Home | History | Annotate | Download | only in browser
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
      6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
      7 
      8 
      9 #include <map>
     10 #include <set>
     11 #include <string>
     12 
     13 #include "base/compiler_specific.h"
     14 #include "base/gtest_prod_util.h"
     15 #include "base/memory/singleton.h"
     16 #include "base/synchronization/lock.h"
     17 #include "content/public/browser/child_process_security_policy.h"
     18 #include "webkit/common/fileapi/file_system_types.h"
     19 #include "webkit/common/resource_type.h"
     20 
     21 class GURL;
     22 
     23 namespace base {
     24 class FilePath;
     25 }
     26 
     27 namespace fileapi {
     28 class FileSystemURL;
     29 }
     30 
     31 namespace content {
     32 
     33 class CONTENT_EXPORT ChildProcessSecurityPolicyImpl
     34     : NON_EXPORTED_BASE(public ChildProcessSecurityPolicy) {
     35  public:
     36   // Object can only be created through GetInstance() so the constructor is
     37   // private.
     38   virtual ~ChildProcessSecurityPolicyImpl();
     39 
     40   static ChildProcessSecurityPolicyImpl* GetInstance();
     41 
     42   // ChildProcessSecurityPolicy implementation.
     43   virtual void RegisterWebSafeScheme(const std::string& scheme) OVERRIDE;
     44   virtual bool IsWebSafeScheme(const std::string& scheme) OVERRIDE;
     45   virtual void GrantReadFile(int child_id, const base::FilePath& file) OVERRIDE;
     46   virtual void GrantCreateReadWriteFile(int child_id,
     47                                         const base::FilePath& file) OVERRIDE;
     48   virtual void GrantCopyInto(int child_id, const base::FilePath& dir) OVERRIDE;
     49   virtual void GrantDeleteFrom(int child_id,
     50                                const base::FilePath& dir) OVERRIDE;
     51   virtual void GrantReadFileSystem(
     52       int child_id,
     53       const std::string& filesystem_id) OVERRIDE;
     54   virtual void GrantWriteFileSystem(
     55       int child_id,
     56       const std::string& filesystem_id) OVERRIDE;
     57   virtual void GrantCreateFileForFileSystem(
     58       int child_id,
     59       const std::string& filesystem_id) OVERRIDE;
     60   virtual void GrantCreateReadWriteFileSystem(
     61       int child_id,
     62       const std::string& filesystem_id) OVERRIDE;
     63   virtual void GrantCopyIntoFileSystem(
     64       int child_id,
     65       const std::string& filesystem_id) OVERRIDE;
     66   virtual void GrantDeleteFromFileSystem(
     67       int child_id,
     68       const std::string& filesystem_id) OVERRIDE;
     69   virtual void GrantScheme(int child_id, const std::string& scheme) OVERRIDE;
     70   virtual bool CanReadFile(int child_id, const base::FilePath& file) OVERRIDE;
     71   virtual bool CanCreateReadWriteFile(int child_id,
     72                                       const base::FilePath& file) OVERRIDE;
     73   virtual bool CanReadFileSystem(int child_id,
     74                                  const std::string& filesystem_id) OVERRIDE;
     75   virtual bool CanReadWriteFileSystem(
     76       int child_id,
     77       const std::string& filesystem_id) OVERRIDE;
     78   virtual bool CanCopyIntoFileSystem(int child_id,
     79                                      const std::string& filesystem_id) OVERRIDE;
     80   virtual bool CanDeleteFromFileSystem(
     81       int child_id,
     82       const std::string& filesystem_id) OVERRIDE;
     83 
     84   // Pseudo schemes are treated differently than other schemes because they
     85   // cannot be requested like normal URLs.  There is no mechanism for revoking
     86   // pseudo schemes.
     87   void RegisterPseudoScheme(const std::string& scheme);
     88 
     89   // Returns true iff |scheme| has been registered as pseudo scheme.
     90   bool IsPseudoScheme(const std::string& scheme);
     91 
     92   // Upon creation, child processes should register themselves by calling this
     93   // this method exactly once.
