Chromium Code Reviews Chromium Code Reviews
Issue 9360014:
Create a content public browser API around the ChildProcessSecurityPolicy class. The implementati... (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ | 5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ |
|
jam
2012/02/08 18:51:12
nit: update
ananta
2012/02/08 19:36:41
Done.
| |
| 6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ | 6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ |
| 7 | 7 |
| 8 #pragma once | 8 #pragma once |
| 9 | 9 |
| 10 #include <map> | 10 #include <map> |
| 11 #include <set> | 11 #include <set> |
| 12 #include <string> | 12 #include <string> |
| 13 | 13 |
| 14 #include "base/basictypes.h" | 14 #include "base/basictypes.h" |
|
jam
2012/02/08 18:51:12
nit: this and content_export, not needed since the
ananta
2012/02/08 19:36:41
Done.
| |
| 15 #include "base/gtest_prod_util.h" | 15 #include "base/gtest_prod_util.h" |
| 16 #include "base/memory/singleton.h" | 16 #include "base/memory/singleton.h" |
| 17 #include "base/synchronization/lock.h" | 17 #include "base/synchronization/lock.h" |
| 18 #include "content/public/browser/child_process_security_policy.h" | |
| 18 #include "content/common/content_export.h" | 19 #include "content/common/content_export.h" |
| 19 | 20 |
| 20 class FilePath; | 21 class FilePath; |
| 21 class GURL; | 22 class GURL; |
| 22 | 23 |
| 23 // The ChildProcessSecurityPolicy class is used to grant and revoke security | 24 class CONTENT_EXPORT ChildProcessSecurityPolicyImpl |
| 24 // capabilities for child processes. For example, it restricts whether a child | 25 : public content::ChildProcessSecurityPolicy { |
| 25 // process is permitted to load file:// URLs based on whether the process | |
| 26 // has ever been commanded to load file:// URLs by the browser. | |
| 27 // | |
| 28 // ChildProcessSecurityPolicy is a singleton that may be used on any thread. | |
| 29 // | |
| 30 class CONTENT_EXPORT ChildProcessSecurityPolicy { | |
| 31 public: | 26 public: |
| 32 // Object can only be created through GetInstance() so the constructor is | 27 // Object can only be created through GetInstance() so the constructor is |
| 33 // private. | 28 // private. |
| 34 ~ChildProcessSecurityPolicy(); | 29 ~ChildProcessSecurityPolicyImpl(); |
|
jam
2012/02/08 18:51:12
nit: virtual by convention?
ananta
2012/02/08 19:36:41
Done.
| |
| 35 | 30 |
| 36 // There is one global ChildProcessSecurityPolicy object for the entire | 31 static ChildProcessSecurityPolicyImpl* GetInstance(); |
| 37 // browser process. The object returned by this method may be accessed on | |
| 38 // any thread. | |
| 39 static ChildProcessSecurityPolicy* GetInstance(); | |
| 40 | 32 |
| 41 // Web-safe schemes can be requested by any child process. Once a web-safe | 33 virtual void RegisterWebSafeScheme(const std::string& scheme) OVERRIDE; |
|
jam
2012/02/08 18:51:12
nit: can you say "ChildProcessHost implementation:
ananta
2012/02/08 19:36:41
Done.
