Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(555)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/linux/syscall_broker/broker_policy.h

Issue 721553002: sandbox: Extend BrokerPolicy to support file creation (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Adding comments Created 6 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« sandbox/linux/syscall_broker/broker_host.cc ('K') | « sandbox/linux/syscall_broker/broker_host.cc ('k') | sandbox/linux/syscall_broker/broker_policy.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ 5 #ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
6 #define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ 6 #define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
7 7
8 #include <string> 8 #include <string>
9 #include <vector> 9 #include <vector>
10 10
11 #include "base/macros.h" 11 #include "base/macros.h"
12 #include "base/memory/scoped_ptr.h"
13
14 #include "sandbox/linux/syscall_broker/broker_file_permission.h"
12 15
13 namespace sandbox { 16 namespace sandbox {
14 namespace syscall_broker { 17 namespace syscall_broker {
15 18
16 // BrokerPolicy allows to define the security policy enforced by a 19 // BrokerPolicy allows to define the security policy enforced by a
17 // BrokerHost. The BrokerHost will evaluate requests sent over its 20 // BrokerHost. The BrokerHost will evaluate requests sent over its
18 // IPC channel according to the BrokerPolicy. 21 // IPC channel according to the BrokerPolicy.
19 // Some of the methods of this class can be used in an async-signal safe 22 // Some of the methods of this class can be used in an async-signal safe
20 // way. 23 // way.
21 class BrokerPolicy { 24 class BrokerPolicy {
22 public: 25 public:
23 // |denied_errno| is the error code returned when IPC requests for system 26 // |denied_errno| is the error code returned when IPC requests for system
24 // calls such as open() or access() are denied because a file is not in the 27 // calls such as open() or access() are denied because a file is not in the
25 // whitelist. EACCESS would be a typical value. 28 // whitelist. EACCESS would be a typical value.
26 // |allowed_r_files| and |allowed_w_files| are white lists of files that 29 // |permissions| is a list of BrokerPermission objects that define
27 // should be allowed for opening, respectively for reading and writing. 30 // what the broker will allow.
28 // A file available read-write should be listed in both.
29 BrokerPolicy(int denied_errno, 31 BrokerPolicy(int denied_errno,
30 const std::vector<std::string>& allowed_r_files, 32 const std::vector<BrokerFilePermission>& permissions);
31 const std::vector<std::string>& allowed_w_files_); 33
32 ~BrokerPolicy(); 34 ~BrokerPolicy();
33 35
34 // Check if calling access() should be allowed on |requested_filename| with 36 // Check if calling access() should be allowed on |requested_filename| with
35 // mode |requested_mode|. 37 // mode |requested_mode|.
36 // Note: access() being a system call to check permissions, this can get a bit 38 // Note: access() being a system call to check permissions, this can get a bit
37 // confusing. We're checking if calling access() should even be allowed with 39 // confusing. We're checking if calling access() should even be allowed with
38 // the same policy we would use for open(). 40 // If |file_to_open| is not NULL, a pointer to the path will be returned.
39 // If |file_to_access| is not NULL, we will return the matching pointer from 41 // In the case of a recursive match, this will be the requested_filename,
40 // the whitelist. For paranoia a caller should then use |file_to_access|. See 42 // otherwise it will return the matching pointer from the
43 // whitelist. For paranoia a caller should then use |file_to_access|. See
41 // GetFileNameIfAllowedToOpen() for more explanation. 44 // GetFileNameIfAllowedToOpen() for more explanation.
42 // return true if calling access() on this file should be allowed, false 45 // return true if calling access() on this file should be allowed, false
43 // otherwise. 46 // otherwise.
44 // Async signal safe if and only if |file_to_access| is NULL. 47 // Async signal safe if and only if |file_to_access| is NULL.
45 bool GetFileNameIfAllowedToAccess(const char* requested_filename, 48 bool GetFileNameIfAllowedToAccess(const char* requested_filename,
46 int requested_mode, 49 int requested_mode,
47 const char** file_to_access) const; 50 const char** file_to_access) const;
48 51
49 // Check if |requested_filename| can be opened with flags |requested_flags|. 52 // Check if |requested_filename| can be opened with flags |requested_flags|.
50 // If |file_to_open| is not NULL, we will return the matching pointer from the 53 // If |file_to_open| is not NULL, a pointer to the path will be returned.
54 // In the case of a recursive match, this will be the requested_filename,
55 // otherwise it will return the matching pointer from the
51 // whitelist. For paranoia, a caller should then use |file_to_open| rather 56 // whitelist. For paranoia, a caller should then use |file_to_open| rather
52 // than |requested_filename|, so that it never attempts to open an 57 // than |requested_filename|, so that it never attempts to open an
53 // attacker-controlled file name, even if an attacker managed to fool the 58 // attacker-controlled file name, even if an attacker managed to fool the
54 // string comparison mechanism. 59 // string comparison mechanism.
60 // |unlink_after_open| if not NULL will be set to point to true if the
61 // policy requests the caller unlink the path after openning.
55 // Return true if opening should be allowed, false otherwise. 62 // Return true if opening should be allowed, false otherwise.
56 // Async signal safe if and only if |file_to_open| is NULL. 63 // Async signal safe if and only if |file_to_open| is NULL.
57 bool GetFileNameIfAllowedToOpen(const char* requested_filename, 64 bool GetFileNameIfAllowedToOpen(const char* requested_filename,
58 int requested_flags, 65 int requested_flags,
59 const char** file_to_open) const; 66 const char** file_to_open,
67 bool* unlink_after_open) const;
60 int denied_errno() const { return denied_errno_; } 68 int denied_errno() const { return denied_errno_; }
61 69
62 private: 70 private:
63 const int denied_errno_; 71 const int denied_errno_;
64 const std::vector<std::string> allowed_r_files_; 72 const std::vector<BrokerFilePermission> permissions_;
65 const std::vector<std::string> allowed_w_files_; 73 const BrokerFilePermission* permissions_array_;
74 const size_t num_of_permissions_;
75
66 DISALLOW_COPY_AND_ASSIGN(BrokerPolicy); 76 DISALLOW_COPY_AND_ASSIGN(BrokerPolicy);
67 }; 77 };
68 78
69 } // namespace syscall_broker 79 } // namespace syscall_broker
70 80
71 } // namespace sandbox 81 } // namespace sandbox
72 82
73 #endif // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ 83 #endif // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
OLDNEW
« sandbox/linux/syscall_broker/broker_host.cc ('K') | « sandbox/linux/syscall_broker/broker_host.cc ('k') | sandbox/linux/syscall_broker/broker_policy.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698