[Session restore] Rename group name Enabled to Restore.
[chromium-blink-merge.git] / content / browser / child_process_security_policy_impl.h
blobdb673c1bdafae5b88f466c9495c98b243e55fa02
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
9 #include <map>
10 #include <set>
11 #include <string>
13 #include "base/compiler_specific.h"
14 #include "base/gtest_prod_util.h"
15 #include "base/memory/singleton.h"
16 #include "base/synchronization/lock.h"
17 #include "content/public/browser/child_process_security_policy.h"
18 #include "content/public/common/resource_type.h"
19 #include "storage/common/fileapi/file_system_types.h"
21 class GURL;
23 namespace base {
24 class FilePath;
27 namespace storage {
28 class FileSystemURL;
31 namespace content {
33 class CONTENT_EXPORT ChildProcessSecurityPolicyImpl
34 : NON_EXPORTED_BASE(public ChildProcessSecurityPolicy) {
35 public:
36 // Object can only be created through GetInstance() so the constructor is
37 // private.
38 ~ChildProcessSecurityPolicyImpl() override;
40 static ChildProcessSecurityPolicyImpl* GetInstance();
42 // ChildProcessSecurityPolicy implementation.
43 void RegisterWebSafeScheme(const std::string& scheme) override;
44 bool IsWebSafeScheme(const std::string& scheme) override;
45 void GrantReadFile(int child_id, const base::FilePath& file) override;
46 void GrantCreateReadWriteFile(int child_id,
47 const base::FilePath& file) override;
48 void GrantCopyInto(int child_id, const base::FilePath& dir) override;
49 void GrantDeleteFrom(int child_id, const base::FilePath& dir) override;
50 void GrantReadFileSystem(int child_id,
51 const std::string& filesystem_id) override;
52 void GrantWriteFileSystem(int child_id,
53 const std::string& filesystem_id) override;
54 void GrantCreateFileForFileSystem(int child_id,
55 const std::string& filesystem_id) override;
56 void GrantCreateReadWriteFileSystem(
57 int child_id,
58 const std::string& filesystem_id) override;
59 void GrantCopyIntoFileSystem(int child_id,
60 const std::string& filesystem_id) override;
61 void GrantDeleteFromFileSystem(int child_id,
62 const std::string& filesystem_id) override;
63 void GrantScheme(int child_id, const std::string& scheme) override;
64 bool CanReadFile(int child_id, const base::FilePath& file) override;
65 bool CanCreateReadWriteFile(int child_id,
66 const base::FilePath& file) override;
67 bool CanReadFileSystem(int child_id,
68 const std::string& filesystem_id) override;
69 bool CanReadWriteFileSystem(int child_id,
70 const std::string& filesystem_id) override;
71 bool CanCopyIntoFileSystem(int child_id,
72 const std::string& filesystem_id) override;
73 bool CanDeleteFromFileSystem(int child_id,
74 const std::string& filesystem_id) override;
75 bool HasWebUIBindings(int child_id) override;
76 void GrantSendMidiSysExMessage(int child_id) override;
78 // Pseudo schemes are treated differently than other schemes because they
79 // cannot be requested like normal URLs. There is no mechanism for revoking
80 // pseudo schemes.
81 void RegisterPseudoScheme(const std::string& scheme);
83 // Returns true iff |scheme| has been registered as pseudo scheme.
84 bool IsPseudoScheme(const std::string& scheme);
86 // Upon creation, child processes should register themselves by calling this
87 // this method exactly once.
88 void Add(int child_id);
90 // Upon creation, worker thread child processes should register themselves by
91 // calling this this method exactly once. Workers that are not shared will
92 // inherit permissions from their parent renderer process identified with
93 // |main_render_process_id|.
94 void AddWorker(int worker_child_id, int main_render_process_id);
96 // Upon destruction, child processess should unregister themselves by caling
97 // this method exactly once.
98 void Remove(int child_id);
100 // Whenever the browser processes commands the child process to request a URL,
101 // it should call this method to grant the child process the capability to
102 // request the URL, along with permission to request all URLs of the same
103 // scheme.
104 void GrantRequestURL(int child_id, const GURL& url);
106 // Whenever the browser process drops a file icon on a tab, it should call
107 // this method to grant the child process the capability to request this one
108 // file:// URL, but not all urls of the file:// scheme.
109 void GrantRequestSpecificFileURL(int child_id, const GURL& url);
111 // Revokes all permissions granted to the given file.
112 void RevokeAllPermissionsForFile(int child_id, const base::FilePath& file);
114 // Grant the child process the ability to use Web UI Bindings.
115 void GrantWebUIBindings(int child_id);
117 // Grant the child process the ability to read raw cookies.
118 void GrantReadRawCookies(int child_id);
120 // Revoke read raw cookies permission.
121 void RevokeReadRawCookies(int child_id);
123 // Before servicing a child process's request for a URL, the browser should
124 // call this method to determine whether the process has the capability to
125 // request the URL.
126 bool CanRequestURL(int child_id, const GURL& url);
128 // Returns true if the process is permitted to load pages from
129 // the given origin in main frames or subframes.
130 // Only might return false if --site-per-process flag is used.
131 bool CanLoadPage(int child_id,
132 const GURL& url,
133 ResourceType resource_type);
135 // Explicit permissions checks for FileSystemURL specified files.
