1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
13 #include "base/compiler_specific.h"
14 #include "base/gtest_prod_util.h"
15 #include "base/memory/singleton.h"
16 #include "base/synchronization/lock.h"
17 #include "content/public/browser/child_process_security_policy.h"
18 #include "webkit/common/fileapi/file_system_types.h"
19 #include "webkit/common/resource_type.h"
33 class CONTENT_EXPORT ChildProcessSecurityPolicyImpl
34 : NON_EXPORTED_BASE(public ChildProcessSecurityPolicy) {
36 // Object can only be created through GetInstance() so the constructor is
38 virtual ~ChildProcessSecurityPolicyImpl();
40 static ChildProcessSecurityPolicyImpl* GetInstance();
42 // ChildProcessSecurityPolicy implementation.
43 virtual void RegisterWebSafeScheme(const std::string& scheme) OVERRIDE;
44 virtual bool IsWebSafeScheme(const std::string& scheme) OVERRIDE;
45 virtual void GrantReadFile(int child_id, const base::FilePath& file) OVERRIDE;
46 virtual void GrantCreateReadWriteFile(int child_id,
47 const base::FilePath& file) OVERRIDE;
48 virtual void GrantReadFileSystem(
50 const std::string& filesystem_id) OVERRIDE;
51 virtual void GrantWriteFileSystem(
53 const std::string& filesystem_id) OVERRIDE;
54 virtual void GrantCreateFileForFileSystem(
56 const std::string& filesystem_id) OVERRIDE;
57 virtual void GrantCopyIntoFileSystem(
59 const std::string& filesystem_id) OVERRIDE;
60 virtual void GrantDeleteFromFileSystem(
62 const std::string& filesystem_id) OVERRIDE;
63 virtual void GrantScheme(int child_id, const std::string& scheme) OVERRIDE;
64 virtual bool CanReadFile(int child_id, const base::FilePath& file) OVERRIDE;
65 virtual bool CanCreateReadWriteFile(int child_id,
66 const base::FilePath& file) OVERRIDE;
67 virtual bool CanReadFileSystem(int child_id,
68 const std::string& filesystem_id) OVERRIDE;
69 virtual bool CanReadWriteFileSystem(
71 const std::string& filesystem_id) OVERRIDE;
72 virtual bool CanCopyIntoFileSystem(int child_id,
73 const std::string& filesystem_id) OVERRIDE;
74 virtual bool CanDeleteFromFileSystem(
76 const std::string& filesystem_id) OVERRIDE;
78 void GrantCreateReadWriteFileSystem(
80 const std::string& filesystem_id);
82 // Pseudo schemes are treated differently than other schemes because they
83 // cannot be requested like normal URLs. There is no mechanism for revoking
85 void RegisterPseudoScheme(const std::string& scheme);
87 // Returns true iff |scheme| has been registered as pseudo scheme.
88 bool IsPseudoScheme(const std::string& scheme);
90 // Upon creation, child processes should register themselves by calling this
91 // this method exactly once.
92 void Add(int child_id);
94 // Upon creation, worker thread child processes should register themselves by
95 // calling this this method exactly once. Workers that are not shared will
96 // inherit permissions from their parent renderer process identified with
97 // |main_render_process_id|.
98 void AddWorker(int worker_child_id, int main_render_process_id);
100 // Upon destruction, child processess should unregister themselves by caling
101 // this method exactly once.
102 void Remove(int child_id);
104 // Whenever the browser processes commands the child process to request a URL,
105 // it should call this method to grant the child process the capability to
106 // request the URL, along with permission to request all URLs of the same
108 void GrantRequestURL(int child_id, const GURL& url);
110 // Whenever the browser process drops a file icon on a tab, it should call
111 // this method to grant the child process the capability to request this one
112 // file:// URL, but not all urls of the file:// scheme.
113 void GrantRequestSpecificFileURL(int child_id, const GURL& url);
115 // Revokes all permissions granted to the given file.
116 void RevokeAllPermissionsForFile(int child_id, const base::FilePath& file);
118 // Grant the child process the ability to use Web UI Bindings.
119 void GrantWebUIBindings(int child_id);
121 // Grant the child process the ability to read raw cookies.
122 void GrantReadRawCookies(int child_id);
124 // Revoke read raw cookies permission.
125 void RevokeReadRawCookies(int child_id);
127 // Grants permission to send system exclusive message to any MIDI devices.
128 void GrantSendMIDISysExMessage(int child_id);
130 // Before servicing a child process's request for a URL, the browser should
131 // call this method to determine whether the process has the capability to
133 bool CanRequestURL(int child_id, const GURL& url);
135 // Returns true if the process is permitted to load pages from
136 // the given origin in main frames or subframes.
137 // Only might return false if --site-per-process flag is used.
138 bool CanLoadPage(int child_id,
140 ResourceType::Type resource_type);
142 // Explicit permissions checks for FileSystemURL specified files.
