• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
6 #define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
7 
8 #include <stddef.h>
9 
10 #include <string>
11 #include <vector>
12 
13 #include "base/macros.h"
14 
15 #include "sandbox/linux/syscall_broker/broker_file_permission.h"
16 
17 namespace sandbox {
18 namespace syscall_broker {
19 
20 // BrokerPolicy allows to define the security policy enforced by a
21 // BrokerHost. The BrokerHost will evaluate requests sent over its
22 // IPC channel according to the BrokerPolicy.
23 // Some of the methods of this class can be used in an async-signal safe
24 // way.
25 class BrokerPolicy {
26  public:
27   // |denied_errno| is the error code returned when IPC requests for system
28   // calls such as open() or access() are denied because a file is not in the
29   // whitelist. EACCESS would be a typical value.
30   // |permissions| is a list of BrokerPermission objects that define
31   // what the broker will allow.
32   BrokerPolicy(int denied_errno,
33                const std::vector<BrokerFilePermission>& permissions);
34 
35   ~BrokerPolicy();
36 
37   // Check if calling access() should be allowed on |requested_filename| with
38   // mode |requested_mode|.
39   // Note: access() being a system call to check permissions, this can get a bit
40   // confusing. We're checking if calling access() should even be allowed with
41   // If |file_to_open| is not NULL, a pointer to the path will be returned.
42   // In the case of a recursive match, this will be the requested_filename,
43   // otherwise it will return the matching pointer from the
44   // whitelist. For paranoia a caller should then use |file_to_access|. See
45   // GetFileNameIfAllowedToOpen() for more explanation.
46   // return true if calling access() on this file should be allowed, false
47   // otherwise.
48   // Async signal safe if and only if |file_to_access| is NULL.
49   bool GetFileNameIfAllowedToAccess(const char* requested_filename,
50                                     int requested_mode,
51                                     const char** file_to_access) const;
52 
53   // Check if |requested_filename| can be opened with flags |requested_flags|.
54   // If |file_to_open| is not NULL, a pointer to the path will be returned.
55   // In the case of a recursive match, this will be the requested_filename,
56   // otherwise it will return the matching pointer from the
57   // whitelist. For paranoia, a caller should then use |file_to_open| rather
58   // than |requested_filename|, so that it never attempts to open an
59   // attacker-controlled file name, even if an attacker managed to fool the
60   // string comparison mechanism.
61   // |unlink_after_open| if not NULL will be set to point to true if the
62   // policy requests the caller unlink the path after opening.
63   // Return true if opening should be allowed, false otherwise.
64   // Async signal safe if and only if |file_to_open| is NULL.
65   bool GetFileNameIfAllowedToOpen(const char* requested_filename,
66                                   int requested_flags,
67                                   const char** file_to_open,
68                                   bool* unlink_after_open) const;
denied_errno()69   int denied_errno() const { return denied_errno_; }
70 
71  private:
72   const int denied_errno_;
73   // The permissions_ vector is used as storage for the BrokerFilePermission
74   // objects but is not referenced outside of the constructor as
75   // vectors are unfriendly in async signal safe code.
76   const std::vector<BrokerFilePermission> permissions_;
77   // permissions_array_ is set up to point to the backing store of
78   // permissions_ and is used in async signal safe methods.
79   const BrokerFilePermission* permissions_array_;
80   const size_t num_of_permissions_;
81 
82   DISALLOW_COPY_AND_ASSIGN(BrokerPolicy);
83 };
84 
85 }  // namespace syscall_broker
86 
87 }  // namespace sandbox
88 
89 #endif  // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
90