search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add an exponential backoff to rechecking the app list doodle.
[chromium-blink-merge.git] / content / browser / child_process_security_policy_unittest.cc
blob678e3d207f844a82f8f6593fa4f4834544d16d01
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <set>
6 #include <string>
7
8 #include "base/basictypes.h"
9 #include "base/files/file_path.h"
10 #include "content/browser/child_process_security_policy_impl.h"
11 #include "content/public/common/url_constants.h"
12 #include "content/test/test_content_browser_client.h"
13 #include "storage/browser/fileapi/file_permission_policy.h"
14 #include "storage/browser/fileapi/file_system_url.h"
15 #include "storage/browser/fileapi/isolated_context.h"
16 #include "storage/common/fileapi/file_system_types.h"
17 #include "testing/gtest/include/gtest/gtest.h"
18 #include "url/gurl.h"
19
20 namespace content {
21 namespace {
22
23 const int kRendererID = 42;
24 const int kWorkerRendererID = kRendererID + 1;
25
26 #if defined(FILE_PATH_USES_DRIVE_LETTERS)
27 #define TEST_PATH(x) FILE_PATH_LITERAL("c:") FILE_PATH_LITERAL(x)
28 #else
29 #define TEST_PATH(x) FILE_PATH_LITERAL(x)
30 #endif
31
32 class ChildProcessSecurityPolicyTestBrowserClient
33 : public TestContentBrowserClient {
34 public:
35 ChildProcessSecurityPolicyTestBrowserClient() {}
36
37 bool IsHandledURL(const GURL& url) override {
38 return schemes_.find(url.scheme()) != schemes_.end();
39 }
40
41 void ClearSchemes() {
42 schemes_.clear();
43 }
44
45 void AddScheme(const std::string& scheme) {
46 schemes_.insert(scheme);
47 }
48
49 private:
50 std::set<std::string> schemes_;
51 };
52
53 } // namespace
54
55 class ChildProcessSecurityPolicyTest : public testing::Test {
56 public:
57 ChildProcessSecurityPolicyTest() : old_browser_client_(NULL) {
58 }
59
60 void SetUp() override {
61 old_browser_client_ = SetBrowserClientForTesting(&test_browser_client_);
62
63 // Claim to always handle chrome:// URLs because the CPSP's notion of
64 // allowing WebUI bindings is hard-wired to this particular scheme.
65 test_browser_client_.AddScheme(kChromeUIScheme);
66
67 // Claim to always handle file:// URLs like the browser would.
68 // net::URLRequest::IsHandledURL() no longer claims support for default
69 // protocols as this is the responsibility of the browser (which is
70 // responsible for adding the appropriate ProtocolHandler).
71 test_browser_client_.AddScheme(url::kFileScheme);
72 }
73
74 void TearDown() override {
75 test_browser_client_.ClearSchemes();
76 SetBrowserClientForTesting(old_browser_client_);
77 }
78
79 protected:
80 void RegisterTestScheme(const std::string& scheme) {
81 test_browser_client_.AddScheme(scheme);
82 }
83
84 void GrantPermissionsForFile(ChildProcessSecurityPolicyImpl* p,
85 int child_id,
86 const base::FilePath& file,
87 int permissions) {
88 p->GrantPermissionsForFile(child_id, file, permissions);
89 }
90
91 void CheckHasNoFileSystemPermission(ChildProcessSecurityPolicyImpl* p,
92 const std::string& child_id) {
93 EXPECT_FALSE(p->CanReadFileSystem(kRendererID, child_id));
94 EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, child_id));
95 EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, child_id));
96 EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, child_id));
97 }
98
99 void CheckHasNoFileSystemFilePermission(ChildProcessSecurityPolicyImpl* p,
100 const base::FilePath& file,
101 const storage::FileSystemURL& url) {
102 EXPECT_FALSE(p->CanReadFile(kRendererID, file));
103 EXPECT_FALSE(p->CanCreateReadWriteFile(kRendererID, file));
104 EXPECT_FALSE(p->CanReadFileSystemFile(kRendererID, url));
105 EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, url));
106 EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, url));
