1 // Copyright 2014 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ 6 #define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ 7 8 #include <stddef.h> 9 10 #include <string> 11 #include <vector> 12 13 #include "base/macros.h" 14 15 #include "sandbox/linux/syscall_broker/broker_file_permission.h" 16 17 namespace sandbox { 18 namespace syscall_broker { 19 20 // BrokerPolicy allows to define the security policy enforced by a 21 // BrokerHost. The BrokerHost will evaluate requests sent over its 22 // IPC channel according to the BrokerPolicy. 23 // Some of the methods of this class can be used in an async-signal safe 24 // way. 25 class BrokerPolicy { 26 public: 27 // |denied_errno| is the error code returned when IPC requests for system 28 // calls such as open() or access() are denied because a file is not in the 29 // whitelist. EACCESS would be a typical value. 30 // |permissions| is a list of BrokerPermission objects that define 31 // what the broker will allow. 32 BrokerPolicy(int denied_errno, 33 const std::vector<BrokerFilePermission>& permissions); 34 35 ~BrokerPolicy(); 36 37 // Check if calling access() should be allowed on |requested_filename| with 38 // mode |requested_mode|. 39 // Note: access() being a system call to check permissions, this can get a bit 40 // confusing. We're checking if calling access() should even be allowed with 41 // If |file_to_open| is not NULL, a pointer to the path will be returned. 42 // In the case of a recursive match, this will be the requested_filename, 43 // otherwise it will return the matching pointer from the 44 // whitelist. For paranoia a caller should then use |file_to_access|. See 45 // GetFileNameIfAllowedToOpen() for more explanation. 46 // return true if calling access() on this file should be allowed, false 47 // otherwise. 48 // Async signal safe if and only if |file_to_access| is NULL. 49 bool GetFileNameIfAllowedToAccess(const char* requested_filename, 50 int requested_mode, 51 const char** file_to_access) const; 52 53 // Check if |requested_filename| can be opened with flags |requested_flags|. 54 // If |file_to_open| is not NULL, a pointer to the path will be returned. 55 // In the case of a recursive match, this will be the requested_filename, 56 // otherwise it will return the matching pointer from the 57 // whitelist. For paranoia, a caller should then use |file_to_open| rather 58 // than |requested_filename|, so that it never attempts to open an 59 // attacker-controlled file name, even if an attacker managed to fool the 60 // string comparison mechanism. 61 // |unlink_after_open| if not NULL will be set to point to true if the 62 // policy requests the caller unlink the path after opening. 63 // Return true if opening should be allowed, false otherwise. 64 // Async signal safe if and only if |file_to_open| is NULL. 65 bool GetFileNameIfAllowedToOpen(const char* requested_filename, 66 int requested_flags, 67 const char** file_to_open, 68 bool* unlink_after_open) const; denied_errno()69 int denied_errno() const { return denied_errno_; } 70 71 private: 72 const int denied_errno_; 73 // The permissions_ vector is used as storage for the BrokerFilePermission 74 // objects but is not referenced outside of the constructor as 75 // vectors are unfriendly in async signal safe code. 76 const std::vector<BrokerFilePermission> permissions_; 77 // permissions_array_ is set up to point to the backing store of 78 // permissions_ and is used in async signal safe methods. 79 const BrokerFilePermission* permissions_array_; 80 const size_t num_of_permissions_; 81 82 DISALLOW_COPY_AND_ASSIGN(BrokerPolicy); 83 }; 84 85 } // namespace syscall_broker 86 87 } // namespace sandbox 88 89 #endif // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ 90