     94   void Add(int child_id);
     95 
     96   // Upon creation, worker thread child processes should register themselves by
     97   // calling this this method exactly once. Workers that are not shared will
     98   // inherit permissions from their parent renderer process identified with
     99   // |main_render_process_id|.
    100   void AddWorker(int worker_child_id, int main_render_process_id);
    101 
    102   // Upon destruction, child processess should unregister themselves by caling
    103   // this method exactly once.
    104   void Remove(int child_id);
    105 
    106   // Whenever the browser processes commands the child process to request a URL,
    107   // it should call this method to grant the child process the capability to
    108   // request the URL, along with permission to request all URLs of the same
    109   // scheme.
    110   void GrantRequestURL(int child_id, const GURL& url);
    111 
    112   // Whenever the browser process drops a file icon on a tab, it should call
    113   // this method to grant the child process the capability to request this one
    114   // file:// URL, but not all urls of the file:// scheme.
    115   void GrantRequestSpecificFileURL(int child_id, const GURL& url);
    116 
    117   // Revokes all permissions granted to the given file.
    118   void RevokeAllPermissionsForFile(int child_id, const base::FilePath& file);
    119 
    120   // Grant the child process the ability to use Web UI Bindings.
    121   void GrantWebUIBindings(int child_id);
    122 
    123   // Grant the child process the ability to read raw cookies.
    124   void GrantReadRawCookies(int child_id);
    125 
    126   // Revoke read raw cookies permission.
    127   void RevokeReadRawCookies(int child_id);
    128 
    129   // Grants permission to send system exclusive message to any MIDI devices.
    130   void GrantSendMidiSysExMessage(int child_id);
    131 
    132   // Before servicing a child process's request for a URL, the browser should
    133   // call this method to determine whether the process has the capability to
    134   // request the URL.
    135   bool CanRequestURL(int child_id, const GURL& url);
    136 
    137   // Returns true if the process is permitted to load pages from
    138   // the given origin in main frames or subframes.
    139   // Only might return false if --site-per-process flag is used.
    140   bool CanLoadPage(int child_id,
    141                    const GURL& url,
    142                    ResourceType::Type resource_type);
    143 
    144   // Explicit permissions checks for FileSystemURL specified files.
    145   bool CanReadFileSystemFile(int child_id, const fileapi::FileSystemURL& url);
    146   bool CanWriteFileSystemFile(int child_id, const fileapi::FileSystemURL& url);
    147   bool CanCreateFileSystemFile(int child_id, const fileapi::FileSystemURL& url);
    148   bool CanCreateReadWriteFileSystemFile(int child_id,
    149                                         const fileapi::FileSystemURL& url);
    150   bool CanCopyIntoFileSystemFile(int child_id,
    151                                  const fileapi::FileSystemURL& url);
    152   bool CanDeleteFileSystemFile(int child_id,
    153                                const fileapi::FileSystemURL& url);
    154 
    155   // Returns true if the specified child_id has been granted WebUIBindings.
    156   // The browser should check this property before assuming the child process is
    157   // allowed to use WebUIBindings.
    158   bool HasWebUIBindings(int child_id);
    159 
    160   // Returns true if the specified child_id has been granted ReadRawCookies.
    161   bool CanReadRawCookies(int child_id);
    162 
    163   // Returns true if the process is permitted to read and modify the cookies for
    164   // the given origin.  Does not affect cookies attached to or set by network
    165   // requests.
    166   // Only might return false if the very experimental
    167   // --enable-strict-site-isolation or --site-per-process flags are used.
    168   bool CanAccessCookiesForOrigin(int child_id, const GURL& gurl);
    169 
    170   // Returns true if the process is permitted to attach cookies to (or have
    171   // cookies set by) network requests.
    172   // Only might return false if the very experimental
    173   // --enable-strict-site-isolation or --site-per-process flags are used.
    174   bool CanSendCookiesForOrigin(int child_id, const GURL& gurl);
    175 
    176   // Sets the process as only permitted to use and see the cookies for the
    177   // given origin.
    178   // Only used if the very experimental --enable-strict-site-isolation or
    179   // --site-per-process flags are used.
