1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "content/browser/child_process_security_policy_impl.h"
7 #include "base/command_line.h"
8 #include "base/files/file_path.h"
9 #include "base/logging.h"
10 #include "base/metrics/histogram.h"
11 #include "base/stl_util.h"
12 #include "base/strings/string_util.h"
13 #include "content/browser/plugin_process_host.h"
14 #include "content/browser/site_instance_impl.h"
15 #include "content/public/browser/child_process_data.h"
16 #include "content/public/browser/content_browser_client.h"
17 #include "content/public/browser/render_process_host.h"
18 #include "content/public/common/bindings_policy.h"
19 #include "content/public/common/content_switches.h"
20 #include "content/public/common/url_constants.h"
21 #include "net/base/filename_util.h"
22 #include "net/url_request/url_request.h"
24 #include "webkit/browser/fileapi/file_permission_policy.h"
25 #include "webkit/browser/fileapi/file_system_url.h"
26 #include "webkit/browser/fileapi/isolated_context.h"
27 #include "webkit/common/fileapi/file_system_util.h"
33 // Used internally only. These bit positions have no relationship to any
34 // underlying OS and can be changed to accommodate finer-grained permissions.
35 enum ChildProcessSecurityPermissions
{
36 READ_FILE_PERMISSION
= 1 << 0,
37 WRITE_FILE_PERMISSION
= 1 << 1,
38 CREATE_NEW_FILE_PERMISSION
= 1 << 2,
39 CREATE_OVERWRITE_FILE_PERMISSION
= 1 << 3,
40 DELETE_FILE_PERMISSION
= 1 << 4,
42 // Used by Media Galleries API
43 COPY_INTO_FILE_PERMISSION
= 1 << 5,
46 // Used internally only. Bitmasks that are actually used by the Grant* and Can*
47 // methods. These contain one or more ChildProcessSecurityPermissions.
48 enum ChildProcessSecurityGrants
{
49 READ_FILE_GRANT
= READ_FILE_PERMISSION
,
50 WRITE_FILE_GRANT
= WRITE_FILE_PERMISSION
,
52 CREATE_NEW_FILE_GRANT
= CREATE_NEW_FILE_PERMISSION
|
53 COPY_INTO_FILE_PERMISSION
,
55 CREATE_READ_WRITE_FILE_GRANT
= CREATE_NEW_FILE_PERMISSION
|
56 CREATE_OVERWRITE_FILE_PERMISSION
|
57 READ_FILE_PERMISSION
|
58 WRITE_FILE_PERMISSION
|
59 COPY_INTO_FILE_PERMISSION
|
60 DELETE_FILE_PERMISSION
,
62 COPY_INTO_FILE_GRANT
= COPY_INTO_FILE_PERMISSION
,
63 DELETE_FILE_GRANT
= DELETE_FILE_PERMISSION
,
68 // The SecurityState class is used to maintain per-child process security state
70 class ChildProcessSecurityPolicyImpl::SecurityState
{
73 : enabled_bindings_(0),
74 can_read_raw_cookies_(false),
75 can_send_midi_sysex_(false) { }
78 scheme_policy_
.clear();
79 storage::IsolatedContext
* isolated_context
=
80 storage::IsolatedContext::GetInstance();
81 for (FileSystemMap::iterator iter
= filesystem_permissions_
.begin();
82 iter
!= filesystem_permissions_
.end();
84 isolated_context
->RemoveReference(iter
->first
);
86 UMA_HISTOGRAM_COUNTS("ChildProcessSecurityPolicy.PerChildFilePermissions",
87 file_permissions_
.size());
90 // Grant permission to request URLs with the specified scheme.
91 void GrantScheme(const std::string
& scheme
) {
92 scheme_policy_
[scheme
] = true;
95 // Revoke permission to request URLs with the specified scheme.
96 void RevokeScheme(const std::string
& scheme
) {
97 scheme_policy_
[scheme
] = false;
100 // Grant certain permissions to a file.
