// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
#define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_


#include <map>
#include <set>
#include <string>

#include "base/compiler_specific.h"
#include "base/gtest_prod_util.h"
#include "base/memory/singleton.h"
#include "base/synchronization/lock.h"
#include "content/public/browser/child_process_security_policy.h"
#include "content/public/common/resource_type.h"
#include "storage/common/fileapi/file_system_types.h"

class GURL;

namespace base {
class FilePath;
}

namespace storage {
class FileSystemURL;
}

namespace content {

// Browser-side, process-wide singleton that records which capabilities
// (schemes, individual files, isolated file systems, cookies, Web UI
// bindings, MIDI SysEx, ...) have been granted to each child process, keyed
// by the ChildProcessHost ID. The Grant* methods widen a child's capability
// set; the Can* / Has* methods are the checks the browser is expected to run
// before servicing a request that arrives from that child. The checks only
// protect anything if the browser-side IPC handlers actually call them, and
// a grant is only as narrow as the narrowest Grant* method the caller chose
// (e.g. GrantRequestURL() covers the whole scheme, not just one URL).
//
// Thread-safety: all state is guarded by |lock_|; see the comment on it.
class CONTENT_EXPORT ChildProcessSecurityPolicyImpl
    : NON_EXPORTED_BASE(public ChildProcessSecurityPolicy) {
 public:
  // Object can only be created through GetInstance() so the constructor is
  // private.
  virtual ~ChildProcessSecurityPolicyImpl();

  // Returns the process-wide singleton (created on first use).
  static ChildProcessSecurityPolicyImpl* GetInstance();

  // ChildProcessSecurityPolicy implementation. See the public interface
  // header for the contract of each method; the notes below only add what is
  // visible from this file.
  //
  // A web-safe scheme is white-listed for *all* child processes and there is
  // no unregister method declared here, so treat a registration as global and
  // permanent.
  virtual void RegisterWebSafeScheme(const std::string& scheme) OVERRIDE;
  virtual bool IsWebSafeScheme(const std::string& scheme) OVERRIDE;
  // Per-file grants on the local file system. Each grant is for one
  // base::FilePath; the bit-set used internally is described on
  // GrantPermissionsForFile() below.
  virtual void GrantReadFile(int child_id, const base::FilePath& file) OVERRIDE;
  virtual void GrantCreateReadWriteFile(int child_id,
                                        const base::FilePath& file) OVERRIDE;
  virtual void GrantCopyInto(int child_id, const base::FilePath& dir) OVERRIDE;
  virtual void GrantDeleteFrom(int child_id,
                               const base::FilePath& dir) OVERRIDE;
  // Grants on an isolated file system identified by |filesystem_id|, in
  // increasing order of privilege.
  virtual void GrantReadFileSystem(
      int child_id,
      const std::string& filesystem_id) OVERRIDE;
  virtual void GrantWriteFileSystem(
      int child_id,
      const std::string& filesystem_id) OVERRIDE;
  virtual void GrantCreateFileForFileSystem(
      int child_id,
      const std::string& filesystem_id) OVERRIDE;
  virtual void GrantCreateReadWriteFileSystem(
      int child_id,
      const std::string& filesystem_id) OVERRIDE;
  virtual void GrantCopyIntoFileSystem(
      int child_id,
      const std::string& filesystem_id) OVERRIDE;
  virtual void GrantDeleteFromFileSystem(
      int child_id,
      const std::string& filesystem_id) OVERRIDE;
  // Grants every URL of |scheme| to |child_id| (scheme-wide, not per-URL).
  virtual void GrantScheme(int child_id, const std::string& scheme) OVERRIDE;
  // Checks matching the grants above.
  virtual bool CanReadFile(int child_id, const base::FilePath& file) OVERRIDE;
  virtual bool CanCreateReadWriteFile(int child_id,
                                      const base::FilePath& file) OVERRIDE;
  virtual bool CanReadFileSystem(int child_id,
                                 const std::string& filesystem_id) OVERRIDE;
  virtual bool CanReadWriteFileSystem(
      int child_id,
      const std::string& filesystem_id) OVERRIDE;
  virtual bool CanCopyIntoFileSystem(int child_id,
                                     const std::string& filesystem_id) OVERRIDE;
  virtual bool CanDeleteFromFileSystem(
      int child_id,
      const std::string& filesystem_id) OVERRIDE;
  // Returns true if |child_id| was given Web UI bindings via
  // GrantWebUIBindings().
  virtual bool HasWebUIBindings(int child_id) OVERRIDE;