107 EXPECT_FALSE(p->CanCreateReadWriteFileSystemFile(kRendererID, url));
108 EXPECT_FALSE(p->CanCopyIntoFileSystemFile(kRendererID, url));
109 EXPECT_FALSE(p->CanDeleteFileSystemFile(kRendererID, url));
110 }
111
112 private:
113 ChildProcessSecurityPolicyTestBrowserClient test_browser_client_;
114 ContentBrowserClient* old_browser_client_;
115 };
116
117
118 TEST_F(ChildProcessSecurityPolicyTest, IsWebSafeSchemeTest) {
119 ChildProcessSecurityPolicyImpl* p =
120 ChildProcessSecurityPolicyImpl::GetInstance();
121
122 EXPECT_TRUE(p->IsWebSafeScheme(url::kHttpScheme));
123 EXPECT_TRUE(p->IsWebSafeScheme(url::kHttpsScheme));
124 EXPECT_TRUE(p->IsWebSafeScheme(url::kFtpScheme));
125 EXPECT_TRUE(p->IsWebSafeScheme(url::kDataScheme));
126 EXPECT_TRUE(p->IsWebSafeScheme("feed"));
127 EXPECT_TRUE(p->IsWebSafeScheme(url::kBlobScheme));
128 EXPECT_TRUE(p->IsWebSafeScheme(url::kFileSystemScheme));
129
130 EXPECT_FALSE(p->IsWebSafeScheme("registered-web-safe-scheme"));
131 p->RegisterWebSafeScheme("registered-web-safe-scheme");
132 EXPECT_TRUE(p->IsWebSafeScheme("registered-web-safe-scheme"));
133
134 EXPECT_FALSE(p->IsWebSafeScheme(kChromeUIScheme));
135 }
136
137 TEST_F(ChildProcessSecurityPolicyTest, IsPseudoSchemeTest) {
138 ChildProcessSecurityPolicyImpl* p =
139 ChildProcessSecurityPolicyImpl::GetInstance();
140
141 EXPECT_TRUE(p->IsPseudoScheme(url::kAboutScheme));
142 EXPECT_TRUE(p->IsPseudoScheme(url::kJavaScriptScheme));
143 EXPECT_TRUE(p->IsPseudoScheme(kViewSourceScheme));
144
145 EXPECT_FALSE(p->IsPseudoScheme("registered-pseudo-scheme"));
146 p->RegisterPseudoScheme("registered-pseudo-scheme");
147 EXPECT_TRUE(p->IsPseudoScheme("registered-pseudo-scheme"));
148
149 EXPECT_FALSE(p->IsPseudoScheme(kChromeUIScheme));
150 }
151
152 TEST_F(ChildProcessSecurityPolicyTest, StandardSchemesTest) {
153 ChildProcessSecurityPolicyImpl* p =
154 ChildProcessSecurityPolicyImpl::GetInstance();
155
156 p->Add(kRendererID);
157
158 // Safe
159 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("http://www.google.com/")));
160 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("https://www.paypal.com/")));
161 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("ftp://ftp.gnu.org/")));
162 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("data:text/html,<b>Hi</b>")));
163 EXPECT_TRUE(p->CanRequestURL(kRendererID,
164 GURL("view-source:http://www.google.com/")));
165 EXPECT_TRUE(p->CanRequestURL(
166 kRendererID, GURL("filesystem:http://localhost/temporary/a.gif")));
167
168 // Dangerous
169 EXPECT_FALSE(p->CanRequestURL(kRendererID,
170 GURL("file:///etc/passwd")));
171 EXPECT_FALSE(p->CanRequestURL(kRendererID,
172 GURL("chrome://foo/bar")));
173
174 p->Remove(kRendererID);
175 }
176
177 TEST_F(ChildProcessSecurityPolicyTest, AboutTest) {
178 ChildProcessSecurityPolicyImpl* p =
179 ChildProcessSecurityPolicyImpl::GetInstance();
180
181 p->Add(kRendererID);
182
183 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:blank")));
184 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:BlAnK")));
185 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:BlAnK")));
186 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:blank")));
187
188 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:memory")));
189 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash")));
190 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:cache")));
191 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:hang")));
192
193 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("aBoUt:memory")));
194 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:CrASh")));
195 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("abOuT:cAChe")));
196
197 // Requests for about: pages should be denied.
