1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
6 #define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
11 #include "base/macros.h"
13 #include "sandbox/linux/syscall_broker/broker_file_permission.h"
16 namespace syscall_broker
{
18 // BrokerPolicy allows to define the security policy enforced by a
19 // BrokerHost. The BrokerHost will evaluate requests sent over its
20 // IPC channel according to the BrokerPolicy.
21 // Some of the methods of this class can be used in an async-signal safe
25 // |denied_errno| is the error code returned when IPC requests for system
26 // calls such as open() or access() are denied because a file is not in the
27 // whitelist. EACCESS would be a typical value.
28 // |permissions| is a list of BrokerPermission objects that define
29 // what the broker will allow.
30 BrokerPolicy(int denied_errno
,
31 const std::vector
<BrokerFilePermission
>& permissions
);
35 // Check if calling access() should be allowed on |requested_filename| with
36 // mode |requested_mode|.
37 // Note: access() being a system call to check permissions, this can get a bit
38 // confusing. We're checking if calling access() should even be allowed with
39 // If |file_to_open| is not NULL, a pointer to the path will be returned.
40 // In the case of a recursive match, this will be the requested_filename,
41 // otherwise it will return the matching pointer from the
42 // whitelist. For paranoia a caller should then use |file_to_access|. See
43 // GetFileNameIfAllowedToOpen() for more explanation.
44 // return true if calling access() on this file should be allowed, false
46 // Async signal safe if and only if |file_to_access| is NULL.
47 bool GetFileNameIfAllowedToAccess(const char* requested_filename
,
49 const char** file_to_access
) const;
51 // Check if |requested_filename| can be opened with flags |requested_flags|.
52 // If |file_to_open| is not NULL, a pointer to the path will be returned.
53 // In the case of a recursive match, this will be the requested_filename,
54 // otherwise it will return the matching pointer from the
55 // whitelist. For paranoia, a caller should then use |file_to_open| rather
56 // than |requested_filename|, so that it never attempts to open an
57 // attacker-controlled file name, even if an attacker managed to fool the
58 // string comparison mechanism.
59 // |unlink_after_open| if not NULL will be set to point to true if the
60 // policy requests the caller unlink the path after opening.
61 // Return true if opening should be allowed, false otherwise.
62 // Async signal safe if and only if |file_to_open| is NULL.
63 bool GetFileNameIfAllowedToOpen(const char* requested_filename
,
65 const char** file_to_open
,
66 bool* unlink_after_open
) const;
67 int denied_errno() const { return denied_errno_
; }
70 const int denied_errno_
;
71 // The permissions_ vector is used as storage for the BrokerFilePermission
72 // objects but is not referenced outside of the constructor as
73 // vectors are unfriendly in async signal safe code.
74 const std::vector
<BrokerFilePermission
> permissions_
;
75 // permissions_array_ is set up to point to the backing store of
76 // permissions_ and is used in async signal safe methods.
77 const BrokerFilePermission
* permissions_array_
;
78 const size_t num_of_permissions_
;
80 DISALLOW_COPY_AND_ASSIGN(BrokerPolicy
);
83 } // namespace syscall_broker
85 } // namespace sandbox
87 #endif // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_