Roll src/third_party/WebKit f298044:aa8346d (svn 202628:202629)
[chromium-blink-merge.git] / content / browser / child_process_security_policy_impl.h
blob309b667bccb235cecea5869c3a7397aa0bd03e25
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
9 #include <map>
10 #include <set>
11 #include <string>
13 #include "base/compiler_specific.h"
14 #include "base/gtest_prod_util.h"
15 #include "base/memory/singleton.h"
16 #include "base/synchronization/lock.h"
17 #include "content/public/browser/child_process_security_policy.h"
18 #include "content/public/common/resource_type.h"
19 #include "storage/common/fileapi/file_system_types.h"
21 class GURL;
23 namespace base {
24 class FilePath;
27 namespace storage {
28 class FileSystemURL;
31 namespace content {
33 class CONTENT_EXPORT ChildProcessSecurityPolicyImpl
34 : NON_EXPORTED_BASE(public ChildProcessSecurityPolicy) {
35 public:
36 // Object can only be created through GetInstance() so the constructor is
37 // private.
38 ~ChildProcessSecurityPolicyImpl() override;
40 static ChildProcessSecurityPolicyImpl* GetInstance();
42 // ChildProcessSecurityPolicy implementation.
43 void RegisterWebSafeScheme(const std::string& scheme) override;
44 bool IsWebSafeScheme(const std::string& scheme) override;
45 void GrantReadFile(int child_id, const base::FilePath& file) override;
46 void GrantCreateReadWriteFile(int child_id,
47 const base::FilePath& file) override;
48 void GrantCopyInto(int child_id, const base::FilePath& dir) override;
49 void GrantDeleteFrom(int child_id, const base::FilePath& dir) override;
50 void GrantReadFileSystem(int child_id,
51 const std::string& filesystem_id) override;
52 void GrantWriteFileSystem(int child_id,
53 const std::string& filesystem_id) override;
54 void GrantCreateFileForFileSystem(int child_id,
55 const std::string& filesystem_id) override;
56 void GrantCreateReadWriteFileSystem(
57 int child_id,
58 const std::string& filesystem_id) override;
59 void GrantCopyIntoFileSystem(int child_id,
60 const std::string& filesystem_id) override;
61 void GrantDeleteFromFileSystem(int child_id,
62 const std::string& filesystem_id) override;
63 void GrantScheme(int child_id, const std::string& scheme) override;
64 bool CanReadFile(int child_id, const base::FilePath& file) override;
65 bool CanCreateReadWriteFile(int child_id,
66 const base::FilePath& file) override;
67 bool CanReadFileSystem(int child_id,
68 const std::string& filesystem_id) override;
69 bool CanReadWriteFileSystem(int child_id,
70 const std::string& filesystem_id) override;
71 bool CanCopyIntoFileSystem(int child_id,
72 const std::string& filesystem_id) override;
73 bool CanDeleteFromFileSystem(int child_id,
74 const std::string& filesystem_id) override;
75 bool HasWebUIBindings(int child_id) override;
76 void GrantSendMidiSysExMessage(int child_id) override;
77 bool CanAccessDataForOrigin(int child_id, const GURL& url) override;
79 // Pseudo schemes are treated differently than other schemes because they
80 // cannot be requested like normal URLs. There is no mechanism for revoking
81 // pseudo schemes.
82 void RegisterPseudoScheme(const std::string& scheme);
84 // Returns true iff |scheme| has been registered as pseudo scheme.
85 bool IsPseudoScheme(const std::string& scheme);
87 // Upon creation, child processes should register themselves by calling this
88 // this method exactly once.
89 void Add(int child_id);
91 // Upon creation, worker thread child processes should register themselves by
92 // calling this this method exactly once. Workers that are not shared will
93 // inherit permissions from their parent renderer process identified with
94 // |main_render_process_id|.
95 void AddWorker(int worker_child_id, int main_render_process_id);
97 // Upon destruction, child processess should unregister themselves by caling
98 // this method exactly once.
99 void Remove(int child_id);
101 // Whenever the browser processes commands the child process to request a URL,
102 // it should call this method to grant the child process the capability to
103 // request the URL, along with permission to request all URLs of the same
104 // scheme.
105 void GrantRequestURL(int child_id, const GURL& url);
107 // Whenever the browser process drops a file icon on a tab, it should call
108 // this method to grant the child process the capability to request this one
109 // file:// URL, but not all urls of the file:// scheme.
110 void GrantRequestSpecificFileURL(int child_id, const GURL& url);
112 // Revokes all permissions granted to the given file.
113 void RevokeAllPermissionsForFile(int child_id, const base::FilePath& file);
115 // Grant the child process the ability to use Web UI Bindings.
116 void GrantWebUIBindings(int child_id);
118 // Grant the child process the ability to read raw cookies.
119 void GrantReadRawCookies(int child_id);
121 // Revoke read raw cookies permission.
122 void RevokeReadRawCookies(int child_id);
124 // Before servicing a child process's request for a URL, the browser should
125 // call this method to determine whether the process has the capability to
126 // request the URL.
