1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "content/browser/child_process_security_policy_impl.h"
6
7 #include "base/command_line.h"
8 #include "base/files/file_path.h"
9 #include "base/logging.h"
10 #include "base/metrics/histogram.h"
11 #include "base/platform_file.h"
12 #include "base/stl_util.h"
13 #include "base/strings/string_util.h"
14 #include "content/browser/plugin_process_host.h"
15 #include "content/browser/site_instance_impl.h"
16 #include "content/public/browser/child_process_data.h"
17 #include "content/public/browser/content_browser_client.h"
18 #include "content/public/browser/render_process_host.h"
19 #include "content/public/common/bindings_policy.h"
20 #include "content/public/common/content_switches.h"
21 #include "content/public/common/url_constants.h"
22 #include "net/base/net_util.h"
23 #include "net/url_request/url_request.h"
24 #include "url/gurl.h"
25 #include "webkit/browser/fileapi/file_permission_policy.h"
26 #include "webkit/browser/fileapi/file_system_url.h"
27 #include "webkit/browser/fileapi/isolated_context.h"
28 #include "webkit/common/fileapi/file_system_util.h"
29
30 namespace content {
31
32 namespace {
33
34 // Used internally only. These bit positions have no relationship to any
35 // underlying OS and can be changed to accommodate finer-grained permissions.
36 enum ChildProcessSecurityPermissions {
37 READ_FILE_PERMISSION = 1 << 0,
38 WRITE_FILE_PERMISSION = 1 << 1,
39 CREATE_NEW_FILE_PERMISSION = 1 << 2,
40 CREATE_OVERWRITE_FILE_PERMISSION = 1 << 3,
41 DELETE_FILE_PERMISSION = 1 << 4,
42
43 // Used by Media Galleries API
44 COPY_INTO_FILE_PERMISSION = 1 << 5,
45 };
46
47 // Used internally only. Bitmasks that are actually used by the Grant* and Can*
48 // methods. These contain one or more ChildProcessSecurityPermissions.
49 enum ChildProcessSecurityGrants {
50 READ_FILE_GRANT = READ_FILE_PERMISSION,
51 WRITE_FILE_GRANT = WRITE_FILE_PERMISSION,
52
53 CREATE_NEW_FILE_GRANT = CREATE_NEW_FILE_PERMISSION |
54 COPY_INTO_FILE_PERMISSION,
55
56 CREATE_READ_WRITE_FILE_GRANT = CREATE_NEW_FILE_PERMISSION |
57 CREATE_OVERWRITE_FILE_PERMISSION |
58 READ_FILE_PERMISSION |
59 WRITE_FILE_PERMISSION |
60 COPY_INTO_FILE_PERMISSION |
61 DELETE_FILE_PERMISSION,
62
63 COPY_INTO_FILE_GRANT = COPY_INTO_FILE_PERMISSION,
64 DELETE_FILE_GRANT = DELETE_FILE_PERMISSION,
65 };
66
67 } // namespace
68
69 // The SecurityState class is used to maintain per-child process security state
70 // information.
71 class ChildProcessSecurityPolicyImpl::SecurityState {
72 public:
SecurityState()73 SecurityState()
74 : enabled_bindings_(0),
75 can_read_raw_cookies_(false),
76 can_send_midi_sysex_(false) { }
77
~SecurityState()78 ~SecurityState() {
79 scheme_policy_.clear();
80 fileapi::IsolatedContext* isolated_context =
81 fileapi::IsolatedContext::GetInstance();
82 for (FileSystemMap::iterator iter = filesystem_permissions_.begin();
83 iter != filesystem_permissions_.end();
84 ++iter) {
85 isolated_context->RemoveReference(iter->first);
86 }
87 UMA_HISTOGRAM_COUNTS("ChildProcessSecurityPolicy.PerChildFilePermissions",
88 file_permissions_.size());
89 }
90
91 // Grant permission to request URLs with the specified scheme.
GrantScheme(const std::string & scheme)92 void GrantScheme(const std::string& scheme) {
93 scheme_policy_[scheme] = true;
94 }
95
96 // Revoke permission to request URLs with the specified scheme.
RevokeScheme(const std::string & scheme)97 void RevokeScheme(const std::string& scheme) {
98 scheme_policy_[scheme] = false;
99 }
100
101 // Grant certain permissions to a file.
GrantPermissionsForFile(const base::FilePath & file,int permissions)102 void GrantPermissionsForFile(const base::FilePath& file, int permissions) {
103 base::FilePath stripped = file.StripTrailingSeparators();
104 file_permissions_[stripped] |= permissions;
105 UMA_HISTOGRAM_COUNTS("ChildProcessSecurityPolicy.FilePermissionPathLength",
106 stripped.value().size());
107 }
108
109 // Grant navigation to a file but not the file:// scheme in general.
GrantRequestOfSpecificFile(const base::FilePath & file)110 void GrantRequestOfSpecificFile(const base::FilePath &file) {
111 request_file_set_.insert(file.StripTrailingSeparators());
112 }
113
114 // Revokes all permissions granted to a file.
