libchrome/sandbox/linux/syscall_broker/broker_policy.h - nest-cam/4320010/libchrome - Git at Google

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
 #define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_

 #include <stddef.h>

 #include <string>
 #include <vector>

 #include "base/macros.h"

 #include "sandbox/linux/syscall_broker/broker_file_permission.h"

 namespace sandbox {
 namespace syscall_broker {

 // BrokerPolicy allows to define the security policy enforced by a
 // BrokerHost. The BrokerHost will evaluate requests sent over its
 // IPC channel according to the BrokerPolicy.
 // Some of the methods of this class can be used in an async-signal safe
 // way.
 class BrokerPolicy {
  public:
   // |denied_errno| is the error code returned when IPC requests for system
   // calls such as open() or access() are denied because a file is not in the
   // whitelist. EACCESS would be a typical value.
   // |permissions| is a list of BrokerPermission objects that define
   // what the broker will allow.
   BrokerPolicy(int denied_errno,
                const std::vector<BrokerFilePermission>& permissions);

   ~BrokerPolicy();

   // Check if calling access() should be allowed on |requested_filename| with
   // mode |requested_mode|.
   // Note: access() being a system call to check permissions, this can get a bit
   // confusing. We're checking if calling access() should even be allowed with
   // If |file_to_open| is not NULL, a pointer to the path will be returned.
   // In the case of a recursive match, this will be the requested_filename,
   // otherwise it will return the matching pointer from the
   // whitelist. For paranoia a caller should then use |file_to_access|. See
   // GetFileNameIfAllowedToOpen() for more explanation.
   // return true if calling access() on this file should be allowed, false
   // otherwise.
   // Async signal safe if and only if |file_to_access| is NULL.
   bool GetFileNameIfAllowedToAccess(const char* requested_filename,
                                     int requested_mode,
                                     const char** file_to_access) const;

   // Check if |requested_filename| can be opened with flags |requested_flags|.
   // If |file_to_open| is not NULL, a pointer to the path will be returned.
   // In the case of a recursive match, this will be the requested_filename,
   // otherwise it will return the matching pointer from the
   // whitelist. For paranoia, a caller should then use |file_to_open| rather
   // than |requested_filename|, so that it never attempts to open an
   // attacker-controlled file name, even if an attacker managed to fool the
   // string comparison mechanism.
   // |unlink_after_open| if not NULL will be set to point to true if the
   // policy requests the caller unlink the path after opening.
   // Return true if opening should be allowed, false otherwise.
   // Async signal safe if and only if |file_to_open| is NULL.
   bool GetFileNameIfAllowedToOpen(const char* requested_filename,
                                   int requested_flags,
                                   const char** file_to_open,
                                   bool* unlink_after_open) const;
   int denied_errno() const { return denied_errno_; }

  private:
   const int denied_errno_;
   // The permissions_ vector is used as storage for the BrokerFilePermission
   // objects but is not referenced outside of the constructor as
   // vectors are unfriendly in async signal safe code.
   const std::vector<BrokerFilePermission> permissions_;
   // permissions_array_ is set up to point to the backing store of
   // permissions_ and is used in async signal safe methods.
   const BrokerFilePermission* permissions_array_;
   const size_t num_of_permissions_;

   DISALLOW_COPY_AND_ASSIGN(BrokerPolicy);
 };

 }  // namespace syscall_broker

 }  // namespace sandbox

 #endif  // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
	// Copyright 2014 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
	#define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_

	#include <stddef.h>

	#include <string>
	#include <vector>

	#include "base/macros.h"

	#include "sandbox/linux/syscall_broker/broker_file_permission.h"

	namespace sandbox {
	namespace syscall_broker {

	// BrokerPolicy allows to define the security policy enforced by a
	// BrokerHost. The BrokerHost will evaluate requests sent over its
	// IPC channel according to the BrokerPolicy.
	// Some of the methods of this class can be used in an async-signal safe
	// way.
	class BrokerPolicy {
	public:
	// \|denied_errno\| is the error code returned when IPC requests for system
	// calls such as open() or access() are denied because a file is not in the
	// whitelist. EACCESS would be a typical value.
	// \|permissions\| is a list of BrokerPermission objects that define
	// what the broker will allow.
	BrokerPolicy(int denied_errno,
	const std::vector<BrokerFilePermission>& permissions);

	~BrokerPolicy();

	// Check if calling access() should be allowed on \|requested_filename\| with
	// mode \|requested_mode\|.
	// Note: access() being a system call to check permissions, this can get a bit
	// confusing. We're checking if calling access() should even be allowed with
	// If \|file_to_open\| is not NULL, a pointer to the path will be returned.
	// In the case of a recursive match, this will be the requested_filename,
	// otherwise it will return the matching pointer from the
	// whitelist. For paranoia a caller should then use \|file_to_access\|. See
	// GetFileNameIfAllowedToOpen() for more explanation.
	// return true if calling access() on this file should be allowed, false
	// otherwise.
	// Async signal safe if and only if \|file_to_access\| is NULL.
	bool GetFileNameIfAllowedToAccess(const char* requested_filename,
	int requested_mode,
	const char** file_to_access) const;

	// Check if \|requested_filename\| can be opened with flags \|requested_flags\|.
	// If \|file_to_open\| is not NULL, a pointer to the path will be returned.
	// In the case of a recursive match, this will be the requested_filename,
	// otherwise it will return the matching pointer from the
	// whitelist. For paranoia, a caller should then use \|file_to_open\| rather
	// than \|requested_filename\|, so that it never attempts to open an
	// attacker-controlled file name, even if an attacker managed to fool the
	// string comparison mechanism.
	// \|unlink_after_open\| if not NULL will be set to point to true if the
	// policy requests the caller unlink the path after opening.
	// Return true if opening should be allowed, false otherwise.
	// Async signal safe if and only if \|file_to_open\| is NULL.
	bool GetFileNameIfAllowedToOpen(const char* requested_filename,
	int requested_flags,
	const char** file_to_open,
	bool* unlink_after_open) const;
	int denied_errno() const { return denied_errno_; }

	private:
	const int denied_errno_;
	// The permissions_ vector is used as storage for the BrokerFilePermission
	// objects but is not referenced outside of the constructor as
	// vectors are unfriendly in async signal safe code.
	const std::vector<BrokerFilePermission> permissions_;
	// permissions_array_ is set up to point to the backing store of
	// permissions_ and is used in async signal safe methods.
	const BrokerFilePermission* permissions_array_;
	const size_t num_of_permissions_;

	DISALLOW_COPY_AND_ASSIGN(BrokerPolicy);
	};

	} // namespace syscall_broker

	} // namespace sandbox

	#endif // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_