content/browser/child_process_security_policy_impl.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
   6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
   7
   8
   9 #include <map>
  10 #include <set>
  11 #include <string>
  12
  13 #include "base/compiler_specific.h"
  14 #include "base/gtest_prod_util.h"
  15 #include "base/memory/singleton.h"
  16 #include "base/synchronization/lock.h"
  17 #include "content/public/browser/child_process_security_policy.h"
  18 #include "webkit/common/fileapi/file_system_types.h"
  19 #include "webkit/common/resource_type.h"
  20
  21 class GURL;
  22
  23 namespace base {
  24 class FilePath;
  25 }
  26
  27 namespace fileapi {
  28 class FileSystemURL;
  29 }
  30
  31 namespace content {
  32
  33 class CONTENT_EXPORT ChildProcessSecurityPolicyImpl
  34     : NON_EXPORTED_BASE(public ChildProcessSecurityPolicy) {
  35  public:
  36   // Object can only be created through GetInstance() so the constructor is
  37   // private.
  38   virtual ~ChildProcessSecurityPolicyImpl();
  39
  40   static ChildProcessSecurityPolicyImpl* GetInstance();
  41
  42   // ChildProcessSecurityPolicy implementation.
  43   virtual void RegisterWebSafeScheme(const std::string& scheme) OVERRIDE;
  44   virtual bool IsWebSafeScheme(const std::string& scheme) OVERRIDE;
  45   virtual void GrantReadFile(int child_id, const base::FilePath& file) OVERRIDE;
  46   virtual void GrantCreateReadWriteFile(int child_id,
  47                                         const base::FilePath& file) OVERRIDE;
  48   virtual void GrantCreateWriteFile(int child_id,
  49                                     const base::FilePath& file) OVERRIDE;
  50   virtual void GrantReadFileSystem(
  51       int child_id,
  52       const std::string& filesystem_id) OVERRIDE;
  53   virtual void GrantWriteFileSystem(
  54       int child_id,
  55       const std::string& filesystem_id) OVERRIDE;
  56   virtual void GrantCreateFileForFileSystem(
  57       int child_id,
  58       const std::string& filesystem_id) OVERRIDE;
  59   virtual void GrantCopyIntoFileSystem(
  60       int child_id,
  61       const std::string& filesystem_id) OVERRIDE;
  62   virtual void GrantScheme(int child_id, const std::string& scheme) OVERRIDE;
  63   virtual bool CanReadFile(int child_id, const base::FilePath& file) OVERRIDE;
  64   virtual bool CanWriteFile(int child_id, const base::FilePath& file) OVERRIDE;
  65   virtual bool CanCreateFile(int child_id, const base::FilePath& file) OVERRIDE;
  66   virtual bool CanCreateWriteFile(int child_id,
  67                                   const base::FilePath& file) OVERRIDE;
  68   virtual bool CanReadFileSystem(int child_id,
  69                                  const std::string& filesystem_id) OVERRIDE;
  70   virtual bool CanReadWriteFileSystem(
  71       int child_id,
  72       const std::string& filesystem_id) OVERRIDE;
  73   virtual bool CanCopyIntoFileSystem(int child_id,
  74                                      const std::string& filesystem_id) OVERRIDE;
  75
  76   // Pseudo schemes are treated differently than other schemes because they
  77   // cannot be requested like normal URLs.  There is no mechanism for revoking
  78   // pseudo schemes.
  79   void RegisterPseudoScheme(const std::string& scheme);
  80
  81   // Returns true iff |scheme| has been registered as pseudo scheme.
  82   bool IsPseudoScheme(const std::string& scheme);
  83
  84   // Upon creation, child processes should register themselves by calling this
  85   // this method exactly once.
  86   void Add(int child_id);
  87
  88   // Upon creation, worker thread child processes should register themselves by
  89   // calling this this method exactly once. Workers that are not shared will
  90   // inherit permissions from their parent renderer process identified with
  91   // |main_render_process_id|.
  92   void AddWorker(int worker_child_id, int main_render_process_id);
  93
  94   // Upon destruction, child processess should unregister themselves by caling
  95   // this method exactly once.
