| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ | |
| 6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ | |
| 7 | |
| 8 #pragma once | |
| 9 | |
| 10 #include <map> | |
| 11 #include <set> | |
| 12 #include <string> | |
| 13 | |
| 14 #include "base/basictypes.h" | |
| 15 #include "base/gtest_prod_util.h" | |
| 16 #include "base/memory/singleton.h" | |
| 17 #include "base/synchronization/lock.h" | |
| 18 #include "content/common/content_export.h" | |
| 19 | |
| 20 class FilePath; | |
| 21 class GURL; | |
| 22 | |
| 23 // The ChildProcessSecurityPolicy class is used to grant and revoke security | |
| 24 // capabilities for child processes. For example, it restricts whether a child | |
| 25 // process is permitted to load file:// URLs based on whether the process | |
| 26 // has ever been commanded to load file:// URLs by the browser. | |
| 27 // | |
| 28 // ChildProcessSecurityPolicy is a singleton that may be used on any thread. | |
| 29 // | |
| 30 class CONTENT_EXPORT ChildProcessSecurityPolicy { | |
| 31 public: | |
| 32 // Object can only be created through GetInstance() so the constructor is | |
| 33 // private. | |
| 34 ~ChildProcessSecurityPolicy(); | |
| 35 | |
| 36 // There is one global ChildProcessSecurityPolicy object for the entire | |
| 37 // browser process. The object returned by this method may be accessed on | |
| 38 // any thread. | |
| 39 static ChildProcessSecurityPolicy* GetInstance(); | |
| 40 | |
| 41 // Web-safe schemes can be requested by any child process. Once a web-safe | |
| 42 // scheme has been registered, any child process can request URLs with | |
| 43 // that scheme. There is no mechanism for revoking web-safe schemes. | |
| 44 void RegisterWebSafeScheme(const std::string& scheme); | |
| 45 | |
| 46 // Returns true iff |scheme| has been registered as a web-safe scheme. | |
| 47 bool IsWebSafeScheme(const std::string& scheme); | |
| 48 | |
| 49 // Pseudo schemes are treated differently than other schemes because they | |
| 50 // cannot be requested like normal URLs. There is no mechanism for revoking | |
| 51 // pseudo schemes. | |
| 52 void RegisterPseudoScheme(const std::string& scheme); | |
| 53 | |
| 54 // Returns true iff |scheme| has been registered as pseudo scheme. | |
| 55 bool IsPseudoScheme(const std::string& scheme); | |
| 56 | |
| 57 // Sets the list of disabled schemes. | |
| 58 // URLs using these schemes won't be loaded at all. The previous list of | |
| 59 // schemes is overwritten. An empty |schemes| disables this feature. | |
| 60 // Schemes listed as disabled take precedence over Web-safe schemes. | |
| 61 void RegisterDisabledSchemes(const std::set<std::string>& schemes); | |
| 62 | |
| 63 // Returns true iff |scheme| is listed as a disabled scheme. | |
| 64 bool IsDisabledScheme(const std::string& scheme); | |
| 65 | |
| 66 // Upon creation, child processes should register themselves by calling this | |
| 67 // this method exactly once. | |
| 68 void Add(int child_id); | |
| 69 | |
| 70 // Upon creation, worker thread child processes should register themselves by | |
| 71 // calling this this method exactly once. Workers that are not shared will | |
| 72 // inherit permissions from their parent renderer process identified with | |
| 73 // |main_render_process_id|. | |
| 74 void AddWorker(int worker_child_id, int main_render_process_id); | |
| 75 | |
| 76 // Upon destruction, child processess should unregister themselves by caling | |
| 77 // this method exactly once. | |
| 78 void Remove(int child_id); | |
| 79 | |
| 80 // Whenever the browser processes commands the child process to request a URL, | |
| 81 // it should call this method to grant the child process the capability to | |
| 82 // request the URL. | |
| 83 void GrantRequestURL(int child_id, const GURL& url); | |
| 84 | |
| 85 // Whenever the user picks a file from a <input type="file"> element, the | |
| 86 // browser should call this function to grant the child process the capability | |
| 87 // to upload the file to the web. | |
| 88 void GrantReadFile(int child_id, const FilePath& file); | |
| 89 | |
| 90 // Grants the child process permission to enumerate all the files in | |
| 91 // this directory and read those files. | |
| 92 void GrantReadDirectory(int child_id, const FilePath& directory); | |
| 93 | |
| 94 // Grants certain permissions to a file. |permissions| must be a bit-set of | |
| 95 // base::PlatformFileFlags. | |
| 96 void GrantPermissionsForFile(int child_id, | |
| 97 const FilePath& file, | |
| 98 int permissions); | |
| 99 | |
| 100 // Revokes all permissions granted to the given file. | |
| 101 void RevokeAllPermissionsForFile(int child_id, const FilePath& file); | |
| 102 | |
| 103 // Grants access permission to the given filesystem_id. | |
| 104 void GrantAccessFileSystem(int child_id, const std::string& filesystem_id); | |
| 105 | |
| 106 // Grants the child process the capability to access URLs of the provided | |
| 107 // scheme. | |
| 108 void GrantScheme(int child_id, const std::string& scheme); | |
| 109 | |
| 110 // Grant the child process the ability to use Web UI Bindings. | |
