| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ | 5 #ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ |
| 6 #define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ | 6 #define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ |
| 7 | 7 |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| 11 #include "base/macros.h" | 11 #include "base/macros.h" |
| 12 | 12 |
| 13 #include "sandbox/linux/syscall_broker/broker_file_permission.h" |
| 14 |
| 13 namespace sandbox { | 15 namespace sandbox { |
| 14 namespace syscall_broker { | 16 namespace syscall_broker { |
| 15 | 17 |
| 16 // BrokerPolicy allows to define the security policy enforced by a | 18 // BrokerPolicy allows to define the security policy enforced by a |
| 17 // BrokerHost. The BrokerHost will evaluate requests sent over its | 19 // BrokerHost. The BrokerHost will evaluate requests sent over its |
| 18 // IPC channel according to the BrokerPolicy. | 20 // IPC channel according to the BrokerPolicy. |
| 19 // Some of the methods of this class can be used in an async-signal safe | 21 // Some of the methods of this class can be used in an async-signal safe |
| 20 // way. | 22 // way. |
| 21 class BrokerPolicy { | 23 class BrokerPolicy { |
| 22 public: | 24 public: |
| 23 // |denied_errno| is the error code returned when IPC requests for system | 25 // |denied_errno| is the error code returned when IPC requests for system |
| 24 // calls such as open() or access() are denied because a file is not in the | 26 // calls such as open() or access() are denied because a file is not in the |
| 25 // whitelist. EACCESS would be a typical value. | 27 // whitelist. EACCESS would be a typical value. |
| 26 // |allowed_r_files| and |allowed_w_files| are white lists of files that | 28 // |permissions| is a list of BrokerPermission objects that define |
| 27 // should be allowed for opening, respectively for reading and writing. | 29 // what the broker will allow. |
| 28 // A file available read-write should be listed in both. | |
| 29 BrokerPolicy(int denied_errno, | 30 BrokerPolicy(int denied_errno, |
| 30 const std::vector<std::string>& allowed_r_files, | 31 const std::vector<BrokerFilePermission>& permissions); |
| 31 const std::vector<std::string>& allowed_w_files_); | 32 |
| 32 ~BrokerPolicy(); | 33 ~BrokerPolicy(); |
| 33 | 34 |
| 34 // Check if calling access() should be allowed on |requested_filename| with | 35 // Check if calling access() should be allowed on |requested_filename| with |
| 35 // mode |requested_mode|. | 36 // mode |requested_mode|. |
| 36 // Note: access() being a system call to check permissions, this can get a bit | 37 // Note: access() being a system call to check permissions, this can get a bit |
| 37 // confusing. We're checking if calling access() should even be allowed with | 38 // confusing. We're checking if calling access() should even be allowed with |
| 38 // the same policy we would use for open(). | 39 // If |file_to_open| is not NULL, a pointer to the path will be returned. |
| 39 // If |file_to_access| is not NULL, we will return the matching pointer from | 40 // In the case of a recursive match, this will be the requested_filename, |
| 40 // the whitelist. For paranoia a caller should then use |file_to_access|. See | 41 // otherwise it will return the matching pointer from the |
| 42 // whitelist. For paranoia a caller should then use |file_to_access|. See |
| 41 // GetFileNameIfAllowedToOpen() for more explanation. | 43 // GetFileNameIfAllowedToOpen() for more explanation. |
| 42 // return true if calling access() on this file should be allowed, false | 44 // return true if calling access() on this file should be allowed, false |
| 43 // otherwise. | 45 // otherwise. |
| 44 // Async signal safe if and only if |file_to_access| is NULL. | 46 // Async signal safe if and only if |file_to_access| is NULL. |
| 45 bool GetFileNameIfAllowedToAccess(const char* requested_filename, | 47 bool GetFileNameIfAllowedToAccess(const char* requested_filename, |
| 46 int requested_mode, | 48 int requested_mode, |
| 47 const char** file_to_access) const; | 49 const char** file_to_access) const; |
| 48 | 50 |
| 49 // Check if |requested_filename| can be opened with flags |requested_flags|. | 51 // Check if |requested_filename| can be opened with flags |requested_flags|. |
| 50 // If |file_to_open| is not NULL, we will return the matching pointer from the | 52 // If |file_to_open| is not NULL, a pointer to the path will be returned. |
| 53 // In the case of a recursive match, this will be the requested_filename, |
| 54 // otherwise it will return the matching pointer from the |
| 51 // whitelist. For paranoia, a caller should then use |file_to_open| rather | 55 // whitelist. For paranoia, a caller should then use |file_to_open| rather |
| 52 // than |requested_filename|, so that it never attempts to open an | 56 // than |requested_filename|, so that it never attempts to open an |
| 53 // attacker-controlled file name, even if an attacker managed to fool the | 57 // attacker-controlled file name, even if an attacker managed to fool the |
| 54 // string comparison mechanism. | 58 // string comparison mechanism. |
| 59 // |unlink_after_open| if not NULL will be set to point to true if the |
| 60 // policy requests the caller unlink the path after opening. |
| 55 // Return true if opening should be allowed, false otherwise. | 61 // Return true if opening should be allowed, false otherwise. |
| 56 // Async signal safe if and only if |file_to_open| is NULL. | 62 // Async signal safe if and only if |file_to_open| is NULL. |
| 57 bool GetFileNameIfAllowedToOpen(const char* requested_filename, | 63 bool GetFileNameIfAllowedToOpen(const char* requested_filename, |
| 58 int requested_flags, | 64 int requested_flags, |
| 59 const char** file_to_open) const; | 65 const char** file_to_open, |
| 66 bool* unlink_after_open) const; |
| 60 int denied_errno() const { return denied_errno_; } | 67 int denied_errno() const { return denied_errno_; } |
| 61 | 68 |
| 62 private: | 69 private: |
| 63 const int denied_errno_; | 70 const int denied_errno_; |
| 64 const std::vector<std::string> allowed_r_files_; | 71 // The permissions_ vector is used as storage for the BrokerFilePermission |
| 65 const std::vector<std::string> allowed_w_files_; | 72 // objects but is not referenced outside of the constructor as |
| 73 // vectors are unfriendly in async signal safe code. |
| 74 const std::vector<BrokerFilePermission> permissions_; |
| 75 // permissions_array_ is set up to point to the backing store of |
| 76 // permissions_ and is used in async signal safe methods. |
| 77 const BrokerFilePermission* permissions_array_; |
| 78 const size_t num_of_permissions_; |
| 79 |
| 66 DISALLOW_COPY_AND_ASSIGN(BrokerPolicy); | 80 DISALLOW_COPY_AND_ASSIGN(BrokerPolicy); |
| 67 }; | 81 }; |
| 68 | 82 |
| 69 } // namespace syscall_broker | 83 } // namespace syscall_broker |
| 70 | 84 |
| 71 } // namespace sandbox | 85 } // namespace sandbox |
| 72 | 86 |
| 73 #endif // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ | 87 #endif // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 761903003:
Update from https://crrev.com/306655 (Closed)
Base URL: git@github.com:domokit/mojo.git@master