  96   void Remove(int child_id);
  97
  98   // Whenever the browser processes commands the child process to request a URL,
  99   // it should call this method to grant the child process the capability to
 100   // request the URL, along with permission to request all URLs of the same
 101   // scheme.
 102   void GrantRequestURL(int child_id, const GURL& url);
 103
 104   // Whenever the browser process drops a file icon on a tab, it should call
 105   // this method to grant the child process the capability to request this one
 106   // file:// URL, but not all urls of the file:// scheme.
 107   void GrantRequestSpecificFileURL(int child_id, const GURL& url);
 108
 109   // Grants the child process permission to enumerate all the files in
 110   // this directory and read those files.
 111   void GrantReadDirectory(int child_id, const base::FilePath& directory);
 112
 113   // Revokes all permissions granted to the given file.
 114   void RevokeAllPermissionsForFile(int child_id, const base::FilePath& file);
 115
 116   // Grant the child process the ability to use Web UI Bindings.
 117   void GrantWebUIBindings(int child_id);
 118
 119   // Grant the child process the ability to read raw cookies.
 120   void GrantReadRawCookies(int child_id);
 121
 122   // Revoke read raw cookies permission.
 123   void RevokeReadRawCookies(int child_id);
 124
 125   // Grants permission to send system exclusive message to any MIDI devices.
 126   void GrantSendMIDISysExMessage(int child_id);
 127
 128   // Before servicing a child process's request for a URL, the browser should
 129   // call this method to determine whether the process has the capability to
 130   // request the URL.
 131   bool CanRequestURL(int child_id, const GURL& url);
 132
 133   // Returns true if the process is permitted to load pages from
 134   // the given origin in main frames or subframes.
 135   // Only might return false if --site-per-process flag is used.
 136   bool CanLoadPage(int child_id,
 137                    const GURL& url,
 138                    ResourceType::Type resource_type);
 139
 140   // Before servicing a child process's request to enumerate a directory
 141   // the browser should call this method to check for the capability.
 142   bool CanReadDirectory(int child_id, const base::FilePath& directory);
 143
 144   // Explicit permissions checks for FileSystemURL specified files.
 145   bool CanReadFileSystemFile(int child_id, const fileapi::FileSystemURL& url);
 146   bool CanWriteFileSystemFile(int child_id, const fileapi::FileSystemURL& url);
 147   bool CanCreateFileSystemFile(int child_id, const fileapi::FileSystemURL& url);
 148   bool CanCreateWriteFileSystemFile(int child_id,
 149                                     const fileapi::FileSystemURL& url);
 150
 151   // Returns true if the specified child_id has been granted WebUIBindings.
 152   // The browser should check this property before assuming the child process is
 153   // allowed to use WebUIBindings.
 154   bool HasWebUIBindings(int child_id);
 155
 156   // Returns true if the specified child_id has been granted ReadRawCookies.
 157   bool CanReadRawCookies(int child_id);
 158
 159   // Returns true if the process is permitted to read and modify the cookies for
 160   // the given origin.  Does not affect cookies attached to or set by network
 161   // requests.
 162   // Only might return false if the very experimental
 163   // --enable-strict-site-isolation or --site-per-process flags are used.
 164   bool CanAccessCookiesForOrigin(int child_id, const GURL& gurl);
 165
 166   // Returns true if the process is permitted to attach cookies to (or have
 167   // cookies set by) network requests.
 168   // Only might return false if the very experimental
 169   // --enable-strict-site-isolation or --site-per-process flags are used.
 170   bool CanSendCookiesForOrigin(int child_id, const GURL& gurl);
 171
 172   // Sets the process as only permitted to use and see the cookies for the
 173   // given origin.
 174   // Only used if the very experimental --enable-strict-site-isolation or
 175   // --site-per-process flags are used.
 176   void LockToOrigin(int child_id, const GURL& gurl);
 177
 178   // Determines if certain permissions were granted for a file fystem.
 179   // |permissions| must be a bitwise-or'd value of base::PlatformFileFlags.
