Issue 19723010: Pepper Message Filters: Port to use explicit permission grants in ChildProcessSecurityPolicy.

Issue 19723010: Pepper Message Filters: Port to use explicit permission grants in ChildProcessSecurityPolicy. (Closed)

Created:
7 years, 5 months ago by tommycli

Modified:
7 years, 4 months ago

Reviewers:
Tom Sepez, dmichael (off chromium), jochen (gone - plz use gerrit), jam, teravest

CC:
vandebo (ex-Chrome), chromium-reviews, joi+watch-content_chromium.org, darin-cc_chromium.org, jam

Base URL:
https://chromium.googlesource.com/chromium/src.git@0044-write-support-remove-child-process-security-policy-bitmask-usage

Visibility:
Public.

More Reviews

Description

Pepper Message Filters: Port to use explicit permission grants in ChildProcessSecurityPolicy. This ports the Pepper message filters to use explicit permission grants instead of the base::PlatformFile bitmasks which are now deprecated. In the case that we have to deal with Pepper open flags, we now directly translate Pepper open flags to a series of explicit permissions checks instead of converting to base::PlatformFile bitmasks. BUG=262142 Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=214581

Patch Set 1 #

Patch Set 2 : #

Patch Set 3 : #

Patch Set 4 : #

Patch Set 5 : #

Total comments: 2

Patch Set 6 : #

Total comments: 1

Patch Set 7 : #

Patch Set 8 : #

Total comments: 1

Patch Set 9 : #

Patch Set 10 : fix test #

Patch Set 11 : #

Total comments: 4

Patch Set 12 : Merge #

Patch Set 13 : address jam comments #

Patch Set 14 : #

Patch Set 15 : #

Patch Set 16 : #

Patch Set 17 : #

Created: 7 years, 4 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+188 lines, -80 lines)			Patch
M	content/browser/renderer_host/pepper/pepper_flash_file_message_filter.h	View	1 2 3 4 5 6 7 8	4 chunks	+6 lines, -2 lines	0 comments	Download
M	content/browser/renderer_host/pepper/pepper_flash_file_message_filter.cc	View	1 2 3	10 chunks	+40 lines, -26 lines	0 comments	Download
A	content/browser/renderer_host/pepper/pepper_security_helper.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14	1 chunk	+21 lines, -0 lines	0 comments	Download
A	content/browser/renderer_host/pepper/pepper_security_helper.cc	View	1 2 3 4 5 6 7 8 9 10 11 12	1 chunk	+54 lines, -0 lines	0 comments	Download
M	content/browser/renderer_host/render_message_filter.h	View	1 2 3 4 5 6 7 8 9 10 11	1 chunk	+8 lines, -8 lines	0 comments	Download
M	content/browser/renderer_host/render_message_filter.cc	View	1 2 3 4 5 6 7 8 9 10 11	6 chunks	+27 lines, -17 lines	0 comments	Download
M	content/common/view_messages.h	View	1 2 3 4 5 6 7 8 9 10 11 12	3 chunks	+9 lines, -9 lines	0 comments	Download
M	content/content_browser.gypi	View	1 2 3 4 5 6 7 8 9 10 11	1 chunk	+2 lines, -0 lines	0 comments	Download
M	content/renderer/pepper/pepper_file_io_host.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	3 chunks	+8 lines, -4 lines	0 comments	Download
M	content/renderer/pepper/pepper_helper_impl.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+1 line, -1 line	0 comments	Download
M	content/renderer/pepper/pepper_helper_impl.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	3 chunks	+5 lines, -4 lines	0 comments	Download
M	content/renderer/pepper/ppb_file_ref_impl.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	2 chunks	+2 lines, -1 line	0 comments	Download
M	ppapi/proxy/flash_file_resource.cc	View	1 2 3 4 5 6	2 chunks	+2 lines, -3 lines	0 comments	Download
M	ppapi/proxy/ppapi_messages.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+1 line, -1 line	0 comments	Download
M	ppapi/shared_impl/file_type_conversion.cc	View	1 2 3 4 5 6	2 chunks	+2 lines, -4 lines	0 comments	Download

Messages

Total messages: 26 (0 generated)

Expand Messages | Collapse Messages

jam

https://codereview.chromium.org/19723010/diff/9001/content/public/browser/child_process_security_policy.h File content/public/browser/child_process_security_policy.h (right): https://codereview.chromium.org/19723010/diff/9001/content/public/browser/child_process_security_policy.h#newcode71 content/public/browser/child_process_security_policy.h:71: bool HasPermissionsForPepperMode(int child_id, const base::FilePath& file, nit: since this ...

