Chromium Code Reviews Chromium Code Reviews
Issue 19599006:
ChildProcessSecurityPolicy: Deprecate bitmask-based permissions checks for files. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <set> | 5 #include <set> |
| 6 #include <string> | 6 #include <string> |
| 7 | 7 |
| 8 #include "base/basictypes.h" | 8 #include "base/basictypes.h" |
| 9 #include "base/files/file_path.h" | 9 #include "base/files/file_path.h" |
| 10 #include "base/platform_file.h" | 10 #include "base/platform_file.h" |
| 11 #include "content/browser/child_process_security_policy_impl.h" | 11 #include "content/browser/child_process_security_policy_impl.h" |
| 12 #include "content/public/common/url_constants.h" | 12 #include "content/public/common/url_constants.h" |
| 13 #include "content/test/test_content_browser_client.h" | 13 #include "content/test/test_content_browser_client.h" |
| 14 #include "testing/gtest/include/gtest/gtest.h" | 14 #include "testing/gtest/include/gtest/gtest.h" |
| 15 #include "url/gurl.h" | 15 #include "url/gurl.h" |
| 16 #include "webkit/browser/fileapi/file_permission_policy.h" | |
| 17 #include "webkit/browser/fileapi/file_system_url.h" | |
| 18 #include "webkit/common/fileapi/file_system_types.h" | |
| 16 | 19 |
| 17 namespace content { | 20 namespace content { |
| 18 namespace { | 21 namespace { |
| 19 | 22 |
| 20 const int kRendererID = 42; | 23 const int kRendererID = 42; |
| 21 const int kWorkerRendererID = kRendererID + 1; | 24 const int kWorkerRendererID = kRendererID + 1; |
| 22 | 25 |
| 23 #if defined(FILE_PATH_USES_DRIVE_LETTERS) | 26 #if defined(FILE_PATH_USES_DRIVE_LETTERS) |
| 24 #define TEST_PATH(x) FILE_PATH_LITERAL("c:") FILE_PATH_LITERAL(x) | 27 #define TEST_PATH(x) FILE_PATH_LITERAL("c:") FILE_PATH_LITERAL(x) |
| 25 #else | 28 #else |
| (...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 83 const base::FilePath& file, | 86 const base::FilePath& file, |
| 84 int permissions) { | 87 int permissions) { |
| 85 p->GrantPermissionsForFile(child_id, file, permissions); | 88 p->GrantPermissionsForFile(child_id, file, permissions); |
| 86 } | 89 } |
| 87 | 90 |
| 88 private: | 91 private: |
| 89 ChildProcessSecurityPolicyTestBrowserClient test_browser_client_; | 92 ChildProcessSecurityPolicyTestBrowserClient test_browser_client_; |
| 90 ContentBrowserClient* old_browser_client_; | 93 ContentBrowserClient* old_browser_client_; |
| 91 }; | 94 }; |
| 92 | 95 |
| 96 struct PermissionsSet { | |
| 97 PermissionsSet(bool can_read, bool can_write, bool can_create, | |
|
vandebo (ex-Chrome)
2013/07/18 15:16:59
A list of bools is almost always a bad plan. How
tommycli
2013/07/18 15:56:47
Done.
| |
| 98 bool can_create_read_write) | |
| 99 : can_read(can_read), | |
| 100 can_write(can_write), | |
| 101 can_create(can_create), | |
| 102 can_create_read_write(can_create_read_write) { | |
| 103 } | |
| 104 | |
| 105 bool operator==(const PermissionsSet& o) const { | |
| 106 return can_read == o.can_read && | |
| 107 can_write == o.can_write && | |
| 108 can_create == o.can_create && | |
| 109 can_create_read_write == o.can_create_read_write; | |
| 110 } | |
| 111 | |
| 112 bool can_read; | |
| 113 bool can_write; | |
| 114 bool can_create; | |
| 115 bool can_create_read_write; | |
| 116 }; | |
| 117 | |
| 118 PermissionsSet GetAllPermissions(ChildProcessSecurityPolicyImpl* p, | |
| 119 int child_id, const base::FilePath& file) { | |
| 120 return PermissionsSet( | |
| 121 p->CanReadFile(child_id, file), | |
| 122 p->CanWriteFile(child_id, file), | |
| 123 p->CanCreateFile(child_id, file), | |
| 124 p->CanCreateReadWriteFile(child_id, file)); | |
| 125 } | |
| 126 | |
| 127 PermissionsSet GetAllPermissionsForURL( | |
| 128 ChildProcessSecurityPolicyImpl* p, | |
| 129 int child_id, | |
| 130 const fileapi::FileSystemURL& url) { | |
| 131 return PermissionsSet( | |
