1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ 6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ 7 8 9 #include <map> 10 #include <set> 11 #include <string> 12 13 #include "base/compiler_specific.h" 14 #include "base/gtest_prod_util.h" 15 #include "base/memory/singleton.h" 16 #include "base/synchronization/lock.h" 17 #include "content/public/browser/child_process_security_policy.h" 18 #include "webkit/common/fileapi/file_system_types.h" 19 #include "webkit/common/resource_type.h" 20 21 class GURL; 22 23 namespace base { 24 class FilePath; 25 } 26 27 namespace fileapi { 28 class FileSystemURL; 29 } 30 31 namespace content { 32 33 class CONTENT_EXPORT ChildProcessSecurityPolicyImpl 34 : NON_EXPORTED_BASE(public ChildProcessSecurityPolicy) { 35 public: 36 // Object can only be created through GetInstance() so the constructor is 37 // private. 38 virtual ~ChildProcessSecurityPolicyImpl(); 39 40 static ChildProcessSecurityPolicyImpl* GetInstance(); 41 42 // ChildProcessSecurityPolicy implementation. 43 virtual void RegisterWebSafeScheme(const std::string& scheme) OVERRIDE; 44 virtual bool IsWebSafeScheme(const std::string& scheme) OVERRIDE; 45 virtual void GrantReadFile(int child_id, const base::FilePath& file) OVERRIDE; 46 virtual void GrantCreateReadWriteFile(int child_id, 47 const base::FilePath& file) OVERRIDE; 48 virtual void GrantCopyInto(int child_id, const base::FilePath& dir) OVERRIDE; 49 virtual void GrantDeleteFrom(int child_id, 50 const base::FilePath& dir) OVERRIDE; 51 virtual void GrantReadFileSystem( 52 int child_id, 53 const std::string& filesystem_id) OVERRIDE; 54 virtual void GrantWriteFileSystem( 55 int child_id, 56 const std::string& filesystem_id) OVERRIDE; 57 virtual void GrantCreateFileForFileSystem( 58 int child_id, 59 const std::string& filesystem_id) OVERRIDE; 60 virtual void GrantCreateReadWriteFileSystem( 61 int child_id, 62 const std::string& filesystem_id) OVERRIDE; 63 virtual void GrantCopyIntoFileSystem( 64 int child_id, 65 const std::string& filesystem_id) OVERRIDE; 66 virtual void GrantDeleteFromFileSystem( 67 int child_id, 68 const std::string& filesystem_id) OVERRIDE; 69 virtual void GrantScheme(int child_id, const std::string& scheme) OVERRIDE; 70 virtual bool CanReadFile(int child_id, const base::FilePath& file) OVERRIDE; 71 virtual bool CanCreateReadWriteFile(int child_id, 72 const base::FilePath& file) OVERRIDE; 73 virtual bool CanReadFileSystem(int child_id, 74 const std::string& filesystem_id) OVERRIDE; 75 virtual bool CanReadWriteFileSystem( 76 int child_id, 77 const std::string& filesystem_id) OVERRIDE; 78 virtual bool CanCopyIntoFileSystem(int child_id, 79 const std::string& filesystem_id) OVERRIDE; 80 virtual bool CanDeleteFromFileSystem( 81 int child_id, 82 const std::string& filesystem_id) OVERRIDE; 83 84 // Pseudo schemes are treated differently than other schemes because they 85 // cannot be requested like normal URLs. There is no mechanism for revoking 86 // pseudo schemes. 87 void RegisterPseudoScheme(const std::string& scheme); 88 89 // Returns true iff |scheme| has been registered as pseudo scheme. 90 bool IsPseudoScheme(const std::string& scheme); 91 92 // Upon creation, child processes should register themselves by calling this 93 // this method exactly once. 94 void Add(int child_id); 95 96 // Upon creation, worker thread child processes should register themselves by 97 // calling this this method exactly once. Workers that are not shared will 98 // inherit permissions from their parent renderer process identified with 99 // |main_render_process_id|. 100 void AddWorker(int worker_child_id, int main_render_process_id); 101 102 // Upon destruction, child processess should unregister themselves by caling 103 // this method exactly once. 104 void Remove(int child_id); 105 106 // Whenever the browser processes commands the child process to request a URL, 107 // it should call this method to grant the child process the capability to 108 // request the URL, along with permission to request all URLs of the same 109 // scheme. 110 void GrantRequestURL(int child_id, const GURL& url); 111 112 // Whenever the browser process drops a file icon on a tab, it should call 113 // this method to grant the child process the capability to request this one 114 // file:// URL, but not all urls of the file:// scheme. 115 void GrantRequestSpecificFileURL(int child_id, const GURL& url); 116 117 // Revokes all permissions granted to the given file. 118 void RevokeAllPermissionsForFile(int child_id, const base::FilePath& file); 119 120 // Grant the child process the ability to use Web UI Bindings. 121 void GrantWebUIBindings(int child_id); 122 123 // Grant the child process the ability to read raw cookies. 124 void GrantReadRawCookies(int child_id); 125 126 // Revoke read raw cookies permission. 127 void RevokeReadRawCookies(int child_id); 128 129 // Grants permission to send system exclusive message to any MIDI devices. 130 void GrantSendMidiSysExMessage(int child_id); 131 132 // Before servicing a child process's request for a URL, the browser should 133 // call this method to determine whether the process has the capability to 134 // request the URL. 135 bool CanRequestURL(int child_id, const GURL& url); 136 137 // Returns true if the process is permitted to load pages from 138 // the given origin in main frames or subframes. 139 // Only might return false if --site-per-process flag is used. 140 bool CanLoadPage(int child_id, 141 const GURL& url, 142 ResourceType::Type resource_type); 143 144 // Explicit permissions checks for FileSystemURL specified files. 