Home | History | Annotate | Download | only in browser 
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
      6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
      7 
      8 
      9 #include <map>
     10 #include <set>
     11 #include <string>
     12 
     13 #include "base/compiler_specific.h"
     14 #include "base/gtest_prod_util.h"
     15 #include "base/memory/singleton.h"
     16 #include "base/synchronization/lock.h"
     17 #include "content/public/browser/child_process_security_policy.h"
     18 #include "content/public/common/resource_type.h"
     19 #include "storage/common/fileapi/file_system_types.h"
     20 
     21 class GURL;
     22 
     23 namespace base {
     24 class FilePath;
     25 }
     26 
     27 namespace storage {
     28 class FileSystemURL;
     29 }
     30 
     31 namespace content {
     32 
     33 class CONTENT_EXPORT ChildProcessSecurityPolicyImpl
     34     : NON_EXPORTED_BASE(public ChildProcessSecurityPolicy) {
     35  public:
     36   // Object can only be created through GetInstance() so the constructor is
     37   // private.
     38   virtual ~ChildProcessSecurityPolicyImpl();
     39 
     40   static ChildProcessSecurityPolicyImpl* GetInstance();
     41 
     42   // ChildProcessSecurityPolicy implementation.
     43   virtual void RegisterWebSafeScheme(const std::string& scheme) OVERRIDE;
     44   virtual bool IsWebSafeScheme(const std::string& scheme) OVERRIDE;
     45   virtual void GrantReadFile(int child_id, const base::FilePath& file) OVERRIDE;
     46   virtual void GrantCreateReadWriteFile(int child_id,
     47                                         const base::FilePath& file) OVERRIDE;
     48   virtual void GrantCopyInto(int child_id, const base::FilePath& dir) OVERRIDE;
     49   virtual void GrantDeleteFrom(int child_id,
     50                                const base::FilePath& dir) OVERRIDE;
     51   virtual void GrantReadFileSystem(
     52       int child_id,
     53       const std::string& filesystem_id) OVERRIDE;
     54   virtual void GrantWriteFileSystem(
     55       int child_id,
     56       const std::string& filesystem_id) OVERRIDE;
     57   virtual void GrantCreateFileForFileSystem(
     58       int child_id,
     59       const std::string& filesystem_id) OVERRIDE;
     60   virtual void GrantCreateReadWriteFileSystem(
     61       int child_id,
     62       const std::string& filesystem_id) OVERRIDE;
     63   virtual void GrantCopyIntoFileSystem(
     64       int child_id,
     65       const std::string& filesystem_id) OVERRIDE;
     66   virtual void GrantDeleteFromFileSystem(
     67       int child_id,
     68       const std::string& filesystem_id) OVERRIDE;
     69   virtual void GrantScheme(int child_id, const std::string& scheme) OVERRIDE;
     70   virtual bool CanReadFile(int child_id, const base::FilePath& file) OVERRIDE;
     71   virtual bool CanCreateReadWriteFile(int child_id,
     72                                       const base::FilePath& file) OVERRIDE;
     73   virtual bool CanReadFileSystem(int child_id,
     74                                  const std::string& filesystem_id) OVERRIDE;
     75   virtual bool CanReadWriteFileSystem(
     76       int child_id,
     77       const std::string& filesystem_id) OVERRIDE;
     78   virtual bool CanCopyIntoFileSystem(int child_id,
     79                                      const std::string& filesystem_id) OVERRIDE;
     80   virtual bool CanDeleteFromFileSystem(
     81       int child_id,
     82       const std::string& filesystem_id) OVERRIDE;
     83   virtual bool HasWebUIBindings(int child_id) OVERRIDE;
     84 
     85   // Pseudo schemes are treated differently than other schemes because they
     86   // cannot be requested like normal URLs.  There is no mechanism for revoking
     87   // pseudo schemes.
     88   void RegisterPseudoScheme(const std::string& scheme);
     89 
     90   // Returns true iff |scheme| has been registered as pseudo scheme.
     91   bool IsPseudoScheme(const std::string& scheme);
     92 
     93   // Upon creation, child processes should register themselves by calling this
     94   // this method exactly once.