| 132 p->CanReadFileSystemFile(child_id, url), | |
| 133 p->CanWriteFileSystemFile(child_id, url), | |
| 134 p->CanCreateFileSystemFile(child_id, url), | |
| 135 p->CanCreateReadWriteFileSystemFile(child_id, url)); | |
| 136 } | |
| 137 | |
| 93 TEST_F(ChildProcessSecurityPolicyTest, IsWebSafeSchemeTest) { | 138 TEST_F(ChildProcessSecurityPolicyTest, IsWebSafeSchemeTest) { |
| 94 ChildProcessSecurityPolicyImpl* p = | 139 ChildProcessSecurityPolicyImpl* p = |
| 95 ChildProcessSecurityPolicyImpl::GetInstance(); | 140 ChildProcessSecurityPolicyImpl::GetInstance(); |
| 96 | 141 |
| 97 EXPECT_TRUE(p->IsWebSafeScheme(chrome::kHttpScheme)); | 142 EXPECT_TRUE(p->IsWebSafeScheme(chrome::kHttpScheme)); |
| 98 EXPECT_TRUE(p->IsWebSafeScheme(chrome::kHttpsScheme)); | 143 EXPECT_TRUE(p->IsWebSafeScheme(chrome::kHttpsScheme)); |
| 99 EXPECT_TRUE(p->IsWebSafeScheme(chrome::kFtpScheme)); | 144 EXPECT_TRUE(p->IsWebSafeScheme(chrome::kFtpScheme)); |
| 100 EXPECT_TRUE(p->IsWebSafeScheme(chrome::kDataScheme)); | 145 EXPECT_TRUE(p->IsWebSafeScheme(chrome::kDataScheme)); |
| 101 EXPECT_TRUE(p->IsWebSafeScheme("feed")); | 146 EXPECT_TRUE(p->IsWebSafeScheme("feed")); |
| 102 EXPECT_TRUE(p->IsWebSafeScheme(chrome::kBlobScheme)); | 147 EXPECT_TRUE(p->IsWebSafeScheme(chrome::kBlobScheme)); |
| (...skipping 168 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 271 EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url)); | 316 EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url)); |
| 272 EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url)); | 317 EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url)); |
| 273 | 318 |
| 274 p->GrantRequestURL(kRendererID, icon_url); | 319 p->GrantRequestURL(kRendererID, icon_url); |
| 275 EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url)); | 320 EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url)); |
| 276 EXPECT_TRUE(p->CanRequestURL(kRendererID, sensitive_url)); | 321 EXPECT_TRUE(p->CanRequestURL(kRendererID, sensitive_url)); |
| 277 | 322 |
| 278 p->Remove(kRendererID); | 323 p->Remove(kRendererID); |
| 279 } | 324 } |
| 280 | 325 |
| 281 TEST_F(ChildProcessSecurityPolicyTest, CanReadFiles) { | 326 TEST_F(ChildProcessSecurityPolicyTest, PermissionGrantingAndRevoking) { |
| 282 ChildProcessSecurityPolicyImpl* p = | 327 ChildProcessSecurityPolicyImpl* p = |
| 283 ChildProcessSecurityPolicyImpl::GetInstance(); | 328 ChildProcessSecurityPolicyImpl::GetInstance(); |
| 284 | 329 |
| 330 p->RegisterFileSystemPermissionPolicy( | |
| 331 fileapi::kFileSystemTypeTest, | |
| 332 fileapi::FILE_PERMISSION_USE_FILE_PERMISSION); | |
| 333 | |
| 285 p->Add(kRendererID); | 334 p->Add(kRendererID); |
| 335 base::FilePath file(TEST_PATH("/dir/testfile")); | |
| 336 fileapi::FileSystemURL url = fileapi::FileSystemURL::CreateForTest( | |
| 337 GURL("http://foo/"), fileapi::kFileSystemTypeTest, file); | |
| 286 | 338 |
| 287 EXPECT_FALSE(p->CanReadFile(kRendererID, | 339 PermissionsSet all_denied(false, false, false, false); |
| 288 base::FilePath(TEST_PATH("/etc/passwd")))); | |
| 289 p->GrantReadFile(kRendererID, base::FilePath(TEST_PATH("/etc/passwd"))); | |
| 290 EXPECT_TRUE(p->CanReadFile(kRendererID, | |
| 291 base::FilePath(TEST_PATH("/etc/passwd")))); | |
| 292 EXPECT_FALSE(p->CanReadFile(kRendererID, | |
| 293 base::FilePath(TEST_PATH("/etc/shadow")))); | |
| 294 | 340 |
| 341 // Test initially having no permissions. | |
| 342 EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file)); | |
| 343 EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url)); | |
| 344 | |
| 345 // Testing every combination of permissions granting and revoking. | |
| 346 PermissionsSet read_only(true, false, false, false); | |
| 347 p->GrantReadFile(kRendererID, file); | |
| 348 EXPECT_EQ(read_only, GetAllPermissions(p, kRendererID, file)); | |
