| // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ |
| #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ |
| |
| |
| #include <map> |
| #include <set> |
| #include <string> |
| |
| #include "base/compiler_specific.h" |
| #include "base/gtest_prod_util.h" |
| #include "base/memory/singleton.h" |
| #include "base/synchronization/lock.h" |
| #include "content/public/browser/child_process_security_policy.h" |
| #include "content/public/common/resource_type.h" |
| #include "webkit/common/fileapi/file_system_types.h" |
| |
| class GURL; |
| |
| namespace base { |
| class FilePath; |
| } |
| |
| namespace storage { |
| class FileSystemURL; |
| } |
| |
| namespace content { |
| |
| class CONTENT_EXPORT ChildProcessSecurityPolicyImpl |
| : NON_EXPORTED_BASE(public ChildProcessSecurityPolicy) { |
| public: |
| // Object can only be created through GetInstance() so the constructor is |
| // private. |
| virtual ~ChildProcessSecurityPolicyImpl(); |
| |
| static ChildProcessSecurityPolicyImpl* GetInstance(); |
| |
| // ChildProcessSecurityPolicy implementation. |
| virtual void RegisterWebSafeScheme(const std::string& scheme) OVERRIDE; |
| virtual bool IsWebSafeScheme(const std::string& scheme) OVERRIDE; |
| virtual void GrantReadFile(int child_id, const base::FilePath& file) OVERRIDE; |
| virtual void GrantCreateReadWriteFile(int child_id, |
| const base::FilePath& file) OVERRIDE; |
| virtual void GrantCopyInto(int child_id, const base::FilePath& dir) OVERRIDE; |
| virtual void GrantDeleteFrom(int child_id, |
| const base::FilePath& dir) OVERRIDE; |
| virtual void GrantReadFileSystem( |
| int child_id, |
| const std::string& filesystem_id) OVERRIDE; |
| virtual void GrantWriteFileSystem( |
| int child_id, |
| const std::string& filesystem_id) OVERRIDE; |
| virtual void GrantCreateFileForFileSystem( |
| int child_id, |
| const std::string& filesystem_id) OVERRIDE; |
| virtual void GrantCreateReadWriteFileSystem( |
| int child_id, |
| const std::string& filesystem_id) OVERRIDE; |
| virtual void GrantCopyIntoFileSystem( |
| int child_id, |
| const std::string& filesystem_id) OVERRIDE; |
| virtual void GrantDeleteFromFileSystem( |
| int child_id, |
| const std::string& filesystem_id) OVERRIDE; |
| virtual void GrantScheme(int child_id, const std::string& scheme) OVERRIDE; |
| virtual bool CanReadFile(int child_id, const base::FilePath& file) OVERRIDE; |
| virtual bool CanCreateReadWriteFile(int child_id, |
| const base::FilePath& file) OVERRIDE; |
| virtual bool CanReadFileSystem(int child_id, |
| const std::string& filesystem_id) OVERRIDE; |
| virtual bool CanReadWriteFileSystem( |
| int child_id, |
| const std::string& filesystem_id) OVERRIDE; |
| virtual bool CanCopyIntoFileSystem(int child_id, |
| const std::string& filesystem_id) OVERRIDE; |
| virtual bool CanDeleteFromFileSystem( |
| int child_id, |
| const std::string& filesystem_id) OVERRIDE; |
| virtual bool HasWebUIBindings(int child_id) OVERRIDE; |
| |
| // Pseudo schemes are treated differently than other schemes because they |
| // cannot be requested like normal URLs. There is no mechanism for revoking |
| // pseudo schemes. |
| void RegisterPseudoScheme(const std::string& scheme); |
| |
| // Returns true iff |scheme| has been registered as pseudo scheme. |
| bool IsPseudoScheme(const std::string& scheme); |
| |
| // Upon creation, child processes should register themselves by calling this |
| // this method exactly once. |
| void Add(int child_id); |
| |
| // Upon creation, worker thread child processes should register themselves by |
| // calling this this method exactly once. Workers that are not shared will |
| // inherit permissions from their parent renderer process identified with |
| // |main_render_process_id|. |
| void AddWorker(int worker_child_id, int main_render_process_id); |
| |
| // Upon destruction, child processess should unregister themselves by caling |
| // this method exactly once. |
| void Remove(int child_id); |
| |
| // Whenever the browser processes commands the child process to request a URL, |
| // it should call this method to grant the child process the capability to |
| // request the URL, along with permission to request all URLs of the same |
| // scheme. |
| void GrantRequestURL(int child_id, const GURL& url); |
| |
| // Whenever the browser process drops a file icon on a tab, it should call |
| // this method to grant the child process the capability to request this one |
| // file:// URL, but not all urls of the file:// scheme. |
| void GrantRequestSpecificFileURL(int child_id, const GURL& url); |
| |
| // Revokes all permissions granted to the given file. |
| void RevokeAllPermissionsForFile(int child_id, const base::FilePath& file); |
| |
| // Grant the child process the ability to use Web UI Bindings. |
| void GrantWebUIBindings(int child_id); |
| |
| // Grant the child process the ability to read raw cookies. |
| void GrantReadRawCookies(int child_id); |
| |
| // Revoke read raw cookies permission. |
| void RevokeReadRawCookies(int child_id); |
| |
| // Grants permission to send system exclusive message to any MIDI devices. |
| void GrantSendMidiSysExMessage(int child_id); |
| |
| // Before servicing a child process's request for a URL, the browser should |
| // call this method to determine whether the process has the capability to |
| // request the URL. |
| bool CanRequestURL(int child_id, const GURL& url); |
| |
| // Returns true if the process is permitted to load pages from |
| // the given origin in main frames or subframes. |
| // Only might return false if --site-per-process flag is used. |
| bool CanLoadPage(int child_id, |
| const GURL& url, |
| ResourceType resource_type); |
| |
| // Explicit permissions checks for FileSystemURL specified files. |