101 void GrantPermissionsForFile(const base::FilePath
& file
, int permissions
) {
102 base::FilePath stripped
= file
.StripTrailingSeparators();
103 file_permissions_
[stripped
] |= permissions
;
104 UMA_HISTOGRAM_COUNTS("ChildProcessSecurityPolicy.FilePermissionPathLength",
105 stripped
.value().size());
108 // Grant navigation to a file but not the file:// scheme in general.
109 void GrantRequestOfSpecificFile(const base::FilePath
&file
) {
110 request_file_set_
.insert(file
.StripTrailingSeparators());
113 // Revokes all permissions granted to a file.
114 void RevokeAllPermissionsForFile(const base::FilePath
& file
) {
115 base::FilePath stripped
= file
.StripTrailingSeparators();
116 file_permissions_
.erase(stripped
);
117 request_file_set_
.erase(stripped
);
120 // Grant certain permissions to a file.
121 void GrantPermissionsForFileSystem(const std::string
& filesystem_id
,
123 if (!ContainsKey(filesystem_permissions_
, filesystem_id
))
124 storage::IsolatedContext::GetInstance()->AddReference(filesystem_id
);
125 filesystem_permissions_
[filesystem_id
] |= permissions
;
128 bool HasPermissionsForFileSystem(const std::string
& filesystem_id
,
130 FileSystemMap::const_iterator it
=
131 filesystem_permissions_
.find(filesystem_id
);
132 if (it
== filesystem_permissions_
.end())
134 return (it
->second
& permissions
) == permissions
;
137 #if defined(OS_ANDROID)
138 // Determine if the certain permissions have been granted to a content URI.
139 bool HasPermissionsForContentUri(const base::FilePath
& file
,
141 DCHECK(!file
.empty());
142 DCHECK(file
.IsContentUri());
145 base::FilePath file_path
= file
.StripTrailingSeparators();
146 FileMap::const_iterator it
= file_permissions_
.find(file_path
);
147 if (it
!= file_permissions_
.end())
148 return (it
->second
& permissions
) == permissions
;
153 void GrantBindings(int bindings
) {
154 enabled_bindings_
|= bindings
;
157 void GrantReadRawCookies() {
158 can_read_raw_cookies_
= true;
161 void RevokeReadRawCookies() {
162 can_read_raw_cookies_
= false;
165 void GrantPermissionForMidiSysEx() {
166 can_send_midi_sysex_
= true;
169 // Determine whether permission has been granted to request |url|.
170 bool CanRequestURL(const GURL
& url
) {
171 // Having permission to a scheme implies permssion to all of its URLs.
172 SchemeMap::const_iterator
judgment(scheme_policy_
.find(url
.scheme()));
173 if (judgment
!= scheme_policy_
.end())
174 return judgment
->second
;
176 // file:// URLs are more granular. The child may have been given
177 // permission to a specific file but not the file:// scheme in general.
178 if (url
.SchemeIs(url::kFileScheme
)) {
180 if (net::FileURLToFilePath(url
, &path
))
181 return ContainsKey(request_file_set_
, path
);
184 return false; // Unmentioned schemes are disallowed.
187 // Determine if the certain permissions have been granted to a file.
188 bool HasPermissionsForFile(const base::FilePath
& file
, int permissions
) {
189 #if defined(OS_ANDROID)
190 if (file
.IsContentUri())
191 return HasPermissionsForContentUri(file
, permissions
);
193 if (!permissions
|| file
.empty() || !file
.IsAbsolute())
195 base::FilePath current_path
= file
.StripTrailingSeparators();
196 base::FilePath last_path
;
198 while (current_path
!= last_path
) {
199 base::FilePath base_name
= current_path
.BaseName();
200 if (base_name
.value() == base::FilePath::kParentDirectory
) {
202 } else if (skip
> 0) {
203 if (base_name
.value() != base::FilePath::kCurrentDirectory
)
206 FileMap::const_iterator it
= file_permissions_
.find(current_path
);
207 if (it
!= file_permissions_
.end())
208 return (it
->second
& permissions
) == permissions
;
210 last_path
= current_path
;
211 current_path
= current_path
.DirName();
217 bool CanLoadPage(const GURL
& gurl
) {
218 if (origin_lock_
.is_empty())
221 // TODO(creis): We must pass the valid browser_context to convert hosted
222 // apps URLs. Currently, hosted apps cannot be loaded in this mode.
