// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_ #include #include #include #include "base/compiler_specific.h" #include "base/gtest_prod_util.h" #include "base/memory/singleton.h" #include "base/synchronization/lock.h" #include "content/public/browser/child_process_security_policy.h" class FilePath; class GURL; class CONTENT_EXPORT ChildProcessSecurityPolicyImpl : NON_EXPORTED_BASE(public content::ChildProcessSecurityPolicy) { public: // Object can only be created through GetInstance() so the constructor is // private. virtual ~ChildProcessSecurityPolicyImpl(); static ChildProcessSecurityPolicyImpl* GetInstance(); // ChildProcessSecurityPolicy implementation. virtual void RegisterWebSafeScheme(const std::string& scheme) OVERRIDE; virtual bool IsWebSafeScheme(const std::string& scheme) OVERRIDE; virtual void RegisterDisabledSchemes(const std::set& schemes) OVERRIDE; virtual void GrantPermissionsForFile(int child_id, const FilePath& file, int permissions) OVERRIDE; virtual void GrantReadFile(int child_id, const FilePath& file) OVERRIDE; virtual void GrantReadFileSystem( int child_id, const std::string& filesystem_id) OVERRIDE; virtual void GrantReadWriteFileSystem( int child_id, const std::string& filesystem_id) OVERRIDE; virtual void GrantScheme(int child_id, const std::string& scheme) OVERRIDE; virtual bool CanReadFile(int child_id, const FilePath& file) OVERRIDE; virtual bool CanReadFileSystem(int child_id, const std::string& filesystem_id) OVERRIDE; virtual bool CanReadWriteFileSystem( int child_id, const std::string& filesystem_id) OVERRIDE; // Pseudo schemes are treated differently than other schemes because they // cannot be requested like normal URLs. There is no mechanism for revoking // pseudo schemes. void RegisterPseudoScheme(const std::string& scheme); // Returns true iff |scheme| has been registered as pseudo scheme. bool IsPseudoScheme(const std::string& scheme); // Returns true iff |scheme| is listed as a disabled scheme. bool IsDisabledScheme(const std::string& scheme); // Upon creation, child processes should register themselves by calling this // this method exactly once. void Add(int child_id); // Upon creation, worker thread child processes should register themselves by // calling this this method exactly once. Workers that are not shared will // inherit permissions from their parent renderer process identified with // |main_render_process_id|. void AddWorker(int worker_child_id, int main_render_process_id); // Upon destruction, child processess should unregister themselves by caling // this method exactly once. void Remove(int child_id); // Whenever the browser processes commands the child process to request a URL, // it should call this method to grant the child process the capability to // request the URL, along with permission to request all URLs of the same // scheme. void GrantRequestURL(int child_id, const GURL& url); // Whenever the browser process drops a file icon on a tab, it should call // this method to grant the child process the capability to request this one // file:// URL, but not all urls of the file:// scheme. void GrantRequestSpecificFileURL(int child_id, const GURL& url); // Grants the child process permission to enumerate all the files in // this directory and read those files. void GrantReadDirectory(int child_id, const FilePath& directory); // Revokes all permissions granted to the given file. void RevokeAllPermissionsForFile(int child_id, const FilePath& file); // Grant the child process the ability to use Web UI Bindings. void GrantWebUIBindings(int child_id); // Grant the child process the ability to read raw cookies. void GrantReadRawCookies(int child_id); // Revoke read raw cookies permission. void RevokeReadRawCookies(int child_id); // Before servicing a child process's request for a URL, the browser should // call this method to determine whether the process has the capability to // request the URL. bool CanRequestURL(int child_id, const GURL& url); // Before servicing a child process's request to enumerate a directory // the browser should call this method to check for the capability. bool CanReadDirectory(int child_id, const FilePath& directory); // Determines if certain permissions were granted for a file. |permissions| // must be a bit-set of base::PlatformFileFlags. bool HasPermissionsForFile(int child_id, const FilePath& file, int permissions); // Returns true if the specified child_id has been granted WebUIBindings. // The browser should check this property before assuming the child process is // allowed to use WebUIBindings. bool HasWebUIBindings(int child_id); // Returns true if the specified child_id has been granted ReadRawCookies. bool CanReadRawCookies(int child_id); // Returns true if the process is permitted to see and use the cookies for // the given origin. // Only might return false if the very experimental // --enable-strict-site-isolation is used. bool CanUseCookiesForOrigin(int child_id, const GURL& gurl); // Sets the process as only permitted to use and see the cookies for the // given origin. // Only used if the very experimental --enable-strict-site-isolation is used. void LockToOrigin(int child_id, const GURL& gurl); // Grants access permission to the given isolated file system // identified by |filesystem_id|. See comments for // ChildProcessSecurityPolicy::GrantReadFileSystem() for more details. void GrantPermissionsForFileSystem( int child_id, const std::string& filesystem_id, int permission); // Determines if certain permissions were granted for a file fystem. // |permissions| must be a bit-set of base::PlatformFileFlags. bool HasPermissionsForFileSystem( int child_id, const std::string& filesystem_id, int permission); private: friend class ChildProcessSecurityPolicyInProcessBrowserTest; FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest, NoLeak); class SecurityState; typedef std::set SchemeSet; typedef std::map SecurityStateMap; typedef std::map WorkerToMainProcessMap; // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance(). ChildProcessSecurityPolicyImpl(); friend struct DefaultSingletonTraits; // Adds child process during registration. void AddChild(int child_id); // Determines if certain permissions were granted for a file to given child // process. |permissions| must be a bit-set of base::PlatformFileFlags. bool ChildProcessHasPermissionsForFile(int child_id, const FilePath& file, int permissions); // You must acquire this lock before reading or writing any members of this // class. You must not block while holding this lock. base::Lock lock_; // These schemes are white-listed for all child processes. This set is // protected by |lock_|. SchemeSet web_safe_schemes_; // These schemes do not actually represent retrievable URLs. For example, // the the URLs in the "about" scheme are aliases to other URLs. This set is // protected by |lock_|. SchemeSet pseudo_schemes_; // These schemes are disabled by policy, and child processes are always // denied permission to request them. This overrides |web_safe_schemes_|. // This set is protected by |lock_|. SchemeSet disabled_schemes_; // This map holds a SecurityState for each child process. The key for the // map is the ID of the ChildProcessHost. The SecurityState objects are // owned by this object and are protected by |lock_|. References to them must // not escape this class. SecurityStateMap security_state_; // This maps keeps the record of which js worker thread child process // corresponds to which main js thread child process. WorkerToMainProcessMap worker_map_; DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl); }; #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_