     95   void Add(int child_id);
     96 
     97   // Upon creation, worker thread child processes should register themselves by
     98   // calling this this method exactly once. Workers that are not shared will
     99   // inherit permissions from their parent renderer process identified with
    100   // |main_render_process_id|.
    101   void AddWorker(int worker_child_id, int main_render_process_id);
    102 
    103   // Upon destruction, child processess should unregister themselves by caling
    104   // this method exactly once.
    105   void Remove(int child_id);
    106 
    107   // Whenever the browser processes commands the child process to request a URL,
    108   // it should call this method to grant the child process the capability to
    109   // request the URL, along with permission to request all URLs of the same
    110   // scheme.
    111   void GrantRequestURL(int child_id, const GURL& url);
    112 
    113   // Whenever the browser process drops a file icon on a tab, it should call
    114   // this method to grant the child process the capability to request this one
    115   // file:// URL, but not all urls of the file:// scheme.
    116   void GrantRequestSpecificFileURL(int child_id, const GURL& url);
    117 
    118   // Revokes all permissions granted to the given file.
    119   void RevokeAllPermissionsForFile(int child_id, const base::FilePath& file);
    120 
    121   // Grant the child process the ability to use Web UI Bindings.
    122   void GrantWebUIBindings(int child_id);
    123 
    124   // Grant the child process the ability to read raw cookies.
    125   void GrantReadRawCookies(int child_id);
    126 
    127   // Revoke read raw cookies permission.
    128   void RevokeReadRawCookies(int child_id);
    129 
    130   // Grants permission to send system exclusive message to any MIDI devices.
    131   void GrantSendMidiSysExMessage(int child_id);
    132 
    133   // Before servicing a child process's request for a URL, the browser should
    134   // call this method to determine whether the process has the capability to
    135   // request the URL.
    136   bool CanRequestURL(int child_id, const GURL& url);
    137 
    138   // Returns true if the process is permitted to load pages from
    139   // the given origin in main frames or subframes.
    140   // Only might return false if --site-per-process flag is used.
    141   bool CanLoadPage(int child_id,
    142                    const GURL& url,
    143                    ResourceType resource_type);
    144 
    145   // Explicit permissions checks for FileSystemURL specified files.
    146   bool CanReadFileSystemFile(int child_id, const storage::FileSystemURL& url);
    147   bool CanWriteFileSystemFile(int child_id, const storage::FileSystemURL& url);
    148   bool CanCreateFileSystemFile(int child_id, const storage::FileSystemURL& url);
    149   bool CanCreateReadWriteFileSystemFile(int child_id,
    150                                         const storage::FileSystemURL& url);
    151   bool CanCopyIntoFileSystemFile(int child_id,
    152                                  const storage::FileSystemURL& url);
    153   bool CanDeleteFileSystemFile(int child_id, const storage::FileSystemURL& url);
    154 
    155   // Returns true if the specified child_id has been granted ReadRawCookies.
    156   bool CanReadRawCookies(int child_id);
    157 
    158   // Returns true if the process is permitted to read and modify the cookies for
    159   // the given origin.  Does not affect cookies attached to or set by network
    160   // requests.
    161   // Only might return false if the very experimental
    162   // --enable-strict-site-isolation or --site-per-process flags are used.
    163   bool CanAccessCookiesForOrigin(int child_id, const GURL& gurl);
    164 
    165   // Returns true if the process is permitted to attach cookies to (or have
    166   // cookies set by) network requests.
    167   // Only might return false if the very experimental
    168   // --enable-strict-site-isolation or --site-per-process flags are used.
    169   bool CanSendCookiesForOrigin(int child_id, const GURL& gurl);
    170 
    171   // Sets the process as only permitted to use and see the cookies for the
    172   // given origin.
    173   // Only used if the very experimental --enable-strict-site-isolation or
    174   // --site-per-process flags are used.
    175   void LockToOrigin(int child_id, const GURL& gurl);
    176 
    177   // Register FileSystem type and permission policy which should be used
    178   // for the type.  The |policy| must be a bitwise-or'd value of
    179   // storage::FilePermissionPolicy.