7 years, 5 months ago (2013-07-22 23:46:41 UTC) #1

tommycli

jochen: Need review of content/browser/renderer_host dmichael: Need review of content/renderer/pepper tsepez: General security review. Thanks! ...

7 years, 5 months ago (2013-07-23 22:21:35 UTC) #2

dmichael (off chromium)

https://codereview.chromium.org/19723010/diff/20001/content/browser/renderer_host/pepper/pepper_security_helper.cc File content/browser/renderer_host/pepper/pepper_security_helper.cc (right): https://codereview.chromium.org/19723010/diff/20001/content/browser/renderer_host/pepper/pepper_security_helper.cc#newcode33 content/browser/renderer_host/pepper/pepper_security_helper.cc:33: return false; I don't think we can do this ...

7 years, 5 months ago (2013-07-24 17:02:23 UTC) #4

teravest

On 2013/07/24 17:28:26, dmichael wrote: > +teravest I have the same concern with regard to ...

7 years, 5 months ago (2013-07-24 19:50:00 UTC) #6

tommycli

dmichael/teravest: To my knowledge, the ChildProcessSecurityPolicy before this change also always denies requests to APPEND. ...

7 years, 5 months ago (2013-07-24 21:00:12 UTC) #7

teravest

That's strange; there's an explicit test of PP_FILEOPENFLAG_APPEND in TestFileIO::TestReadWriteSetLength(). On Wed, Jul 24, 2013 ...

7 years, 5 months ago (2013-07-24 21:04:52 UTC) #8

teravest

In the FileIO test, I see that permission check passing when the append flag is ...

7 years, 5 months ago (2013-07-24 21:56:07 UTC) #9

tommycli

How bizzare! Thanks for confirming the issue. I will investigate and get back to you. ...

7 years, 5 months ago (2013-07-24 22:21:03 UTC) #10

tommycli

teravest: I have the answer to the mystery. I modified your print statement a little ...

7 years, 5 months ago (2013-07-25 19:49:20 UTC) #11

teravest: I have the answer to the mystery.

I modified your print statement a little bit:
  fprintf(stderr, "FileAPIMessageFilter::OnOpenFile, file_flags: %d, "
                  "open_permissions: %d, HasPermissions: %s\n",
                  file_flags,
                  open_permissions,
                  HasPermissionsForFile(url, open_permissions, &error) ?
                      "true" : "false");

And output:
FileAPIMessageFilter::OnOpenFile, file_flags: 164, open_permissions: 5,
HasPermissions: true

Pertinent line of code in FileAPIMessageFilter::OnOpenFile:
  const int open_permissions = base::PLATFORM_FILE_OPEN |
                               (file_flags & fileapi::kOpenFilePermissions);
...
  HasPermissionsForFile(url, open_permissions, &error)

The permissions passed in are bitwise ANDed with a set of permissions that don't
contain APPEND, so an APPEND request can pass. So APPEND is supported
almost-by-accident due to the way FileAPIMessageFilter::OnOpenFile is
constructed.

This CL won't break that. Any APPEND ops that were previously supported will
still be supported. Any calls to ChildProcessSecurityPolicy directly that
contain the APPEND flag didn't pass before, and won't pass after this CL either.

Here's some additional info: After this CL lands, my next plan is to tackle
porting over FileAPIMessageFilter and FileSystemDispatcher. The only user of the
FileAPIMessageFilter::OnOPenFile is Pepper. So I'm likely going to be changing
OnOpenFile to a more specific OnOpenPepperFile and passing in pp_open_flags
directly instead of converting to PlatformFile flags. If you want
ChildProcessSecurityPolicy to support APPEND "for reals", that's the opportunity
to get it fixed.