| |
| 42 // scheme has been registered, any child process can request URLs with | 34 virtual bool IsWebSafeScheme(const std::string& scheme) OVERRIDE; |
| 43 // that scheme. There is no mechanism for revoking web-safe schemes. | 35 virtual void RegisterDisabledSchemes(const std::set<std::string>& schemes) |
| 44 void RegisterWebSafeScheme(const std::string& scheme); | 36 OVERRIDE; |
| 45 | 37 virtual void GrantPermissionsForFile(int child_id, |
| 46 // Returns true iff |scheme| has been registered as a web-safe scheme. | 38 const FilePath& file, |
| 47 bool IsWebSafeScheme(const std::string& scheme); | 39 int permissions) OVERRIDE; |
| 40 virtual void GrantReadFile(int child_id, const FilePath& file) OVERRIDE; | |
| 41 virtual void GrantScheme(int child_id, const std::string& scheme) OVERRIDE; | |
| 48 | 42 |
| 49 // Pseudo schemes are treated differently than other schemes because they | 43 // Pseudo schemes are treated differently than other schemes because they |
| 50 // cannot be requested like normal URLs. There is no mechanism for revoking | 44 // cannot be requested like normal URLs. There is no mechanism for revoking |
| 51 // pseudo schemes. | 45 // pseudo schemes. |
| 52 void RegisterPseudoScheme(const std::string& scheme); | 46 void RegisterPseudoScheme(const std::string& scheme); |
| 53 | 47 |
| 54 // Returns true iff |scheme| has been registered as pseudo scheme. | 48 // Returns true iff |scheme| has been registered as pseudo scheme. |
| 55 bool IsPseudoScheme(const std::string& scheme); | 49 bool IsPseudoScheme(const std::string& scheme); |
| 56 | 50 |
| 57 // Sets the list of disabled schemes. | |
| 58 // URLs using these schemes won't be loaded at all. The previous list of | |
| 59 // schemes is overwritten. An empty |schemes| disables this feature. | |
| 60 // Schemes listed as disabled take precedence over Web-safe schemes. | |
| 61 void RegisterDisabledSchemes(const std::set<std::string>& schemes); | |
| 62 | |
| 63 // Returns true iff |scheme| is listed as a disabled scheme. | 51 // Returns true iff |scheme| is listed as a disabled scheme. |
| 64 bool IsDisabledScheme(const std::string& scheme); | 52 bool IsDisabledScheme(const std::string& scheme); |
| 65 | 53 |
| 66 // Upon creation, child processes should register themselves by calling this | 54 // Upon creation, child processes should register themselves by calling this |
| 67 // this method exactly once. | 55 // this method exactly once. |
| 68 void Add(int child_id); | 56 void Add(int child_id); |
| 69 | 57 |
| 70 // Upon creation, worker thread child processes should register themselves by | 58 // Upon creation, worker thread child processes should register themselves by |
| 71 // calling this this method exactly once. Workers that are not shared will | 59 // calling this this method exactly once. Workers that are not shared will |
| 72 // inherit permissions from their parent renderer process identified with | 60 // inherit permissions from their parent renderer process identified with |
| 73 // |main_render_process_id|. | 61 // |main_render_process_id|. |
| 74 void AddWorker(int worker_child_id, int main_render_process_id); | 62 void AddWorker(int worker_child_id, int main_render_process_id); |
| 75 | 63 |
| 76 // Upon destruction, child processess should unregister themselves by caling | 64 // Upon destruction, child processess should unregister themselves by caling |
| 77 // this method exactly once. | 65 // this method exactly once. |
| 78 void Remove(int child_id); | 66 void Remove(int child_id); |
| 79 | 67 |
| 80 // Whenever the browser processes commands the child process to request a URL, | 68 // Whenever the browser processes commands the child process to request a URL, |
| 81 // it should call this method to grant the child process the capability to | 69 // it should call this method to grant the child process the capability to |
| 82 // request the URL. | 70 // request the URL. |
| 83 void GrantRequestURL(int child_id, const GURL& url); | 71 void GrantRequestURL(int child_id, const GURL& url); |
| 84 | 72 |
| 85 // Whenever the user picks a file from a <input type="file"> element, the | |
| 86 // browser should call this function to grant the child process the capability | |
| 87 // to upload the file to the web. | |
| 88 void GrantReadFile(int child_id, const FilePath& file); | |
| 89 | |
| 90 // Grants the child process permission to enumerate all the files in | 73 // Grants the child process permission to enumerate all the files in |
| 91 // this directory and read those files. | 74 // this directory and read those files. |
| 92 void GrantReadDirectory(int child_id, const FilePath& directory); | 75 void GrantReadDirectory(int child_id, const FilePath& directory); |
| 93 | 76 |
| 94 // Grants certain permissions to a file. |permissions| must be a bit-set of | |
| 95 // base::PlatformFileFlags. | |
| 96 void GrantPermissionsForFile(int child_id, | |
| 97 const FilePath& file, | |
