATFORM_FILE_OPEN_TRUNCATED | | 67 base::PLATFORM_FILE_OPEN_TRUNCATED; |
| 71 base::PLATFORM_FILE_WRITE | | |
| 72 base::PLATFORM_FILE_WRITE_ATTRIBUTES | | |
| 73 base::PLATFORM_FILE_ASYNC; | |
| 74 // need EXCLUSIVE_WRITE in this mix? | |
| 75 | 68 |
| 76 } // namespace | 69 } // namespace |
| 77 | 70 |
| 78 // The SecurityState class is used to maintain per-child process security state | 71 // The SecurityState class is used to maintain per-child process security state |
| 79 // information. | 72 // information. |
| 80 class ChildProcessSecurityPolicyImpl::SecurityState { | 73 class ChildProcessSecurityPolicyImpl::SecurityState { |
| 81 public: | 74 public: |
| 82 SecurityState() | 75 SecurityState() |
| 83 : enabled_bindings_(0), | 76 : enabled_bindings_(0), |
| 84 can_read_raw_cookies_(false) { } | 77 can_read_raw_cookies_(false) { } |
| (...skipping 342 matching lines...) |
| 427 } | 420 } |
| 428 } | 421 } |
| 429 | 422 |
| 430 void ChildProcessSecurityPolicyImpl::GrantReadFile(int child_id, | 423 void ChildProcessSecurityPolicyImpl::GrantReadFile(int child_id, |
| 431 const base::FilePath& file) { | 424 const base::FilePath& file) { |
| 432 GrantPermissionsForFile(child_id, file, kReadFilePermissions); | 425 GrantPermissionsForFile(child_id, file, kReadFilePermissions); |
| 433 } | 426 } |
| 434 | 427 |
| 435 void ChildProcessSecurityPolicyImpl::GrantCreateReadWriteFile( | 428 void ChildProcessSecurityPolicyImpl::GrantCreateReadWriteFile( |
| 436 int child_id, const base::FilePath& file) { | 429 int child_id, const base::FilePath& file) { |
| 437 GrantPermissionsForFile(child_id, file, kReadWriteFilePermissions); | 430 GrantPermissionsForFile(child_id, file, kCreateReadWriteFilePermissions); |
| 438 } | 431 } |
| 439 | 432 |
| 440 void ChildProcessSecurityPolicyImpl::GrantCreateWriteFile( | 433 void ChildProcessSecurityPolicyImpl::GrantCreateWriteFile( |
| 441 int child_id, const base::FilePath& file) { | 434 int child_id, const base::FilePath& file) { |
| 442 GrantPermissionsForFile(child_id, file, kCreateWriteFilePermissions); | 435 GrantPermissionsForFile(child_id, file, kCreateWriteFilePermissions); |
| 443 } | 436 } |
| 444 | 437 |
| 445 void ChildProcessSecurityPolicyImpl::GrantReadDirectory( | 438 void ChildProcessSecurityPolicyImpl::GrantReadDirectory( |
| 446 int child_id, const base::FilePath& directory) { | 439 int child_id, const base::FilePath& directory) { |
| 447 GrantPermissionsForFile(child_id, directory, kEnumerateDirectoryPermissions); | 440 GrantPermissionsForFile(child_id, directory, kEnumerateDirectoryPermissions); |
| (...skipping 154 matching lines...) |
| 602 // allowed to request the URL. | 595 // allowed to request the URL. |
| 603 return state->second->CanRequestURL(url); | 596 return state->second->CanRequestURL(url); |
| 604 } | 597 } |
| 605 } | 598 } |
| 606 | 599 |
| 607 bool ChildProcessSecurityPolicyImpl::CanReadFile(int child_id, | 600 bool ChildProcessSecurityPolicyImpl::CanReadFile(int child_id, |
| 608 const base::FilePath& file) { | 601 const base::FilePath& file) { |
| 609 return HasPermissionsForFile(child_id, file, kReadFilePermissions); | 602 return HasPermissionsForFile(child_id, file, kReadFilePermissions); |
| 610 } | 603 } |
| 611 | 604 |
| 605 bool ChildProcessSecurityPolicyImpl::CanWriteFile(int child_id, |
| 606 const base::FilePath& file) { |
| 607 return HasPermissionsForFile(child_id, file, kWriteFilePermissions); |
| 608 } |
| 609 |
| 610 bool ChildProcessSecurityPolicyImpl::CanCreateFile(int child_id, |
| 611 const base::FilePath& file) { |
| 612 return HasPermissionsForFile(child_id, file, kCreateFilePermissions); |
| 613 } |
| 614 |
| 615 bool ChildProcessSecurityPolicyImpl::CanCreateWriteFile( |
| 616 int child_id, |
| 617 const base::FilePath& file) { |
| 618 return HasPermissionsForFile(child_id, file, kCreateWriteFilePermissions); |
| 619 } |
| 620 |
| 612 bool ChildProcessSecurityPolicyImpl::CanReadDirectory( | 621 bool ChildProcessSecurityPolicyImpl::CanReadDirectory( |
| 613 int child_id, const base::FilePath& directory) { | 622 int child_id, const base::FilePath& directory) { |
| 614 return HasPermissionsForFile(child_id, | 623 return HasPermissionsForFile(child_id, |
| 615 directory, | 624 directory, |
| 616 kEnumerateDirectoryPermissions); | 625 kEnumerateDirectoryPermissions); |
| 617 } | 626 } |
| 618 | 627 |
| 619 bool ChildProcessSecurityPolicyImpl::CanReadFileSystem( | 628 bool ChildProcessSecurityPolicyImpl::CanReadFileSystem( |
| 620 int child_id, const std::string& filesystem_id) { | 629 int child_id, const std::string& filesystem_id) { |
| 621 return HasPermissionsForFileSystem(child_id, | 630 return HasPermissionsForFileSystem(child_id, |
| (...skipping 69 matching lines...) |
| 691 | 700 |
| 692 if (found->second & fileapi::FILE_PERMISSION_USE_FILE_PERMISSION) | 701 if (found->second & fileapi::FILE_PERMISSION_USE_FILE_PERMISSION) |
| 693 return HasPermissionsForFile(child_id, url.path(), permissions); | 702 return HasPermissionsForFile(child_id, url.path(), permissions); |
| 694 | 703 |
| 695 if (found->second & fileapi::FILE_PERMISSION_SANDBOX) | 704 if (found->second & fileapi::FILE_PERMISSION_SANDBOX) |
| 696 return true; | 705 return true; |
| 697 | 706 |
| 698 return false; | 707 return false; |
| 699 } | 708 } |
| 700 | 709 |
| 710 bool ChildProcessSecurityPolicyImpl::CanReadFileSystemFile( |
| 711 int child_id, |
| 712 const fileapi::FileSystemURL& url) { |
| 713 return HasPermissionsForFileSystemFile(child_id, url, kReadFilePermissions); |
| 714 } |
| 715 |
| 716 bool ChildProcessSecurityPolicyImpl::CanWriteFileSystemFile( |
| 717 int child_id, |
| 718 const fileapi::FileSystemURL& url) { |
| 719 return HasPermissionsForFileSystemFile(child_id, url, kWriteFilePermissions); |
| 720 } |
| 721 |
| 722 bool ChildProcessSecurityPolicyImpl::CanCreateFileSystemFile( |
| 723 int child_id, |
| 724 const fileapi::FileSystemURL& url) { |
| 725 return HasPermissionsForFileSystemFile(child_id, url, kCreateFilePermissions); |
| 726 } |
| 727 |
| 728 bool ChildProcessSecurityPolicyImpl::CanCreateWriteFileSystemFile( |
| 729 int child_id, |
| 730 const fileapi::FileSystemURL& url) { |
| 731 return HasPermissionsForFileSystemFile(child_id, url, |
| 732 kCreateWriteFilePermissions); |
| 733 } |
| 734 |
| 701 bool ChildProcessSecurityPolicyImpl::HasWebUIBindings(int child_id) { | 735 bool ChildProcessSecurityPolicyImpl::HasWebUIBindings(int child_id) { |
| 702 base::AutoLock lock(lock_); | 736 base::AutoLock lock(lock_); |
| 703 | 737 |
| 704 SecurityStateMap::iterator state = security_state_.find(child_id); | 738 SecurityStateMap::iterator state = security_state_.find(child_id); |
| 705 if (state == security_state_.end()) | 739 if (state == security_state_.end()) |
| 706 return false; | 740 return false; |
| 707 | 741 |
| 708 return state->second->has_web_ui_bindings(); | 742 return state->second->has_web_ui_bindings(); |
| 709 } | 743 } |
| 710 | 744 |
| (...skipping 77 matching lines...) |
| 788 } | 822 } |
| 789 | 823 |
| 790 void ChildProcessSecurityPolicyImpl::RegisterFileSystemPermissionPolicy( | 824 void ChildProcessSecurityPolicyImpl::RegisterFileSystemPermissionPolicy( |
| 791 fileapi::FileSystemType type, | 825 fileapi::FileSystemType type, |
| 792 int policy) { | 826 int policy) { |
| 793 base::AutoLock lock(lock_); | 827 base::AutoLock lock(lock_); |
| 794 file_system_policy_map_[type] = policy; | 828 file_system_policy_map_[type] = policy; |
| 795 } | 829 } |
| 796 | 830 |
| 797 } // namespace content | 831 } // namespace content |
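Review bot: The rewritten `kCreateWriteFilePermissions` (new lines 62-67) may grant more than the old one did, and nothing in the new code records that. The old definition listed its bits explicitly and left out `PLATFORM_FILE_EXCLUSIVE_WRITE`, which the removed comment `// need EXCLUSIVE_WRITE in this mix?` asked about. The new one ORs in `kWriteFilePermissions`, whose definition sits mostly in the skipped lines, so any bit in that set is now handed out by `GrantCreateWriteFile` and required by the new `CanCreateWriteFile` (new lines 615-619). Please confirm the resulting mask is intended, and replace the dropped question with a statement on the constant, e.g. `// Includes all of kWriteFilePermissions; also permits truncating or replacing an existing file (CREATE_ALWAYS, OPEN_TRUNCATED).` The new `Can*File` and `Can*FileSystemFile` predicates are one-line security checks with no comments; a line on each saying which flag set it tests would keep callers from assuming `CanCreateWriteFile` is just `CanCreateFile && CanWriteFile`.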
| OLD | NEW |