1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ 6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ 7 8 9 #include <map> 10 #include <set> 11 #include <string> 12 13 #include "base/compiler_specific.h" 14 #include "base/gtest_prod_util.h" 15 #include "base/memory/singleton.h" 16 #include "base/synchronization/lock.h" 17 #include "content/public/browser/child_process_security_policy.h" 18 #include "webkit/common/fileapi/file_system_types.h" 19 #include "webkit/common/resource_type.h" 20 21 class GURL; 22 23 namespace base { 24 class FilePath; 25 } 26 27 namespace fileapi { 28 class FileSystemURL; 29 } 30 31 namespace content { 32 33 class CONTENT_EXPORT ChildProcessSecurityPolicyImpl 34 : NON_EXPORTED_BASE(public ChildProcessSecurityPolicy) { 35 public: 36 // Object can only be created through GetInstance() so the constructor is 37 // private. 38 virtual ~ChildProcessSecurityPolicyImpl(); 39 40 static ChildProcessSecurityPolicyImpl* GetInstance(); 41 42 // ChildProcessSecurityPolicy implementation. 43 virtual void RegisterWebSafeScheme(const std::string& scheme) OVERRIDE; 44 virtual bool IsWebSafeScheme(const std::string& scheme) OVERRIDE; 45 virtual void GrantReadFile(int child_id, const base::FilePath& file) OVERRIDE; 46 virtual void GrantCreateReadWriteFile(int child_id, 47 const base::FilePath& file) OVERRIDE; 48 virtual void GrantCreateWriteFile(int child_id, 49 const base::FilePath& file) OVERRIDE; 50 virtual void GrantReadFileSystem( 51 int child_id, 52 const std::string& filesystem_id) OVERRIDE; 53 virtual void GrantWriteFileSystem( 54 int child_id, 55 const std::string& filesystem_id) OVERRIDE; 56 virtual void GrantCreateFileForFileSystem( 57 int child_id, 58 const std::string& filesystem_id) OVERRIDE; 59 virtual void GrantCopyIntoFileSystem( 60 int child_id, 61 const std::string& filesystem_id) OVERRIDE; 62 virtual void GrantScheme(int child_id, const std::string& scheme) OVERRIDE; 63 virtual bool CanReadFile(int child_id, const base::FilePath& file) OVERRIDE; 64 virtual bool CanWriteFile(int child_id, const base::FilePath& file) OVERRIDE; 65 virtual bool CanCreateFile(int child_id, const base::FilePath& file) OVERRIDE; 66 virtual bool CanCreateWriteFile(int child_id, 67 const base::FilePath& file) OVERRIDE; 68 virtual bool CanReadFileSystem(int child_id, 69 const std::string& filesystem_id) OVERRIDE; 70 virtual bool CanReadWriteFileSystem( 71 int child_id, 72 const std::string& filesystem_id) OVERRIDE; 73 virtual bool CanCopyIntoFileSystem(int child_id, 74 const std::string& filesystem_id) OVERRIDE; 75 76 // Pseudo schemes are treated differently than other schemes because they 77 // cannot be requested like normal URLs. There is no mechanism for revoking 78 // pseudo schemes. 79 void RegisterPseudoScheme(const std::string& scheme); 80 81 // Returns true iff |scheme| has been registered as pseudo scheme. 82 bool IsPseudoScheme(const std::string& scheme); 83 84 // Upon creation, child processes should register themselves by calling this 85 // this method exactly once. 86 void Add(int child_id); 87 88 // Upon creation, worker thread child processes should register themselves by 89 // calling this this method exactly once. Workers that are not shared will 90 // inherit permissions from their parent renderer process identified with 91 // |main_render_process_id|. 92 void AddWorker(int worker_child_id, int main_render_process_id); 93 94 // Upon destruction, child processess should unregister themselves by caling 95 // this method exactly once. 96 void Remove(int child_id); 97 98 // Whenever the browser processes commands the child process to request a URL, 99 // it should call this method to grant the child process the capability to 100 // request the URL, along with permission to request all URLs of the same 101 // scheme. 102 void GrantRequestURL(int child_id, const GURL& url); 103 104 // Whenever the browser process drops a file icon on a tab, it should call 105 // this method to grant the child process the capability to request this one 106 // file:// URL, but not all urls of the file:// scheme. 107 void GrantRequestSpecificFileURL(int child_id, const GURL& url); 108 109 // Grants the child process permission to enumerate all the files in 110 // this directory and read those files. 111 void GrantReadDirectory(int child_id, const base::FilePath& directory); 112 113 // Revokes all permissions granted to the given file. 114 void RevokeAllPermissionsForFile(int child_id, const base::FilePath& file); 115 116 // Grant the child process the ability to use Web UI Bindings. 117 void GrantWebUIBindings(int child_id); 118 119 // Grant the child process the ability to read raw cookies. 120 void GrantReadRawCookies(int child_id); 121 122 // Revoke read raw cookies permission. 123 void RevokeReadRawCookies(int child_id); 124 125 // Before servicing a child process's request for a URL, the browser should 126 // call this method to determine whether the process has the capability to 127 // request the URL. 128 bool CanRequestURL(int child_id, const GURL& url); 129 130 // Returns true if the process is permitted to load pages from 131 // the given origin in main frames or subframes. 132 // Only might return false if --site-per-process flag is used. 133 bool CanLoadPage(int child_id, 134 const GURL& url, 135 ResourceType::Type resource_type); 136 137 // Before servicing a child process's request to enumerate a directory 138 // the browser should call this method to check for the capability. 139 bool CanReadDirectory(int child_id, const base::FilePath& directory); 140 141 // Deprecated: Use CanReadFile, etc. methods instead. 