| 349 EXPECT_EQ(read_only, GetAllPermissionsForURL(p, kRendererID, url)); | |
| 350 p->RevokeAllPermissionsForFile(kRendererID, file); | |
| 351 EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file)); | |
| 352 EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url)); | |
| 353 | |
| 354 PermissionsSet create_read_write(true, true, true, true); | |
| 355 p->GrantCreateReadWriteFile(kRendererID, file); | |
| 356 EXPECT_EQ(create_read_write, GetAllPermissions(p, kRendererID, file)); | |
| 357 EXPECT_EQ(create_read_write, GetAllPermissionsForURL(p, kRendererID, url)); | |
| 358 p->RevokeAllPermissionsForFile(kRendererID, file); | |
| 359 EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file)); | |
| 360 EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url)); | |
| 361 | |
| 362 PermissionsSet create_write(false, true, true, false); | |
| 363 p->GrantCreateWriteFile(kRendererID, file); | |
| 364 EXPECT_EQ(create_write, GetAllPermissions(p, kRendererID, file)); | |
| 365 EXPECT_EQ(create_write, GetAllPermissionsForURL(p, kRendererID, url)); | |
| 366 p->RevokeAllPermissionsForFile(kRendererID, file); | |
| 367 EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file)); | |
| 368 EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url)); | |
| 369 | |
| 370 // Test revoke permissions on renderer ID removal. | |
| 371 p->GrantCreateReadWriteFile(kRendererID, file); | |
| 372 EXPECT_EQ(create_read_write, GetAllPermissions(p, kRendererID, file)); | |
| 373 EXPECT_EQ(create_read_write, GetAllPermissionsForURL(p, kRendererID, url)); | |
| 295 p->Remove(kRendererID); | 374 p->Remove(kRendererID); |
| 375 EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file)); | |
| 376 EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url)); | |
| 377 | |
| 378 // Test having no permissions upon re-adding same renderer ID. | |
| 296 p->Add(kRendererID); | 379 p->Add(kRendererID); |
| 380 EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file)); | |
| 381 EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url)); | |
| 297 | 382 |
| 298 EXPECT_FALSE(p->CanReadFile(kRendererID, | 383 // Cleanup. |
| 299 base::FilePath(TEST_PATH("/etc/passwd")))); | |
| 300 EXPECT_FALSE(p->CanReadFile(kRendererID, | |
| 301 base::FilePath(TEST_PATH("/etc/shadow")))); | |
| 302 | |
| 303 p->Remove(kRendererID); | 384 p->Remove(kRendererID); |
| 304 } | 385 } |
| 305 | 386 |
| 306 TEST_F(ChildProcessSecurityPolicyTest, CanReadDirectories) { | 387 TEST_F(ChildProcessSecurityPolicyTest, CanReadDirectories) { |
| 307 ChildProcessSecurityPolicyImpl* p = | 388 ChildProcessSecurityPolicyImpl* p = |
| 308 ChildProcessSecurityPolicyImpl::GetInstance(); | 389 ChildProcessSecurityPolicyImpl::GetInstance(); |
| 309 | 390 |
| 310 p->Add(kRendererID); | 391 p->Add(kRendererID); |
| 311 | 392 |
| 312 EXPECT_FALSE(p->CanReadDirectory(kRendererID, | 393 EXPECT_FALSE(p->CanReadDirectory(kRendererID, |
| (...skipping 215 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 528 // queried on the IO thread. The ChildProcessSecurityPolicy needs to be | 609 // queried on the IO thread. The ChildProcessSecurityPolicy needs to be |
| 529 // prepared to answer policy questions about renderers who no longer exist. | 610 // prepared to answer policy questions about renderers who no longer exist. |
| 530 | 611 |
| 531 // In this case, we default to secure behavior. | 612 // In this case, we default to secure behavior. |
| 532 EXPECT_FALSE(p->CanRequestURL(kRendererID, url)); | 613 EXPECT_FALSE(p->CanRequestURL(kRendererID, url)); |
| 533 EXPECT_FALSE(p->CanReadFile(kRendererID, file)); | 614 EXPECT_FALSE(p->CanReadFile(kRendererID, file)); |
| 534 EXPECT_FALSE(p->HasWebUIBindings(kRendererID)); | 615 EXPECT_FALSE(p->HasWebUIBindings(kRendererID)); |
| 535 } | 616 } |
| 536 | 617 |
| 537 } // namespace content | 618 } // namespace content |
| OLD | NEW |