RevokeAllPermissionsForFile(const base::FilePath & file)115 void RevokeAllPermissionsForFile(const base::FilePath& file) {
116 base::FilePath stripped = file.StripTrailingSeparators();
117 file_permissions_.erase(stripped);
118 request_file_set_.erase(stripped);
119 }
120
121 // Grant certain permissions to a file.
GrantPermissionsForFileSystem(const std::string & filesystem_id,int permissions)122 void GrantPermissionsForFileSystem(const std::string& filesystem_id,
123 int permissions) {
124 if (!ContainsKey(filesystem_permissions_, filesystem_id))
125 fileapi::IsolatedContext::GetInstance()->AddReference(filesystem_id);
126 filesystem_permissions_[filesystem_id] |= permissions;
127 }
128
HasPermissionsForFileSystem(const std::string & filesystem_id,int permissions)129 bool HasPermissionsForFileSystem(const std::string& filesystem_id,
130 int permissions) {
131 FileSystemMap::const_iterator it =
132 filesystem_permissions_.find(filesystem_id);
133 if (it == filesystem_permissions_.end())
134 return false;
135 return (it->second & permissions) == permissions;
136 }
137
138 #if defined(OS_ANDROID)
139 // Determine if the certain permissions have been granted to a content URI.
HasPermissionsForContentUri(const base::FilePath & file,int permissions)140 bool HasPermissionsForContentUri(const base::FilePath& file,
141 int permissions) {
142 DCHECK(!file.empty());
143 DCHECK(file.IsContentUri());
144 if (!permissions)
145 return false;
146 base::FilePath file_path = file.StripTrailingSeparators();
147 FileMap::const_iterator it = file_permissions_.find(file_path);
148 if (it != file_permissions_.end())
149 return (it->second & permissions) == permissions;
150 return false;
151 }
152 #endif
153
GrantBindings(int bindings)154 void GrantBindings(int bindings) {
155 enabled_bindings_ |= bindings;
156 }
157
GrantReadRawCookies()158 void GrantReadRawCookies() {
159 can_read_raw_cookies_ = true;
160 }
161
RevokeReadRawCookies()162 void RevokeReadRawCookies() {
163 can_read_raw_cookies_ = false;
164 }
165
GrantPermissionForMIDISysEx()166 void GrantPermissionForMIDISysEx() {
167 can_send_midi_sysex_ = true;
168 }
169
170 // Determine whether permission has been granted to request |url|.
CanRequestURL(const GURL & url)171 bool CanRequestURL(const GURL& url) {
172 // Having permission to a scheme implies permssion to all of its URLs.
173 SchemeMap::const_iterator judgment(scheme_policy_.find(url.scheme()));
174 if (judgment != scheme_policy_.end())
175 return judgment->second;
176
177 // file:// URLs are more granular. The child may have been given
178 // permission to a specific file but not the file:// scheme in general.
179 if (url.SchemeIs(chrome::kFileScheme)) {
180 base::FilePath path;
181 if (net::FileURLToFilePath(url, &path))
182 return ContainsKey(request_file_set_, path);
183 }
184
185 return false; // Unmentioned schemes are disallowed.
186 }
187
188 // Determine if the certain permissions have been granted to a file.
HasPermissionsForFile(const base::FilePath & file,int permissions)189 bool HasPermissionsForFile(const base::FilePath& file, int permissions) {
190 #if defined(OS_ANDROID)
191 if (file.IsContentUri())
192 return HasPermissionsForContentUri(file, permissions);
193 #endif
194 if (!permissions || file.empty() || !file.IsAbsolute())
195 return false;
196 base::FilePath current_path = file.StripTrailingSeparators();
197 base::FilePath last_path;
198 int skip = 0;
199 while (current_path != last_path) {
200 base::FilePath base_name = current_path.BaseName();
201 if (base_name.value() == base::FilePath::kParentDirectory) {
202 ++skip;
203 } else if (skip > 0) {
204 if (base_name.value() != base::FilePath::kCurrentDirectory)
205 --skip;
206 } else {
207 FileMap::const_iterator it = file_permissions_.find(current_path);
208 if (it != file_permissions_.end())
209 return (it->second & permissions) == permissions;
210 }
211 last_path = current_path;
212 current_path = current_path.DirName();
213 }
214
215 return false;
216 }
217
CanLoadPage(const GURL & gurl)218 bool CanLoadPage(const GURL& gurl) {
219 if (origin_lock_.is_empty())
220 return true;
221
222 // TODO(creis): We must pass the valid browser_context to convert hosted
223 // apps URLs. Currently, hosted apps cannot be loaded in this mode.
224 // See http://crbug.com/160576.