127 bool CanRequestURL(int child_id, const GURL& url);
129 // Whether the process is allowed to commit a document from the given URL.
130 // This is more restrictive than CanRequestURL, since CanRequestURL allows
131 // requests that might lead to cross-process navigations or external protocol
132 // handlers.
133 bool CanCommitURL(int child_id, const GURL& url);
135 // Explicit permissions checks for FileSystemURL specified files.
136 bool CanReadFileSystemFile(int child_id, const storage::FileSystemURL& url);
137 bool CanWriteFileSystemFile(int child_id, const storage::FileSystemURL& url);
138 bool CanCreateFileSystemFile(int child_id, const storage::FileSystemURL& url);
139 bool CanCreateReadWriteFileSystemFile(int child_id,
140 const storage::FileSystemURL& url);
141 bool CanCopyIntoFileSystemFile(int child_id,
142 const storage::FileSystemURL& url);
143 bool CanDeleteFileSystemFile(int child_id, const storage::FileSystemURL& url);
145 // Returns true if the specified child_id has been granted ReadRawCookies.
146 bool CanReadRawCookies(int child_id);
148 // Sets the process as only permitted to use and see the cookies for the
149 // given origin.
150 // Origin lock is applied only if the --site-per-process flag is used.
151 void LockToOrigin(int child_id, const GURL& gurl);
153 // Register FileSystem type and permission policy which should be used
154 // for the type. The |policy| must be a bitwise-or'd value of
155 // storage::FilePermissionPolicy.
156 void RegisterFileSystemPermissionPolicy(storage::FileSystemType type,
157 int policy);
159 // Returns true if sending system exclusive messages is allowed.
160 bool CanSendMidiSysExMessage(int child_id);
162 private:
163 friend class ChildProcessSecurityPolicyInProcessBrowserTest;
164 friend class ChildProcessSecurityPolicyTest;
165 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest,
166 NoLeak);
167 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyTest, FilePermissions);
169 class SecurityState;
171 typedef std::set<std::string> SchemeSet;
172 typedef std::map<int, SecurityState*> SecurityStateMap;
173 typedef std::map<int, int> WorkerToMainProcessMap;
174 typedef std::map<storage::FileSystemType, int> FileSystemPermissionPolicyMap;
176 // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance().
177 ChildProcessSecurityPolicyImpl();
178 friend struct base::DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>;
180 // Adds child process during registration.
181 void AddChild(int child_id);
183 // Determines if certain permissions were granted for a file to given child
184 // process. |permissions| is an internally defined bit-set.
185 bool ChildProcessHasPermissionsForFile(int child_id,
186 const base::FilePath& file,
187 int permissions);
189 // Grant a particular permission set for a file. |permissions| is an
190 // internally defined bit-set.
191 void GrantPermissionsForFile(int child_id,
192 const base::FilePath& file,
193 int permissions);
195 // Grants access permission to the given isolated file system
196 // identified by |filesystem_id|. See comments for
197 // ChildProcessSecurityPolicy::GrantReadFileSystem() for more details.
198 void GrantPermissionsForFileSystem(
199 int child_id,
200 const std::string& filesystem_id,
201 int permission);
203 // Determines if certain permissions were granted for a file. |permissions|
204 // is an internally defined bit-set. If |child_id| is a worker process,
205 // this returns true if either the worker process or its parent renderer
206 // has permissions for the file.
207 bool HasPermissionsForFile(int child_id,
208 const base::FilePath& file,
209 int permissions);
211 // Determines if certain permissions were granted for a file in FileSystem
212 // API. |permissions| is an internally defined bit-set.
213 bool HasPermissionsForFileSystemFile(int child_id,
214 const storage::FileSystemURL& url,
215 int permissions);
217 // Determines if certain permissions were granted for a file system.
218 // |permissions| is an internally defined bit-set.
219 bool HasPermissionsForFileSystem(
220 int child_id,
221 const std::string& filesystem_id,
222 int permission);
224 // You must acquire this lock before reading or writing any members of this
225 // class. You must not block while holding this lock.
226 base::Lock lock_;
228 // These schemes are white-listed for all child processes. This set is
229 // protected by |lock_|.
230 SchemeSet web_safe_schemes_;
232 // These schemes do not actually represent retrievable URLs. For example,
233 // the the URLs in the "about" scheme are aliases to other URLs. This set is
234 // protected by |lock_|.
235 SchemeSet pseudo_schemes_;
237 // This map holds a SecurityState for each child process. The key for the
238 // map is the ID of the ChildProcessHost. The SecurityState objects are
239 // owned by this object and are protected by |lock_|. References to them must
240 // not escape this class.
241 SecurityStateMap security_state_;
243 // This maps keeps the record of which js worker thread child process
244 // corresponds to which main js thread child process.
245 WorkerToMainProcessMap worker_map_;
247 FileSystemPermissionPolicyMap file_system_policy_map_;
249 DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl);
252 } // namespace content
254 #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_