| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ | |
| 6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ | |
| 7 | |
| 8 #include <map> | |
| 9 #include <set> | |
| 10 #include <string> | |
| 11 #include <vector> | |
| 12 | |
| 13 #include "base/compiler_specific.h" | |
| 14 #include "base/gtest_prod_util.h" | |
| 15 #include "base/macros.h" | |
| 16 #include "base/memory/singleton.h" | |
| 17 #include "base/synchronization/lock.h" | |
| 18 #include "content/public/browser/child_process_security_policy.h" | |
| 19 #include "content/public/common/resource_type.h" | |
| 20 #include "storage/common/fileapi/file_system_types.h" | |
| 21 | |
| 22 class GURL; | |
| 23 | |
| 24 namespace base { | |
| 25 class FilePath; | |
| 26 } | |
| 27 | |
| 28 namespace storage { | |
| 29 class FileSystemURL; | |
| 30 } | |
| 31 | |
| 32 namespace content { | |
| 33 | |
| 34 class CONTENT_EXPORT ChildProcessSecurityPolicyImpl | |
| 35 : NON_EXPORTED_BASE(public ChildProcessSecurityPolicy) { | |
| 36 public: | |
| 37 // Object can only be created through GetInstance() so the constructor is | |
| 38 // private. | |
| 39 ~ChildProcessSecurityPolicyImpl() override; | |
| 40 | |
| 41 static ChildProcessSecurityPolicyImpl* GetInstance(); | |
| 42 | |
| 43 // ChildProcessSecurityPolicy implementation. | |
| 44 void RegisterWebSafeScheme(const std::string& scheme) override; | |
| 45 bool IsWebSafeScheme(const std::string& scheme) override; | |
| 46 void GrantReadFile(int child_id, const base::FilePath& file) override; | |
| 47 void GrantCreateReadWriteFile(int child_id, | |
| 48 const base::FilePath& file) override; | |
| 49 void GrantCopyInto(int child_id, const base::FilePath& dir) override; | |
| 50 void GrantDeleteFrom(int child_id, const base::FilePath& dir) override; | |
| 51 void GrantReadFileSystem(int child_id, | |
| 52 const std::string& filesystem_id) override; | |
| 53 void GrantWriteFileSystem(int child_id, | |
| 54 const std::string& filesystem_id) override; | |
| 55 void GrantCreateFileForFileSystem(int child_id, | |
| 56 const std::string& filesystem_id) override; | |
| 57 void GrantCreateReadWriteFileSystem( | |
| 58 int child_id, | |
| 59 const std::string& filesystem_id) override; | |
| 60 void GrantCopyIntoFileSystem(int child_id, | |
| 61 const std::string& filesystem_id) override; | |
| 62 void GrantDeleteFromFileSystem(int child_id, | |
| 63 const std::string& filesystem_id) override; | |
| 64 void GrantOrigin(int child_id, const url::Origin& origin) override; | |
| 65 void GrantScheme(int child_id, const std::string& scheme) override; | |
| 66 bool CanReadFile(int child_id, const base::FilePath& file) override; | |
| 67 bool CanCreateReadWriteFile(int child_id, | |
| 68 const base::FilePath& file) override; | |
| 69 bool CanReadFileSystem(int child_id, | |
| 70 const std::string& filesystem_id) override; | |
| 71 bool CanReadWriteFileSystem(int child_id, | |
| 72 const std::string& filesystem_id) override; | |
| 73 bool CanCopyIntoFileSystem(int child_id, | |
| 74 const std::string& filesystem_id) override; | |
| 75 bool CanDeleteFromFileSystem(int child_id, | |
| 76 const std::string& filesystem_id) override; | |
| 77 bool HasWebUIBindings(int child_id) override; | |
| 78 void GrantSendMidiSysExMessage(int child_id) override; | |
| 79 bool CanAccessDataForOrigin(int child_id, const GURL& url) override; | |
| 80 | |
| 81 // Returns if |child_id| can read all of the |files|. | |
| 82 bool CanReadAllFiles(int child_id, const std::vector<base::FilePath>& files); | |
| 83 | |
| 84 // Pseudo schemes are treated differently than other schemes because they | |
| 85 // cannot be requested like normal URLs. There is no mechanism for revoking | |
| 86 // pseudo schemes. | |
| 87 void RegisterPseudoScheme(const std::string& scheme); | |
| 88 | |
| 89 // Returns true iff |scheme| has been registered as pseudo scheme. | |
| 90 bool IsPseudoScheme(const std::string& scheme); | |
| 91 | |
| 92 // Upon creation, child processes should register themselves by calling this | |
| 93 // this method exactly once. | |
| 94 void Add(int child_id); | |
| 95 | |
