sandbox: Extend BrokerPolicy to support file creation

sandbox/linux/syscall_broker/broker_file_permission.h

Index: sandbox/linux/syscall_broker/broker_file_permission.h
diff --git a/sandbox/linux/syscall_broker/broker_file_permission.h b/sandbox/linux/syscall_broker/broker_file_permission.h
new file mode 100644
index 0000000000000000000000000000000000000000..3e937de5f572a323eb60b6b0c890f238341c48ee
--- /dev/null
+++ b/sandbox/linux/syscall_broker/broker_file_permission.h
@@ -0,0 +1,121 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_FILE_PERMISSION_H_
+#define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_FILE_PERMISSION_H_
+
+#include <string>
+
+#include "base/macros.h"
+#include "sandbox/sandbox_export.h"
+
+namespace sandbox {
+
+namespace syscall_broker {
+
+// BrokerFilePermission defines a path for whitelisting.
+// Pick the correct static factory method to create a permission.
+// CheckOpen and CheckAccess are async signal safe.
+// Constuction and Destruction are not async signal safe.
+// |path| is the path to be whitelisted.
+class SANDBOX_EXPORT BrokerFilePermission {
+ public:
+  ~BrokerFilePermission() {}
+  BrokerFilePermission(const BrokerFilePermission&) = default;
+  BrokerFilePermission& operator=(const BrokerFilePermission&) = default;
+
+  static BrokerFilePermission ReadOnly(const std::string& path) {
+    return BrokerFilePermission(path, false, false, true, false, false);
+  }
+
+  static BrokerFilePermission ReadOnlyRecursive(const std::string& path) {
+    return BrokerFilePermission(path, true, false, true, false, false);
+  }
+
+  static BrokerFilePermission WriteOnly(const std::string& path) {
+    return BrokerFilePermission(path, false, false, false, true, false);
+  }
+
+  static BrokerFilePermission ReadWrite(const std::string& path) {
+    return BrokerFilePermission(path, false, false, true, true, false);
+  }
+
+  static BrokerFilePermission ReadWriteCreate(const std::string& path) {
+    return BrokerFilePermission(path, false, false, true, true, true);
+  }
+
+  static BrokerFilePermission ReadWriteCreateUnlink(const std::string& path) {
+    return BrokerFilePermission(path, false, true, true, true, true);
+  }
+
+  static BrokerFilePermission ReadWriteCreateUnlinkRecursive(
+      const std::string& path) {
+    return BrokerFilePermission(path, true, true, true, true, true);
+  }
+
+  // Returns true if |requested_filename| is allowed to be opened
+  // by this permission.
+  // If |file_to_open| is not NULL it is set to point to either
+  // the |requested_filename| in the case of a recursive match,
+  // or a pointer the matched path in the whitelist if an absolute
+  // match.
+  // If not NULL |unlink_after_open| is set to point to true if the
+  // caller should unlink the path after openning.
+  // Async signal safe if |file_to_open| is NULL.
+  bool CheckOpen(const char* requested_filename,
+                 int flags,
+                 const char** file_to_open,
+                 bool* unlink_after_open) const;
+  // Returns true if |requested_filename| is allowed to be accessed
+  // by this permission as per access(2).
+  // If |file_to_open| is not NULL it is set to point to either
+  // the |requested_filename| in the case of a recursive match,
+  // or a pointer to the matched path in the whitelist if an absolute
+  // match.
+  // |mode| is per mode argument of access(2).
+  // Async signal safe if |file_to_access| is NULL
+  bool CheckAccess(const char* requested_filename,
+                   int mode,
+                   const char** file_to_access) const;
+
+ private:
+  friend class BrokerFilePermissionTester;
+  BrokerFilePermission(const std::string& path,
+                       bool recursive,
+                       bool unlink,
+                       bool allow_read,
+                       bool allow_write,
+                       bool allow_create);
+
+  // ValidatePath checks |path| and returns true if these conditions are met
+  // * Greater than 0 length
+  // * Is an absolute path
+  // * No trailing slash
+  // * No /../ path traversal
+  static bool ValidatePath(const char* path);
+
+  // MatchPath returns true if |requested_filename| is covered by this instance
+  bool MatchPath(const char* requested_filename) const;
+
+  // Used in by BrokerFilePermissionTester for tests.
+  static const char* GetErrorMessageForTests() {
+    return "Invalid BrokerFilePermission";

[jln (very slow on Chromium), 2014/11/26 19:49:06]

Please do (in the .cc) file:
 {
static char kInvalidBrokerFileString[] = "...";
return kInvalidBrokerFileString;
}

Keeping this in headers could lead do string duplication.

[leecam, 2014/11/26 20:55:47]

Done.

+  }
+
+  // These are not const as std::vector requires copy-assignment and this class
+  // is stored in vectors. All methods are marked const so
+  // the compiler will still enforce no changes outside of the constructor.
+  std::string path_;
+  bool recursive_;  // Allow everything under this path. |path| must be a dir.
+  bool unlink_;     // unlink after opening.
+  bool allow_read_;
+  bool allow_write_;
+  bool allow_create_;
+};
+
+}  // namespace syscall_broker
+
+}  // namespace sandbox
+
+#endif  //  SANDBOX_LINUX_SYSCALL_BROKER_BROKER_FILE_PERMISSION_H_