225 GURL site_gurl = SiteInstanceImpl::GetSiteForURL(NULL, gurl);
226 return origin_lock_ == site_gurl;
227 }
228
CanAccessCookiesForOrigin(const GURL & gurl)229 bool CanAccessCookiesForOrigin(const GURL& gurl) {
230 if (origin_lock_.is_empty())
231 return true;
232 // TODO(creis): We must pass the valid browser_context to convert hosted
233 // apps URLs. Currently, hosted apps cannot set cookies in this mode.
234 // See http://crbug.com/160576.
235 GURL site_gurl = SiteInstanceImpl::GetSiteForURL(NULL, gurl);
236 return origin_lock_ == site_gurl;
237 }
238
CanSendCookiesForOrigin(const GURL & gurl)239 bool CanSendCookiesForOrigin(const GURL& gurl) {
240 // We only block cross-site cookies on network requests if the
241 // --enable-strict-site-isolation flag is passed. This is expected to break
242 // compatibility with many sites. The similar --site-per-process flag only
243 // blocks JavaScript access to cross-site cookies (in
244 // CanAccessCookiesForOrigin).
245 const CommandLine& command_line = *CommandLine::ForCurrentProcess();
246 if (!command_line.HasSwitch(switches::kEnableStrictSiteIsolation))
247 return true;
248
249 if (origin_lock_.is_empty())
250 return true;
251 // TODO(creis): We must pass the valid browser_context to convert hosted
252 // apps URLs. Currently, hosted apps cannot set cookies in this mode.
253 // See http://crbug.com/160576.
254 GURL site_gurl = SiteInstanceImpl::GetSiteForURL(NULL, gurl);
255 return origin_lock_ == site_gurl;
256 }
257
LockToOrigin(const GURL & gurl)258 void LockToOrigin(const GURL& gurl) {
259 origin_lock_ = gurl;
260 }
261
has_web_ui_bindings() const262 bool has_web_ui_bindings() const {
263 return enabled_bindings_ & BINDINGS_POLICY_WEB_UI;
264 }
265
can_read_raw_cookies() const266 bool can_read_raw_cookies() const {
267 return can_read_raw_cookies_;
268 }
269
can_send_midi_sysex() const270 bool can_send_midi_sysex() const {
271 return can_send_midi_sysex_;
272 }
273
274 private:
275 typedef std::map<std::string, bool> SchemeMap;
276
277 typedef int FilePermissionFlags; // bit-set of PlatformFileFlags
278 typedef std::map<base::FilePath, FilePermissionFlags> FileMap;
279 typedef std::map<std::string, FilePermissionFlags> FileSystemMap;
280 typedef std::set<base::FilePath> FileSet;
281
282 // Maps URL schemes to whether permission has been granted or revoked:
283 // |true| means the scheme has been granted.
284 // |false| means the scheme has been revoked.
285 // If a scheme is not present in the map, then it has never been granted
286 // or revoked.
287 SchemeMap scheme_policy_;
288
289 // The set of files the child process is permited to upload to the web.
290 FileMap file_permissions_;
291
292 // The set of files the child process is permitted to load.
293 FileSet request_file_set_;
294
295 int enabled_bindings_;
296
297 bool can_read_raw_cookies_;
298
299 bool can_send_midi_sysex_;
300
301 GURL origin_lock_;
302
303 // The set of isolated filesystems the child process is permitted to access.
304 FileSystemMap filesystem_permissions_;
305
306 DISALLOW_COPY_AND_ASSIGN(SecurityState);
307 };
308
ChildProcessSecurityPolicyImpl()309 ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() {
310 // We know about these schemes and believe them to be safe.
311 RegisterWebSafeScheme(kHttpScheme);
312 RegisterWebSafeScheme(kHttpsScheme);
313 RegisterWebSafeScheme(kFtpScheme);
314 RegisterWebSafeScheme(chrome::kDataScheme);
315 RegisterWebSafeScheme("feed");
316 RegisterWebSafeScheme(chrome::kBlobScheme);
317 RegisterWebSafeScheme(chrome::kFileSystemScheme);
318
319 // We know about the following pseudo schemes and treat them specially.
320 RegisterPseudoScheme(chrome::kAboutScheme);
321 RegisterPseudoScheme(kJavaScriptScheme);
322 RegisterPseudoScheme(kViewSourceScheme);
323 }
324
~ChildProcessSecurityPolicyImpl()325 ChildProcessSecurityPolicyImpl::~ChildProcessSecurityPolicyImpl() {
326 web_safe_schemes_.clear();
327 pseudo_schemes_.clear();
328 STLDeleteContainerPairSecondPointers(security_state_.begin(),
329 security_state_.end());
330 security_state_.clear();
331 }
332
333 // static
GetInstance()334 ChildProcessSecurityPolicy* ChildProcessSecurityPolicy::GetInstance() {
335 return ChildProcessSecurityPolicyImpl::GetInstance();
336 }
337
GetInstance()338 ChildProcessSecurityPolicyImpl* ChildProcessSecurityPolicyImpl::GetInstance() {
339 return Singleton<ChildProcessSecurityPolicyImpl>::get();
340 }
341
Add(int child_id)342 void ChildProcessSecurityPolicyImpl::Add(int child_id) {
343 base::AutoLock lock(lock_);
344 AddChild(child_id);
345 }
346
AddWorker(int child_id,int main_render_process_id)347 void ChildProcessSecurityPolicyImpl::AddWorker(int child_id,
348 int main_render_process_id) {
349 base::AutoLock lock(lock_);
350 AddChild(child_id);
351 worker_map_[child_id] = main_render_process_id;
352 }
353
Remove(int child_id)354 void ChildProcessSecurityPolicyImpl::Remove(int child_id) {
355 base::AutoLock lock(lock_);
356 SecurityStateMap::iterator it = security_state_.find(child_id);
357 if (it == security_state_.end())
358 return; // May be called multiple times.
