1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_LINUX_SERVICES_BROKER_PROCESS_H_ 6 #define SANDBOX_LINUX_SERVICES_BROKER_PROCESS_H_ 7 8 #include <memory> 9 #include <string> 10 #include <vector> 11 12 #include "base/callback_forward.h" 13 #include "base/macros.h" 14 #include "base/pickle.h" 15 #include "base/process/process.h" 16 #include "sandbox/linux/syscall_broker/broker_policy.h" 17 #include "sandbox/sandbox_export.h" 18 19 namespace sandbox { 20 21 namespace syscall_broker { 22 23 class BrokerClient; 24 class BrokerFilePermission; 25 26 // Create a new "broker" process to which we can send requests via an IPC 27 // channel by forking the current process. 28 // This is a low level IPC mechanism that is suitable to be called from a 29 // signal handler. 30 // A process would typically create a broker process before entering 31 // sandboxing. 32 // 1. BrokerProcess open_broker(read_whitelist, write_whitelist); 33 // 2. CHECK(open_broker.Init(NULL)); 34 // 3. Enable sandbox. 35 // 4. Use open_broker.Open() to open files. 36 class SANDBOX_EXPORT BrokerProcess { 37 public: 38 // |denied_errno| is the error code returned when methods such as Open() 39 // or Access() are invoked on a file which is not in the whitelist. EACCESS 40 // would be a typical value. 41 // |allowed_r_files| and |allowed_w_files| are white lists of files that can 42 // be opened later via the Open() API, respectively for reading and writing. 43 // A file available read-write should be listed in both. 44 // |fast_check_in_client| and |quiet_failures_for_tests| are reserved for 45 // unit tests, don't use it. 46 47 BrokerProcess( 48 int denied_errno, 49 const std::vector<syscall_broker::BrokerFilePermission>& permissions, 50 bool fast_check_in_client = true, 51 bool quiet_failures_for_tests = false); 52 53 ~BrokerProcess(); 54 // Will initialize the broker process. There should be no threads at this 55 // point, since we need to fork(). 56 // broker_process_init_callback will be called in the new broker process, 57 // after fork() returns. 58 bool Init(const base::Callback<bool(void)>& broker_process_init_callback); 59 60 // Can be used in place of access(). Will be async signal safe. 61 // X_OK will always return an error in practice since the broker process 62 // doesn't support execute permissions. 63 // It's similar to the access() system call and will return -errno on errors. 64 int Access(const char* pathname, int mode) const; 65 // Can be used in place of open(). Will be async signal safe. 66 // The implementation only supports certain white listed flags and will 67 // return -EPERM on other flags. 68 // It's similar to the open() system call and will return -errno on errors. 69 int Open(const char* pathname, int flags) const; 70 broker_pid()71 int broker_pid() const { return broker_pid_; } 72 73 private: 74 friend class BrokerProcessTestHelper; 75 76 // Close the IPC channel with the other party. This should only be used 77 // by tests an none of the class methods should be used afterwards. 78 void CloseChannel(); 79 80 bool initialized_; // Whether we've been through Init() yet. 81 const bool fast_check_in_client_; 82 const bool quiet_failures_for_tests_; 83 pid_t broker_pid_; // The PID of the broker (child). 84 syscall_broker::BrokerPolicy policy_; // The sandboxing policy. 85 std::unique_ptr<syscall_broker::BrokerClient> broker_client_; 86 87 DISALLOW_COPY_AND_ASSIGN(BrokerProcess); 88 }; 89 90 } // namespace syscall_broker 91 92 } // namespace sandbox 93 94 #endif // SANDBOX_LINUX_SERVICES_BROKER_PROCESS_H_ 95