| bool CanReadFileSystemFile(int child_id, const storage::FileSystemURL& url); |
| bool CanWriteFileSystemFile(int child_id, const storage::FileSystemURL& url); |
| bool CanCreateFileSystemFile(int child_id, const storage::FileSystemURL& url); |
| bool CanCreateReadWriteFileSystemFile(int child_id, |
| const storage::FileSystemURL& url); |
| bool CanCopyIntoFileSystemFile(int child_id, |
| const storage::FileSystemURL& url); |
| bool CanDeleteFileSystemFile(int child_id, const storage::FileSystemURL& url); |
| |
| // Returns true if the specified child_id has been granted ReadRawCookies. |
| bool CanReadRawCookies(int child_id); |
| |
| // Returns true if the process is permitted to read and modify the cookies for |
| // the given origin. Does not affect cookies attached to or set by network |
| // requests. |
| // Only might return false if the very experimental |
| // --enable-strict-site-isolation or --site-per-process flags are used. |
| bool CanAccessCookiesForOrigin(int child_id, const GURL& gurl); |
| |
| // Returns true if the process is permitted to attach cookies to (or have |
| // cookies set by) network requests. |
| // Only might return false if the very experimental |
| // --enable-strict-site-isolation or --site-per-process flags are used. |
| bool CanSendCookiesForOrigin(int child_id, const GURL& gurl); |
| |
| // Sets the process as only permitted to use and see the cookies for the |
| // given origin. |
| // Only used if the very experimental --enable-strict-site-isolation or |
| // --site-per-process flags are used. |
| void LockToOrigin(int child_id, const GURL& gurl); |
| |
| // Register FileSystem type and permission policy which should be used |
| // for the type. The |policy| must be a bitwise-or'd value of |
| // storage::FilePermissionPolicy. |
| void RegisterFileSystemPermissionPolicy(storage::FileSystemType type, |
| int policy); |
| |
| // Returns true if sending system exclusive messages is allowed. |
| bool CanSendMidiSysExMessage(int child_id); |
| |
| private: |
| friend class ChildProcessSecurityPolicyInProcessBrowserTest; |
| friend class ChildProcessSecurityPolicyTest; |
| FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest, |
| NoLeak); |
| FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyTest, FilePermissions); |
| |
| class SecurityState; |
| |
| typedef std::set<std::string> SchemeSet; |
| typedef std::map<int, SecurityState*> SecurityStateMap; |
| typedef std::map<int, int> WorkerToMainProcessMap; |
| typedef std::map<storage::FileSystemType, int> FileSystemPermissionPolicyMap; |
| |
| // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance(). |
| ChildProcessSecurityPolicyImpl(); |
| friend struct DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>; |
| |
| // Adds child process during registration. |
| void AddChild(int child_id); |
| |
| // Determines if certain permissions were granted for a file to given child |
| // process. |permissions| is an internally defined bit-set. |
| bool ChildProcessHasPermissionsForFile(int child_id, |
| const base::FilePath& file, |
| int permissions); |
| |
| // Grant a particular permission set for a file. |permissions| is an |
| // internally defined bit-set. |
| void GrantPermissionsForFile(int child_id, |
| const base::FilePath& file, |
| int permissions); |
| |
| // Grants access permission to the given isolated file system |
| // identified by |filesystem_id|. See comments for |
| // ChildProcessSecurityPolicy::GrantReadFileSystem() for more details. |
| void GrantPermissionsForFileSystem( |
| int child_id, |
| const std::string& filesystem_id, |
| int permission); |
| |
| // Determines if certain permissions were granted for a file. |permissions| |
| // is an internally defined bit-set. If |child_id| is a worker process, |
| // this returns true if either the worker process or its parent renderer |
| // has permissions for the file. |
| bool HasPermissionsForFile(int child_id, |
| const base::FilePath& file, |
| int permissions); |
| |
| // Determines if certain permissions were granted for a file in FileSystem |
| // API. |permissions| is an internally defined bit-set. |
| bool HasPermissionsForFileSystemFile(int child_id, |
| const storage::FileSystemURL& url, |
| int permissions); |
| |
| // Determines if certain permissions were granted for a file system. |
| // |permissions| is an internally defined bit-set. |
| bool HasPermissionsForFileSystem( |
| int child_id, |
| const std::string& filesystem_id, |
| int permission); |
| |
| // You must acquire this lock before reading or writing any members of this |
| // class. You must not block while holding this lock. |
| base::Lock lock_; |
| |
| // These schemes are white-listed for all child processes. This set is |
| // protected by |lock_|. |
| SchemeSet web_safe_schemes_; |
| |
| // These schemes do not actually represent retrievable URLs. For example, |
| // the the URLs in the "about" scheme are aliases to other URLs. This set is |
| // protected by |lock_|. |
| SchemeSet pseudo_schemes_; |
| |
| // This map holds a SecurityState for each child process. The key for the |
| // map is the ID of the ChildProcessHost. The SecurityState objects are |
| // owned by this object and are protected by |lock_|. References to them must |
| // not escape this class. |
| SecurityStateMap security_state_; |
| |
| // This maps keeps the record of which js worker thread child process |
| // corresponds to which main js thread child process. |
| WorkerToMainProcessMap worker_map_; |
| |
| FileSystemPermissionPolicyMap file_system_policy_map_; |
| |
| DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl); |
| }; |
| |
| } // namespace content |
| |
| #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ |
