content/browser/child_process_security_policy_impl.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
   6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
   7
   8
   9 #include <map>
  10 #include <set>
  11 #include <string>
  12
  13 #include "base/compiler_specific.h"
  14 #include "base/gtest_prod_util.h"
  15 #include "base/memory/singleton.h"
  16 #include "base/synchronization/lock.h"
  17 #include "content/public/browser/child_process_security_policy.h"
  18 #include "content/public/common/resource_type.h"
  19 #include "storage/common/fileapi/file_system_types.h"
  20
  21 class GURL;
  22
  23 namespace base {
  24 class FilePath;
  25 }
  26
  27 namespace storage {
  28 class FileSystemURL;
  29 }
  30
  31 namespace content {
  32
  33 class CONTENT_EXPORT ChildProcessSecurityPolicyImpl
  34     : NON_EXPORTED_BASE(public ChildProcessSecurityPolicy) {
  35  public:
  36   // Object can only be created through GetInstance() so the constructor is
  37   // private.
  38   ~ChildProcessSecurityPolicyImpl() override;
  39
  40   static ChildProcessSecurityPolicyImpl* GetInstance();
  41
  42   // ChildProcessSecurityPolicy implementation.
  43   void RegisterWebSafeScheme(const std::string& scheme) override;
  44   bool IsWebSafeScheme(const std::string& scheme) override;
  45   void GrantReadFile(int child_id, const base::FilePath& file) override;
  46   void GrantCreateReadWriteFile(int child_id,
  47                                 const base::FilePath& file) override;
  48   void GrantCopyInto(int child_id, const base::FilePath& dir) override;
  49   void GrantDeleteFrom(int child_id, const base::FilePath& dir) override;
  50   void GrantReadFileSystem(int child_id,
  51                            const std::string& filesystem_id) override;
  52   void GrantWriteFileSystem(int child_id,
  53                             const std::string& filesystem_id) override;
  54   void GrantCreateFileForFileSystem(int child_id,
  55                                     const std::string& filesystem_id) override;
  56   void GrantCreateReadWriteFileSystem(
  57       int child_id,
  58       const std::string& filesystem_id) override;
  59   void GrantCopyIntoFileSystem(int child_id,
  60                                const std::string& filesystem_id) override;
  61   void GrantDeleteFromFileSystem(int child_id,
  62                                  const std::string& filesystem_id) override;
  63   void GrantScheme(int child_id, const std::string& scheme) override;
  64   bool CanReadFile(int child_id, const base::FilePath& file) override;
  65   bool CanCreateReadWriteFile(int child_id,
  66                               const base::FilePath& file) override;
  67   bool CanReadFileSystem(int child_id,
  68                          const std::string& filesystem_id) override;
  69   bool CanReadWriteFileSystem(int child_id,
  70                               const std::string& filesystem_id) override;
  71   bool CanCopyIntoFileSystem(int child_id,
  72                              const std::string& filesystem_id) override;
  73   bool CanDeleteFromFileSystem(int child_id,
  74                                const std::string& filesystem_id) override;
  75   bool HasWebUIBindings(int child_id) override;
  76   void GrantSendMidiSysExMessage(int child_id) override;
  77   bool CanAccessDataForOrigin(int child_id, const GURL& url) override;
  78
  79   // Pseudo schemes are treated differently than other schemes because they
  80   // cannot be requested like normal URLs.  There is no mechanism for revoking
  81   // pseudo schemes.
  82   void RegisterPseudoScheme(const std::string& scheme);
  83
  84   // Returns true iff |scheme| has been registered as pseudo scheme.
  85   bool IsPseudoScheme(const std::string& scheme);
  86
  87   // Upon creation, child processes should register themselves by calling this
  88   // this method exactly once.
  89   void Add(int child_id);
  90
  91   // Upon creation, worker thread child processes should register themselves by
  92   // calling this this method exactly once. Workers that are not shared will
  93   // inherit permissions from their parent renderer process identified with
  94   // |main_render_process_id|.
  95   void AddWorker(int worker_child_id, int main_render_process_id);
  96
  97   // Upon destruction, child processess should unregister themselves by caling
  98   // this method exactly once.
  99   void Remove(int child_id);
 100
 101   // Whenever the browser processes commands the child process to request a URL,
 102   // it should call this method to grant the child process the capability to
 103   // request the URL, along with permission to request all URLs of the same
 104   // scheme.
 105   void GrantRequestURL(int child_id, const GURL& url);
 106
 107   // Whenever the browser process drops a file icon on a tab, it should call
 108   // this method to grant the child process the capability to request this one
 109   // file:// URL, but not all urls of the file:// scheme.
 110   void GrantRequestSpecificFileURL(int child_id, const GURL& url);
 111
 112   // Revokes all permissions granted to the given file.
 113   void RevokeAllPermissionsForFile(int child_id, const base::FilePath& file);
 114
 115   // Grant the child process the ability to use Web UI Bindings.
 116   void GrantWebUIBindings(int child_id);
 117
 118   // Grant the child process the ability to read raw cookies.
 119   void GrantReadRawCookies(int child_id);
 120
 121   // Revoke read raw cookies permission.
 122   void RevokeReadRawCookies(int child_id);
 123
 124   // Before servicing a child process's request for a URL, the browser should
 125   // call this method to determine whether the process has the capability to
 126   // request the URL.
 127   bool CanRequestURL(int child_id, const GURL& url);
 128
 129   // Whether the process is allowed to commit a document from the given URL.