| 98 int permissions); | |
| 99 | |
| 100 // Revokes all permissions granted to the given file. | 77 // Revokes all permissions granted to the given file. |
| 101 void RevokeAllPermissionsForFile(int child_id, const FilePath& file); | 78 void RevokeAllPermissionsForFile(int child_id, const FilePath& file); |
| 102 | 79 |
| 103 // Grants access permission to the given filesystem_id. | 80 // Grants access permission to the given filesystem_id. |
| 104 void GrantAccessFileSystem(int child_id, const std::string& filesystem_id); | 81 void GrantAccessFileSystem(int child_id, const std::string& filesystem_id); |
| 105 | 82 |
| 106 // Grants the child process the capability to access URLs of the provided | |
| 107 // scheme. | |
| 108 void GrantScheme(int child_id, const std::string& scheme); | |
| 109 | |
| 110 // Grant the child process the ability to use Web UI Bindings. | 83 // Grant the child process the ability to use Web UI Bindings. |
| 111 void GrantWebUIBindings(int child_id); | 84 void GrantWebUIBindings(int child_id); |
| 112 | 85 |
| 113 // Grant the child process the ability to read raw cookies. | 86 // Grant the child process the ability to read raw cookies. |
| 114 void GrantReadRawCookies(int child_id); | 87 void GrantReadRawCookies(int child_id); |
| 115 | 88 |
| 116 // Revoke read raw cookies permission. | 89 // Revoke read raw cookies permission. |
| 117 void RevokeReadRawCookies(int child_id); | 90 void RevokeReadRawCookies(int child_id); |
| 118 | 91 |
| 119 // Before servicing a child process's request for a URL, the browser should | 92 // Before servicing a child process's request for a URL, the browser should |
| (...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 159 friend class ChildProcessSecurityPolicyInProcessBrowserTest; | 132 friend class ChildProcessSecurityPolicyInProcessBrowserTest; |
| 160 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest, | 133 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest, |
| 161 NoLeak); | 134 NoLeak); |
| 162 | 135 |
| 163 class SecurityState; | 136 class SecurityState; |
| 164 | 137 |
| 165 typedef std::set<std::string> SchemeSet; | 138 typedef std::set<std::string> SchemeSet; |
| 166 typedef std::map<int, SecurityState*> SecurityStateMap; | 139 typedef std::map<int, SecurityState*> SecurityStateMap; |
| 167 typedef std::map<int, int> WorkerToMainProcessMap; | 140 typedef std::map<int, int> WorkerToMainProcessMap; |
| 168 | 141 |
| 169 // Obtain an instance of ChildProcessSecurityPolicy via GetInstance(). | 142 // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance(). |
| 170 ChildProcessSecurityPolicy(); | 143 ChildProcessSecurityPolicyImpl(); |
| 171 friend struct DefaultSingletonTraits<ChildProcessSecurityPolicy>; | 144 friend struct DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>; |
| 172 | 145 |
| 173 // Adds child process during registration. | 146 // Adds child process during registration. |
| 174 void AddChild(int child_id); | 147 void AddChild(int child_id); |
| 175 | 148 |
| 176 // Determines if certain permissions were granted for a file to given child | 149 // Determines if certain permissions were granted for a file to given child |
| 177 // process. |permissions| must be a bit-set of base::PlatformFileFlags. | 150 // process. |permissions| must be a bit-set of base::PlatformFileFlags. |
| 178 bool ChildProcessHasPermissionsForFile(int child_id, | 151 bool ChildProcessHasPermissionsForFile(int child_id, |
| 179 const FilePath& file, | 152 const FilePath& file, |
| 180 int permissions); | 153 int permissions); |
| 181 | 154 |
| (...skipping 18 matching lines...) Expand all Loading... | |
| 200 // This map holds a SecurityState for each child process. The key for the | 173 // This map holds a SecurityState for each child process. The key for the |
| 201 // map is the ID of the ChildProcessHost. The SecurityState objects are | 174 // map is the ID of the ChildProcessHost. The SecurityState objects are |
| 202 // owned by this object and are protected by |lock_|. References to them must | 175 // owned by this object and are protected by |lock_|. References to them must |
| 203 // not escape this class. | 176 // not escape this class. |
| 204 SecurityStateMap security_state_; | 177 SecurityStateMap security_state_; |
| 205 | 178 |
| 206 // This maps keeps the record of which js worker thread child process | 179 // This maps keeps the record of which js worker thread child process |
| 207 // corresponds to which main js thread child process. | 180 // corresponds to which main js thread child process. |
| 208 WorkerToMainProcessMap worker_map_; | 181 WorkerToMainProcessMap worker_map_; |
| 209 | 182 |
| 210 DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicy); | 183 DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl); |
| 211 }; | 184 }; |
| 212 | 185 |
| 213 #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ | 186 #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ |
| OLD | NEW |
