// Copyright 2014 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ #define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_ #include <stddef.h> #include <string> #include <vector> #include "base/macros.h" #include "sandbox/linux/syscall_broker/broker_file_permission.h" namespace sandbox { namespace syscall_broker { // BrokerPolicy allows to define the security policy enforced by a // BrokerHost. The BrokerHost will evaluate requests sent over its // IPC channel according to the BrokerPolicy. // Some of the methods of this class can be used in an async-signal safe // way. class BrokerPolicy { public: // |denied_errno| is the error code returned when IPC requests for system // calls such as open() or access() are denied because a file is not in the // whitelist. EACCESS would be a typical value. // |permissions| is a list of BrokerPermission objects that define // what the broker will allow. BrokerPolicy(int denied_errno, const std::vector<BrokerFilePermission>& permissions); ~BrokerPolicy(); // Check if calling access() should be allowed on |requested_filename| with // mode |requested_mode|. // Note: access() being a system call to check permissions, this can get a bit // confusing. We're checking if calling access() should even be allowed with // If |file_to_open| is not NULL, a pointer to the path will be returned. // In the case of a recursive match, this will be the requested_filename, // otherwise it will return the matching pointer from the // whitelist. For paranoia a caller should then use |file_to_access|. See // GetFileNameIfAllowedToOpen() for more explanation. // return true if calling access() on this file should be allowed, false // otherwise. // Async signal safe if and only if |file_to_access| is NULL. bool GetFileNameIfAllowedToAccess(const char* requested_filename, int requested_mode, const char** file_to_access) const; // Check if |requested_filename| can be opened with flags |requested_flags|. // If |file_to_open| is not NULL, a pointer to the path will be returned. // In the case of a recursive match, this will be the requested_filename, // otherwise it will return the matching pointer from the // whitelist. For paranoia, a caller should then use |file_to_open| rather // than |requested_filename|, so that it never attempts to open an // attacker-controlled file name, even if an attacker managed to fool the // string comparison mechanism. // |unlink_after_open| if not NULL will be set to point to true if the // policy requests the caller unlink the path after opening. // Return true if opening should be allowed, false otherwise. // Async signal safe if and only if |file_to_open| is NULL. bool GetFileNameIfAllowedToOpen(const char* requested_filename, int requested_flags, const char** file_to_open, bool* unlink_after_open) const; int denied_errno() const { return denied_errno_; } private: const int denied_errno_; // The permissions_ vector is used as storage for the BrokerFilePermission // objects but is not referenced outside of the constructor as // vectors are unfriendly in async signal safe code. const std::vector<BrokerFilePermission> permissions_; // permissions_array_ is set up to point to the backing store of // permissions_ and is used in async signal safe methods. const BrokerFilePermission* permissions_array_; const size_t num_of_permissions_; DISALLOW_COPY_AND_ASSIGN(BrokerPolicy); }; } // namespace syscall_broker } // namespace sandbox #endif // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_