198 p->GrantRequestURL(kRendererID, GURL("about:crash"));
199 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash")));
200
201 // These requests for chrome:// pages should be granted.
202 GURL chrome_url("chrome://foo");
203 p->GrantRequestURL(kRendererID, chrome_url);
204 EXPECT_TRUE(p->CanRequestURL(kRendererID, chrome_url));
205
206 p->Remove(kRendererID);
207 }
208
209 TEST_F(ChildProcessSecurityPolicyTest, JavaScriptTest) {
210 ChildProcessSecurityPolicyImpl* p =
211 ChildProcessSecurityPolicyImpl::GetInstance();
212
213 p->Add(kRendererID);
214
215 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')")));
216 p->GrantRequestURL(kRendererID, GURL("javascript:alert('xss')"));
217 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')")));
218
219 p->Remove(kRendererID);
220 }
221
222 TEST_F(ChildProcessSecurityPolicyTest, RegisterWebSafeSchemeTest) {
223 ChildProcessSecurityPolicyImpl* p =
224 ChildProcessSecurityPolicyImpl::GetInstance();
225
226 p->Add(kRendererID);
227
228 // Currently, "asdf" is destined for ShellExecute, so it is allowed.
229 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
230
231 // Once we register "asdf", we default to deny.
232 RegisterTestScheme("asdf");
233 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
234
235 // We can allow new schemes by adding them to the whitelist.
236 p->RegisterWebSafeScheme("asdf");
237 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
238
239 // Cleanup.
240 p->Remove(kRendererID);
241 }
242
243 TEST_F(ChildProcessSecurityPolicyTest, CanServiceCommandsTest) {
244 ChildProcessSecurityPolicyImpl* p =
245 ChildProcessSecurityPolicyImpl::GetInstance();
246
247 p->Add(kRendererID);
248
249 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
250 p->GrantRequestURL(kRendererID, GURL("file:///etc/passwd"));
251 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
252
253 // We should forget our state if we repeat a renderer id.
254 p->Remove(kRendererID);
255 p->Add(kRendererID);
256 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
257 p->Remove(kRendererID);
258 }
259
260 TEST_F(ChildProcessSecurityPolicyTest, ViewSource) {
261 ChildProcessSecurityPolicyImpl* p =
262 ChildProcessSecurityPolicyImpl::GetInstance();
263
264 p->Add(kRendererID);
265
266 // View source is determined by the embedded scheme.
267 EXPECT_TRUE(p->CanRequestURL(kRendererID,
268 GURL("view-source:http://www.google.com/")));
269 EXPECT_FALSE(p->CanRequestURL(kRendererID,
270 GURL("view-source:file:///etc/passwd")));
271 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
272 EXPECT_FALSE(p->CanRequestURL(
273 kRendererID, GURL("view-source:view-source:http://www.google.com/")));
274
275 p->GrantRequestURL(kRendererID, GURL("view-source:file:///etc/passwd"));
276 // View source needs to be able to request the embedded scheme.
