path: root/content/browser/child_process_security_policy_unittest.cc
authortommycli@chromium.org <tommycli@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-07-23 23:18:19 +0000
committertommycli@chromium.org <tommycli@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-07-23 23:18:19 +0000
commit9f10431779fbe82df67ea79eddd99b1575c9c011 (patch)
treea2e8d31a3084f4f733f41508772cf91717b699c4 /content/browser/child_process_security_policy_unittest.cc
parent5a36dc13089e6cf21e7cae9763d08025e78e4cdb (diff)
ChildProcessSecurityPolicy: Deprecate bitmask-based permissions checks for files.
HasPermissionsForFile and HasPermissionsForFilesystemFile are currently used as general bitmask-based permissions querying functions for files. This change deprecates those functions and adds some additional explicit grants and grant-checking methods instead. The larger goal is to deprecate all usage of PlatformFile bitmasks in ChildProcessSecurityPolicy in favor of explicitly granted permissions. This is to improve security and allow for a permissions set different than PlatformFile. See https://chromiumcodereview.appspot.com/18129002. Original post by vandebo: https://groups.google.com/a/chromium.org/d/msg/chromium-dev/2cGLolxsOs4/Ga8eF7iEejkJ BUG=262142 Review URL: https://chromiumcodereview.appspot.com/19599006 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@213262 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content/browser/child_process_security_policy_unittest.cc')
-rw-r--r--content/browser/child_process_security_policy_unittest.cc122
1 files changed, 109 insertions, 13 deletions
diff --git a/content/browser/child_process_security_policy_unittest.cc b/content/browser/child_process_security_policy_unittest.cc
index 35a044a..b914eac 100644
--- a/content/browser/child_process_security_policy_unittest.cc
+++ b/content/browser/child_process_security_policy_unittest.cc
@@ -13,7 +13,10 @@
#include "content/test/test_content_browser_client.h"
#include "testing/gtest/include/gtest/gtest.h"
#include "url/gurl.h"
+#include "webkit/browser/fileapi/file_permission_policy.h"
+#include "webkit/browser/fileapi/file_system_url.h"
#include "webkit/browser/fileapi/isolated_context.h"
+#include "webkit/common/fileapi/file_system_types.h"
namespace content {
namespace {
@@ -91,6 +94,7 @@ class ChildProcessSecurityPolicyTest : public testing::Test {
ContentBrowserClient* old_browser_client_;
};
+
TEST_F(ChildProcessSecurityPolicyTest, IsWebSafeSchemeTest) {
ChildProcessSecurityPolicyImpl* p =
ChildProcessSecurityPolicyImpl::GetInstance();
@@ -362,28 +366,120 @@ TEST_F(ChildProcessSecurityPolicyTest, FileSystemGrantsTest) {
fileapi::IsolatedContext::GetInstance()->RevokeFileSystem(copy_into_id);
}
-TEST_F(ChildProcessSecurityPolicyTest, CanReadFiles) {
+TEST_F(ChildProcessSecurityPolicyTest, FilePermissionGrantingAndRevoking) {
ChildProcessSecurityPolicyImpl* p =
ChildProcessSecurityPolicyImpl::GetInstance();
+ p->RegisterFileSystemPermissionPolicy(
+ fileapi::kFileSystemTypeTest,
+ fileapi::FILE_PERMISSION_USE_FILE_PERMISSION);
+
p->Add(kRendererID);
+ base::FilePath file(TEST_PATH("/dir/testfile"));
+ file = file.NormalizePathSeparators();
+ fileapi::FileSystemURL url = fileapi::FileSystemURL::CreateForTest(
+ GURL("http://foo/"), fileapi::kFileSystemTypeTest, file);
- EXPECT_FALSE(p->CanReadFile(kRendererID,
- base::FilePath(TEST_PATH("/etc/passwd"))));
- p->GrantReadFile(kRendererID, base::FilePath(TEST_PATH("/etc/passwd")));
- EXPECT_TRUE(p->CanReadFile(kRendererID,
- base::FilePath(TEST_PATH("/etc/passwd"))));
- EXPECT_FALSE(p->CanReadFile(kRendererID,
- base::FilePath(TEST_PATH("/etc/shadow"))));
+ // Test initially having no permissions.
+ EXPECT_FALSE(p->CanReadFile(kRendererID, file));
+ EXPECT_FALSE(p->CanWriteFile(kRendererID, file));
+ EXPECT_FALSE(p->CanCreateFile(kRendererID, file));
+ EXPECT_FALSE(p->CanCreateWriteFile(kRendererID, file));
+ EXPECT_FALSE(p->CanReadFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanCreateWriteFileSystemFile(kRendererID, url));
+
+ // Testing every combination of permissions granting and revoking.
+ p->GrantReadFile(kRendererID, file);
+ EXPECT_TRUE(p->CanReadFile(kRendererID, file));
+ EXPECT_FALSE(p->CanWriteFile(kRendererID, file));
+ EXPECT_FALSE(p->CanCreateFile(kRendererID, file));
+ EXPECT_FALSE(p->CanCreateWriteFile(kRendererID, file));
+ EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanCreateWriteFileSystemFile(kRendererID, url));
+ p->RevokeAllPermissionsForFile(kRendererID, file);
+ EXPECT_FALSE(p->CanReadFile(kRendererID, file));
+ EXPECT_FALSE(p->CanWriteFile(kRendererID, file));
+ EXPECT_FALSE(p->CanCreateFile(kRendererID, file));
+ EXPECT_FALSE(p->CanCreateWriteFile(kRendererID, file));
+ EXPECT_FALSE(p->CanReadFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanCreateWriteFileSystemFile(kRendererID, url));
+
+ p->GrantCreateReadWriteFile(kRendererID, file);
+ EXPECT_TRUE(p->CanReadFile(kRendererID, file));
+ EXPECT_TRUE(p->CanWriteFile(kRendererID, file));
+ EXPECT_TRUE(p->CanCreateFile(kRendererID, file));
+ EXPECT_TRUE(p->CanCreateWriteFile(kRendererID, file));
+ EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, url));
+ EXPECT_TRUE(p->CanWriteFileSystemFile(kRendererID, url));
+ EXPECT_TRUE(p->CanCreateFileSystemFile(kRendererID, url));
+ EXPECT_TRUE(p->CanCreateWriteFileSystemFile(kRendererID, url));
+ p->RevokeAllPermissionsForFile(kRendererID, file);
+ EXPECT_FALSE(p->CanReadFile(kRendererID, file));
+ EXPECT_FALSE(p->CanWriteFile(kRendererID, file));
+ EXPECT_FALSE(p->CanCreateFile(kRendererID, file));
+ EXPECT_FALSE(p->CanCreateWriteFile(kRendererID, file));
+ EXPECT_FALSE(p->CanReadFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanCreateWriteFileSystemFile(kRendererID, url));
+
+ p->GrantCreateWriteFile(kRendererID, file);
+ EXPECT_FALSE(p->CanReadFile(kRendererID, file));
+ EXPECT_TRUE(p->CanWriteFile(kRendererID, file));
+ EXPECT_TRUE(p->CanCreateFile(kRendererID, file));
+ EXPECT_TRUE(p->CanCreateWriteFile(kRendererID, file));
+ EXPECT_FALSE(p->CanReadFileSystemFile(kRendererID, url));
+ EXPECT_TRUE(p->CanWriteFileSystemFile(kRendererID, url));
+ EXPECT_TRUE(p->CanCreateFileSystemFile(kRendererID, url));
+ EXPECT_TRUE(p->CanCreateWriteFileSystemFile(kRendererID, url));
+ p->RevokeAllPermissionsForFile(kRendererID, file);
+ EXPECT_FALSE(p->CanReadFile(kRendererID, file));
+ EXPECT_FALSE(p->CanWriteFile(kRendererID, file));
+ EXPECT_FALSE(p->CanCreateFile(kRendererID, file));
+ EXPECT_FALSE(p->CanCreateWriteFile(kRendererID, file));
+ EXPECT_FALSE(p->CanReadFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanCreateWriteFileSystemFile(kRendererID, url));
+ // Test revoke permissions on renderer ID removal.
+ p->GrantCreateReadWriteFile(kRendererID, file);
+ EXPECT_TRUE(p->CanReadFile(kRendererID, file));
+ EXPECT_TRUE(p->CanWriteFile(kRendererID, file));
+ EXPECT_TRUE(p->CanCreateFile(kRendererID, file));
+ EXPECT_TRUE(p->CanCreateWriteFile(kRendererID, file));
+ EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, url));
+ EXPECT_TRUE(p->CanWriteFileSystemFile(kRendererID, url));
+ EXPECT_TRUE(p->CanCreateFileSystemFile(kRendererID, url));
+ EXPECT_TRUE(p->CanCreateWriteFileSystemFile(kRendererID, url));
p->Remove(kRendererID);
- p->Add(kRendererID);
+ EXPECT_FALSE(p->CanReadFile(kRendererID, file));
+ EXPECT_FALSE(p->CanWriteFile(kRendererID, file));
+ EXPECT_FALSE(p->CanCreateFile(kRendererID, file));
+ EXPECT_FALSE(p->CanCreateWriteFile(kRendererID, file));
+ EXPECT_FALSE(p->CanReadFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanCreateWriteFileSystemFile(kRendererID, url));
- EXPECT_FALSE(p->CanReadFile(kRendererID,
- base::FilePath(TEST_PATH("/etc/passwd"))));
- EXPECT_FALSE(p->CanReadFile(kRendererID,
- base::FilePath(TEST_PATH("/etc/shadow"))));
+ // Test having no permissions upon re-adding same renderer ID.
+ p->Add(kRendererID);
+ EXPECT_FALSE(p->CanReadFile(kRendererID, file));
+ EXPECT_FALSE(p->CanWriteFile(kRendererID, file));
+ EXPECT_FALSE(p->CanCreateFile(kRendererID, file));
+ EXPECT_FALSE(p->CanCreateWriteFile(kRendererID, file));
+ EXPECT_FALSE(p->CanReadFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, url));
+ EXPECT_FALSE(p->CanCreateWriteFileSystemFile(kRendererID, url));
+ // Cleanup.
p->Remove(kRendererID);
}
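Review bot: The rewritten test no longer checks that a grant is scoped to the granted path: the removed assertions verified that `/etc/shadow` stayed unreadable after `GrantReadFile` on `/etc/passwd`, while the new body only ever queries `file` and `url`. Unless another test in this file covers it, a regression that made a grant apply to sibling paths or to every path would pass all of these expectations. Declare a second path next to `file`, e.g. `base::FilePath other(TEST_PATH("/dir/otherfile"));`, and after each grant add `EXPECT_FALSE(p->CanReadFile(kRendererID, other));` plus the matching write and create checks. The comment `// Testing every combination of permissions granting and revoking.` also overstates the coverage, since each of the three grant calls is exercised only from a clean state and never stacked on another grant.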