| 96 // Upon creation, worker thread child processes should register themselves by | |
| 97 // calling this this method exactly once. Workers that are not shared will | |
| 98 // inherit permissions from their parent renderer process identified with | |
| 99 // |main_render_process_id|. | |
| 100 void AddWorker(int worker_child_id, int main_render_process_id); | |
| 101 | |
| 102 // Upon destruction, child processess should unregister themselves by caling | |
| 103 // this method exactly once. | |
| 104 void Remove(int child_id); | |
| 105 | |
| 106 // Whenever the browser processes commands the child process to request a URL, | |
| 107 // it should call this method to grant the child process the capability to | |
| 108 // request the URL, along with permission to request all URLs of the same | |
| 109 // scheme. | |
| 110 void GrantRequestURL(int child_id, const GURL& url); | |
| 111 | |
| 112 // Whenever the browser process drops a file icon on a tab, it should call | |
| 113 // this method to grant the child process the capability to request this one | |
| 114 // file:// URL, but not all urls of the file:// scheme. | |
| 115 void GrantRequestSpecificFileURL(int child_id, const GURL& url); | |
| 116 | |
| 117 // Revokes all permissions granted to the given file. | |
| 118 void RevokeAllPermissionsForFile(int child_id, const base::FilePath& file); | |
| 119 | |
| 120 // Grant the child process the ability to use Web UI Bindings. | |
| 121 void GrantWebUIBindings(int child_id); | |
| 122 | |
| 123 // Grant the child process the ability to read raw cookies. | |
| 124 void GrantReadRawCookies(int child_id); | |
| 125 | |
| 126 // Revoke read raw cookies permission. | |
| 127 void RevokeReadRawCookies(int child_id); | |
| 128 | |
| 129 // Before servicing a child process's request for a URL, the browser should | |
| 130 // call this method to determine whether the process has the capability to | |
| 131 // request the URL. | |
| 132 bool CanRequestURL(int child_id, const GURL& url); | |
| 133 | |
| 134 // Whether the process is allowed to commit a document from the given URL. | |
| 135 // This is more restrictive than CanRequestURL, since CanRequestURL allows | |
| 136 // requests that might lead to cross-process navigations or external protocol | |
| 137 // handlers. | |
| 138 bool CanCommitURL(int child_id, const GURL& url); | |
| 139 | |
| 140 // Explicit permissions checks for FileSystemURL specified files. | |
| 141 bool CanReadFileSystemFile(int child_id, const storage::FileSystemURL& url); | |
| 142 bool CanWriteFileSystemFile(int child_id, const storage::FileSystemURL& url); | |
| 143 bool CanCreateFileSystemFile(int child_id, const storage::FileSystemURL& url); | |
| 144 bool CanCreateReadWriteFileSystemFile(int child_id, | |
| 145 const storage::FileSystemURL& url); | |
| 146 bool CanCopyIntoFileSystemFile(int child_id, | |
| 147 const storage::FileSystemURL& url); | |
| 148 bool CanDeleteFileSystemFile(int child_id, const storage::FileSystemURL& url); | |
| 149 | |
| 150 // Returns true if the specified child_id has been granted ReadRawCookies. | |
| 151 bool CanReadRawCookies(int child_id); | |
| 152 | |
| 153 // Sets the process as only permitted to use and see the cookies for the | |
| 154 // given origin. | |
| 155 // Origin lock is applied only if the --site-per-process flag is used. | |
| 156 void LockToOrigin(int child_id, const GURL& gurl); | |
| 157 | |
| 158 // Register FileSystem type and permission policy which should be used | |
| 159 // for the type. The |policy| must be a bitwise-or'd value of | |
| 160 // storage::FilePermissionPolicy. | |
| 161 void RegisterFileSystemPermissionPolicy(storage::FileSystemType type, | |
| 162 int policy); | |
| 163 | |
| 164 // Returns true if sending system exclusive messages is allowed. | |
| 165 bool CanSendMidiSysExMessage(int child_id); | |
| 166 | |
| 167 private: | |
| 168 friend class ChildProcessSecurityPolicyInProcessBrowserTest; | |
| 169 friend class ChildProcessSecurityPolicyTest; | |
| 170 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest, | |
| 171 NoLeak); | |
| 172 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyTest, FilePermissions); | |
