Revert 268405 "Make sure that ScratchBuffer::Allocate() always r..."
[chromium-blink-merge.git] / content / browser / child_process_security_policy_impl.h
blob005292cdf2b6842ee189554fde93875e8fed0774
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
9 #include <map>
10 #include <set>
11 #include <string>
13 #include "base/compiler_specific.h"
14 #include "base/gtest_prod_util.h"
15 #include "base/memory/singleton.h"
16 #include "base/synchronization/lock.h"
17 #include "content/public/browser/child_process_security_policy.h"
18 #include "webkit/common/fileapi/file_system_types.h"
19 #include "webkit/common/resource_type.h"
21 class GURL;
23 namespace base {
24 class FilePath;
27 namespace fileapi {
28 class FileSystemURL;
31 namespace content {
33 class CONTENT_EXPORT ChildProcessSecurityPolicyImpl
34 : NON_EXPORTED_BASE(public ChildProcessSecurityPolicy) {
35 public:
36 // Object can only be created through GetInstance() so the constructor is
37 // private.
38 virtual ~ChildProcessSecurityPolicyImpl();
40 static ChildProcessSecurityPolicyImpl* GetInstance();
42 // ChildProcessSecurityPolicy implementation.
43 virtual void RegisterWebSafeScheme(const std::string& scheme) OVERRIDE;
44 virtual bool IsWebSafeScheme(const std::string& scheme) OVERRIDE;
45 virtual void GrantReadFile(int child_id, const base::FilePath& file) OVERRIDE;
46 virtual void GrantCreateReadWriteFile(int child_id,
47 const base::FilePath& file) OVERRIDE;
48 virtual void GrantCopyInto(int child_id, const base::FilePath& dir) OVERRIDE;
49 virtual void GrantDeleteFrom(int child_id,
50 const base::FilePath& dir) OVERRIDE;
51 virtual void GrantReadFileSystem(
52 int child_id,
53 const std::string& filesystem_id) OVERRIDE;
54 virtual void GrantWriteFileSystem(
55 int child_id,
56 const std::string& filesystem_id) OVERRIDE;
57 virtual void GrantCreateFileForFileSystem(
58 int child_id,
59 const std::string& filesystem_id) OVERRIDE;
60 virtual void GrantCreateReadWriteFileSystem(
61 int child_id,
62 const std::string& filesystem_id) OVERRIDE;
63 virtual void GrantCopyIntoFileSystem(
64 int child_id,
65 const std::string& filesystem_id) OVERRIDE;
66 virtual void GrantDeleteFromFileSystem(
67 int child_id,
68 const std::string& filesystem_id) OVERRIDE;
69 virtual void GrantScheme(int child_id, const std::string& scheme) OVERRIDE;
70 virtual bool CanReadFile(int child_id, const base::FilePath& file) OVERRIDE;
71 virtual bool CanCreateReadWriteFile(int child_id,
72 const base::FilePath& file) OVERRIDE;
73 virtual bool CanReadFileSystem(int child_id,
74 const std::string& filesystem_id) OVERRIDE;
75 virtual bool CanReadWriteFileSystem(
76 int child_id,
77 const std::string& filesystem_id) OVERRIDE;
78 virtual bool CanCopyIntoFileSystem(int child_id,
79 const std::string& filesystem_id) OVERRIDE;
80 virtual bool CanDeleteFromFileSystem(
81 int child_id,
82 const std::string& filesystem_id) OVERRIDE;
84 // Pseudo schemes are treated differently than other schemes because they
85 // cannot be requested like normal URLs. There is no mechanism for revoking
86 // pseudo schemes.
87 void RegisterPseudoScheme(const std::string& scheme);
89 // Returns true iff |scheme| has been registered as pseudo scheme.
90 bool IsPseudoScheme(const std::string& scheme);
92 // Upon creation, child processes should register themselves by calling this
93 // this method exactly once.
94 void Add(int child_id);
96 // Upon creation, worker thread child processes should register themselves by
97 // calling this this method exactly once. Workers that are not shared will
98 // inherit permissions from their parent renderer process identified with
99 // |main_render_process_id|.
100 void AddWorker(int worker_child_id, int main_render_process_id);
102 // Upon destruction, child processess should unregister themselves by caling
103 // this method exactly once.
104 void Remove(int child_id);
106 // Whenever the browser processes commands the child process to request a URL,
107 // it should call this method to grant the child process the capability to
108 // request the URL, along with permission to request all URLs of the same
109 // scheme.
110 void GrantRequestURL(int child_id, const GURL& url);
112 // Whenever the browser process drops a file icon on a tab, it should call
113 // this method to grant the child process the capability to request this one
114 // file:// URL, but not all urls of the file:// scheme.
115 void GrantRequestSpecificFileURL(int child_id, const GURL& url);
117 // Revokes all permissions granted to the given file.
118 void RevokeAllPermissionsForFile(int child_id, const base::FilePath& file);
120 // Grant the child process the ability to use Web UI Bindings.
121 void GrantWebUIBindings(int child_id);
123 // Grant the child process the ability to read raw cookies.
124 void GrantReadRawCookies(int child_id);
126 // Revoke read raw cookies permission.
127 void RevokeReadRawCookies(int child_id);
129 // Grants permission to send system exclusive message to any MIDI devices.
130 void GrantSendMidiSysExMessage(int child_id);
132 // Before servicing a child process's request for a URL, the browser should
133 // call this method to determine whether the process has the capability to
134 // request the URL.
135 bool CanRequestURL(int child_id, const GURL& url);
137 // Returns true if the process is permitted to load pages from
138 // the given origin in main frames or subframes.
139 // Only might return false if --site-per-process flag is used.