223 // See http://crbug.com/160576.
224 GURL site_gurl
= SiteInstanceImpl::GetSiteForURL(NULL
, gurl
);
225 return origin_lock_
== site_gurl
;
228 bool CanAccessCookiesForOrigin(const GURL
& gurl
) {
229 if (origin_lock_
.is_empty())
231 // TODO(creis): We must pass the valid browser_context to convert hosted
232 // apps URLs. Currently, hosted apps cannot set cookies in this mode.
233 // See http://crbug.com/160576.
234 GURL site_gurl
= SiteInstanceImpl::GetSiteForURL(NULL
, gurl
);
235 return origin_lock_
== site_gurl
;
238 bool CanSendCookiesForOrigin(const GURL
& gurl
) {
239 // We only block cross-site cookies on network requests if the
240 // --enable-strict-site-isolation flag is passed. This is expected to break
241 // compatibility with many sites. The similar --site-per-process flag only
242 // blocks JavaScript access to cross-site cookies (in
243 // CanAccessCookiesForOrigin).
244 const base::CommandLine
& command_line
=
245 *base::CommandLine::ForCurrentProcess();
246 if (!command_line
.HasSwitch(switches::kEnableStrictSiteIsolation
))
249 if (origin_lock_
.is_empty())
251 // TODO(creis): We must pass the valid browser_context to convert hosted
252 // apps URLs. Currently, hosted apps cannot set cookies in this mode.
253 // See http://crbug.com/160576.
254 GURL site_gurl
= SiteInstanceImpl::GetSiteForURL(NULL
, gurl
);
255 return origin_lock_
== site_gurl
;
258 void LockToOrigin(const GURL
& gurl
) {
262 bool has_web_ui_bindings() const {
263 return enabled_bindings_
& BINDINGS_POLICY_WEB_UI
;
266 bool can_read_raw_cookies() const {
267 return can_read_raw_cookies_
;
270 bool can_send_midi_sysex() const {
271 return can_send_midi_sysex_
;
275 typedef std::map
<std::string
, bool> SchemeMap
;
277 typedef int FilePermissionFlags
; // bit-set of base::File::Flags
278 typedef std::map
<base::FilePath
, FilePermissionFlags
> FileMap
;
279 typedef std::map
<std::string
, FilePermissionFlags
> FileSystemMap
;
280 typedef std::set
<base::FilePath
> FileSet
;
282 // Maps URL schemes to whether permission has been granted or revoked:
283 // |true| means the scheme has been granted.
284 // |false| means the scheme has been revoked.
285 // If a scheme is not present in the map, then it has never been granted
287 SchemeMap scheme_policy_
;
289 // The set of files the child process is permited to upload to the web.
290 FileMap file_permissions_
;
292 // The set of files the child process is permitted to load.
293 FileSet request_file_set_
;
295 int enabled_bindings_
;
297 bool can_read_raw_cookies_
;
299 bool can_send_midi_sysex_
;
303 // The set of isolated filesystems the child process is permitted to access.
304 FileSystemMap filesystem_permissions_
;
306 DISALLOW_COPY_AND_ASSIGN(SecurityState
);
309 ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() {
310 // We know about these schemes and believe them to be safe.
311 RegisterWebSafeScheme(url::kHttpScheme
);
312 RegisterWebSafeScheme(url::kHttpsScheme
);
313 RegisterWebSafeScheme(url::kFtpScheme
);
314 RegisterWebSafeScheme(url::kDataScheme
);
315 RegisterWebSafeScheme("feed");
316 RegisterWebSafeScheme(url::kBlobScheme
);
317 RegisterWebSafeScheme(url::kFileSystemScheme
);
319 // We know about the following pseudo schemes and treat them specially.
