| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ |
| 6 #define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ |
| 7 |
| 8 #include <string> |
| 9 #include <vector> |
| 10 |
| 11 #include "base/macros.h" |
| 12 |
| 13 namespace sandbox { |
| 14 namespace syscall_broker { |
| 15 |
| 16 // BrokerPolicy allows to define the security policy enforced by a |
| 17 // BrokerHost. The BrokerHost will evaluate requests sent over its |
| 18 // IPC channel according to the BrokerPolicy. |
| 19 // Some of the methods of this class can be used in an async-signal safe |
| 20 // way. |
| 21 class BrokerPolicy { |
| 22 public: |
| 23 // |denied_errno| is the error code returned when IPC requests for system |
| 24 // calls such as open() or access() are denied because a file is not in the |
| 25 // whitelist. EACCESS would be a typical value. |
| 26 // |allowed_r_files| and |allowed_w_files| are white lists of files that |
| 27 // should be allowed for opening, respectively for reading and writing. |
| 28 // A file available read-write should be listed in both. |
| 29 BrokerPolicy(int denied_errno, |
| 30 const std::vector<std::string>& allowed_r_files, |
| 31 const std::vector<std::string>& allowed_w_files_); |
| 32 ~BrokerPolicy(); |
| 33 |
| 34 // Check if calling access() should be allowed on |requested_filename| with |
| 35 // mode |requested_mode|. |
| 36 // Note: access() being a system call to check permissions, this can get a bit |
| 37 // confusing. We're checking if calling access() should even be allowed with |
| 38 // the same policy we would use for open(). |
| 39 // If |file_to_access| is not NULL, we will return the matching pointer from |
| 40 // the whitelist. For paranoia a caller should then use |file_to_access|. See |
| 41 // GetFileNameIfAllowedToOpen() for more explanation. |
| 42 // return true if calling access() on this file should be allowed, false |
| 43 // otherwise. |
| 44 // Async signal safe if and only if |file_to_access| is NULL. |
| 45 bool GetFileNameIfAllowedToAccess(const char* requested_filename, |
| 46 int requested_mode, |
| 47 const char** file_to_access) const; |
| 48 |
| 49 // Check if |requested_filename| can be opened with flags |requested_flags|. |
| 50 // If |file_to_open| is not NULL, we will return the matching pointer from the |
| 51 // whitelist. For paranoia, a caller should then use |file_to_open| rather |
| 52 // than |requested_filename|, so that it never attempts to open an |
| 53 // attacker-controlled file name, even if an attacker managed to fool the |
| 54 // string comparison mechanism. |
| 55 // Return true if opening should be allowed, false otherwise. |
| 56 // Async signal safe if and only if |file_to_open| is NULL. |
| 57 bool GetFileNameIfAllowedToOpen(const char* requested_filename, |
| 58 int requested_flags, |
| 59 const char** file_to_open) const; |
| 60 int denied_errno() const { return denied_errno_; } |
| 61 |
| 62 private: |
| 63 const int denied_errno_; |
| 64 const std::vector<std::string> allowed_r_files_; |
| 65 const std::vector<std::string> allowed_w_files_; |
| 66 DISALLOW_COPY_AND_ASSIGN(BrokerPolicy); |
| 67 }; |
| 68 |
| 69 } // namespace syscall_broker |
| 70 |
| 71 } // namespace sandbox |
| 72 |
| 73 #endif // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 693943003:
Update from https://crrev.com/302630 (Closed)
Base URL: git@github.com:domokit/mojo.git@master