    180   void RegisterFileSystemPermissionPolicy(storage::FileSystemType type,
    181                                           int policy);
    182 
    183   // Returns true if sending system exclusive messages is allowed.
    184   bool CanSendMidiSysExMessage(int child_id);
    185 
    186  private:
    187   friend class ChildProcessSecurityPolicyInProcessBrowserTest;
    188   friend class ChildProcessSecurityPolicyTest;
    189   FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest,
    190                            NoLeak);
    191   FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyTest, FilePermissions);
    192 
    193   class SecurityState;
    194 
    195   typedef std::set<std::string> SchemeSet;
    196   typedef std::map<int, SecurityState*> SecurityStateMap;
    197   typedef std::map<int, int> WorkerToMainProcessMap;
    198   typedef std::map<storage::FileSystemType, int> FileSystemPermissionPolicyMap;
    199 
    200   // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance().
    201   ChildProcessSecurityPolicyImpl();
    202   friend struct DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>;
    203 
    204   // Adds child process during registration.
    205   void AddChild(int child_id);
    206 
    207   // Determines if certain permissions were granted for a file to given child
    208   // process. |permissions| is an internally defined bit-set.
    209   bool ChildProcessHasPermissionsForFile(int child_id,
    210                                          const base::FilePath& file,
    211                                          int permissions);
    212 
    213   // Grant a particular permission set for a file. |permissions| is an
    214   // internally defined bit-set.
    215   void GrantPermissionsForFile(int child_id,
    216                                const base::FilePath& file,
    217                                int permissions);
    218 
    219   // Grants access permission to the given isolated file system
    220   // identified by |filesystem_id|.  See comments for
    221   // ChildProcessSecurityPolicy::GrantReadFileSystem() for more details.
    222   void GrantPermissionsForFileSystem(
    223       int child_id,
    224       const std::string& filesystem_id,
    225       int permission);
    226 
    227   // Determines if certain permissions were granted for a file. |permissions|
    228   // is an internally defined bit-set. If |child_id| is a worker process,
    229   // this returns true if either the worker process or its parent renderer
    230   // has permissions for the file.
    231   bool HasPermissionsForFile(int child_id,
    232                              const base::FilePath& file,
    233                              int permissions);
    234 
    235   // Determines if certain permissions were granted for a file in FileSystem
    236   // API. |permissions| is an internally defined bit-set.
    237   bool HasPermissionsForFileSystemFile(int child_id,
    238                                        const storage::FileSystemURL& url,
    239                                        int permissions);
    240 
    241   // Determines if certain permissions were granted for a file system.
    242   // |permissions| is an internally defined bit-set.
    243   bool HasPermissionsForFileSystem(
    244       int child_id,
    245       const std::string& filesystem_id,
    246       int permission);
    247 
    248   // You must acquire this lock before reading or writing any members of this
    249   // class.  You must not block while holding this lock.
    250   base::Lock lock_;
    251 
    252   // These schemes are white-listed for all child processes.  This set is
    253   // protected by |lock_|.
    254   SchemeSet web_safe_schemes_;
    255 
    256   // These schemes do not actually represent retrievable URLs.  For example,
    257   // the the URLs in the "about" scheme are aliases to other URLs.  This set is
    258   // protected by |lock_|.
    259   SchemeSet pseudo_schemes_;
    260 
    261   // This map holds a SecurityState for each child process.  The key for the
    262   // map is the ID of the ChildProcessHost.  The SecurityState objects are
    263   // owned by this object and are protected by |lock_|.  References to them must
    264   // not escape this class.
    265   SecurityStateMap security_state_;
    266 
    267   // This maps keeps the record of which js worker thread child process
    268   // corresponds to which main js thread child process.
    269   WorkerToMainProcessMap worker_map_;
    270 
    271   FileSystemPermissionPolicyMap file_system_policy_map_;
    272 
    273   DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl);
    274 };
    275 
    276 }  // namespace content
    277 
    278 #endif  // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
    279