| 173 | |
| 174 class SecurityState; | |
| 175 | |
| 176 typedef std::set<std::string> SchemeSet; | |
| 177 typedef std::map<int, SecurityState*> SecurityStateMap; | |
| 178 typedef std::map<int, int> WorkerToMainProcessMap; | |
| 179 typedef std::map<storage::FileSystemType, int> FileSystemPermissionPolicyMap; | |
| 180 | |
| 181 // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance(). | |
| 182 ChildProcessSecurityPolicyImpl(); | |
| 183 friend struct base::DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>; | |
| 184 | |
| 185 // Adds child process during registration. | |
| 186 void AddChild(int child_id); | |
| 187 | |
| 188 // Determines if certain permissions were granted for a file to given child | |
| 189 // process. |permissions| is an internally defined bit-set. | |
| 190 bool ChildProcessHasPermissionsForFile(int child_id, | |
| 191 const base::FilePath& file, | |
| 192 int permissions); | |
| 193 | |
| 194 // Grant a particular permission set for a file. |permissions| is an | |
| 195 // internally defined bit-set. | |
| 196 void GrantPermissionsForFile(int child_id, | |
| 197 const base::FilePath& file, | |
| 198 int permissions); | |
| 199 | |
| 200 // Grants access permission to the given isolated file system | |
| 201 // identified by |filesystem_id|. See comments for | |
| 202 // ChildProcessSecurityPolicy::GrantReadFileSystem() for more details. | |
| 203 void GrantPermissionsForFileSystem( | |
| 204 int child_id, | |
| 205 const std::string& filesystem_id, | |
| 206 int permission); | |
| 207 | |
| 208 // Determines if certain permissions were granted for a file. |permissions| | |
| 209 // is an internally defined bit-set. If |child_id| is a worker process, | |
| 210 // this returns true if either the worker process or its parent renderer | |
| 211 // has permissions for the file. | |
| 212 bool HasPermissionsForFile(int child_id, | |
| 213 const base::FilePath& file, | |
| 214 int permissions); | |
| 215 | |
| 216 // Determines if certain permissions were granted for a file in FileSystem | |
| 217 // API. |permissions| is an internally defined bit-set. | |
| 218 bool HasPermissionsForFileSystemFile(int child_id, | |
| 219 const storage::FileSystemURL& url, | |
| 220 int permissions); | |
| 221 | |
| 222 // Determines if certain permissions were granted for a file system. | |
| 223 // |permissions| is an internally defined bit-set. | |
| 224 bool HasPermissionsForFileSystem( | |
| 225 int child_id, | |
| 226 const std::string& filesystem_id, | |
| 227 int permission); | |
| 228 | |
| 229 // You must acquire this lock before reading or writing any members of this | |
| 230 // class. You must not block while holding this lock. | |
| 231 base::Lock lock_; | |
| 232 | |
| 233 // These schemes are white-listed for all child processes. This set is | |
| 234 // protected by |lock_|. | |
| 235 SchemeSet web_safe_schemes_; | |
| 236 | |
| 237 // These schemes do not actually represent retrievable URLs. For example, | |
| 238 // the the URLs in the "about" scheme are aliases to other URLs. This set is | |
| 239 // protected by |lock_|. | |
| 240 SchemeSet pseudo_schemes_; | |
| 241 | |
| 242 // This map holds a SecurityState for each child process. The key for the | |
| 243 // map is the ID of the ChildProcessHost. The SecurityState objects are | |
| 244 // owned by this object and are protected by |lock_|. References to them must | |
| 245 // not escape this class. | |
| 246 SecurityStateMap security_state_; | |
| 247 | |
| 248 // This maps keeps the record of which js worker thread child process | |
| 249 // corresponds to which main js thread child process. | |
| 250 WorkerToMainProcessMap worker_map_; | |
| 251 | |
| 252 FileSystemPermissionPolicyMap file_system_policy_map_; | |
| 253 | |
| 254 DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl); | |
| 255 }; | |
| 256 | |
| 257 } // namespace content | |
| 258 | |
| 259 #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2108053005:
Pull ChildProcessSecurityPolicyImpl out to shared subfolder (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master