140 bool CanLoadPage(int child_id,
141 const GURL& url,
142 ResourceType::Type resource_type);
144 // Explicit permissions checks for FileSystemURL specified files.
145 bool CanReadFileSystemFile(int child_id, const fileapi::FileSystemURL& url);
146 bool CanWriteFileSystemFile(int child_id, const fileapi::FileSystemURL& url);
147 bool CanCreateFileSystemFile(int child_id, const fileapi::FileSystemURL& url);
148 bool CanCreateReadWriteFileSystemFile(int child_id,
149 const fileapi::FileSystemURL& url);
150 bool CanCopyIntoFileSystemFile(int child_id,
151 const fileapi::FileSystemURL& url);
152 bool CanDeleteFileSystemFile(int child_id,
153 const fileapi::FileSystemURL& url);
155 // Returns true if the specified child_id has been granted WebUIBindings.
156 // The browser should check this property before assuming the child process is
157 // allowed to use WebUIBindings.
158 bool HasWebUIBindings(int child_id);
160 // Returns true if the specified child_id has been granted ReadRawCookies.
161 bool CanReadRawCookies(int child_id);
163 // Returns true if the process is permitted to read and modify the cookies for
164 // the given origin. Does not affect cookies attached to or set by network
165 // requests.
166 // Only might return false if the very experimental
167 // --enable-strict-site-isolation or --site-per-process flags are used.
168 bool CanAccessCookiesForOrigin(int child_id, const GURL& gurl);
170 // Returns true if the process is permitted to attach cookies to (or have
171 // cookies set by) network requests.
172 // Only might return false if the very experimental
173 // --enable-strict-site-isolation or --site-per-process flags are used.
174 bool CanSendCookiesForOrigin(int child_id, const GURL& gurl);
176 // Sets the process as only permitted to use and see the cookies for the
177 // given origin.
178 // Only used if the very experimental --enable-strict-site-isolation or
179 // --site-per-process flags are used.
180 void LockToOrigin(int child_id, const GURL& gurl);
182 // Register FileSystem type and permission policy which should be used
183 // for the type. The |policy| must be a bitwise-or'd value of
184 // fileapi::FilePermissionPolicy.
185 void RegisterFileSystemPermissionPolicy(
186 fileapi::FileSystemType type,
187 int policy);
189 // Returns true if sending system exclusive messages is allowed.
190 bool CanSendMidiSysExMessage(int child_id);
192 private:
193 friend class ChildProcessSecurityPolicyInProcessBrowserTest;
194 friend class ChildProcessSecurityPolicyTest;
195 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest,
196 NoLeak);
197 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyTest, FilePermissions);
199 class SecurityState;
201 typedef std::set<std::string> SchemeSet;
202 typedef std::map<int, SecurityState*> SecurityStateMap;
203 typedef std::map<int, int> WorkerToMainProcessMap;
204 typedef std::map<fileapi::FileSystemType, int> FileSystemPermissionPolicyMap;
206 // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance().
207 ChildProcessSecurityPolicyImpl();
208 friend struct DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>;
210 // Adds child process during registration.
211 void AddChild(int child_id);
213 // Determines if certain permissions were granted for a file to given child
214 // process. |permissions| is an internally defined bit-set.
215 bool ChildProcessHasPermissionsForFile(int child_id,
216 const base::FilePath& file,
217 int permissions);
219 // Grant a particular permission set for a file. |permissions| is an
220 // internally defined bit-set.
221 void GrantPermissionsForFile(int child_id,
222 const base::FilePath& file,
223 int permissions);
225 // Grants access permission to the given isolated file system
226 // identified by |filesystem_id|. See comments for
227 // ChildProcessSecurityPolicy::GrantReadFileSystem() for more details.
228 void GrantPermissionsForFileSystem(
229 int child_id,
230 const std::string& filesystem_id,
231 int permission);
233 // Determines if certain permissions were granted for a file. |permissions|
234 // is an internally defined bit-set. If |child_id| is a worker process,
235 // this returns true if either the worker process or its parent renderer
236 // has permissions for the file.
237 bool HasPermissionsForFile(int child_id,
238 const base::FilePath& file,
239 int permissions);
241 // Determines if certain permissions were granted for a file in FileSystem
242 // API. |permissions| is an internally defined bit-set.
243 bool HasPermissionsForFileSystemFile(int child_id,
244 const fileapi::FileSystemURL& url,
245 int permissions);
247 // Determines if certain permissions were granted for a file system.
248 // |permissions| is an internally defined bit-set.
249 bool HasPermissionsForFileSystem(
250 int child_id,
251 const std::string& filesystem_id,
252 int permission);
254 // You must acquire this lock before reading or writing any members of this
255 // class. You must not block while holding this lock.
256 base::Lock lock_;
258 // These schemes are white-listed for all child processes. This set is
259 // protected by |lock_|.
260 SchemeSet web_safe_schemes_;
262 // These schemes do not actually represent retrievable URLs. For example,
263 // the the URLs in the "about" scheme are aliases to other URLs. This set is
264 // protected by |lock_|.
265 SchemeSet pseudo_schemes_;
267 // This map holds a SecurityState for each child process. The key for the
268 // map is the ID of the ChildProcessHost. The SecurityState objects are
269 // owned by this object and are protected by |lock_|. References to them must
270 // not escape this class.
271 SecurityStateMap security_state_;
273 // This maps keeps the record of which js worker thread child process
274 // corresponds to which main js thread child process.
275 WorkerToMainProcessMap worker_map_;
277 FileSystemPermissionPolicyMap file_system_policy_map_;
279 DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl);
282 } // namespace content
284 #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_