    180   void LockToOrigin(int child_id, const GURL& gurl);
    181 
    182   // Register FileSystem type and permission policy which should be used
    183   // for the type.  The |policy| must be a bitwise-or'd value of
    184   // fileapi::FilePermissionPolicy.
    185   void RegisterFileSystemPermissionPolicy(
    186       fileapi::FileSystemType type,
    187       int policy);
    188 
    189   // Returns true if sending system exclusive messages is allowed.
    190   bool CanSendMidiSysExMessage(int child_id);
    191 
    192  private:
    193   friend class ChildProcessSecurityPolicyInProcessBrowserTest;
    194   friend class ChildProcessSecurityPolicyTest;
    195   FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest,
    196                            NoLeak);
    197   FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyTest, FilePermissions);
    198 
    199   class SecurityState;
    200 
    201   typedef std::set<std::string> SchemeSet;
    202   typedef std::map<int, SecurityState*> SecurityStateMap;
    203   typedef std::map<int, int> WorkerToMainProcessMap;
    204   typedef std::map<fileapi::FileSystemType, int> FileSystemPermissionPolicyMap;
    205 
    206   // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance().
    207   ChildProcessSecurityPolicyImpl();
    208   friend struct DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>;
    209 
    210   // Adds child process during registration.
    211   void AddChild(int child_id);
    212 
    213   // Determines if certain permissions were granted for a file to given child
    214   // process. |permissions| is an internally defined bit-set.
    215   bool ChildProcessHasPermissionsForFile(int child_id,
    216                                          const base::FilePath& file,
    217                                          int permissions);
    218 
    219   // Grant a particular permission set for a file. |permissions| is an
    220   // internally defined bit-set.
    221   void GrantPermissionsForFile(int child_id,
    222                                const base::FilePath& file,
    223                                int permissions);
    224 
    225   // Grants access permission to the given isolated file system
    226   // identified by |filesystem_id|.  See comments for
    227   // ChildProcessSecurityPolicy::GrantReadFileSystem() for more details.
    228   void GrantPermissionsForFileSystem(
    229       int child_id,
    230       const std::string& filesystem_id,
    231       int permission);
    232 
    233   // Determines if certain permissions were granted for a file. |permissions|
    234   // is an internally defined bit-set. If |child_id| is a worker process,
    235   // this returns true if either the worker process or its parent renderer
    236   // has permissions for the file.
    237   bool HasPermissionsForFile(int child_id,
    238                              const base::FilePath& file,
    239                              int permissions);
    240 
    241   // Determines if certain permissions were granted for a file in FileSystem
    242   // API. |permissions| is an internally defined bit-set.
    243   bool HasPermissionsForFileSystemFile(int child_id,
    244                                        const fileapi::FileSystemURL& url,
    245                                        int permissions);
    246 
    247   // Determines if certain permissions were granted for a file system.
    248   // |permissions| is an internally defined bit-set.
    249   bool HasPermissionsForFileSystem(
    250       int child_id,
    251       const std::string& filesystem_id,
    252       int permission);
    253 
    254   // You must acquire this lock before reading or writing any members of this
    255   // class.  You must not block while holding this lock.
    256   base::Lock lock_;
    257 
    258   // These schemes are white-listed for all child processes.  This set is
    259   // protected by |lock_|.
    260   SchemeSet web_safe_schemes_;
    261 
    262   // These schemes do not actually represent retrievable URLs.  For example,
    263   // the the URLs in the "about" scheme are aliases to other URLs.  This set is
    264   // protected by |lock_|.
    265   SchemeSet pseudo_schemes_;
    266 
    267   // This map holds a SecurityState for each child process.  The key for the
    268   // map is the ID of the ChildProcessHost.  The SecurityState objects are
    269   // owned by this object and are protected by |lock_|.  References to them must
    270   // not escape this class.
    271   SecurityStateMap security_state_;
    272 
    273   // This maps keeps the record of which js worker thread child process
    274   // corresponds to which main js thread child process.
    275   WorkerToMainProcessMap worker_map_;
    276 
    277   FileSystemPermissionPolicyMap file_system_policy_map_;
    278 
    279   DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl);
    280 };
    281 
    282 }  // namespace content
    283 
    284 #endif  // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
    285