sandbox/linux/syscall_broker/broker_policy.h - platform/external/chromium_org - Git at Google

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
 #define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_

 #include <string>
 #include <vector>

 #include "base/macros.h"

 namespace sandbox {
 namespace syscall_broker {

 // BrokerPolicy allows to define the security policy enforced by a
 // BrokerHost. The BrokerHost will evaluate requests sent over its
 // IPC channel according to the BrokerPolicy.
 // Some of the methods of this class can be used in an async-signal safe
 // way.
 class BrokerPolicy {
  public:
   // |denied_errno| is the error code returned when IPC requests for system
   // calls such as open() or access() are denied because a file is not in the
   // whitelist. EACCESS would be a typical value.
   // |allowed_r_files| and |allowed_w_files| are white lists of files that
   // should be allowed for opening, respectively for reading and writing.
   // A file available read-write should be listed in both.
   BrokerPolicy(int denied_errno,
                const std::vector<std::string>& allowed_r_files,
                const std::vector<std::string>& allowed_w_files_);
   ~BrokerPolicy();

   // Check if calling access() should be allowed on |requested_filename| with
   // mode |requested_mode|.
   // Note: access() being a system call to check permissions, this can get a bit
   // confusing. We're checking if calling access() should even be allowed with
   // the same policy we would use for open().
   // If |file_to_access| is not NULL, we will return the matching pointer from
   // the whitelist. For paranoia a caller should then use |file_to_access|. See
   // GetFileNameIfAllowedToOpen() for more explanation.
   // return true if calling access() on this file should be allowed, false
   // otherwise.
   // Async signal safe if and only if |file_to_access| is NULL.
   bool GetFileNameIfAllowedToAccess(const char* requested_filename,
                                     int requested_mode,
                                     const char** file_to_access) const;

   // Check if |requested_filename| can be opened with flags |requested_flags|.
   // If |file_to_open| is not NULL, we will return the matching pointer from the
   // whitelist. For paranoia, a caller should then use |file_to_open| rather
   // than |requested_filename|, so that it never attempts to open an
   // attacker-controlled file name, even if an attacker managed to fool the
   // string comparison mechanism.
   // Return true if opening should be allowed, false otherwise.
   // Async signal safe if and only if |file_to_open| is NULL.
   bool GetFileNameIfAllowedToOpen(const char* requested_filename,
                                   int requested_flags,
                                   const char** file_to_open) const;
   int denied_errno() const { return denied_errno_; }

  private:
   const int denied_errno_;
   const std::vector<std::string> allowed_r_files_;
   const std::vector<std::string> allowed_w_files_;
   DISALLOW_COPY_AND_ASSIGN(BrokerPolicy);
 };

 }  // namespace syscall_broker

 }  // namespace sandbox

 #endif  // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
	// Copyright 2014 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
	#define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_

	#include <string>
	#include <vector>

	#include "base/macros.h"

	namespace sandbox {
	namespace syscall_broker {

	// BrokerPolicy allows to define the security policy enforced by a
	// BrokerHost. The BrokerHost will evaluate requests sent over its
	// IPC channel according to the BrokerPolicy.
	// Some of the methods of this class can be used in an async-signal safe
	// way.
	class BrokerPolicy {
	public:
	// \|denied_errno\| is the error code returned when IPC requests for system
	// calls such as open() or access() are denied because a file is not in the
	// whitelist. EACCESS would be a typical value.
	// \|allowed_r_files\| and \|allowed_w_files\| are white lists of files that
	// should be allowed for opening, respectively for reading and writing.
	// A file available read-write should be listed in both.
	BrokerPolicy(int denied_errno,
	const std::vector<std::string>& allowed_r_files,
	const std::vector<std::string>& allowed_w_files_);
	~BrokerPolicy();

	// Check if calling access() should be allowed on \|requested_filename\| with
	// mode \|requested_mode\|.
	// Note: access() being a system call to check permissions, this can get a bit
	// confusing. We're checking if calling access() should even be allowed with
	// the same policy we would use for open().
	// If \|file_to_access\| is not NULL, we will return the matching pointer from
	// the whitelist. For paranoia a caller should then use \|file_to_access\|. See
	// GetFileNameIfAllowedToOpen() for more explanation.
	// return true if calling access() on this file should be allowed, false
	// otherwise.
	// Async signal safe if and only if \|file_to_access\| is NULL.
	bool GetFileNameIfAllowedToAccess(const char* requested_filename,
	int requested_mode,
	const char** file_to_access) const;

	// Check if \|requested_filename\| can be opened with flags \|requested_flags\|.
	// If \|file_to_open\| is not NULL, we will return the matching pointer from the
	// whitelist. For paranoia, a caller should then use \|file_to_open\| rather
	// than \|requested_filename\|, so that it never attempts to open an
	// attacker-controlled file name, even if an attacker managed to fool the
	// string comparison mechanism.
	// Return true if opening should be allowed, false otherwise.
	// Async signal safe if and only if \|file_to_open\| is NULL.
	bool GetFileNameIfAllowedToOpen(const char* requested_filename,
	int requested_flags,
	const char** file_to_open) const;
	int denied_errno() const { return denied_errno_; }

	private:
	const int denied_errno_;
	const std::vector<std::string> allowed_r_files_;
	const std::vector<std::string> allowed_w_files_;
	DISALLOW_COPY_AND_ASSIGN(BrokerPolicy);
	};

	} // namespace syscall_broker

	} // namespace sandbox

	#endif // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_