 180   bool HasPermissionsForFileSystem(
 181       int child_id,
 182       const std::string& filesystem_id,
 183       int permission);
 184
 185   // Register FileSystem type and permission policy which should be used
 186   // for the type.  The |policy| must be a bitwise-or'd value of
 187   // fileapi::FilePermissionPolicy.
 188   void RegisterFileSystemPermissionPolicy(
 189       fileapi::FileSystemType type,
 190       int policy);
 191
 192   // Returns true if sending system exclusive messages is allowed.
 193   bool CanSendMIDISysExMessage(int child_id);
 194
 195  private:
 196   friend class ChildProcessSecurityPolicyInProcessBrowserTest;
 197   friend class ChildProcessSecurityPolicyTest;
 198   FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest,
 199                            NoLeak);
 200   FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyTest, FilePermissions);
 201
 202   class SecurityState;
 203
 204   typedef std::set<std::string> SchemeSet;
 205   typedef std::map<int, SecurityState*> SecurityStateMap;
 206   typedef std::map<int, int> WorkerToMainProcessMap;
 207   typedef std::map<fileapi::FileSystemType, int> FileSystemPermissionPolicyMap;
 208
 209   // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance().
 210   ChildProcessSecurityPolicyImpl();
 211   friend struct DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>;
 212
 213   // Adds child process during registration.
 214   void AddChild(int child_id);
 215
 216   // Determines if certain permissions were granted for a file to given child
 217   // process. |permissions| must be a bitwise-or'd value of
 218   // base::PlatformFileFlags.
 219   bool ChildProcessHasPermissionsForFile(int child_id,
 220                                          const base::FilePath& file,
 221                                          int permissions);
 222
 223   // Grant a particular permission set for a file. |permissions| is a bit-set
 224   // of base::PlatformFileFlags.
 225   void GrantPermissionsForFile(int child_id,
 226                                const base::FilePath& file,
 227                                int permissions);
 228
 229   // Grants access permission to the given isolated file system
 230   // identified by |filesystem_id|.  See comments for
 231   // ChildProcessSecurityPolicy::GrantReadFileSystem() for more details.
 232   void GrantPermissionsForFileSystem(
 233       int child_id,
 234       const std::string& filesystem_id,
 235       int permission);
 236
 237   // Deprecated: Use CanReadFile, etc. methods instead.
 238   // Determines if certain permissions were granted for a file. |permissions|
 239   // must be a bitwise-or'd value of base::PlatformFileFlags.
 240   bool HasPermissionsForFile(int child_id,
 241                              const base::FilePath& file,
 242                              int permissions);
 243
 244   // Deprecated: Use CanReadFileSystemFile, etc. methods instead.
 245   // Determines if certain permissions were granted for a file in FileSystem
 246   // API. |permissions| must be a bitwise-or'd value of base::PlatformFileFlags.
 247   bool HasPermissionsForFileSystemFile(int child_id,
 248                                        const fileapi::FileSystemURL& url,
 249                                        int permissions);
 250
 251   // You must acquire this lock before reading or writing any members of this
 252   // class.  You must not block while holding this lock.
 253   base::Lock lock_;
 254
 255   // These schemes are white-listed for all child processes.  This set is
 256   // protected by |lock_|.
 257   SchemeSet web_safe_schemes_;
 258
 259   // These schemes do not actually represent retrievable URLs.  For example,
 260   // the the URLs in the "about" scheme are aliases to other URLs.  This set is
 261   // protected by |lock_|.
 262   SchemeSet pseudo_schemes_;
 263
 264   // This map holds a SecurityState for each child process.  The key for the
 265   // map is the ID of the ChildProcessHost.  The SecurityState objects are
 266   // owned by this object and are protected by |lock_|.  References to them must
 267   // not escape this class.
 268   SecurityStateMap security_state_;
 269
 270   // This maps keeps the record of which js worker thread child process
 271   // corresponds to which main js thread child process.
 272   WorkerToMainProcessMap worker_map_;
 273
 274   FileSystemPermissionPolicyMap file_system_policy_map_;
 275
 276   DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl);
 277 };
 278
 279 }  // namespace content
 280
 281 #endif  // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_