359
360 delete it->second;
361 security_state_.erase(it);
362 worker_map_.erase(child_id);
363 }
364
RegisterWebSafeScheme(const std::string & scheme)365 void ChildProcessSecurityPolicyImpl::RegisterWebSafeScheme(
366 const std::string& scheme) {
367 base::AutoLock lock(lock_);
368 DCHECK_EQ(0U, web_safe_schemes_.count(scheme)) << "Add schemes at most once.";
369 DCHECK_EQ(0U, pseudo_schemes_.count(scheme))
370 << "Web-safe implies not pseudo.";
371
372 web_safe_schemes_.insert(scheme);
373 }
374
IsWebSafeScheme(const std::string & scheme)375 bool ChildProcessSecurityPolicyImpl::IsWebSafeScheme(
376 const std::string& scheme) {
377 base::AutoLock lock(lock_);
378
379 return ContainsKey(web_safe_schemes_, scheme);
380 }
381
RegisterPseudoScheme(const std::string & scheme)382 void ChildProcessSecurityPolicyImpl::RegisterPseudoScheme(
383 const std::string& scheme) {
384 base::AutoLock lock(lock_);
385 DCHECK_EQ(0U, pseudo_schemes_.count(scheme)) << "Add schemes at most once.";
386 DCHECK_EQ(0U, web_safe_schemes_.count(scheme))
387 << "Pseudo implies not web-safe.";
388
389 pseudo_schemes_.insert(scheme);
390 }
391
IsPseudoScheme(const std::string & scheme)392 bool ChildProcessSecurityPolicyImpl::IsPseudoScheme(
393 const std::string& scheme) {
394 base::AutoLock lock(lock_);
395
396 return ContainsKey(pseudo_schemes_, scheme);
397 }
398
GrantRequestURL(int child_id,const GURL & url)399 void ChildProcessSecurityPolicyImpl::GrantRequestURL(
400 int child_id, const GURL& url) {
401
402 if (!url.is_valid())
403 return; // Can't grant the capability to request invalid URLs.
404
405 if (IsWebSafeScheme(url.scheme()))
406 return; // The scheme has already been whitelisted for every child process.
407
408 if (IsPseudoScheme(url.scheme())) {
409 // The view-source scheme is a special case of a pseudo-URL that eventually
410 // results in requesting its embedded URL.
411 if (url.SchemeIs(kViewSourceScheme)) {
412 // URLs with the view-source scheme typically look like:
413 // view-source:http://www.google.com/a
414 // In order to request these URLs, the child_id needs to be able to
415 // request the embedded URL.
416 GrantRequestURL(child_id, GURL(url.GetContent()));
417 }
418
419 return; // Can't grant the capability to request pseudo schemes.
420 }
421
422 {
423 base::AutoLock lock(lock_);
424 SecurityStateMap::iterator state = security_state_.find(child_id);
425 if (state == security_state_.end())
426 return;
427
428 // When the child process has been commanded to request this scheme,
429 // we grant it the capability to request all URLs of that scheme.
430 state->second->GrantScheme(url.scheme());
431 }
432 }
433
GrantRequestSpecificFileURL(int child_id,const GURL & url)434 void ChildProcessSecurityPolicyImpl::GrantRequestSpecificFileURL(
435 int child_id,
436 const GURL& url) {
437 if (!url.SchemeIs(chrome::kFileScheme))
438 return;
439
440 {
441 base::AutoLock lock(lock_);
442 SecurityStateMap::iterator state = security_state_.find(child_id);
443 if (state == security_state_.end())
444 return;
445
446 // When the child process has been commanded to request a file:// URL,
447 // then we grant it the capability for that URL only.