320 RegisterPseudoScheme(url::kAboutScheme
);
321 RegisterPseudoScheme(url::kJavaScriptScheme
);
322 RegisterPseudoScheme(kViewSourceScheme
);
325 ChildProcessSecurityPolicyImpl::~ChildProcessSecurityPolicyImpl() {
326 web_safe_schemes_
.clear();
327 pseudo_schemes_
.clear();
328 STLDeleteContainerPairSecondPointers(security_state_
.begin(),
329 security_state_
.end());
330 security_state_
.clear();
334 ChildProcessSecurityPolicy
* ChildProcessSecurityPolicy::GetInstance() {
335 return ChildProcessSecurityPolicyImpl::GetInstance();
338 ChildProcessSecurityPolicyImpl
* ChildProcessSecurityPolicyImpl::GetInstance() {
339 return Singleton
<ChildProcessSecurityPolicyImpl
>::get();
342 void ChildProcessSecurityPolicyImpl::Add(int child_id
) {
343 base::AutoLock
lock(lock_
);
347 void ChildProcessSecurityPolicyImpl::AddWorker(int child_id
,
348 int main_render_process_id
) {
349 base::AutoLock
lock(lock_
);
351 worker_map_
[child_id
] = main_render_process_id
;
354 void ChildProcessSecurityPolicyImpl::Remove(int child_id
) {
355 base::AutoLock
lock(lock_
);
356 SecurityStateMap::iterator it
= security_state_
.find(child_id
);
357 if (it
== security_state_
.end())
358 return; // May be called multiple times.
361 security_state_
.erase(it
);
362 worker_map_
.erase(child_id
);
365 void ChildProcessSecurityPolicyImpl::RegisterWebSafeScheme(
366 const std::string
& scheme
) {
367 base::AutoLock
lock(lock_
);
368 DCHECK_EQ(0U, web_safe_schemes_
.count(scheme
)) << "Add schemes at most once.";
369 DCHECK_EQ(0U, pseudo_schemes_
.count(scheme
))
370 << "Web-safe implies not pseudo.";
372 web_safe_schemes_
.insert(scheme
);
375 bool ChildProcessSecurityPolicyImpl::IsWebSafeScheme(
376 const std::string
& scheme
) {
377 base::AutoLock
lock(lock_
);
379 return ContainsKey(web_safe_schemes_
, scheme
);
382 void ChildProcessSecurityPolicyImpl::RegisterPseudoScheme(
383 const std::string
& scheme
) {
384 base::AutoLock
lock(lock_
);
385 DCHECK_EQ(0U, pseudo_schemes_
.count(scheme
)) << "Add schemes at most once.";
386 DCHECK_EQ(0U, web_safe_schemes_
.count(scheme
))
387 << "Pseudo implies not web-safe.";
389 pseudo_schemes_
.insert(scheme
);
392 bool ChildProcessSecurityPolicyImpl::IsPseudoScheme(
393 const std::string
& scheme
) {
394 base::AutoLock
lock(lock_
);
396 return ContainsKey(pseudo_schemes_
, scheme
);
399 void ChildProcessSecurityPolicyImpl::GrantRequestURL(
400 int child_id
, const GURL
& url
) {
403 return; // Can't grant the capability to request invalid URLs.
405 if (IsWebSafeScheme(url
.scheme()))
406 return; // The scheme has already been whitelisted for every child process.
408 if (IsPseudoScheme(url
.scheme())) {
409 // The view-source scheme is a special case of a pseudo-URL that eventually
410 // results in requesting its embedded URL.
411 if (url
.SchemeIs(kViewSourceScheme
)) {
412 // URLs with the view-source scheme typically look like:
413 // view-source:http://www.google.com/a
414 // In order to request these URLs, the child_id needs to be able to
415 // request the embedded URL.
416 GrantRequestURL(child_id
, GURL(url
.GetContent()));
419 return; // Can't grant the capability to request pseudo schemes.
423 base::AutoLock
lock(lock_
);
424 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
425 if (state
== security_state_
.end())
428 // When the child process has been commanded to request this scheme,
429 // we grant it the capability to request all URLs of that scheme.
