1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef SANDBOX_LINUX_SERVICES_BROKER_PROCESS_H_
6 #define SANDBOX_LINUX_SERVICES_BROKER_PROCESS_H_
11 #include "base/basictypes.h"
12 #include "base/pickle.h"
13 #include "base/process/process.h"
17 // Create a new "broker" process to which we can send requests via an IPC
19 // This is a low level IPC mechanism that is suitable to be called from a
21 // A process would typically create a broker process before entering
23 // 1. BrokerProcess open_broker(read_whitelist, write_whitelist);
24 // 2. CHECK(open_broker.Init(NULL));
26 // 4. Use open_broker.Open() to open files.
29 // |denied_errno| is the error code returned when methods such as Open()
30 // or Access() are invoked on a file which is not in the whitelist. EACCESS
31 // would be a typical value.
32 // |allowed_r_files| and |allowed_w_files| are white lists of files that can
33 // be opened later via the Open() API, respectively for reading and writing.
34 // A file available read-write should be listed in both.
35 // |fast_check_in_client| and |quiet_failures_for_tests| are reserved for
36 // unit tests, don't use it.
37 explicit BrokerProcess(int denied_errno,
38 const std::vector<std::string>& allowed_r_files,
39 const std::vector<std::string>& allowed_w_files,
40 bool fast_check_in_client = true,
41 bool quiet_failures_for_tests = false);
43 // Will initialize the broker process. There should be no threads at this
44 // point, since we need to fork().
45 // sandbox_callback is a function that should be called to enable the
46 // sandbox in the broker.
47 bool Init(bool (*sandbox_callback)(void));
49 // Can be used in place of access(). Will be async signal safe.
50 // X_OK will always return an error in practice since the broker process
51 // doesn't support execute permissions.
52 // It's similar to the access() system call and will return -errno on errors.
53 int Access(const char* pathname, int mode) const;
54 // Can be used in place of open(). Will be async signal safe.
55 // The implementation only supports certain white listed flags and will
56 // return -EPERM on other flags.
57 // It's similar to the open() system call and will return -errno on errors.
58 int Open(const char* pathname, int flags) const;
60 int broker_pid() const { return broker_pid_; }
68 int PathAndFlagsSyscall(enum IPCCommands command_type,
69 const char* pathname, int flags) const;
70 bool HandleRequest() const;
71 bool HandleRemoteCommand(IPCCommands command_type, int reply_ipc,
72 const Pickle& read_pickle, PickleIterator iter) const;
74 void AccessFileForIPC(const std::string& requested_filename,
75 int mode, Pickle* write_pickle) const;
76 void OpenFileForIPC(const std::string& requested_filename,
77 int flags, Pickle* write_pickle,
78 std::vector<int>* opened_files) const;
79 bool GetFileNameIfAllowedToAccess(const char*, int, const char**) const;
80 bool GetFileNameIfAllowedToOpen(const char*, int, const char**) const;
81 const int denied_errno_;
82 bool initialized_; // Whether we've been through Init() yet.
83 bool is_child_; // Whether we're the child (broker process).
84 bool fast_check_in_client_; // Whether to forward a request that we know
85 // will be denied to the broker.
86 bool quiet_failures_for_tests_; // Disable certain error message when
87 // testing for failures.
88 pid_t broker_pid_; // The PID of the broker (child).
89 const std::vector<std::string> allowed_r_files_; // Files allowed for read.
90 const std::vector<std::string> allowed_w_files_; // Files allowed for write.
91 int ipc_socketpair_; // Our communication channel to parent or child.
92 DISALLOW_IMPLICIT_CONSTRUCTORS(BrokerProcess);
95 } // namespace sandbox
97 #endif // SANDBOX_LINUX_SERVICES_BROKER_PROCESS_H_