448 base::FilePath path;
449 if (net::FileURLToFilePath(url, &path))
450 state->second->GrantRequestOfSpecificFile(path);
451 }
452 }
453
GrantReadFile(int child_id,const base::FilePath & file)454 void ChildProcessSecurityPolicyImpl::GrantReadFile(int child_id,
455 const base::FilePath& file) {
456 GrantPermissionsForFile(child_id, file, READ_FILE_GRANT);
457 }
458
GrantCreateReadWriteFile(int child_id,const base::FilePath & file)459 void ChildProcessSecurityPolicyImpl::GrantCreateReadWriteFile(
460 int child_id, const base::FilePath& file) {
461 GrantPermissionsForFile(child_id, file, CREATE_READ_WRITE_FILE_GRANT);
462 }
463
GrantPermissionsForFile(int child_id,const base::FilePath & file,int permissions)464 void ChildProcessSecurityPolicyImpl::GrantPermissionsForFile(
465 int child_id, const base::FilePath& file, int permissions) {
466 base::AutoLock lock(lock_);
467
468 SecurityStateMap::iterator state = security_state_.find(child_id);
469 if (state == security_state_.end())
470 return;
471
472 state->second->GrantPermissionsForFile(file, permissions);
473 }
474
RevokeAllPermissionsForFile(int child_id,const base::FilePath & file)475 void ChildProcessSecurityPolicyImpl::RevokeAllPermissionsForFile(
476 int child_id, const base::FilePath& file) {
477 base::AutoLock lock(lock_);
478
479 SecurityStateMap::iterator state = security_state_.find(child_id);
480 if (state == security_state_.end())
481 return;
482
483 state->second->RevokeAllPermissionsForFile(file);
484 }
485
GrantReadFileSystem(int child_id,const std::string & filesystem_id)486 void ChildProcessSecurityPolicyImpl::GrantReadFileSystem(
487 int child_id, const std::string& filesystem_id) {
488 GrantPermissionsForFileSystem(child_id, filesystem_id, READ_FILE_GRANT);
489 }
490
GrantWriteFileSystem(int child_id,const std::string & filesystem_id)491 void ChildProcessSecurityPolicyImpl::GrantWriteFileSystem(
492 int child_id, const std::string& filesystem_id) {
493 GrantPermissionsForFileSystem(child_id, filesystem_id, WRITE_FILE_GRANT);
494 }
495
GrantCreateFileForFileSystem(int child_id,const std::string & filesystem_id)496 void ChildProcessSecurityPolicyImpl::GrantCreateFileForFileSystem(
497 int child_id, const std::string& filesystem_id) {
498 GrantPermissionsForFileSystem(child_id, filesystem_id, CREATE_NEW_FILE_GRANT);
499 }
500
GrantCreateReadWriteFileSystem(int child_id,const std::string & filesystem_id)501 void ChildProcessSecurityPolicyImpl::GrantCreateReadWriteFileSystem(
502 int child_id, const std::string& filesystem_id) {
503 GrantPermissionsForFileSystem(
504 child_id, filesystem_id, CREATE_READ_WRITE_FILE_GRANT);
505 }
506
GrantCopyIntoFileSystem(int child_id,const std::string & filesystem_id)507 void ChildProcessSecurityPolicyImpl::GrantCopyIntoFileSystem(
508 int child_id, const std::string& filesystem_id) {
509 GrantPermissionsForFileSystem(child_id, filesystem_id, COPY_INTO_FILE_GRANT);
510 }
511
GrantDeleteFromFileSystem(int child_id,const std::string & filesystem_id)512 void ChildProcessSecurityPolicyImpl::GrantDeleteFromFileSystem(
513 int child_id, const std::string& filesystem_id) {
514 GrantPermissionsForFileSystem(child_id, filesystem_id, DELETE_FILE_GRANT);
515 }
516
GrantSendMIDISysExMessage(int child_id)517 void ChildProcessSecurityPolicyImpl::GrantSendMIDISysExMessage(int child_id) {
518 base::AutoLock lock(lock_);
519
520 SecurityStateMap::iterator state = security_state_.find(child_id);
521 if (state == security_state_.end())
522 return;
523
524 state->second->GrantPermissionForMIDISysEx();
525 }
526
GrantScheme(int child_id,const std::string & scheme)527 void ChildProcessSecurityPolicyImpl::GrantScheme(int child_id,
528 const std::string& scheme) {
529 base::AutoLock lock(lock_);
530
531 SecurityStateMap::iterator state = security_state_.find(child_id);
532 if (state == security_state_.end())
533 return;
534
535 state->second->GrantScheme(scheme);
536 }
537
GrantWebUIBindings(int child_id)538 void ChildProcessSecurityPolicyImpl::GrantWebUIBindings(int child_id) {
539 base::AutoLock lock(lock_);
540
541 SecurityStateMap::iterator state = security_state_.find(child_id);
542 if (state == security_state_.end())
543 return;
544
545 state->second->GrantBindings(BINDINGS_POLICY_WEB_UI);
546
547 // Web UI bindings need the ability to request chrome: URLs.
548 state->second->GrantScheme(chrome::kChromeUIScheme);
549
550 // Web UI pages can contain links to file:// URLs.