430 state
->second
->GrantScheme(url
.scheme());
434 void ChildProcessSecurityPolicyImpl::GrantRequestSpecificFileURL(
437 if (!url
.SchemeIs(url::kFileScheme
))
441 base::AutoLock
lock(lock_
);
442 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
443 if (state
== security_state_
.end())
446 // When the child process has been commanded to request a file:// URL,
447 // then we grant it the capability for that URL only.
449 if (net::FileURLToFilePath(url
, &path
))
450 state
->second
->GrantRequestOfSpecificFile(path
);
454 void ChildProcessSecurityPolicyImpl::GrantReadFile(int child_id
,
455 const base::FilePath
& file
) {
456 GrantPermissionsForFile(child_id
, file
, READ_FILE_GRANT
);
459 void ChildProcessSecurityPolicyImpl::GrantCreateReadWriteFile(
460 int child_id
, const base::FilePath
& file
) {
461 GrantPermissionsForFile(child_id
, file
, CREATE_READ_WRITE_FILE_GRANT
);
464 void ChildProcessSecurityPolicyImpl::GrantCopyInto(int child_id
,
465 const base::FilePath
& dir
) {
466 GrantPermissionsForFile(child_id
, dir
, COPY_INTO_FILE_GRANT
);
469 void ChildProcessSecurityPolicyImpl::GrantDeleteFrom(
470 int child_id
, const base::FilePath
& dir
) {
471 GrantPermissionsForFile(child_id
, dir
, DELETE_FILE_GRANT
);
474 void ChildProcessSecurityPolicyImpl::GrantPermissionsForFile(
475 int child_id
, const base::FilePath
& file
, int permissions
) {
476 base::AutoLock
lock(lock_
);
478 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
479 if (state
== security_state_
.end())
482 state
->second
->GrantPermissionsForFile(file
, permissions
);
485 void ChildProcessSecurityPolicyImpl::RevokeAllPermissionsForFile(
486 int child_id
, const base::FilePath
& file
) {
487 base::AutoLock
lock(lock_
);
489 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
490 if (state
== security_state_
.end())
493 state
->second
->RevokeAllPermissionsForFile(file
);
496 void ChildProcessSecurityPolicyImpl::GrantReadFileSystem(
497 int child_id
, const std::string
& filesystem_id
) {
498 GrantPermissionsForFileSystem(child_id
, filesystem_id
, READ_FILE_GRANT
);
501 void ChildProcessSecurityPolicyImpl::GrantWriteFileSystem(
502 int child_id
, const std::string
& filesystem_id
) {
503 GrantPermissionsForFileSystem(child_id
, filesystem_id
, WRITE_FILE_GRANT
);
506 void ChildProcessSecurityPolicyImpl::GrantCreateFileForFileSystem(
507 int child_id
, const std::string
& filesystem_id
) {
508 GrantPermissionsForFileSystem(child_id
, filesystem_id
, CREATE_NEW_FILE_GRANT
);
511 void ChildProcessSecurityPolicyImpl::GrantCreateReadWriteFileSystem(
512 int child_id
, const std::string
& filesystem_id
) {
513 GrantPermissionsForFileSystem(
514 child_id
, filesystem_id
, CREATE_READ_WRITE_FILE_GRANT
);
517 void ChildProcessSecurityPolicyImpl::GrantCopyIntoFileSystem(
518 int child_id
, const std::string
& filesystem_id
) {
519 GrantPermissionsForFileSystem(child_id
, filesystem_id
, COPY_INTO_FILE_GRANT
);
522 void ChildProcessSecurityPolicyImpl::GrantDeleteFromFileSystem(
523 int child_id
, const std::string
& filesystem_id
) {
524 GrantPermissionsForFileSystem(child_id
, filesystem_id
, DELETE_FILE_GRANT
);
527 void ChildProcessSecurityPolicyImpl::GrantSendMidiSysExMessage(int child_id
) {
528 base::AutoLock
lock(lock_
);
530 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
531 if (state
== security_state_
.end())
534 state
->second
->GrantPermissionForMidiSysEx();
537 void ChildProcessSecurityPolicyImpl::GrantScheme(int child_id
,
538 const std::string
& scheme
) {
539 base::AutoLock
lock(lock_
);
541 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
542 if (state
== security_state_
.end())
545 state
->second
->GrantScheme(scheme
);
548 void ChildProcessSecurityPolicyImpl::GrantWebUIBindings(int child_id
) {
549 base::AutoLock
lock(lock_
);
551 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
552 if (state
== security_state_
.end())
555 state
->second
->GrantBindings(BINDINGS_POLICY_WEB_UI
);
557 // Web UI bindings need the ability to request chrome: URLs.