277 EXPECT_TRUE(p->CanRequestURL(kRendererID,
278 GURL("view-source:file:///etc/passwd")));
279 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
280
281 p->Remove(kRendererID);
282 }
283
284 TEST_F(ChildProcessSecurityPolicyTest, SpecificFile) {
285 ChildProcessSecurityPolicyImpl* p =
286 ChildProcessSecurityPolicyImpl::GetInstance();
287
288 p->Add(kRendererID);
289
290 GURL icon_url("file:///tmp/foo.png");
291 GURL sensitive_url("file:///etc/passwd");
292 EXPECT_FALSE(p->CanRequestURL(kRendererID, icon_url));
293 EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
294
295 p->GrantRequestSpecificFileURL(kRendererID, icon_url);
296 EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
297 EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
298
299 p->GrantRequestURL(kRendererID, icon_url);
300 EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
301 EXPECT_TRUE(p->CanRequestURL(kRendererID, sensitive_url));
302
303 p->Remove(kRendererID);
304 }
305
306 TEST_F(ChildProcessSecurityPolicyTest, FileSystemGrantsTest) {
307 ChildProcessSecurityPolicyImpl* p =
308 ChildProcessSecurityPolicyImpl::GetInstance();
309
310 p->Add(kRendererID);
311 std::string read_id =
312 storage::IsolatedContext::GetInstance()->RegisterFileSystemForVirtualPath(
313 storage::kFileSystemTypeTest, "read_filesystem", base::FilePath());
314 std::string read_write_id =
315 storage::IsolatedContext::GetInstance()->RegisterFileSystemForVirtualPath(
316 storage::kFileSystemTypeTest,
317 "read_write_filesystem",
318 base::FilePath());
319 std::string copy_into_id =
320 storage::IsolatedContext::GetInstance()->RegisterFileSystemForVirtualPath(
321 storage::kFileSystemTypeTest,
322 "copy_into_filesystem",
323 base::FilePath());
324 std::string delete_from_id =
325 storage::IsolatedContext::GetInstance()->RegisterFileSystemForVirtualPath(
326 storage::kFileSystemTypeTest,
327 "delete_from_filesystem",
328 base::FilePath());
329
330 // Test initially having no permissions.
331 CheckHasNoFileSystemPermission(p, read_id);
332 CheckHasNoFileSystemPermission(p, read_write_id);
333 CheckHasNoFileSystemPermission(p, copy_into_id);
334 CheckHasNoFileSystemPermission(p, delete_from_id);
335
336 // Testing varying combinations of grants and checks.
337 p->GrantReadFileSystem(kRendererID, read_id);
338 EXPECT_TRUE(p->CanReadFileSystem(kRendererID, read_id));
339 EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, read_id));
340 EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, read_id));
341 EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, read_id));
342
343 p->GrantReadFileSystem(kRendererID, read_write_id);
344 p->GrantWriteFileSystem(kRendererID, read_write_id);
345 EXPECT_TRUE(p->CanReadFileSystem(kRendererID, read_write_id));
346 EXPECT_TRUE(p->CanReadWriteFileSystem(kRendererID, read_write_id));
347 EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, read_write_id));
348 EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, read_write_id));
349
350 p->GrantCopyIntoFileSystem(kRendererID, copy_into_id);
351 EXPECT_FALSE(p->CanReadFileSystem(kRendererID, copy_into_id));
352 EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, copy_into_id));
353 EXPECT_TRUE(p->CanCopyIntoFileSystem(kRendererID, copy_into_id));
354 EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, copy_into_id));
355
356 p->GrantDeleteFromFileSystem(kRendererID, delete_from_id);
357 EXPECT_FALSE(p->CanReadFileSystem(kRendererID, delete_from_id));
358 EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, delete_from_id));
359 EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, delete_from_id));
360 EXPECT_TRUE(p->CanDeleteFromFileSystem(kRendererID, delete_from_id));
361
362 // Test revoke permissions on renderer ID removal.
363 p->Remove(kRendererID);
364 CheckHasNoFileSystemPermission(p, read_id);
365 CheckHasNoFileSystemPermission(p, read_write_id);
366 CheckHasNoFileSystemPermission(p, copy_into_id);
367 CheckHasNoFileSystemPermission(p, delete_from_id);
368
369 // Test having no permissions upon re-adding same renderer ID.
370 p->Add(kRendererID);
371 CheckHasNoFileSystemPermission(p, read_id);
372 CheckHasNoFileSystemPermission(p, read_write_id);
373 CheckHasNoFileSystemPermission(p, copy_into_id);
374 CheckHasNoFileSystemPermission(p, delete_from_id);
375
376 // Cleanup.