551 state->second->GrantScheme(chrome::kFileScheme);
552 }
553
GrantReadRawCookies(int child_id)554 void ChildProcessSecurityPolicyImpl::GrantReadRawCookies(int child_id) {
555 base::AutoLock lock(lock_);
556
557 SecurityStateMap::iterator state = security_state_.find(child_id);
558 if (state == security_state_.end())
559 return;
560
561 state->second->GrantReadRawCookies();
562 }
563
RevokeReadRawCookies(int child_id)564 void ChildProcessSecurityPolicyImpl::RevokeReadRawCookies(int child_id) {
565 base::AutoLock lock(lock_);
566
567 SecurityStateMap::iterator state = security_state_.find(child_id);
568 if (state == security_state_.end())
569 return;
570
571 state->second->RevokeReadRawCookies();
572 }
573
CanLoadPage(int child_id,const GURL & url,ResourceType::Type resource_type)574 bool ChildProcessSecurityPolicyImpl::CanLoadPage(
575 int child_id,
576 const GURL& url,
577 ResourceType::Type resource_type) {
578 // If --site-per-process flag is passed, we should enforce
579 // stronger security restrictions on page navigation.
580 if (CommandLine::ForCurrentProcess()->HasSwitch(switches::kSitePerProcess) &&
581 ResourceType::IsFrame(resource_type)) {
582 // TODO(nasko): Do the proper check for site-per-process, once
583 // out-of-process iframes is ready to go.
584 return true;
585 }
586 return true;
587 }
588
CanRequestURL(int child_id,const GURL & url)589 bool ChildProcessSecurityPolicyImpl::CanRequestURL(
590 int child_id, const GURL& url) {
591 if (!url.is_valid())
592 return false; // Can't request invalid URLs.
593
594 if (IsWebSafeScheme(url.scheme()))
595 return true; // The scheme has been white-listed for every child process.
596
597 if (IsPseudoScheme(url.scheme())) {
598 // There are a number of special cases for pseudo schemes.
599
600 if (url.SchemeIs(kViewSourceScheme)) {
601 // A view-source URL is allowed if the child process is permitted to
602 // request the embedded URL. Careful to avoid pointless recursion.
603 GURL child_url(url.GetContent());
604 if (child_url.SchemeIs(kViewSourceScheme) &&
605 url.SchemeIs(kViewSourceScheme))
606 return false;
607
608 return CanRequestURL(child_id, child_url);
609 }
610
611 if (LowerCaseEqualsASCII(url.spec(), kAboutBlankURL))
612 return true; // Every child process can request <about:blank>.
613
614 // URLs like <about:memory> and <about:crash> shouldn't be requestable by
615 // any child process. Also, this case covers <javascript:...>, which should
616 // be handled internally by the process and not kicked up to the browser.
617 return false;
618 }
619
620 if (!GetContentClient()->browser()->IsHandledURL(url) &&
621 !net::URLRequest::IsHandledURL(url)) {
622 return true; // This URL request is destined for ShellExecute.
623 }
624
625 {
626 base::AutoLock lock(lock_);
627
628 SecurityStateMap::iterator state = security_state_.find(child_id);
629 if (state == security_state_.end())
630 return false;
631
632 // Otherwise, we consult the child process's security state to see if it is
633 // allowed to request the URL.
634 return state->second->CanRequestURL(url);
635 }
636 }
637
CanReadFile(int child_id,const base::FilePath & file)638 bool ChildProcessSecurityPolicyImpl::CanReadFile(int child_id,
639 const base::FilePath& file) {
640 return HasPermissionsForFile(child_id, file, READ_FILE_GRANT);
641 }
642
CanCreateReadWriteFile(int child_id,const base::FilePath & file)643 bool ChildProcessSecurityPolicyImpl::CanCreateReadWriteFile(
644 int child_id,
645 const base::FilePath& file) {
646 return HasPermissionsForFile(child_id, file, CREATE_READ_WRITE_FILE_GRANT);
647 }
648
CanReadFileSystem(int child_id,const std::string & filesystem_id)649 bool ChildProcessSecurityPolicyImpl::CanReadFileSystem(
650 int child_id, const std::string& filesystem_id) {
651 return HasPermissionsForFileSystem(child_id, filesystem_id, READ_FILE_GRANT);
652 }
653
CanReadWriteFileSystem(int child_id,const std::string & filesystem_id)654 bool ChildProcessSecurityPolicyImpl::CanReadWriteFileSystem(
655 int child_id, const std::string& filesystem_id) {
656 return HasPermissionsForFileSystem(child_id, filesystem_id,
657 READ_FILE_GRANT | WRITE_FILE_GRANT);
658 }
659
CanCopyIntoFileSystem(int child_id,const std::string & filesystem_id)660 bool ChildProcessSecurityPolicyImpl::CanCopyIntoFileSystem(
661 int child_id, const std::string& filesystem_id) {
662 return HasPermissionsForFileSystem(child_id, filesystem_id,
663 COPY_INTO_FILE_GRANT);
664 }
665
CanDeleteFromFileSystem(int child_id,const std::string & filesystem_id)666 bool ChildProcessSecurityPolicyImpl::CanDeleteFromFileSystem(
667 int child_id, const std::string& filesystem_id) {
668 return HasPermissionsForFileSystem(child_id, filesystem_id,
669 DELETE_FILE_GRANT);
670 }
671
HasPermissionsForFile(int child_id,const base::FilePath & file,int permissions)672 bool ChildProcessSecurityPolicyImpl::HasPermissionsForFile(
673 int child_id, const base::FilePath& file, int permissions) {
674 base::AutoLock lock(lock_);
675 bool result = ChildProcessHasPermissionsForFile(child_id, file, permissions);
676 if (!result) {
677 // If this is a worker thread that has no access to a given file,
678 // let's check that its renderer process has access to that file instead.