142 // Determines if certain permissions were granted for a file. |permissions| 143 // must be a bitwise-or'd value of base::PlatformFileFlags. 144 bool HasPermissionsForFile(int child_id, 145 const base::FilePath& file, 146 int permissions); 147 148 // Deprecated: Use CanReadFileSystemFile, etc. methods instead. 149 // Determines if certain permissions were granted for a file in FileSystem 150 // API. |permissions| must be a bitwise-or'd value of base::PlatformFileFlags. 151 bool HasPermissionsForFileSystemFile(int child_id, 152 const fileapi::FileSystemURL& url, 153 int permissions); 154 155 // Explicit permissions checks for FileSystemURL specified files. 156 bool CanReadFileSystemFile(int child_id, const fileapi::FileSystemURL& url); 157 bool CanWriteFileSystemFile(int child_id, const fileapi::FileSystemURL& url); 158 bool CanCreateFileSystemFile(int child_id, const fileapi::FileSystemURL& url); 159 bool CanCreateWriteFileSystemFile(int child_id, 160 const fileapi::FileSystemURL& url); 161 162 // Returns true if the specified child_id has been granted WebUIBindings. 163 // The browser should check this property before assuming the child process is 164 // allowed to use WebUIBindings. 165 bool HasWebUIBindings(int child_id); 166 167 // Returns true if the specified child_id has been granted ReadRawCookies. 168 bool CanReadRawCookies(int child_id); 169 170 // Returns true if the process is permitted to read and modify the cookies for 171 // the given origin. Does not affect cookies attached to or set by network 172 // requests. 173 // Only might return false if the very experimental 174 // --enable-strict-site-isolation or --site-per-process flags are used. 175 bool CanAccessCookiesForOrigin(int child_id, const GURL& gurl); 176 177 // Returns true if the process is permitted to attach cookies to (or have 178 // cookies set by) network requests. 179 // Only might return false if the very experimental 180 // --enable-strict-site-isolation or --site-per-process flags are used. 181 bool CanSendCookiesForOrigin(int child_id, const GURL& gurl); 182 183 // Sets the process as only permitted to use and see the cookies for the 184 // given origin. 185 // Only used if the very experimental --enable-strict-site-isolation or 186 // --site-per-process flags are used. 187 void LockToOrigin(int child_id, const GURL& gurl); 188 189 // Determines if certain permissions were granted for a file fystem. 190 // |permissions| must be a bitwise-or'd value of base::PlatformFileFlags. 191 bool HasPermissionsForFileSystem( 192 int child_id, 193 const std::string& filesystem_id, 194 int permission); 195 196 // Register FileSystem type and permission policy which should be used 197 // for the type. The |policy| must be a bitwise-or'd value of 198 // fileapi::FilePermissionPolicy. 199 void RegisterFileSystemPermissionPolicy( 200 fileapi::FileSystemType type, 201 int policy); 202 203 private: 204 friend class ChildProcessSecurityPolicyInProcessBrowserTest; 205 friend class ChildProcessSecurityPolicyTest; 206 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest, 207 NoLeak); 208 209 class SecurityState; 210 211 typedef std::set<std::string> SchemeSet; 212 typedef std::map<int, SecurityState*> SecurityStateMap; 213 typedef std::map<int, int> WorkerToMainProcessMap; 214 typedef std::map<fileapi::FileSystemType, int> FileSystemPermissionPolicyMap; 215 216 // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance(). 217 ChildProcessSecurityPolicyImpl(); 218 friend struct DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>; 219 220 // Adds child process during registration. 221 void AddChild(int child_id); 222 223 // Determines if certain permissions were granted for a file to given child 224 // process. |permissions| must be a bitwise-or'd value of 225 // base::PlatformFileFlags. 226 bool ChildProcessHasPermissionsForFile(int child_id, 227 const base::FilePath& file, 228 int permissions); 229 230 // Grant a particular permission set for a file. |permissions| is a bit-set 231 // of base::PlatformFileFlags. 232 void GrantPermissionsForFile(int child_id, 233 const base::FilePath& file, 234 int permissions); 235 236 // Grants access permission to the given isolated file system 237 // identified by |filesystem_id|. See comments for 238 // ChildProcessSecurityPolicy::GrantReadFileSystem() for more details. 239 void GrantPermissionsForFileSystem( 240 int child_id, 241 const std::string& filesystem_id, 242 int permission); 243 244 // You must acquire this lock before reading or writing any members of this 245 // class. You must not block while holding this lock. 246 base::Lock lock_; 247 248 // These schemes are white-listed for all child processes. This set is 249 // protected by |lock_|. 250 SchemeSet web_safe_schemes_; 251 252 // These schemes do not actually represent retrievable URLs. For example, 253 // the the URLs in the "about" scheme are aliases to other URLs. This set is 254 // protected by |lock_|. 255 SchemeSet pseudo_schemes_; 256 257 // This map holds a SecurityState for each child process. The key for the 258 // map is the ID of the ChildProcessHost. The SecurityState objects are 259 // owned by this object and are protected by |lock_|. References to them must 260 // not escape this class. 261 SecurityStateMap security_state_; 262 263 // This maps keeps the record of which js worker thread child process 264 // corresponds to which main js thread child process. 265 WorkerToMainProcessMap worker_map_; 266 267 FileSystemPermissionPolicyMap file_system_policy_map_; 268 269 DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl); 270 }; 271 272 } // namespace content 273 274 #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ 275