377 p->Remove(kRendererID);
378 storage::IsolatedContext::GetInstance()->RevokeFileSystem(read_id);
379 storage::IsolatedContext::GetInstance()->RevokeFileSystem(read_write_id);
380 storage::IsolatedContext::GetInstance()->RevokeFileSystem(copy_into_id);
381 storage::IsolatedContext::GetInstance()->RevokeFileSystem(delete_from_id);
382 }
383
384 TEST_F(ChildProcessSecurityPolicyTest, FilePermissionGrantingAndRevoking) {
385 ChildProcessSecurityPolicyImpl* p =
386 ChildProcessSecurityPolicyImpl::GetInstance();
387
388 p->RegisterFileSystemPermissionPolicy(
389 storage::kFileSystemTypeTest,
390 storage::FILE_PERMISSION_USE_FILE_PERMISSION);
391
392 p->Add(kRendererID);
393 base::FilePath file(TEST_PATH("/dir/testfile"));
394 file = file.NormalizePathSeparators();
395 storage::FileSystemURL url = storage::FileSystemURL::CreateForTest(
396 GURL("http://foo/"), storage::kFileSystemTypeTest, file);
397
398 // Test initially having no permissions.
399 CheckHasNoFileSystemFilePermission(p, file, url);
400
401 // Testing every combination of permissions granting and revoking.
402 p->GrantReadFile(kRendererID, file);
403 EXPECT_TRUE(p->CanReadFile(kRendererID, file));
404 EXPECT_FALSE(p->CanCreateReadWriteFile(kRendererID, file));
405 EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, url));
406 EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, url));
407 EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, url));
408 EXPECT_FALSE(p->CanCreateReadWriteFileSystemFile(kRendererID, url));
409 EXPECT_FALSE(p->CanCopyIntoFileSystemFile(kRendererID, url));
410 EXPECT_FALSE(p->CanDeleteFileSystemFile(kRendererID, url));
411 p->RevokeAllPermissionsForFile(kRendererID, file);
412 CheckHasNoFileSystemFilePermission(p, file, url);
413
414 p->GrantCreateReadWriteFile(kRendererID, file);
415 EXPECT_TRUE(p->CanReadFile(kRendererID, file));
416 EXPECT_TRUE(p->CanCreateReadWriteFile(kRendererID, file));
417 EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, url));
418 EXPECT_TRUE(p->CanWriteFileSystemFile(kRendererID, url));
419 EXPECT_TRUE(p->CanCreateFileSystemFile(kRendererID, url));
420 EXPECT_TRUE(p->CanCreateReadWriteFileSystemFile(kRendererID, url));
421 EXPECT_TRUE(p->CanCopyIntoFileSystemFile(kRendererID, url));
422 EXPECT_TRUE(p->CanDeleteFileSystemFile(kRendererID, url));
423 p->RevokeAllPermissionsForFile(kRendererID, file);
424 CheckHasNoFileSystemFilePermission(p, file, url);
425
426 // Test revoke permissions on renderer ID removal.
427 p->GrantCreateReadWriteFile(kRendererID, file);
428 EXPECT_TRUE(p->CanReadFile(kRendererID, file));
429 EXPECT_TRUE(p->CanCreateReadWriteFile(kRendererID, file));
430 EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, url));
431 EXPECT_TRUE(p->CanWriteFileSystemFile(kRendererID, url));
432 EXPECT_TRUE(p->CanCreateFileSystemFile(kRendererID, url));
433 EXPECT_TRUE(p->CanCreateReadWriteFileSystemFile(kRendererID, url));
434 EXPECT_TRUE(p->CanCopyIntoFileSystemFile(kRendererID, url));
435 EXPECT_TRUE(p->CanDeleteFileSystemFile(kRendererID, url));
436 p->Remove(kRendererID);
437 CheckHasNoFileSystemFilePermission(p, file, url);
438
439 // Test having no permissions upon re-adding same renderer ID.
440 p->Add(kRendererID);
441 CheckHasNoFileSystemFilePermission(p, file, url);
442
443 // Cleanup.