679 WorkerToMainProcessMap::iterator iter = worker_map_.find(child_id);
680 if (iter != worker_map_.end() && iter->second != 0) {
681 result = ChildProcessHasPermissionsForFile(iter->second,
682 file,
683 permissions);
684 }
685 }
686 return result;
687 }
688
HasPermissionsForFileSystemFile(int child_id,const fileapi::FileSystemURL & url,int permissions)689 bool ChildProcessSecurityPolicyImpl::HasPermissionsForFileSystemFile(
690 int child_id, const fileapi::FileSystemURL& url, int permissions) {
691 if (!url.is_valid())
692 return false;
693
694 if (url.path().ReferencesParent())
695 return false;
696
697 // Any write access is disallowed on the root path.
698 if (fileapi::VirtualPath::IsRootPath(url.path()) &&
699 (permissions & ~READ_FILE_GRANT)) {
700 return false;
701 }
702
703 if (url.mount_type() == fileapi::kFileSystemTypeIsolated) {
704 // When Isolated filesystems is overlayed on top of another filesystem,
705 // its per-filesystem permission overrides the underlying filesystem
706 // permissions).
707 return HasPermissionsForFileSystem(
708 child_id, url.mount_filesystem_id(), permissions);
709 }
710
711 FileSystemPermissionPolicyMap::iterator found =
712 file_system_policy_map_.find(url.type());
713 if (found == file_system_policy_map_.end())
714 return false;
715
716 if ((found->second & fileapi::FILE_PERMISSION_READ_ONLY) &&
717 permissions & ~READ_FILE_GRANT) {
718 return false;
719 }
720
721 if (found->second & fileapi::FILE_PERMISSION_USE_FILE_PERMISSION)
722 return HasPermissionsForFile(child_id, url.path(), permissions);
723
724 if (found->second & fileapi::FILE_PERMISSION_SANDBOX)
725 return true;
726
727 return false;
728 }
729
CanReadFileSystemFile(int child_id,const fileapi::FileSystemURL & url)730 bool ChildProcessSecurityPolicyImpl::CanReadFileSystemFile(
731 int child_id,
732 const fileapi::FileSystemURL& url) {
733 return HasPermissionsForFileSystemFile(child_id, url, READ_FILE_GRANT);
734 }
735
CanWriteFileSystemFile(int child_id,const fileapi::FileSystemURL & url)736 bool ChildProcessSecurityPolicyImpl::CanWriteFileSystemFile(
737 int child_id,
738 const fileapi::FileSystemURL& url) {
739 return HasPermissionsForFileSystemFile(child_id, url, WRITE_FILE_GRANT);
740 }
741
CanCreateFileSystemFile(int child_id,const fileapi::FileSystemURL & url)742 bool ChildProcessSecurityPolicyImpl::CanCreateFileSystemFile(
743 int child_id,
744 const fileapi::FileSystemURL& url) {
745 return HasPermissionsForFileSystemFile(child_id, url, CREATE_NEW_FILE_GRANT);
746 }
747
CanCreateReadWriteFileSystemFile(int child_id,const fileapi::FileSystemURL & url)748 bool ChildProcessSecurityPolicyImpl::CanCreateReadWriteFileSystemFile(
749 int child_id,
750 const fileapi::FileSystemURL& url) {
751 return HasPermissionsForFileSystemFile(child_id, url,
752 CREATE_READ_WRITE_FILE_GRANT);
753 }
754
CanCopyIntoFileSystemFile(int child_id,const fileapi::FileSystemURL & url)755 bool ChildProcessSecurityPolicyImpl::CanCopyIntoFileSystemFile(
756 int child_id,
757 const fileapi::FileSystemURL& url) {
758 return HasPermissionsForFileSystemFile(child_id, url, COPY_INTO_FILE_GRANT);
759 }
760
CanDeleteFileSystemFile(int child_id,const fileapi::FileSystemURL & url)761 bool ChildProcessSecurityPolicyImpl::CanDeleteFileSystemFile(
762 int child_id,
763 const fileapi::FileSystemURL& url) {
764 return HasPermissionsForFileSystemFile(child_id, url, DELETE_FILE_GRANT);
765 }
766
HasWebUIBindings(int child_id)767 bool ChildProcessSecurityPolicyImpl::HasWebUIBindings(int child_id) {
768 base::AutoLock lock(lock_);
769
770 SecurityStateMap::iterator state = security_state_.find(child_id);
771 if (state == security_state_.end())
772 return false;
773
774 return state->second->has_web_ui_bindings();
775 }
776
CanReadRawCookies(int child_id)777 bool ChildProcessSecurityPolicyImpl::CanReadRawCookies(int child_id) {
778 base::AutoLock lock(lock_);
779
780 SecurityStateMap::iterator state = security_state_.find(child_id);
781 if (state == security_state_.end())
782 return false;