558 state
->second
->GrantScheme(kChromeUIScheme
);
560 // Web UI pages can contain links to file:// URLs.
561 state
->second
->GrantScheme(url::kFileScheme
);
564 void ChildProcessSecurityPolicyImpl::GrantReadRawCookies(int child_id
) {
565 base::AutoLock
lock(lock_
);
567 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
568 if (state
== security_state_
.end())
571 state
->second
->GrantReadRawCookies();
574 void ChildProcessSecurityPolicyImpl::RevokeReadRawCookies(int child_id
) {
575 base::AutoLock
lock(lock_
);
577 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
578 if (state
== security_state_
.end())
581 state
->second
->RevokeReadRawCookies();
584 bool ChildProcessSecurityPolicyImpl::CanLoadPage(int child_id
,
586 ResourceType resource_type
) {
587 // If --site-per-process flag is passed, we should enforce
588 // stronger security restrictions on page navigation.
589 if (base::CommandLine::ForCurrentProcess()->HasSwitch(
590 switches::kSitePerProcess
) &&
591 IsResourceTypeFrame(resource_type
)) {
592 // TODO(nasko): Do the proper check for site-per-process, once
593 // out-of-process iframes is ready to go.
599 bool ChildProcessSecurityPolicyImpl::CanRequestURL(
600 int child_id
, const GURL
& url
) {
602 return false; // Can't request invalid URLs.
604 if (IsWebSafeScheme(url
.scheme()))
605 return true; // The scheme has been white-listed for every child process.
607 if (IsPseudoScheme(url
.scheme())) {
608 // There are a number of special cases for pseudo schemes.
610 if (url
.SchemeIs(kViewSourceScheme
)) {
611 // A view-source URL is allowed if the child process is permitted to
612 // request the embedded URL. Careful to avoid pointless recursion.
613 GURL
child_url(url
.GetContent());
614 if (child_url
.SchemeIs(kViewSourceScheme
) &&
615 url
.SchemeIs(kViewSourceScheme
))
618 return CanRequestURL(child_id
, child_url
);
621 if (LowerCaseEqualsASCII(url
.spec(), url::kAboutBlankURL
))
622 return true; // Every child process can request <about:blank>.
624 // URLs like <about:memory> and <about:crash> shouldn't be requestable by
625 // any child process. Also, this case covers <javascript:...>, which should
626 // be handled internally by the process and not kicked up to the browser.
630 if (!GetContentClient()->browser()->IsHandledURL(url
) &&
631 !net::URLRequest::IsHandledURL(url
)) {
632 return true; // This URL request is destined for ShellExecute.
636 base::AutoLock
lock(lock_
);
638 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
639 if (state
== security_state_
.end())
642 // Otherwise, we consult the child process's security state to see if it is
643 // allowed to request the URL.