  // Pseudo schemes are treated differently than other schemes because they
  // cannot be requested like normal URLs. There is no mechanism for revoking
  // pseudo schemes.
  void RegisterPseudoScheme(const std::string& scheme);

  // Returns true iff |scheme| has been registered as pseudo scheme.
  bool IsPseudoScheme(const std::string& scheme);

  // Upon creation, child processes should register themselves by calling
  // this method exactly once.
  void Add(int child_id);

  // Upon creation, worker thread child processes should register themselves by
  // calling this method exactly once. Workers that are not shared will
  // inherit permissions from their parent renderer process identified with
  // |main_render_process_id|. Security note: this means every file grant
  // made to the parent renderer is also visible to the worker (see
  // HasPermissionsForFile() below).
  void AddWorker(int worker_child_id, int main_render_process_id);

  // Upon destruction, child processes should unregister themselves by calling
  // this method exactly once.
  // NOTE(review): all grants are keyed on |child_id| alone, so if ids can be
  // reused, a stale entry left behind after a process exits would be inherited
  // by whatever next uses that id. Confirm every child exit path reaches
  // Remove().
  void Remove(int child_id);

  // Whenever the browser process commands the child process to request a URL,
  // it should call this method to grant the child process the capability to
  // request the URL, along with permission to request all URLs of the same
  // scheme. Because the grant is scheme-wide, do not use this to expose a
  // single file:// URL; use GrantRequestSpecificFileURL() for that.
  void GrantRequestURL(int child_id, const GURL& url);

  // Whenever the browser process drops a file icon on a tab, it should call
  // this method to grant the child process the capability to request this one
  // file:// URL, but not all urls of the file:// scheme.
  void GrantRequestSpecificFileURL(int child_id, const GURL& url);

  // Revokes all permissions granted to the given file.
  void RevokeAllPermissionsForFile(int child_id, const base::FilePath& file);

  // Grant the child process the ability to use Web UI Bindings.
  // NOTE(review): no matching revoke is declared in this header (compare
  // GrantReadRawCookies()/RevokeReadRawCookies()), so this grant appears to
  // last for the lifetime of the process entry.
  void GrantWebUIBindings(int child_id);

  // Grant the child process the ability to read raw cookies.
  void GrantReadRawCookies(int child_id);

  // Revoke read raw cookies permission.
  void RevokeReadRawCookies(int child_id);

  // Grants permission to send system exclusive message to any MIDI devices.
  // No revoke is declared here either.
  void GrantSendMidiSysExMessage(int child_id);

  // Before servicing a child process's request for a URL, the browser should
  // call this method to determine whether the process has the capability to
  // request the URL.
  bool CanRequestURL(int child_id, const GURL& url);

  // Returns true if the process is permitted to load pages from
  // the given origin in main frames or subframes.
  // Only might return false if --site-per-process flag is used; without that
  // flag this check is effectively permissive, so callers must not rely on it
  // alone to isolate sites.
  bool CanLoadPage(int child_id,
                   const GURL& url,
                   ResourceType resource_type);

  // Explicit permissions checks for FileSystemURL specified files. These
  // combine the per-file-system grants with the per-type policy registered
  // via RegisterFileSystemPermissionPolicy() (see
  // HasPermissionsForFileSystemFile() below).
  bool CanReadFileSystemFile(int child_id, const storage::FileSystemURL& url);
  bool CanWriteFileSystemFile(int child_id, const storage::FileSystemURL& url);
  bool CanCreateFileSystemFile(int child_id, const storage::FileSystemURL& url);
  bool CanCreateReadWriteFileSystemFile(int child_id,
                                        const storage::FileSystemURL& url);
  bool CanCopyIntoFileSystemFile(int child_id,
                                 const storage::FileSystemURL& url);
  bool CanDeleteFileSystemFile(int child_id, const storage::FileSystemURL& url);

  // Returns true if the specified child_id has been granted ReadRawCookies.
  bool CanReadRawCookies(int child_id);

  // Returns true if the process is permitted to read and modify the cookies for
  // the given origin. Does not affect cookies attached to or set by network
  // requests.
  // Only might return false if the very experimental
  // --enable-strict-site-isolation or --site-per-process flags are used.
  bool CanAccessCookiesForOrigin(int child_id, const GURL& gurl);

  // Returns true if the process is permitted to attach cookies to (or have
  // cookies set by) network requests.
  // Only might return false if the very experimental
  // --enable-strict-site-isolation or --site-per-process flags are used.
  bool CanSendCookiesForOrigin(int child_id, const GURL& gurl);