145 bool CanReadFileSystemFile(int child_id, const fileapi::FileSystemURL& url); 146 bool CanWriteFileSystemFile(int child_id, const fileapi::FileSystemURL& url); 147 bool CanCreateFileSystemFile(int child_id, const fileapi::FileSystemURL& url); 148 bool CanCreateReadWriteFileSystemFile(int child_id, 149 const fileapi::FileSystemURL& url); 150 bool CanCopyIntoFileSystemFile(int child_id, 151 const fileapi::FileSystemURL& url); 152 bool CanDeleteFileSystemFile(int child_id, 153 const fileapi::FileSystemURL& url); 154 155 // Returns true if the specified child_id has been granted WebUIBindings. 156 // The browser should check this property before assuming the child process is 157 // allowed to use WebUIBindings. 158 bool HasWebUIBindings(int child_id); 159 160 // Returns true if the specified child_id has been granted ReadRawCookies. 161 bool CanReadRawCookies(int child_id); 162 163 // Returns true if the process is permitted to read and modify the cookies for 164 // the given origin. Does not affect cookies attached to or set by network 165 // requests. 166 // Only might return false if the very experimental 167 // --enable-strict-site-isolation or --site-per-process flags are used. 168 bool CanAccessCookiesForOrigin(int child_id, const GURL& gurl); 169 170 // Returns true if the process is permitted to attach cookies to (or have 171 // cookies set by) network requests. 172 // Only might return false if the very experimental 173 // --enable-strict-site-isolation or --site-per-process flags are used. 174 bool CanSendCookiesForOrigin(int child_id, const GURL& gurl); 175 176 // Sets the process as only permitted to use and see the cookies for the 177 // given origin. 178 // Only used if the very experimental --enable-strict-site-isolation or 179 // --site-per-process flags are used. 180 void LockToOrigin(int child_id, const GURL& gurl); 181 182 // Register FileSystem type and permission policy which should be used 183 // for the type. The |policy| must be a bitwise-or'd value of 184 // fileapi::FilePermissionPolicy. 185 void RegisterFileSystemPermissionPolicy( 186 fileapi::FileSystemType type, 187 int policy); 188 189 // Returns true if sending system exclusive messages is allowed. 190 bool CanSendMidiSysExMessage(int child_id); 191 192 private: 193 friend class ChildProcessSecurityPolicyInProcessBrowserTest; 194 friend class ChildProcessSecurityPolicyTest; 195 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest, 196 NoLeak); 197 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyTest, FilePermissions); 198 199 class SecurityState; 200 201 typedef std::set<std::string> SchemeSet; 202 typedef std::map<int, SecurityState*> SecurityStateMap; 203 typedef std::map<int, int> WorkerToMainProcessMap; 204 typedef std::map<fileapi::FileSystemType, int> FileSystemPermissionPolicyMap; 205 206 // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance(). 207 ChildProcessSecurityPolicyImpl(); 208 friend struct DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>; 209 210 // Adds child process during registration. 211 void AddChild(int child_id); 212 213 // Determines if certain permissions were granted for a file to given child 214 // process. |permissions| is an internally defined bit-set. 215 bool ChildProcessHasPermissionsForFile(int child_id, 216 const base::FilePath& file, 217 int permissions); 218 219 // Grant a particular permission set for a file. |permissions| is an 220 // internally defined bit-set. 221 void GrantPermissionsForFile(int child_id, 222 const base::FilePath& file, 223 int permissions); 224 225 // Grants access permission to the given isolated file system 226 // identified by |filesystem_id|. See comments for 227 // ChildProcessSecurityPolicy::GrantReadFileSystem() for more details. 228 void GrantPermissionsForFileSystem( 229 int child_id, 230 const std::string& filesystem_id, 231 int permission); 232 233 // Determines if certain permissions were granted for a file. |permissions| 234 // is an internally defined bit-set. If |child_id| is a worker process, 235 // this returns true if either the worker process or its parent renderer 236 // has permissions for the file. 237 bool HasPermissionsForFile(int child_id, 238 const base::FilePath& file, 239 int permissions); 240 241 // Determines if certain permissions were granted for a file in FileSystem 242 // API. |permissions| is an internally defined bit-set. 243 bool HasPermissionsForFileSystemFile(int child_id, 244 const fileapi::FileSystemURL& url, 245 int permissions); 246 247 // Determines if certain permissions were granted for a file system. 248 // |permissions| is an internally defined bit-set. 249 bool HasPermissionsForFileSystem( 250 int child_id, 251 const std::string& filesystem_id, 252 int permission); 253 254 // You must acquire this lock before reading or writing any members of this 255 // class. You must not block while holding this lock. 256 base::Lock lock_; 257 258 // These schemes are white-listed for all child processes. This set is 259 // protected by |lock_|. 260 SchemeSet web_safe_schemes_; 261 262 // These schemes do not actually represent retrievable URLs. For example, 263 // the the URLs in the "about" scheme are aliases to other URLs. This set is 264 // protected by |lock_|. 265 SchemeSet pseudo_schemes_; 266 267 // This map holds a SecurityState for each child process. The key for the 268 // map is the ID of the ChildProcessHost. The SecurityState objects are 269 // owned by this object and are protected by |lock_|. References to them must 270 // not escape this class. 271 SecurityStateMap security_state_; 272 273 // This maps keeps the record of which js worker thread child process 274 // corresponds to which main js thread child process. 275 WorkerToMainProcessMap worker_map_; 276 277 FileSystemPermissionPolicyMap file_system_policy_map_; 278 279 DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl); 280 }; 281 282 } // namespace content 283 284 #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ 285
