1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ 6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ 7 8 9 #include <map> 10 #include <set> 11 #include <string> 12 13 #include "base/compiler_specific.h" 14 #include "base/gtest_prod_util.h" 15 #include "base/memory/singleton.h" 16 #include "base/synchronization/lock.h" 17 #include "content/public/browser/child_process_security_policy.h" 18 #include "content/public/common/resource_type.h" 19 #include "storage/common/fileapi/file_system_types.h" 20 21 class GURL; 22 23 namespace base { 24 class FilePath; 25 } 26 27 namespace storage { 28 class FileSystemURL; 29 } 30 31 namespace content { 32 33 class CONTENT_EXPORT ChildProcessSecurityPolicyImpl NON_EXPORTED_BASE(public ChildProcessSecurityPolicy)34 : NON_EXPORTED_BASE(public ChildProcessSecurityPolicy) { 35 public: 36 // Object can only be created through GetInstance() so the constructor is 37 // private. 38 virtual ~ChildProcessSecurityPolicyImpl(); 39 40 static ChildProcessSecurityPolicyImpl* GetInstance(); 41 42 // ChildProcessSecurityPolicy implementation. 43 virtual void RegisterWebSafeScheme(const std::string& scheme) OVERRIDE; 44 virtual bool IsWebSafeScheme(const std::string& scheme) OVERRIDE; 45 virtual void GrantReadFile(int child_id, const base::FilePath& file) OVERRIDE; 46 virtual void GrantCreateReadWriteFile(int child_id, 47 const base::FilePath& file) OVERRIDE; 48 virtual void GrantCopyInto(int child_id, const base::FilePath& dir) OVERRIDE; 49 virtual void GrantDeleteFrom(int child_id, 50 const base::FilePath& dir) OVERRIDE; 51 virtual void GrantReadFileSystem( 52 int child_id, 53 const std::string& filesystem_id) OVERRIDE; 54 virtual void GrantWriteFileSystem( 55 int child_id, 56 const std::string& filesystem_id) OVERRIDE; 57 virtual void GrantCreateFileForFileSystem( 58 int child_id, 59 const std::string& filesystem_id) OVERRIDE; 60 virtual void GrantCreateReadWriteFileSystem( 61 int child_id, 62 const std::string& filesystem_id) OVERRIDE; 63 virtual void GrantCopyIntoFileSystem( 64 int child_id, 65 const std::string& filesystem_id) OVERRIDE; 66 virtual void GrantDeleteFromFileSystem( 67 int child_id, 68 const std::string& filesystem_id) OVERRIDE; 69 virtual void GrantScheme(int child_id, const std::string& scheme) OVERRIDE; 70 virtual bool CanReadFile(int child_id, const base::FilePath& file) OVERRIDE; 71 virtual bool CanCreateReadWriteFile(int child_id, 72 const base::FilePath& file) OVERRIDE; 73 virtual bool CanReadFileSystem(int child_id, 74 const std::string& filesystem_id) OVERRIDE; 75 virtual bool CanReadWriteFileSystem( 76 int child_id, 77 const std::string& filesystem_id) OVERRIDE; 78 virtual bool CanCopyIntoFileSystem(int child_id, 79 const std::string& filesystem_id) OVERRIDE; 80 virtual bool CanDeleteFromFileSystem( 81 int child_id, 82 const std::string& filesystem_id) OVERRIDE; 83 virtual bool HasWebUIBindings(int child_id) OVERRIDE; 84 85 // Pseudo schemes are treated differently than other schemes because they 86 // cannot be requested like normal URLs. There is no mechanism for revoking 87 // pseudo schemes. 88 void RegisterPseudoScheme(const std::string& scheme); 89 90 // Returns true iff |scheme| has been registered as pseudo scheme. 91 bool IsPseudoScheme(const std::string& scheme); 92 93 // Upon creation, child processes should register themselves by calling this 94 // this method exactly once. 95 void Add(int child_id); 96 97 // Upon creation, worker thread child processes should register themselves by 98 // calling this this method exactly once. Workers that are not shared will 99 // inherit permissions from their parent renderer process identified with 100 // |main_render_process_id|. 101 void AddWorker(int worker_child_id, int main_render_process_id); 102 103 // Upon destruction, child processess should unregister themselves by caling 104 // this method exactly once. 105 void Remove(int child_id); 106 107 // Whenever the browser processes commands the child process to request a URL, 108 // it should call this method to grant the child process the capability to 109 // request the URL, along with permission to request all URLs of the same 110 // scheme. 111 void GrantRequestURL(int child_id, const GURL& url); 112 113 // Whenever the browser process drops a file icon on a tab, it should call 114 // this method to grant the child process the capability to request this one 115 // file:// URL, but not all urls of the file:// scheme. 116 void GrantRequestSpecificFileURL(int child_id, const GURL& url); 117 118 // Revokes all permissions granted to the given file. 119 void RevokeAllPermissionsForFile(int child_id, const base::FilePath& file); 120 121 // Grant the child process the ability to use Web UI Bindings. 122 void GrantWebUIBindings(int child_id); 123 124 // Grant the child process the ability to read raw cookies. 125 void GrantReadRawCookies(int child_id); 126 127 // Revoke read raw cookies permission. 128 void RevokeReadRawCookies(int child_id); 129 130 // Grants permission to send system exclusive message to any MIDI devices. 131 void GrantSendMidiSysExMessage(int child_id); 132 133 // Before servicing a child process's request for a URL, the browser should 134 // call this method to determine whether the process has the capability to 135 // request the URL. 136 bool CanRequestURL(int child_id, const GURL& url); 137 138 // Returns true if the process is permitted to load pages from 139 // the given origin in main frames or subframes. 140 // Only might return false if --site-per-process flag is used. 141 bool CanLoadPage(int child_id, 142 const GURL& url, 143 ResourceType resource_type); 144 145 // Explicit permissions checks for FileSystemURL specified files. 