Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(350)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: sandbox/linux/syscall_broker/broker_policy.h

Issue 761903003: Update from https://crrev.com/306655 (Closed) Base URL: git@github.com:domokit/mojo.git@master
Patch Set: Created 6 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « sandbox/linux/syscall_broker/broker_host.cc ('k') | sandbox/linux/syscall_broker/broker_policy.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: sandbox/linux/syscall_broker/broker_policy.h
diff --git a/sandbox/linux/syscall_broker/broker_policy.h b/sandbox/linux/syscall_broker/broker_policy.h
index ef5bdfa138c5872224a659d8655828d0ee78562b..d5146edc06a200fe963610b8015199806255db2d 100644
--- a/sandbox/linux/syscall_broker/broker_policy.h
+++ b/sandbox/linux/syscall_broker/broker_policy.h
@@ -10,6 +10,8 @@
#include "base/macros.h"
+#include "sandbox/linux/syscall_broker/broker_file_permission.h"
+
namespace sandbox {
namespace syscall_broker {
@@ -23,21 +25,21 @@ class BrokerPolicy {
// |denied_errno| is the error code returned when IPC requests for system
// calls such as open() or access() are denied because a file is not in the
// whitelist. EACCESS would be a typical value.
- // |allowed_r_files| and |allowed_w_files| are white lists of files that
- // should be allowed for opening, respectively for reading and writing.
- // A file available read-write should be listed in both.
+ // |permissions| is a list of BrokerPermission objects that define
+ // what the broker will allow.
BrokerPolicy(int denied_errno,
- const std::vector<std::string>& allowed_r_files,
- const std::vector<std::string>& allowed_w_files_);
+ const std::vector<BrokerFilePermission>& permissions);
+
~BrokerPolicy();
// Check if calling access() should be allowed on |requested_filename| with
// mode |requested_mode|.
// Note: access() being a system call to check permissions, this can get a bit
// confusing. We're checking if calling access() should even be allowed with
- // the same policy we would use for open().
- // If |file_to_access| is not NULL, we will return the matching pointer from
- // the whitelist. For paranoia a caller should then use |file_to_access|. See
+ // If |file_to_open| is not NULL, a pointer to the path will be returned.
+ // In the case of a recursive match, this will be the requested_filename,
+ // otherwise it will return the matching pointer from the
+ // whitelist. For paranoia a caller should then use |file_to_access|. See
// GetFileNameIfAllowedToOpen() for more explanation.
// return true if calling access() on this file should be allowed, false
// otherwise.
@@ -47,22 +49,34 @@ class BrokerPolicy {
const char** file_to_access) const;
// Check if |requested_filename| can be opened with flags |requested_flags|.
- // If |file_to_open| is not NULL, we will return the matching pointer from the
+ // If |file_to_open| is not NULL, a pointer to the path will be returned.
+ // In the case of a recursive match, this will be the requested_filename,
+ // otherwise it will return the matching pointer from the
// whitelist. For paranoia, a caller should then use |file_to_open| rather
// than |requested_filename|, so that it never attempts to open an
// attacker-controlled file name, even if an attacker managed to fool the
// string comparison mechanism.
+ // |unlink_after_open| if not NULL will be set to point to true if the
+ // policy requests the caller unlink the path after opening.
// Return true if opening should be allowed, false otherwise.
// Async signal safe if and only if |file_to_open| is NULL.
bool GetFileNameIfAllowedToOpen(const char* requested_filename,
int requested_flags,
- const char** file_to_open) const;
+ const char** file_to_open,
+ bool* unlink_after_open) const;
int denied_errno() const { return denied_errno_; }
private:
const int denied_errno_;
- const std::vector<std::string> allowed_r_files_;
- const std::vector<std::string> allowed_w_files_;
+ // The permissions_ vector is used as storage for the BrokerFilePermission
+ // objects but is not referenced outside of the constructor as
+ // vectors are unfriendly in async signal safe code.
+ const std::vector<BrokerFilePermission> permissions_;
+ // permissions_array_ is set up to point to the backing store of
+ // permissions_ and is used in async signal safe methods.
+ const BrokerFilePermission* permissions_array_;
+ const size_t num_of_permissions_;
+
DISALLOW_COPY_AND_ASSIGN(BrokerPolicy);
};
« no previous file with comments | « sandbox/linux/syscall_broker/broker_host.cc ('k') | sandbox/linux/syscall_broker/broker_policy.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698