On 2013/07/24 22:21:03, tommycli wrote:
> How bizzare! Thanks for confirming the issue. I will investigate and get back
to
> you.
> 
> On 2013/07/24 21:56:07, teravest wrote:
> > In the FileIO test, I see that permission check passing when the
> > append flag is used.
> > 
> > I added the following line in FileAPIMessageFilter::OnOpenFile():
> >   fprintf(stderr, "FileAPIMessageFilter::OnOpenFile, file_flags: %d "
> >                   "HasPermissions: %s\n",
> >           file_flags,
> >           HasPermissionsForFile(url, open_permissions, &error) ?
> > "true" : "false");
> > 
> > And I get this output:
> > FileAPIMessageFilter::OnOpenFile, file_flags: 16488 HasPermissions: true
> > FileAPIMessageFilter::OnOpenFile, file_flags: 164 HasPermissions: true
> > 
> > 16488:
> >   PLATFORM_FILE_CREATE_ALWAYS
> >   PLATFORM_FILE_READ
> >   PLATFORM_FILE_WRITE
> >   PLATFORM_FILE_WRITE_ATTRIBUTES
> > 
> > 164:
> >   PLATFORM_FILE_OPEN_ALWAYS
> >   PLATFORM_FILE_READ
> >   PLATFORM_FILE_APPEND
> > 
> > These correspond to file_io and file_io2 in
> > TestFileIO::TestReadWriteSetLength().
> > 
> > Do we grant all file permissions in the browser when running tests? I
> > read through the files you mentioned, and can't see how appends are
> > being permitted either.
> > 
> > 
> > On Wed, Jul 24, 2013 at 3:04 PM, Justin TerAvest
> <mailto:teravest@chromium.org> wrote:
> > > That's strange; there's an explicit test of PP_FILEOPENFLAG_APPEND in
> > > TestFileIO::TestReadWriteSetLength().
> > >
> > > On Wed, Jul 24, 2013 at 3:00 PM,  <mailto:tommycli@chromium.org> wrote:
> > >> dmichael/teravest: To my knowledge, the ChildProcessSecurityPolicy before
> > >> this
> > >> change also always denies requests to APPEND.
> > >>
> > >> Please see file_type_conversion.cc and the flags at the top of
> > >> child_process_security_policy_impl.cc.
> > >>
> > >> PPAPITest.FileIO passes. I will run the whole suite of browser tests to
> > >> confirm.
> > >>
> > >>
> > >> https://codereview.chromium.org/19723010/

teravest

Thanks for the investigation! Your explanation (and plan) sound good to me. On Thu, Jul ...

7 years, 5 months ago (2013-07-25 19:52:28 UTC) #12

Thanks for the investigation!
Your explanation (and plan) sound good to me.