143 bool CanReadFileSystemFile(int child_id, const fileapi::FileSystemURL& url);
144 bool CanWriteFileSystemFile(int child_id, const fileapi::FileSystemURL& url);
145 bool CanCreateFileSystemFile(int child_id, const fileapi::FileSystemURL& url);
146 bool CanCreateReadWriteFileSystemFile(int child_id,
147 const fileapi::FileSystemURL& url);
148 bool CanCopyIntoFileSystemFile(int child_id,
149 const fileapi::FileSystemURL& url);
150 bool CanDeleteFileSystemFile(int child_id,
151 const fileapi::FileSystemURL& url);
153 // Returns true if the specified child_id has been granted WebUIBindings.
154 // The browser should check this property before assuming the child process is
155 // allowed to use WebUIBindings.
156 bool HasWebUIBindings(int child_id);
158 // Returns true if the specified child_id has been granted ReadRawCookies.
159 bool CanReadRawCookies(int child_id);
161 // Returns true if the process is permitted to read and modify the cookies for
162 // the given origin. Does not affect cookies attached to or set by network
164 // Only might return false if the very experimental
165 // --enable-strict-site-isolation or --site-per-process flags are used.
166 bool CanAccessCookiesForOrigin(int child_id, const GURL& gurl);
168 // Returns true if the process is permitted to attach cookies to (or have
169 // cookies set by) network requests.
170 // Only might return false if the very experimental
171 // --enable-strict-site-isolation or --site-per-process flags are used.
172 bool CanSendCookiesForOrigin(int child_id, const GURL& gurl);
174 // Sets the process as only permitted to use and see the cookies for the
176 // Only used if the very experimental --enable-strict-site-isolation or
177 // --site-per-process flags are used.
178 void LockToOrigin(int child_id, const GURL& gurl);
180 // Determines if certain permissions were granted for a file fystem.
181 // |permissions| must be a bitwise-or'd value of base::PlatformFileFlags.
182 bool HasPermissionsForFileSystem(
184 const std::string& filesystem_id,
187 // Register FileSystem type and permission policy which should be used
188 // for the type. The |policy| must be a bitwise-or'd value of
189 // fileapi::FilePermissionPolicy.
190 void RegisterFileSystemPermissionPolicy(
191 fileapi::FileSystemType type,
194 // Returns true if sending system exclusive messages is allowed.
195 bool CanSendMIDISysExMessage(int child_id);
198 friend class ChildProcessSecurityPolicyInProcessBrowserTest;
199 friend class ChildProcessSecurityPolicyTest;
200 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest,
202 FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyTest, FilePermissions);
206 typedef std::set<std::string> SchemeSet;
207 typedef std::map<int, SecurityState*> SecurityStateMap;
208 typedef std::map<int, int> WorkerToMainProcessMap;
209 typedef std::map<fileapi::FileSystemType, int> FileSystemPermissionPolicyMap;
211 // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance().
212 ChildProcessSecurityPolicyImpl();
213 friend struct DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>;
215 // Adds child process during registration.
216 void AddChild(int child_id);
218 // Determines if certain permissions were granted for a file to given child
219 // process. |permissions| must be a bitwise-or'd value of
220 // base::PlatformFileFlags.
221 bool ChildProcessHasPermissionsForFile(int child_id,
222 const base::FilePath& file,
225 // Grant a particular permission set for a file. |permissions| is a bit-set
226 // of base::PlatformFileFlags.
227 void GrantPermissionsForFile(int child_id,
228 const base::FilePath& file,
231 // Grants access permission to the given isolated file system
232 // identified by |filesystem_id|. See comments for
233 // ChildProcessSecurityPolicy::GrantReadFileSystem() for more details.
234 void GrantPermissionsForFileSystem(
236 const std::string& filesystem_id,
239 // Deprecated: Use CanReadFile, etc. methods instead.
240 // Determines if certain permissions were granted for a file. |permissions|
241 // must be a bitwise-or'd value of base::PlatformFileFlags.
242 bool HasPermissionsForFile(int child_id,
243 const base::FilePath& file,
246 // Deprecated: Use CanReadFileSystemFile, etc. methods instead.
247 // Determines if certain permissions were granted for a file in FileSystem
248 // API. |permissions| must be a bitwise-or'd value of base::PlatformFileFlags.
249 bool HasPermissionsForFileSystemFile(int child_id,
250 const fileapi::FileSystemURL& url,
253 // You must acquire this lock before reading or writing any members of this
254 // class. You must not block while holding this lock.
257 // These schemes are white-listed for all child processes. This set is
258 // protected by |lock_|.
259 SchemeSet web_safe_schemes_;
261 // These schemes do not actually represent retrievable URLs. For example,
262 // the the URLs in the "about" scheme are aliases to other URLs. This set is
263 // protected by |lock_|.
264 SchemeSet pseudo_schemes_;
266 // This map holds a SecurityState for each child process. The key for the
267 // map is the ID of the ChildProcessHost. The SecurityState objects are
268 // owned by this object and are protected by |lock_|. References to them must
269 // not escape this class.
270 SecurityStateMap security_state_;
272 // This maps keeps the record of which js worker thread child process
273 // corresponds to which main js thread child process.
274 WorkerToMainProcessMap worker_map_;
276 FileSystemPermissionPolicyMap file_system_policy_map_;
278 DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl);
281 } // namespace content
283 #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_