644 return state
->second
->CanRequestURL(url
);
648 bool ChildProcessSecurityPolicyImpl::CanReadFile(int child_id
,
649 const base::FilePath
& file
) {
650 return HasPermissionsForFile(child_id
, file
, READ_FILE_GRANT
);
653 bool ChildProcessSecurityPolicyImpl::CanCreateReadWriteFile(
655 const base::FilePath
& file
) {
656 return HasPermissionsForFile(child_id
, file
, CREATE_READ_WRITE_FILE_GRANT
);
659 bool ChildProcessSecurityPolicyImpl::CanReadFileSystem(
660 int child_id
, const std::string
& filesystem_id
) {
661 return HasPermissionsForFileSystem(child_id
, filesystem_id
, READ_FILE_GRANT
);
664 bool ChildProcessSecurityPolicyImpl::CanReadWriteFileSystem(
665 int child_id
, const std::string
& filesystem_id
) {
666 return HasPermissionsForFileSystem(child_id
, filesystem_id
,
667 READ_FILE_GRANT
| WRITE_FILE_GRANT
);
670 bool ChildProcessSecurityPolicyImpl::CanCopyIntoFileSystem(
671 int child_id
, const std::string
& filesystem_id
) {
672 return HasPermissionsForFileSystem(child_id
, filesystem_id
,
673 COPY_INTO_FILE_GRANT
);
676 bool ChildProcessSecurityPolicyImpl::CanDeleteFromFileSystem(
677 int child_id
, const std::string
& filesystem_id
) {
678 return HasPermissionsForFileSystem(child_id
, filesystem_id
,
682 bool ChildProcessSecurityPolicyImpl::HasPermissionsForFile(
683 int child_id
, const base::FilePath
& file
, int permissions
) {
684 base::AutoLock
lock(lock_
);
685 bool result
= ChildProcessHasPermissionsForFile(child_id
, file
, permissions
);
687 // If this is a worker thread that has no access to a given file,
688 // let's check that its renderer process has access to that file instead.
689 WorkerToMainProcessMap::iterator iter
= worker_map_
.find(child_id
);
690 if (iter
!= worker_map_
.end() && iter
->second
!= 0) {
691 result
= ChildProcessHasPermissionsForFile(iter
->second
,
699 bool ChildProcessSecurityPolicyImpl::HasPermissionsForFileSystemFile(
701 const storage::FileSystemURL
& url
,
706 if (url
.path().ReferencesParent())
709 // Any write access is disallowed on the root path.
710 if (storage::VirtualPath::IsRootPath(url
.path()) &&
711 (permissions
& ~READ_FILE_GRANT
)) {
715 if (url
.mount_type() == storage::kFileSystemTypeIsolated
) {
716 // When Isolated filesystems is overlayed on top of another filesystem,
717 // its per-filesystem permission overrides the underlying filesystem
719 return HasPermissionsForFileSystem(
720 child_id
, url
.mount_filesystem_id(), permissions
);
723 FileSystemPermissionPolicyMap::iterator found
=
724 file_system_policy_map_
.find(url
.type());
725 if (found
== file_system_policy_map_
.end())
728 if ((found
->second
& storage::FILE_PERMISSION_READ_ONLY
) &&
729 permissions
& ~READ_FILE_GRANT
) {
733 if (found
->second
& storage::FILE_PERMISSION_USE_FILE_PERMISSION
)
734 return HasPermissionsForFile(child_id
, url
.path(), permissions
);
736 if (found
->second
& storage::FILE_PERMISSION_SANDBOX
)
742 bool ChildProcessSecurityPolicyImpl::CanReadFileSystemFile(
744 const storage::FileSystemURL
& url
) {
745 return HasPermissionsForFileSystemFile(child_id
, url
, READ_FILE_GRANT
);
748 bool ChildProcessSecurityPolicyImpl::CanWriteFileSystemFile(
750 const storage::FileSystemURL
& url
) {
751 return HasPermissionsForFileSystemFile(child_id
, url
, WRITE_FILE_GRANT
);
754 bool ChildProcessSecurityPolicyImpl::CanCreateFileSystemFile(
756 const storage::FileSystemURL
& url
) {
757 return HasPermissionsForFileSystemFile(child_id
, url
, CREATE_NEW_FILE_GRANT
);
760 bool ChildProcessSecurityPolicyImpl::CanCreateReadWriteFileSystemFile(
762 const storage::FileSystemURL
& url
) {
763 return HasPermissionsForFileSystemFile(child_id
, url
,
764 CREATE_READ_WRITE_FILE_GRANT
);
767 bool ChildProcessSecurityPolicyImpl::CanCopyIntoFileSystemFile(