783
784 return state->second->can_read_raw_cookies();
785 }
786
AddChild(int child_id)787 void ChildProcessSecurityPolicyImpl::AddChild(int child_id) {
788 if (security_state_.count(child_id) != 0) {
789 NOTREACHED() << "Add child process at most once.";
790 return;
791 }
792
793 security_state_[child_id] = new SecurityState();
794 }
795
ChildProcessHasPermissionsForFile(int child_id,const base::FilePath & file,int permissions)796 bool ChildProcessSecurityPolicyImpl::ChildProcessHasPermissionsForFile(
797 int child_id, const base::FilePath& file, int permissions) {
798 SecurityStateMap::iterator state = security_state_.find(child_id);
799 if (state == security_state_.end())
800 return false;
801 return state->second->HasPermissionsForFile(file, permissions);
802 }
803
CanAccessCookiesForOrigin(int child_id,const GURL & gurl)804 bool ChildProcessSecurityPolicyImpl::CanAccessCookiesForOrigin(
805 int child_id, const GURL& gurl) {
806 base::AutoLock lock(lock_);
807 SecurityStateMap::iterator state = security_state_.find(child_id);
808 if (state == security_state_.end())
809 return false;
810 return state->second->CanAccessCookiesForOrigin(gurl);
811 }
812
CanSendCookiesForOrigin(int child_id,const GURL & gurl)813 bool ChildProcessSecurityPolicyImpl::CanSendCookiesForOrigin(int child_id,
814 const GURL& gurl) {
815 for (PluginProcessHostIterator iter; !iter.Done(); ++iter) {
816 if (iter.GetData().id == child_id) {
817 if (iter.GetData().process_type == PROCESS_TYPE_PLUGIN) {
818 // NPAPI plugin processes are unsandboxed and so are trusted. Plugins
819 // can make request to any origin.
820 return true;
821 }
822 break;
823 }
824 }
825
826 base::AutoLock lock(lock_);
827 SecurityStateMap::iterator state = security_state_.find(child_id);
828 if (state == security_state_.end())
829 return false;
830 return state->second->CanSendCookiesForOrigin(gurl);
831 }
832
LockToOrigin(int child_id,const GURL & gurl)833 void ChildProcessSecurityPolicyImpl::LockToOrigin(int child_id,
834 const GURL& gurl) {
835 // "gurl" can be currently empty in some cases, such as file://blah.
836 DCHECK(SiteInstanceImpl::GetSiteForURL(NULL, gurl) == gurl);
837 base::AutoLock lock(lock_);
838 SecurityStateMap::iterator state = security_state_.find(child_id);
839 DCHECK(state != security_state_.end());
840 state->second->LockToOrigin(gurl);
841 }
842
GrantPermissionsForFileSystem(int child_id,const std::string & filesystem_id,int permission)843 void ChildProcessSecurityPolicyImpl::GrantPermissionsForFileSystem(
844 int child_id,
845 const std::string& filesystem_id,
846 int permission) {
847 base::AutoLock lock(lock_);
848
849 SecurityStateMap::iterator state = security_state_.find(child_id);
850 if (state == security_state_.end())
851 return;
852 state->second->GrantPermissionsForFileSystem(filesystem_id, permission);
853 }
854
HasPermissionsForFileSystem(int child_id,const std::string & filesystem_id,int permission)855 bool ChildProcessSecurityPolicyImpl::HasPermissionsForFileSystem(
856 int child_id,
857 const std::string& filesystem_id,
858 int permission) {
859 base::AutoLock lock(lock_);
860
861 SecurityStateMap::iterator state = security_state_.find(child_id);
862 if (state == security_state_.end())
863 return false;
864 return state->second->HasPermissionsForFileSystem(filesystem_id, permission);
865 }
866
RegisterFileSystemPermissionPolicy(fileapi::FileSystemType type,int policy)867 void ChildProcessSecurityPolicyImpl::RegisterFileSystemPermissionPolicy(
868 fileapi::FileSystemType type,
869 int policy) {
870 base::AutoLock lock(lock_);
871 file_system_policy_map_[type] = policy;
872 }
873
CanSendMIDISysExMessage(int child_id)874 bool ChildProcessSecurityPolicyImpl::CanSendMIDISysExMessage(int child_id) {
875 base::AutoLock lock(lock_);
876
877 SecurityStateMap::iterator state = security_state_.find(child_id);
878 if (state == security_state_.end())
879 return false;
880
881 return state->second->can_send_midi_sysex();
882 }
883
884 } // namespace content
885