 130   // This is more restrictive than CanRequestURL, since CanRequestURL allows
 131   // requests that might lead to cross-process navigations or external protocol
 132   // handlers.
 133   bool CanCommitURL(int child_id, const GURL& url);
 134
 135   // Explicit permissions checks for FileSystemURL specified files.
 136   bool CanReadFileSystemFile(int child_id, const storage::FileSystemURL& url);
 137   bool CanWriteFileSystemFile(int child_id, const storage::FileSystemURL& url);
 138   bool CanCreateFileSystemFile(int child_id, const storage::FileSystemURL& url);
 139   bool CanCreateReadWriteFileSystemFile(int child_id,
 140                                         const storage::FileSystemURL& url);
 141   bool CanCopyIntoFileSystemFile(int child_id,
 142                                  const storage::FileSystemURL& url);
 143   bool CanDeleteFileSystemFile(int child_id, const storage::FileSystemURL& url);
 144
 145   // Returns true if the specified child_id has been granted ReadRawCookies.
 146   bool CanReadRawCookies(int child_id);
 147
 148   // Sets the process as only permitted to use and see the cookies for the
 149   // given origin.
 150   // Origin lock is applied only if the --site-per-process flag is used.
 151   void LockToOrigin(int child_id, const GURL& gurl);
 152
 153   // Register FileSystem type and permission policy which should be used
 154   // for the type.  The |policy| must be a bitwise-or'd value of
 155   // storage::FilePermissionPolicy.
 156   void RegisterFileSystemPermissionPolicy(storage::FileSystemType type,
 157                                           int policy);
 158
 159   // Returns true if sending system exclusive messages is allowed.
 160   bool CanSendMidiSysExMessage(int child_id);
 161
 162  private:
 163   friend class ChildProcessSecurityPolicyInProcessBrowserTest;
 164   friend class ChildProcessSecurityPolicyTest;
 165   FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest,
 166                            NoLeak);
 167   FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyTest, FilePermissions);
 168
 169   class SecurityState;
 170
 171   typedef std::set<std::string> SchemeSet;
 172   typedef std::map<int, SecurityState*> SecurityStateMap;
 173   typedef std::map<int, int> WorkerToMainProcessMap;
 174   typedef std::map<storage::FileSystemType, int> FileSystemPermissionPolicyMap;
 175
 176   // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance().
 177   ChildProcessSecurityPolicyImpl();
 178   friend struct DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>;
 179
 180   // Adds child process during registration.
 181   void AddChild(int child_id);
 182
 183   // Determines if certain permissions were granted for a file to given child
 184   // process. |permissions| is an internally defined bit-set.
 185   bool ChildProcessHasPermissionsForFile(int child_id,
 186                                          const base::FilePath& file,
 187                                          int permissions);
 188
 189   // Grant a particular permission set for a file. |permissions| is an
 190   // internally defined bit-set.
 191   void GrantPermissionsForFile(int child_id,
 192                                const base::FilePath& file,
 193                                int permissions);
 194
 195   // Grants access permission to the given isolated file system
 196   // identified by |filesystem_id|.  See comments for
 197   // ChildProcessSecurityPolicy::GrantReadFileSystem() for more details.
 198   void GrantPermissionsForFileSystem(
 199       int child_id,
 200       const std::string& filesystem_id,
 201       int permission);
 202
 203   // Determines if certain permissions were granted for a file. |permissions|
 204   // is an internally defined bit-set. If |child_id| is a worker process,
 205   // this returns true if either the worker process or its parent renderer
 206   // has permissions for the file.
 207   bool HasPermissionsForFile(int child_id,
 208                              const base::FilePath& file,
 209                              int permissions);
 210
 211   // Determines if certain permissions were granted for a file in FileSystem
 212   // API. |permissions| is an internally defined bit-set.
 213   bool HasPermissionsForFileSystemFile(int child_id,
 214                                        const storage::FileSystemURL& url,
 215                                        int permissions);
 216
 217   // Determines if certain permissions were granted for a file system.
 218   // |permissions| is an internally defined bit-set.
 219   bool HasPermissionsForFileSystem(
 220       int child_id,
 221       const std::string& filesystem_id,
 222       int permission);
 223
 224   // You must acquire this lock before reading or writing any members of this
 225   // class.  You must not block while holding this lock.
 226   base::Lock lock_;
 227
 228   // These schemes are white-listed for all child processes.  This set is
 229   // protected by |lock_|.
 230   SchemeSet web_safe_schemes_;
 231
 232   // These schemes do not actually represent retrievable URLs.  For example,
 233   // the the URLs in the "about" scheme are aliases to other URLs.  This set is
 234   // protected by |lock_|.
 235   SchemeSet pseudo_schemes_;
 236
 237   // This map holds a SecurityState for each child process.  The key for the
 238   // map is the ID of the ChildProcessHost.  The SecurityState objects are
 239   // owned by this object and are protected by |lock_|.  References to them must
 240   // not escape this class.
 241   SecurityStateMap security_state_;
 242
 243   // This maps keeps the record of which js worker thread child process
 244   // corresponds to which main js thread child process.
 245   WorkerToMainProcessMap worker_map_;
 246
 247   FileSystemPermissionPolicyMap file_system_policy_map_;
 248
 249   DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl);
 250 };
 251
 252 }  // namespace content
 253
 254 #endif  // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_