769 const storage::FileSystemURL
& url
) {
770 return HasPermissionsForFileSystemFile(child_id
, url
, COPY_INTO_FILE_GRANT
);
773 bool ChildProcessSecurityPolicyImpl::CanDeleteFileSystemFile(
775 const storage::FileSystemURL
& url
) {
776 return HasPermissionsForFileSystemFile(child_id
, url
, DELETE_FILE_GRANT
);
779 bool ChildProcessSecurityPolicyImpl::HasWebUIBindings(int child_id
) {
780 base::AutoLock
lock(lock_
);
782 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
783 if (state
== security_state_
.end())
786 return state
->second
->has_web_ui_bindings();
789 bool ChildProcessSecurityPolicyImpl::CanReadRawCookies(int child_id
) {
790 base::AutoLock
lock(lock_
);
792 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
793 if (state
== security_state_
.end())
796 return state
->second
->can_read_raw_cookies();
799 void ChildProcessSecurityPolicyImpl::AddChild(int child_id
) {
800 if (security_state_
.count(child_id
) != 0) {
801 NOTREACHED() << "Add child process at most once.";
805 security_state_
[child_id
] = new SecurityState();
808 bool ChildProcessSecurityPolicyImpl::ChildProcessHasPermissionsForFile(
809 int child_id
, const base::FilePath
& file
, int permissions
) {
810 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
811 if (state
== security_state_
.end())
813 return state
->second
->HasPermissionsForFile(file
, permissions
);
816 bool ChildProcessSecurityPolicyImpl::CanAccessCookiesForOrigin(
817 int child_id
, const GURL
& gurl
) {
818 base::AutoLock
lock(lock_
);
819 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
820 if (state
== security_state_
.end())
822 return state
->second
->CanAccessCookiesForOrigin(gurl
);
825 bool ChildProcessSecurityPolicyImpl::CanSendCookiesForOrigin(int child_id
,
827 for (PluginProcessHostIterator iter
; !iter
.Done(); ++iter
) {
828 if (iter
.GetData().id
== child_id
) {
829 if (iter
.GetData().process_type
== PROCESS_TYPE_PLUGIN
) {
830 // NPAPI plugin processes are unsandboxed and so are trusted. Plugins
831 // can make request to any origin.
838 base::AutoLock
lock(lock_
);
839 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
840 if (state
== security_state_
.end())
842 return state
->second
->CanSendCookiesForOrigin(gurl
);
845 void ChildProcessSecurityPolicyImpl::LockToOrigin(int child_id
,
847 // "gurl" can be currently empty in some cases, such as file://blah.
848 DCHECK(SiteInstanceImpl::GetSiteForURL(NULL
, gurl
) == gurl
);
849 base::AutoLock
lock(lock_
);
850 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
851 DCHECK(state
!= security_state_
.end());
852 state
->second
->LockToOrigin(gurl
);
855 void ChildProcessSecurityPolicyImpl::GrantPermissionsForFileSystem(
857 const std::string
& filesystem_id
,
859 base::AutoLock
lock(lock_
);
861 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
862 if (state
== security_state_
.end())
864 state
->second
->GrantPermissionsForFileSystem(filesystem_id
, permission
);
867 bool ChildProcessSecurityPolicyImpl::HasPermissionsForFileSystem(
869 const std::string
& filesystem_id
,
871 base::AutoLock
lock(lock_
);
873 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
874 if (state
== security_state_
.end())
876 return state
->second
->HasPermissionsForFileSystem(filesystem_id
, permission
);
879 void ChildProcessSecurityPolicyImpl::RegisterFileSystemPermissionPolicy(
880 storage::FileSystemType type
,
882 base::AutoLock
lock(lock_
);
883 file_system_policy_map_
[type
] = policy
;
886 bool ChildProcessSecurityPolicyImpl::CanSendMidiSysExMessage(int child_id
) {
887 base::AutoLock
lock(lock_
);
889 SecurityStateMap::iterator state
= security_state_
.find(child_id
);
890 if (state
== security_state_
.end())
893 return state
->second
->can_send_midi_sysex();
896 } // namespace content