  // Sets the process as only permitted to use and see the cookies for the
  // given origin.
  // Only used if the very experimental --enable-strict-site-isolation or
  // --site-per-process flags are used.
  void LockToOrigin(int child_id, const GURL& gurl);

  // Register FileSystem type and permission policy which should be used
  // for the type. The |policy| must be a bitwise-or'd value of
  // storage::FilePermissionPolicy. The registration is global (not per
  // child) and is stored in |file_system_policy_map_|.
  void RegisterFileSystemPermissionPolicy(storage::FileSystemType type,
                                          int policy);

  // Returns true if sending system exclusive messages is allowed.
  bool CanSendMidiSysExMessage(int child_id);

 private:
  // Test-only access to the private helpers and state below.
  friend class ChildProcessSecurityPolicyInProcessBrowserTest;
  friend class ChildProcessSecurityPolicyTest;
  FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest,
                           NoLeak);
  FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyTest, FilePermissions);

  // Per-child capability record; defined in the .cc file.
  class SecurityState;

  typedef std::set<std::string> SchemeSet;
  // Raw owning pointers: see the comment on |security_state_|.
  typedef std::map<int, SecurityState*> SecurityStateMap;
  typedef std::map<int, int> WorkerToMainProcessMap;
  typedef std::map<storage::FileSystemType, int> FileSystemPermissionPolicyMap;

  // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance().
  ChildProcessSecurityPolicyImpl();
  friend struct DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>;

  // Adds child process during registration.
  void AddChild(int child_id);

  // Determines if certain permissions were granted for a file to given child
  // process. |permissions| is an internally defined bit-set. Unlike
  // HasPermissionsForFile(), this looks only at |child_id| itself, not at a
  // worker's parent renderer.
  bool ChildProcessHasPermissionsForFile(int child_id,
                                         const base::FilePath& file,
                                         int permissions);

  // Grant a particular permission set for a file. |permissions| is an
  // internally defined bit-set.
  void GrantPermissionsForFile(int child_id,
                               const base::FilePath& file,
                               int permissions);

  // Grants access permission to the given isolated file system
  // identified by |filesystem_id|. See comments for
  // ChildProcessSecurityPolicy::GrantReadFileSystem() for more details.
  void GrantPermissionsForFileSystem(
      int child_id,
      const std::string& filesystem_id,
      int permission);

  // Determines if certain permissions were granted for a file. |permissions|
  // is an internally defined bit-set. If |child_id| is a worker process,
  // this returns true if either the worker process or its parent renderer
  // has permissions for the file.
  bool HasPermissionsForFile(int child_id,
                             const base::FilePath& file,
                             int permissions);

  // Determines if certain permissions were granted for a file in FileSystem
  // API. |permissions| is an internally defined bit-set.
  bool HasPermissionsForFileSystemFile(int child_id,
                                       const storage::FileSystemURL& url,
                                       int permissions);

  // Determines if certain permissions were granted for a file system.
  // |permissions| is an internally defined bit-set.
  bool HasPermissionsForFileSystem(
      int child_id,
      const std::string& filesystem_id,
      int permission);

  // You must acquire this lock before reading or writing any members of this
  // class. You must not block while holding this lock.
  base::Lock lock_;

  // These schemes are white-listed for all child processes. This set is
  // protected by |lock_|.
  SchemeSet web_safe_schemes_;

  // These schemes do not actually represent retrievable URLs. For example,
  // the URLs in the "about" scheme are aliases to other URLs. This set is
  // protected by |lock_|.
  SchemeSet pseudo_schemes_;

  // This map holds a SecurityState for each child process. The key for the
  // map is the ID of the ChildProcessHost. The SecurityState objects are
  // owned by this object and are protected by |lock_|. References to them must
  // not escape this class. (They are raw owning pointers; presumably freed
  // in Remove() and the destructor -- confirm in the .cc file.)
  SecurityStateMap security_state_;

  // This map keeps the record of which js worker thread child process
  // corresponds to which main js thread child process. Protected by |lock_|
  // like every other member.
  WorkerToMainProcessMap worker_map_;

  // Per-FileSystemType permission policy registered via
  // RegisterFileSystemPermissionPolicy(). Protected by |lock_| like every
  // other member.
  FileSystemPermissionPolicyMap file_system_policy_map_;

  DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl);
};

}  // namespace content

#endif  // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_