On Thu, Jul 25, 2013 at 1:49 PM,  <tommycli@chromium.org> wrote:
> teravest: I have the answer to the mystery.
>
> I modified your print statement a little bit:
>   fprintf(stderr, "FileAPIMessageFilter::OnOpenFile, file_flags: %d, "
>                   "open_permissions: %d, HasPermissions: %s\n",
>                   file_flags,
>                   open_permissions,
>
>                   HasPermissionsForFile(url, open_permissions, &error) ?
>                       "true" : "false");
>
> And output:
> FileAPIMessageFilter::OnOpenFile, file_flags: 164, open_permissions: 5,
> HasPermissions: true
>
> Pertinent line of code in FileAPIMessageFilter::OnOpenFile:
>   const int open_permissions = base::PLATFORM_FILE_OPEN |
>                                (file_flags & fileapi::kOpenFilePermissions);
> ...
>   HasPermissionsForFile(url, open_permissions, &error)
>
> The permissions passed in are bitwise ANDed with a set of permissions that
> don't
> contain APPEND, so an APPEND request can pass. So APPEND is supported
> almost-by-accident due to the way FileAPIMessageFilter::OnOpenFile is
> constructed.
>
> This CL won't break that. Any APPEND ops that were previously supported will
> still be supported. Any calls to ChildProcessSecurityPolicy directly that
> contain the APPEND flag didn't pass before, and won't pass after this CL
> either.
>
> Here's some additional info: After this CL lands, my next plan is to tackle
> porting over FileAPIMessageFilter and FileSystemDispatcher. The only user of
> the
> FileAPIMessageFilter::OnOPenFile is Pepper. So I'm likely going to be
> changing
> OnOpenFile to a more specific OnOpenPepperFile and passing in pp_open_flags
> directly instead of converting to PlatformFile flags. If you want
> ChildProcessSecurityPolicy to support APPEND "for reals", that's the
> opportunity
> to get it fixed.
>
>
>
>
> On 2013/07/24 22:21:03, tommycli wrote:
>>
>> How bizzare! Thanks for confirming the issue. I will investigate and get
>> back
>
> to
>>
>> you.
>
>
>> On 2013/07/24 21:56:07, teravest wrote:
>> > In the FileIO test, I see that permission check passing when the
>> > append flag is used.
>> >
>> > I added the following line in FileAPIMessageFilter::OnOpenFile():
>> >   fprintf(stderr, "FileAPIMessageFilter::OnOpenFile, file_flags: %d "
>> >                   "HasPermissions: %s\n",
>> >           file_flags,
>> >           HasPermissionsForFile(url, open_permissions, &error) ?
>> > "true" : "false");
>> >
>> > And I get this output:
>> > FileAPIMessageFilter::OnOpenFile, file_flags: 16488 HasPermissions: true
>> > FileAPIMessageFilter::OnOpenFile, file_flags: 164 HasPermissions: true
>> >
>> > 16488:
>> >   PLATFORM_FILE_CREATE_ALWAYS
>> >   PLATFORM_FILE_READ
>> >   PLATFORM_FILE_WRITE
>> >   PLATFORM_FILE_WRITE_ATTRIBUTES
>> >
>> > 164:
>> >   PLATFORM_FILE_OPEN_ALWAYS
>> >   PLATFORM_FILE_READ
>> >   PLATFORM_FILE_APPEND
>> >
>> > These correspond to file_io and file_io2 in
>> > TestFileIO::TestReadWriteSetLength().
>> >
>> > Do we grant all file permissions in the browser when running tests? I
>> > read through the files you mentioned, and can't see how appends are
>> > being permitted either.
>> >
>> >
>> > On Wed, Jul 24, 2013 at 3:04 PM, Justin TerAvest
>> <mailto:teravest@chromium.org> wrote:
>> > > That's strange; there's an explicit test of PP_FILEOPENFLAG_APPEND in
>> > > TestFileIO::TestReadWriteSetLength().
>> > >
>> > > On Wed, Jul 24, 2013 at 3:00 PM,  <mailto:tommycli@chromium.org>
>> > > wrote:
>> > >> dmichael/teravest: To my knowledge, the ChildProcessSecurityPolicy
>> > >> before
>> > >> this
>> > >> change also always denies requests to APPEND.
>> > >>
>> > >> Please see file_type_conversion.cc and the flags at the top of
>> > >> child_process_security_policy_impl.cc.
>> > >>
>> > >> PPAPITest.FileIO passes. I will run the whole suite of browser tests
>> > >> to
>> > >> confirm.
>> > >>
>> > >>
>> > >> https://codereview.chromium.org/19723010/
>
>
>
> https://codereview.chromium.org/19723010/

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/tommycli@chromium.org/19723010/59001

7 years, 5 months ago (2013-07-26 15:20:58 UTC) #17

tommycli

jam: May I get an OWNER review for content/content_browser.gypi ? Thanks.

7 years, 5 months ago (2013-07-26 15:40:23 UTC) #18

commit-bot: I haz the power

Retried try job too often on chromium_presubmit for step(s) presubmit http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=chromium_presubmit&number=17337

7 years, 5 months ago (2013-07-26 16:32:07 UTC) #19

tommycli

On 2013/07/26 15:40:23, tommycli wrote: > jam: May I get an OWNER review for content/content_browser.gypi ...

7 years, 4 months ago (2013-07-29 19:21:57 UTC) #20

jam

lgtm, sorry for the delay i just saw this. https://codereview.chromium.org/19723010/diff/59001/content/browser/renderer_host/pepper/pepper_security_helper.h File content/browser/renderer_host/pepper/pepper_security_helper.h (right): https://codereview.chromium.org/19723010/diff/59001/content/browser/renderer_host/pepper/pepper_security_helper.h#newcode9 content/browser/renderer_host/pepper/pepper_security_helper.h:9: ...

