sandbox: Extend BrokerPolicy to support file creation

sandbox/linux/syscall_broker/broker_policy.h

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
 #define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
 
 #include <string>
 #include <vector>
 
 #include "base/macros.h"
+#include "base/memory/scoped_ptr.h"
 
 namespace sandbox {
 namespace syscall_broker {
 
+struct BrokerPermission {

[Jorge Lucangeli Obes, 2014/11/12 17:29:42]

I thought about this a little last night. I think this should be extracted to a
separate file and the different permissions should be made into classes:

BrokerPermission (which composes a string or a base::FilePath).
      |
BrokerPermissionReadOnly...

That way we don't need macros and we let polymorphism take care of the if
statements.

+  std::string path;  // Allowed Path
+  bool recursive;    // Allow everything under this path. |path| must be a dir.
+  bool unlink;       // unlink after openning.
+  bool allow_read;
+  bool allow_write;
+  bool allow_create;
+
+  BrokerPermission(std::string path_,
+                   bool recursive_,
+                   bool unlink_,
+                   bool allow_read_,
+                   bool allow_write_,
+                   bool allow_create_)
+      : path(path_),
+        recursive(recursive_),
+        unlink(unlink_),
+        allow_read(allow_read_),
+        allow_write(allow_write_),
+        allow_create(allow_create_) {}
+};
+
+#define BROKER_PERM_READ_ONLY(path) \
+  BrokerPermission(path, false, false, true, false, false)
+
+#define BROKER_PERM_READ_ONLY_RECURSIVE(path) \
+  BrokerPermission(path, true, false, true, false, false)
+
+#define BROKER_PERM_WRITE_ONLY(path) \
+  BrokerPermission(path, false, false, false, true, false)
+
+#define BROKER_PERM_READ_WRITE(path) \
+  BrokerPermission(path, false, false, true, true, false)
+
+#define BROKER_PERM_READ_WRITE_CREATE(path) \
+  BrokerPermission(path, false, false, true, true, true)
+
+#define BROKER_PERM_READ_WRITE_CREATE_UNLINK(path) \
+  BrokerPermission(path, false, true, true, true, true)
+
+#define BROKER_PERM_READ_WRITE_CREATE_UNLINK_RECURSIVE(path) \
+  BrokerPermission(path, true, true, true, true, true)
+
 // BrokerPolicy allows to define the security policy enforced by a
 // BrokerHost. The BrokerHost will evaluate requests sent over its
 // IPC channel according to the BrokerPolicy.
 // Some of the methods of this class can be used in an async-signal safe
 // way.
 class BrokerPolicy {
  public:
   // |denied_errno| is the error code returned when IPC requests for system
   // calls such as open() or access() are denied because a file is not in the
   // whitelist. EACCESS would be a typical value.
-  // |allowed_r_files| and |allowed_w_files| are white lists of files that
-  // should be allowed for opening, respectively for reading and writing.
-  // A file available read-write should be listed in both.
+  // |permissions| is a list of BrokerPermission objects that define
+  // what the broker will allow.
   BrokerPolicy(int denied_errno,
-               const std::vector<std::string>& allowed_r_files,
-               const std::vector<std::string>& allowed_w_files_);
+               const std::vector<BrokerPermission>& permissions);
+
   ~BrokerPolicy();
 
   // Check if calling access() should be allowed on |requested_filename| with
   // mode |requested_mode|.
   // Note: access() being a system call to check permissions, this can get a bit
   // confusing. We're checking if calling access() should even be allowed with
   // the same policy we would use for open().
   // If |file_to_access| is not NULL, we will return the matching pointer from
   // the whitelist. For paranoia a caller should then use |file_to_access|. See
   // GetFileNameIfAllowedToOpen() for more explanation.
   // return true if calling access() on this file should be allowed, false
   // otherwise.
   // Async signal safe if and only if |file_to_access| is NULL.
   bool GetFileNameIfAllowedToAccess(const char* requested_filename,
                                     int requested_mode,
                                     const char** file_to_access) const;
 
   // Check if |requested_filename| can be opened with flags |requested_flags|.
   // If |file_to_open| is not NULL, we will return the matching pointer from the
   // whitelist. For paranoia, a caller should then use |file_to_open| rather
   // than |requested_filename|, so that it never attempts to open an
   // attacker-controlled file name, even if an attacker managed to fool the
   // string comparison mechanism.
   // Return true if opening should be allowed, false otherwise.
   // Async signal safe if and only if |file_to_open| is NULL.
   bool GetFileNameIfAllowedToOpen(const char* requested_filename,
                                   int requested_flags,
-                                  const char** file_to_open) const;
+                                  const char** file_to_open,
+                                  bool* unlink_after_open) const;
   int denied_errno() const { return denied_errno_; }
 
  private:
   const int denied_errno_;
-  const std::vector<std::string> allowed_r_files_;
-  const std::vector<std::string> allowed_w_files_;
+  const std::vector<BrokerPermission> permissions_;
+  const BrokerPermission* permissions_array_;
+  const size_t num_of_permissions_;
+
   DISALLOW_COPY_AND_ASSIGN(BrokerPolicy);
 };
 
 }  // namespace syscall_broker
 
 }  // namespace sandbox
 
 #endif  // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_