444 p->Remove(kRendererID);
445 }
446
447 TEST_F(ChildProcessSecurityPolicyTest, FilePermissions) {
448 base::FilePath granted_file = base::FilePath(TEST_PATH("/home/joe"));
449 base::FilePath sibling_file = base::FilePath(TEST_PATH("/home/bob"));
450 base::FilePath child_file = base::FilePath(TEST_PATH("/home/joe/file"));
451 base::FilePath parent_file = base::FilePath(TEST_PATH("/home"));
452 base::FilePath parent_slash_file = base::FilePath(TEST_PATH("/home/"));
453 base::FilePath child_traversal1 =
454 base::FilePath(TEST_PATH("/home/joe/././file"));
455 base::FilePath child_traversal2 = base::FilePath(
456 TEST_PATH("/home/joe/file/../otherfile"));
457 base::FilePath evil_traversal1 =
458 base::FilePath(TEST_PATH("/home/joe/../../etc/passwd"));
459 base::FilePath evil_traversal2 = base::FilePath(
460 TEST_PATH("/home/joe/./.././../etc/passwd"));
461 base::FilePath self_traversal =
462 base::FilePath(TEST_PATH("/home/joe/../joe/file"));
463 base::FilePath relative_file = base::FilePath(FILE_PATH_LITERAL("home/joe"));
464
465 ChildProcessSecurityPolicyImpl* p =
466 ChildProcessSecurityPolicyImpl::GetInstance();
467
468 // Grant permissions for a file.
469 p->Add(kRendererID);
470 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
471 base::File::FLAG_OPEN));
472
473 GrantPermissionsForFile(p, kRendererID, granted_file,
474 base::File::FLAG_OPEN |
475 base::File::FLAG_OPEN_TRUNCATED |
476 base::File::FLAG_READ |
477 base::File::FLAG_WRITE);
478 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
479 base::File::FLAG_OPEN |
480 base::File::FLAG_OPEN_TRUNCATED |
481 base::File::FLAG_READ |
482 base::File::FLAG_WRITE));
483 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
484 base::File::FLAG_OPEN |
485 base::File::FLAG_READ));
486 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
487 base::File::FLAG_CREATE));
488 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file, 0));
489 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
490 base::File::FLAG_CREATE |
491 base::File::FLAG_OPEN_TRUNCATED |
492 base::File::FLAG_READ |
493 base::File::FLAG_WRITE));
494 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, sibling_file,
495 base::File::FLAG_OPEN |
496 base::File::FLAG_READ));
497 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, parent_file,
498 base::File::FLAG_OPEN |
499 base::File::FLAG_READ));
500 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, child_file,
501 base::File::FLAG_OPEN |
502 base::File::FLAG_READ));
503 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, child_traversal1,
504 base::File::FLAG_OPEN |
505 base::File::FLAG_READ));
506 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, child_traversal2,
507 base::File::FLAG_OPEN |
508 base::File::FLAG_READ));
509 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, evil_traversal1,
510 base::File::FLAG_OPEN |
511 base::File::FLAG_READ));
512 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, evil_traversal2,
513 base::File::FLAG_OPEN |
514 base::File::FLAG_READ));
515 // CPSP doesn't allow this case for the sake of simplicity.
516 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, self_traversal,
517 base::File::FLAG_OPEN |
518 base::File::FLAG_READ));
519 p->Remove(kRendererID);
520
521 // Grant permissions for the directory the file is in.
522 p->Add(kRendererID);
523 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
524 base::File::FLAG_OPEN));
525 GrantPermissionsForFile(p, kRendererID, parent_file,
526 base::File::FLAG_OPEN |
527 base::File::FLAG_READ);
528 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
529 base::File::FLAG_OPEN));
530 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
531 base::File::FLAG_READ |
532 base::File::FLAG_WRITE));
533 p->Remove(kRendererID);
534
535 // Grant permissions for the directory the file is in (with trailing '/').
536 p->Add(kRendererID);
537 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
538 base::File::FLAG_OPEN));
539 GrantPermissionsForFile(p, kRendererID, parent_slash_file,
540 base::File::FLAG_OPEN |
541 base::File::FLAG_READ);
542 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
543 base::File::FLAG_OPEN));
544 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
545 base::File::FLAG_READ |
546 base::File::FLAG_WRITE));
547
548 // Grant permissions for the file (should overwrite the permissions granted
549 // for the directory).