7 years, 4 months ago (2013-07-30 16:07:12 UTC) #21

tommycli

https://codereview.chromium.org/19723010/diff/59001/content/browser/renderer_host/pepper/pepper_security_helper.h File content/browser/renderer_host/pepper/pepper_security_helper.h (right): https://codereview.chromium.org/19723010/diff/59001/content/browser/renderer_host/pepper/pepper_security_helper.h#newcode9 content/browser/renderer_host/pepper/pepper_security_helper.h:9: #include "content/browser/child_process_security_policy_impl.h" On 2013/07/30 16:07:12, jam wrote: > nit: ...

7 years, 4 months ago (2013-07-30 17:52:41 UTC) #22

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/tommycli@chromium.org/19723010/73015

7 years, 4 months ago (2013-07-30 20:38:51 UTC) #23

commit-bot: I haz the power

Failed to apply patch for content/renderer/pepper/pepper_file_io_host.cc: While running patch -p1 --forward --force --no-backup-if-mismatch; patching file ...

7 years, 4 months ago (2013-07-30 20:39:11 UTC) #24

Failed to apply patch for content/renderer/pepper/pepper_file_io_host.cc:
While running patch -p1 --forward --force --no-backup-if-mismatch;
  patching file content/renderer/pepper/pepper_file_io_host.cc
  Hunk #1 succeeded at 194 (offset -2 lines).
  Hunk #2 succeeded at 227 (offset -2 lines).
  Hunk #3 FAILED at 239.
  1 out of 3 hunks FAILED -- saving rejects to file
content/renderer/pepper/pepper_file_io_host.cc.rej

Patch:       content/renderer/pepper/pepper_file_io_host.cc
Index: content/renderer/pepper/pepper_file_io_host.cc
diff --git a/content/renderer/pepper/pepper_file_io_host.cc
b/content/renderer/pepper/pepper_file_io_host.cc
index
c58b25fbdfde5a9401661df37d8ec8078b6a1362..0c85824ad6064384f4fba53d9ff233ed071b9673
100644
--- a/content/renderer/pepper/pepper_file_io_host.cc
+++ b/content/renderer/pepper/pepper_file_io_host.cc
@@ -196,10 +196,14 @@ int32_t PepperFileIOHost::OnHostMsgOpen(
   if (rv != PP_OK)
     return rv;
 
-  int flags = 0;
+  // TODO(tommycli): Eventually just pass the Pepper flags straight to the
+  // FileSystemDispatcher so it can handle doing the security check.
+  int platform_file_flags = 0;
   open_flags_ = open_flags;
-  if (!::ppapi::PepperFileOpenFlagsToPlatformFileFlags(open_flags, &flags))
+  if (!::ppapi::PepperFileOpenFlagsToPlatformFileFlags(open_flags,
+                                                       &platform_file_flags)) {
     return PP_ERROR_BADARGUMENT;
+  }
 
   EnterResourceNoLock<PPB_FileRef_API> enter(file_ref_resource, true);
   if (enter.failed())
@@ -225,7 +229,7 @@ int32_t PepperFileIOHost::OnHostMsgOpen(
         weak_factory_.GetWeakPtr(),
         context->MakeReplyMessageContext());
     file_system_dispatcher->OpenFile(
-      file_system_url_, flags,
+      file_system_url_, platform_file_flags,
       base::Bind(&DidOpenFileSystemURL, callback),
       base::Bind(&DidFailOpenFileSystemURL, callback));
   } else {
@@ -235,7 +239,7 @@ int32_t PepperFileIOHost::OnHostMsgOpen(
     if (file_system_type_ != PP_FILESYSTEMTYPE_EXTERNAL || !plugin_delegate)
       return PP_ERROR_FAILED;
     if (!plugin_delegate->AsyncOpenFile(
-            file_ref->GetSystemPath(), flags,
+            file_ref->GetSystemPath(), open_flags,
             base::Bind(&PepperFileIOHost::ExecutePlatformOpenFileCallback,
                        weak_factory_.GetWeakPtr(),
                        context->MakeReplyMessageContext())))

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/tommycli@chromium.org/19723010/113001

7 years, 4 months ago (2013-07-30 22:03:57 UTC) #25

Message was sent while issue was closed.

Change committed as 214581

Expand Messages | Collapse Messages