146 bool CanReadFileSystemFile(int child_id, const storage::FileSystemURL& url); 147 bool CanWriteFileSystemFile(int child_id, const storage::FileSystemURL& url); 148 bool CanCreateFileSystemFile(int child_id, const storage::FileSystemURL& url); 149 bool CanCreateReadWriteFileSystemFile(int child_id, 150 const storage::FileSystemURL& url); 151 bool CanCopyIntoFileSystemFile(int child_id, 152 const storage::FileSystemURL& url); 153 bool CanDeleteFileSystemFile(int child_id, const storage::FileSystemURL& url); 154 155 // Returns true if the specified child_id has been granted ReadRawCookies. 156 bool CanReadRawCookies(int child_id); 157 158 // Returns true if the process is permitted to read and modify the cookies for 159 // the given origin. Does not affect cookies attached to or set by network 160 // requests. 161 // Only might return false if the very experimental 162 // --enable-strict-site-isolation or --site-per-process flags are used. 163 bool CanAccessCookiesForOrigin(int child_id, const GURL& gurl); 164 165 // Returns true if the process is permitted to attach cookies to (or have 166 // cookies set by) network requests. 167 // Only might return false if the very experimental 168 // --enable-strict-site-isolation or --site-per-process flags are used. 169 bool CanSendCookiesForOrigin(int child_id, const GURL& gurl); 170 171 // Sets the process as only permitted to use and see the cookies for the 172 // given origin. 173 // Only used if the very experimental --enable-strict-site-isolation or 174 // --site-per-process flags are used. 175 void LockToOrigin(int child_id, const GURL& gurl); 176 177 // Register FileSystem type and permission policy which should be used 178 // for the type. The |policy| must be a bitwise-or'd value of 179 // storage::FilePermissionPolicy. 180 void RegisterFileSystemPermissionPolicy(storage::FileSystemType type, 181 int policy); 182 183 // Returns true if sending system exclusive messages is allowed. 184 bool CanSendMidiSysExMessage(int child_id); 185 186 private: 187 friend class ChildProcessSecurityPolicyInProcessBrowserTest; 188 friend class ChildProcessSecurityPolicyTest; 189 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest, 190 NoLeak); 191 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyTest, FilePermissions); 192 193 class SecurityState; 194 195 typedef std::set<std::string> SchemeSet; 196 typedef std::map<int, SecurityState*> SecurityStateMap; 197 typedef std::map<int, int> WorkerToMainProcessMap; 198 typedef std::map<storage::FileSystemType, int> FileSystemPermissionPolicyMap; 199 200 // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance(). 201 ChildProcessSecurityPolicyImpl(); 202 friend struct DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>; 203 204 // Adds child process during registration. 205 void AddChild(int child_id); 206 207 // Determines if certain permissions were granted for a file to given child 208 // process. |permissions| is an internally defined bit-set. 209 bool ChildProcessHasPermissionsForFile(int child_id, 210 const base::FilePath& file, 211 int permissions); 212 213 // Grant a particular permission set for a file. |permissions| is an 214 // internally defined bit-set. 215 void GrantPermissionsForFile(int child_id, 216 const base::FilePath& file, 217 int permissions); 218 219 // Grants access permission to the given isolated file system 220 // identified by |filesystem_id|. See comments for 221 // ChildProcessSecurityPolicy::GrantReadFileSystem() for more details. 222 void GrantPermissionsForFileSystem( 223 int child_id, 224 const std::string& filesystem_id, 225 int permission); 226 227 // Determines if certain permissions were granted for a file. |permissions| 228 // is an internally defined bit-set. If |child_id| is a worker process, 229 // this returns true if either the worker process or its parent renderer 230 // has permissions for the file. 231 bool HasPermissionsForFile(int child_id, 232 const base::FilePath& file, 233 int permissions); 234 235 // Determines if certain permissions were granted for a file in FileSystem 236 // API. |permissions| is an internally defined bit-set. 237 bool HasPermissionsForFileSystemFile(int child_id, 238 const storage::FileSystemURL& url, 239 int permissions); 240 241 // Determines if certain permissions were granted for a file system. 242 // |permissions| is an internally defined bit-set. 243 bool HasPermissionsForFileSystem( 244 int child_id, 245 const std::string& filesystem_id, 246 int permission); 247 248 // You must acquire this lock before reading or writing any members of this 249 // class. You must not block while holding this lock. 250 base::Lock lock_; 251 252 // These schemes are white-listed for all child processes. This set is 253 // protected by |lock_|. 254 SchemeSet web_safe_schemes_; 255 256 // These schemes do not actually represent retrievable URLs. For example, 257 // the the URLs in the "about" scheme are aliases to other URLs. This set is 258 // protected by |lock_|. 259 SchemeSet pseudo_schemes_; 260 261 // This map holds a SecurityState for each child process. The key for the 262 // map is the ID of the ChildProcessHost. The SecurityState objects are 263 // owned by this object and are protected by |lock_|. References to them must 264 // not escape this class. 265 SecurityStateMap security_state_; 266 267 // This maps keeps the record of which js worker thread child process 268 // corresponds to which main js thread child process. 269 WorkerToMainProcessMap worker_map_; 270 271 FileSystemPermissionPolicyMap file_system_policy_map_; 272 273 DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl); 274 }; 275 276 } // namespace content 277 278 #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ 279