136 bool CanReadFileSystemFile(int child_id, const storage::FileSystemURL& url);
137 bool CanWriteFileSystemFile(int child_id, const storage::FileSystemURL& url);
138 bool CanCreateFileSystemFile(int child_id, const storage::FileSystemURL& url);
139 bool CanCreateReadWriteFileSystemFile(int child_id,
140 const storage::FileSystemURL& url);
141 bool CanCopyIntoFileSystemFile(int child_id,
142 const storage::FileSystemURL& url);
143 bool CanDeleteFileSystemFile(int child_id, const storage::FileSystemURL& url);
145 // Returns true if the specified child_id has been granted ReadRawCookies.
146 bool CanReadRawCookies(int child_id);
148 // Returns true if the process is permitted to read and modify the cookies for
149 // the given origin. Does not affect cookies attached to or set by network
150 // requests.
151 // Only might return false if the very experimental
152 // --enable-strict-site-isolation or --site-per-process flags are used.
153 bool CanAccessCookiesForOrigin(int child_id, const GURL& gurl);
155 // Returns true if the process is permitted to attach cookies to (or have
156 // cookies set by) network requests.
157 // Only might return false if the very experimental
158 // --enable-strict-site-isolation or --site-per-process flags are used.
159 bool CanSendCookiesForOrigin(int child_id, const GURL& gurl);
161 // Sets the process as only permitted to use and see the cookies for the
162 // given origin.
163 // Only used if the very experimental --enable-strict-site-isolation or
164 // --site-per-process flags are used.
165 void LockToOrigin(int child_id, const GURL& gurl);
167 // Register FileSystem type and permission policy which should be used
168 // for the type. The |policy| must be a bitwise-or'd value of
169 // storage::FilePermissionPolicy.
170 void RegisterFileSystemPermissionPolicy(storage::FileSystemType type,
171 int policy);
173 // Returns true if sending system exclusive messages is allowed.
174 bool CanSendMidiSysExMessage(int child_id);
176 private:
177 friend class ChildProcessSecurityPolicyInProcessBrowserTest;
178 friend class ChildProcessSecurityPolicyTest;
179 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest,
180 NoLeak);
181 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyTest, FilePermissions);
183 class SecurityState;
185 typedef std::set<std::string> SchemeSet;
186 typedef std::map<int, SecurityState*> SecurityStateMap;
187 typedef std::map<int, int> WorkerToMainProcessMap;
188 typedef std::map<storage::FileSystemType, int> FileSystemPermissionPolicyMap;
190 // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance().
191 ChildProcessSecurityPolicyImpl();
192 friend struct DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>;
194 // Adds child process during registration.
195 void AddChild(int child_id);
197 // Determines if certain permissions were granted for a file to given child
198 // process. |permissions| is an internally defined bit-set.
199 bool ChildProcessHasPermissionsForFile(int child_id,
200 const base::FilePath& file,
201 int permissions);
203 // Grant a particular permission set for a file. |permissions| is an
204 // internally defined bit-set.
205 void GrantPermissionsForFile(int child_id,
206 const base::FilePath& file,
207 int permissions);
209 // Grants access permission to the given isolated file system
210 // identified by |filesystem_id|. See comments for
211 // ChildProcessSecurityPolicy::GrantReadFileSystem() for more details.
212 void GrantPermissionsForFileSystem(
213 int child_id,
214 const std::string& filesystem_id,
215 int permission);
217 // Determines if certain permissions were granted for a file. |permissions|
218 // is an internally defined bit-set. If |child_id| is a worker process,
219 // this returns true if either the worker process or its parent renderer
220 // has permissions for the file.
221 bool HasPermissionsForFile(int child_id,
222 const base::FilePath& file,
223 int permissions);
225 // Determines if certain permissions were granted for a file in FileSystem
226 // API. |permissions| is an internally defined bit-set.
227 bool HasPermissionsForFileSystemFile(int child_id,
228 const storage::FileSystemURL& url,
229 int permissions);
231 // Determines if certain permissions were granted for a file system.
232 // |permissions| is an internally defined bit-set.
233 bool HasPermissionsForFileSystem(
234 int child_id,
235 const std::string& filesystem_id,
236 int permission);
238 // You must acquire this lock before reading or writing any members of this
239 // class. You must not block while holding this lock.
240 base::Lock lock_;
242 // These schemes are white-listed for all child processes. This set is
243 // protected by |lock_|.
244 SchemeSet web_safe_schemes_;
246 // These schemes do not actually represent retrievable URLs. For example,
247 // the the URLs in the "about" scheme are aliases to other URLs. This set is
248 // protected by |lock_|.
249 SchemeSet pseudo_schemes_;
251 // This map holds a SecurityState for each child process. The key for the
252 // map is the ID of the ChildProcessHost. The SecurityState objects are
253 // owned by this object and are protected by |lock_|. References to them must
254 // not escape this class.
255 SecurityStateMap security_state_;
257 // This maps keeps the record of which js worker thread child process
258 // corresponds to which main js thread child process.
259 WorkerToMainProcessMap worker_map_;
261 FileSystemPermissionPolicyMap file_system_policy_map_;
263 DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl);
266 } // namespace content
268 #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_