550 GrantPermissionsForFile(p, kRendererID, granted_file,
551 base::File::FLAG_TEMPORARY);
552 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
553 base::File::FLAG_OPEN));
554 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
555 base::File::FLAG_TEMPORARY));
556
557 // Revoke all permissions for the file (it should inherit its permissions
558 // from the directory again).
559 p->RevokeAllPermissionsForFile(kRendererID, granted_file);
560 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
561 base::File::FLAG_OPEN |
562 base::File::FLAG_READ));
563 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
564 base::File::FLAG_TEMPORARY));
565 p->Remove(kRendererID);
566
567 // Grant file permissions for the file to main thread renderer process,
568 // make sure its worker thread renderer process inherits those.
569 p->Add(kRendererID);
570 GrantPermissionsForFile(p, kRendererID, granted_file,
571 base::File::FLAG_OPEN |
572 base::File::FLAG_READ);
573 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
574 base::File::FLAG_OPEN |
575 base::File::FLAG_READ));
576 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
577 base::File::FLAG_WRITE));
578 p->AddWorker(kWorkerRendererID, kRendererID);
579 EXPECT_TRUE(p->HasPermissionsForFile(kWorkerRendererID, granted_file,
580 base::File::FLAG_OPEN |
581 base::File::FLAG_READ));
582 EXPECT_FALSE(p->HasPermissionsForFile(kWorkerRendererID, granted_file,
583 base::File::FLAG_WRITE));
584 p->Remove(kRendererID);
585 EXPECT_FALSE(p->HasPermissionsForFile(kWorkerRendererID, granted_file,
586 base::File::FLAG_OPEN |
587 base::File::FLAG_READ));
588 p->Remove(kWorkerRendererID);
589
590 p->Add(kRendererID);
591 GrantPermissionsForFile(p, kRendererID, relative_file,
592 base::File::FLAG_OPEN);
593 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, relative_file,
594 base::File::FLAG_OPEN));
595 p->Remove(kRendererID);
596 }
597
598 TEST_F(ChildProcessSecurityPolicyTest, CanServiceWebUIBindings) {
599 ChildProcessSecurityPolicyImpl* p =
600 ChildProcessSecurityPolicyImpl::GetInstance();
601
602 GURL url("chrome://thumb/http://www.google.com/");
603
604 p->Add(kRendererID);
605
606 EXPECT_FALSE(p->HasWebUIBindings(kRendererID));
607 EXPECT_FALSE(p->CanRequestURL(kRendererID, url));
608 p->GrantWebUIBindings(kRendererID);
609 EXPECT_TRUE(p->HasWebUIBindings(kRendererID));
610 EXPECT_TRUE(p->CanRequestURL(kRendererID, url));
611
612 p->Remove(kRendererID);
613 }
614
615 TEST_F(ChildProcessSecurityPolicyTest, RemoveRace) {
616 ChildProcessSecurityPolicyImpl* p =
617 ChildProcessSecurityPolicyImpl::GetInstance();
618
619 GURL url("file:///etc/passwd");
620 base::FilePath file(TEST_PATH("/etc/passwd"));
621
622 p->Add(kRendererID);
623
624 p->GrantRequestURL(kRendererID, url);
625 p->GrantReadFile(kRendererID, file);
626 p->GrantWebUIBindings(kRendererID);
627
628 EXPECT_TRUE(p->CanRequestURL(kRendererID, url));
629 EXPECT_TRUE(p->CanReadFile(kRendererID, file));
630 EXPECT_TRUE(p->HasWebUIBindings(kRendererID));
631
632 p->Remove(kRendererID);
633
634 // Renderers are added and removed on the UI thread, but the policy can be
635 // queried on the IO thread. The ChildProcessSecurityPolicy needs to be
636 // prepared to answer policy questions about renderers who no longer exist.
637
638 // In this case, we default to secure behavior.
639 EXPECT_FALSE(p->CanRequestURL(kRendererID, url));
640 EXPECT_FALSE(p->CanReadFile(kRendererID, file));
641 EXPECT_FALSE(p->HasWebUIBindings(kRendererID));
642 }
643
644 } // namespace content