Chromium Code Reviews| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ | |
| 6 #define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ | |
| 7 | |
| 8 #include <string> | |
| 9 #include <vector> | |
| 10 | |
| 11 namespace sandbox { | |
| 12 namespace syscall_broker { | |
| 13 | |
| 14 class BrokerPolicy { | |
| 15 public: | |
| 16 BrokerPolicy(int denied_errno, | |
| 17 const std::vector<std::string>& allowed_r_files, | |
| 18 const std::vector<std::string>& allowed_w_files_); | |
| 19 ~BrokerPolicy(); | |
| 20 | |
| 21 // Check if calling access() should be allowed on |requested_filename| with | |
| 22 // mode |requested_mode|. | |
| 23 // Note: access() being a system call to check permissions, this can get a bit | |
| 24 // confusing. We're checking if calling access() should even be allowed with | |
| 25 // the same policy we would use for open(). | |
| 26 // If |file_to_access| is not NULL, we will return the matching pointer from | |
| 27 // the whitelist. For paranoia a caller should then use |file_to_access|. See | |
| 28 // GetFileNameIfAllowedToOpen() fore more explanation. | |
|
leecam
2014/10/31 21:06:25
for
jln (very slow on Chromium)
2014/10/31 21:43:19
Done.
| |
| 29 // return true if calling access() on this file should be allowed, false | |
| 30 // otherwise. | |
| 31 // Async signal safe if and only if |file_to_access| is NULL. | |
| 32 bool GetFileNameIfAllowedToAccess(const char* requested_filename, | |
| 33 int requested_mode, | |
| 34 const char** file_to_access) const; | |
| 35 | |
| 36 // Check if |requested_filename| can be opened with flags |requested_flags|. | |
| 37 // If |file_to_open| is not NULL, we will return the matching pointer from the | |
| 38 // whitelist. For paranoia, a caller should then use |file_to_open| rather | |
| 39 // than |requested_filename|, so that it never attempts to open an | |
| 40 // attacker-controlled file name, even if an attacker managed to fool the | |
| 41 // string comparison mechanism. | |
| 42 // Return true if opening should be allowed, false otherwise. | |
| 43 // Async signal safe if and only if |file_to_open| is NULL. | |
| 44 bool GetFileNameIfAllowedToOpen(const char* requested_filename, | |
| 45 int requested_flags, | |
| 46 const char** file_to_open) const; | |
| 47 int denied_errno() const { return denied_errno_; } | |
| 48 | |
| 49 private: | |
| 50 const int denied_errno_; | |
| 51 const std::vector<std::string> allowed_r_files_; | |
| 52 const std::vector<std::string> allowed_w_files_; | |
| 53 }; | |
| 54 | |
| 55 } // namespace syscall_broker | |
| 56 | |
| 57 } // namespace sandbox | |
| 58 | |
| 59 #endif // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ | |
| OLD | NEW |