| 111 void GrantWebUIBindings(int child_id); | |
| 112 | |
| 113 // Grant the child process the ability to read raw cookies. | |
| 114 void GrantReadRawCookies(int child_id); | |
| 115 | |
| 116 // Revoke read raw cookies permission. | |
| 117 void RevokeReadRawCookies(int child_id); | |
| 118 | |
| 119 // Before servicing a child process's request for a URL, the browser should | |
| 120 // call this method to determine whether the process has the capability to | |
| 121 // request the URL. | |
| 122 bool CanRequestURL(int child_id, const GURL& url); | |
| 123 | |
| 124 // Before servicing a child process's request to upload a file to the web, the | |
| 125 // browser should call this method to determine whether the process has the | |
| 126 // capability to upload the requested file. | |
| 127 bool CanReadFile(int child_id, const FilePath& file); | |
| 128 | |
| 129 // Before servicing a child process's request to enumerate a directory | |
| 130 // the browser should call this method to check for the capability. | |
| 131 bool CanReadDirectory(int child_id, const FilePath& directory); | |
| 132 | |
| 133 // Determines if certain permissions were granted for a file. |permissions| | |
| 134 // must be a bit-set of base::PlatformFileFlags. | |
| 135 bool HasPermissionsForFile(int child_id, | |
| 136 const FilePath& file, | |
| 137 int permissions); | |
| 138 | |
| 139 // Returns true if the specified child_id has been granted WebUIBindings. | |
| 140 // The browser should check this property before assuming the child process is | |
| 141 // allowed to use WebUIBindings. | |
| 142 bool HasWebUIBindings(int child_id); | |
| 143 | |
| 144 // Returns true if the specified child_id has been granted ReadRawCookies. | |
| 145 bool CanReadRawCookies(int child_id); | |
| 146 | |
| 147 // Returns true if the process is permitted to see and use the cookies for | |
| 148 // the given origin. | |
| 149 // Only might return false if the very experimental | |
| 150 // --enable-strict-site-isolation is used. | |
| 151 bool CanUseCookiesForOrigin(int child_id, const GURL& gurl); | |
| 152 | |
| 153 // Sets the process as only permitted to use and see the cookies for the | |
| 154 // given origin. | |
| 155 // Only used if the very experimental --enable-strict-site-isolation is used. | |
| 156 void LockToOrigin(int child_id, const GURL& gurl); | |
| 157 | |
| 158 private: | |
| 159 friend class ChildProcessSecurityPolicyInProcessBrowserTest; | |
| 160 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest, | |
| 161 NoLeak); | |
| 162 | |
| 163 class SecurityState; | |
| 164 | |
| 165 typedef std::set<std::string> SchemeSet; | |
| 166 typedef std::map<int, SecurityState*> SecurityStateMap; | |
| 167 typedef std::map<int, int> WorkerToMainProcessMap; | |
| 168 | |
| 169 // Obtain an instance of ChildProcessSecurityPolicy via GetInstance(). | |
| 170 ChildProcessSecurityPolicy(); | |
| 171 friend struct DefaultSingletonTraits<ChildProcessSecurityPolicy>; | |
| 172 | |
| 173 // Adds child process during registration. | |
| 174 void AddChild(int child_id); | |
| 175 | |
| 176 // Determines if certain permissions were granted for a file to given child | |
| 177 // process. |permissions| must be a bit-set of base::PlatformFileFlags. | |
| 178 bool ChildProcessHasPermissionsForFile(int child_id, | |
| 179 const FilePath& file, | |
| 180 int permissions); | |
| 181 | |
| 182 // You must acquire this lock before reading or writing any members of this | |
| 183 // class. You must not block while holding this lock. | |
| 184 base::Lock lock_; | |
| 185 | |
| 186 // These schemes are white-listed for all child processes. This set is | |
| 187 // protected by |lock_|. | |
| 188 SchemeSet web_safe_schemes_; | |
| 189 | |
| 190 // These schemes do not actually represent retrievable URLs. For example, | |
| 191 // the the URLs in the "about" scheme are aliases to other URLs. This set is | |
| 192 // protected by |lock_|. | |
| 193 SchemeSet pseudo_schemes_; | |
| 194 | |
| 195 // These schemes are disabled by policy, and child processes are always | |
| 196 // denied permission to request them. This overrides |web_safe_schemes_|. | |
| 197 // This set is protected by |lock_|. | |
| 198 SchemeSet disabled_schemes_; | |
| 199 | |
| 200 // This map holds a SecurityState for each child process. The key for the | |
| 201 // map is the ID of the ChildProcessHost. The SecurityState objects are | |
| 202 // owned by this object and are protected by |lock_|. References to them must | |
| 203 // not escape this class. | |
| 204 SecurityStateMap security_state_; | |
| 205 | |
| 206 // This maps keeps the record of which js worker thread child process | |
| 207 // corresponds to which main js thread child process. | |
| 208 WorkerToMainProcessMap worker_map_; | |
| 209 | |
| 210 DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicy); | |
| 211 }; | |
| 212 | |
| 213 #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 9360014:
Create a content public browser API around the ChildProcessSecurityPolicy class. The implementati... (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/