Diffstat (limited to 'sandbox/linux/syscall_broker/broker_file_permission.h')
-rw-r--r-- | sandbox/linux/syscall_broker/broker_file_permission.h | 119 |
1 files changed, 0 insertions, 119 deletions
diff --git a/sandbox/linux/syscall_broker/broker_file_permission.h b/sandbox/linux/syscall_broker/broker_file_permission.h
deleted file mode 100644
index 03300d1d74..0000000000
--- a/sandbox/linux/syscall_broker/broker_file_permission.h
+++ /dev/null
@@ -1,119 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_FILE_PERMISSION_H_
-#define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_FILE_PERMISSION_H_
-
-#include <string>
-
-#include "base/macros.h"
-#include "sandbox/sandbox_export.h"
-
-namespace sandbox {
-
-namespace syscall_broker {
-
-// BrokerFilePermission defines a path for whitelisting.
-// Pick the correct static factory method to create a permission.
-// CheckOpen and CheckAccess are async signal safe.
-// Constuction and Destruction are not async signal safe.
-// |path| is the path to be whitelisted.
-class SANDBOX_EXPORT BrokerFilePermission {
- public:
- ~BrokerFilePermission() {}
- BrokerFilePermission(const BrokerFilePermission&) = default;
- BrokerFilePermission& operator=(const BrokerFilePermission&) = default;
-
- static BrokerFilePermission ReadOnly(const std::string& path) {
- return BrokerFilePermission(path, false, false, true, false, false);
- }
-
- static BrokerFilePermission ReadOnlyRecursive(const std::string& path) {
- return BrokerFilePermission(path, true, false, true, false, false);
- }
-
- static BrokerFilePermission WriteOnly(const std::string& path) {
- return BrokerFilePermission(path, false, false, false, true, false);
- }
-
- static BrokerFilePermission ReadWrite(const std::string& path) {
- return BrokerFilePermission(path, false, false, true, true, false);
- }
-
- static BrokerFilePermission ReadWriteCreate(const std::string& path) {
- return BrokerFilePermission(path, false, false, true, true, true);
- }
-
- static BrokerFilePermission ReadWriteCreateUnlink(const std::string& path) {
- return BrokerFilePermission(path, false, true, true, true, true);
- }
-
- static BrokerFilePermission ReadWriteCreateUnlinkRecursive(
- const std::string& path) {
- return BrokerFilePermission(path, true, true, true, true, true);
- }
-
- // Returns true if |requested_filename| is allowed to be opened
- // by this permission.
- // If |file_to_open| is not NULL it is set to point to either
- // the |requested_filename| in the case of a recursive match,
- // or a pointer the matched path in the whitelist if an absolute
- // match.
- // If not NULL |unlink_after_open| is set to point to true if the
- // caller should unlink the path after openning.
- // Async signal safe if |file_to_open| is NULL.
- bool CheckOpen(const char* requested_filename,
- int flags,
- const char** file_to_open,
- bool* unlink_after_open) const;
- // Returns true if |requested_filename| is allowed to be accessed
- // by this permission as per access(2).
- // If |file_to_open| is not NULL it is set to point to either
- // the |requested_filename| in the case of a recursive match,
- // or a pointer to the matched path in the whitelist if an absolute
- // match.
- // |mode| is per mode argument of access(2).
- // Async signal safe if |file_to_access| is NULL
- bool CheckAccess(const char* requested_filename,
- int mode,
- const char** file_to_access) const;
-
- private:
- friend class BrokerFilePermissionTester;
- BrokerFilePermission(const std::string& path,
- bool recursive,
- bool unlink,
- bool allow_read,
- bool allow_write,
- bool allow_create);
-
- // ValidatePath checks |path| and returns true if these conditions are met
- // * Greater than 0 length
- // * Is an absolute path
- // * No trailing slash
- // * No /../ path traversal
- static bool ValidatePath(const char* path);
-
- // MatchPath returns true if |requested_filename| is covered by this instance
- bool MatchPath(const char* requested_filename) const;
-
- // Used in by BrokerFilePermissionTester for tests.
- static const char* GetErrorMessageForTests();
-
- // These are not const as std::vector requires copy-assignment and this class
- // is stored in vectors. All methods are marked const so
- // the compiler will still enforce no changes outside of the constructor.
- std::string path_;
- bool recursive_; // Allow everything under this path. |path| must be a dir.
- bool unlink_; // unlink after opening.
- bool allow_read_;
- bool allow_write_;
- bool allow_create_;
-};
-
-} // namespace syscall_broker
-
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_FILE_PERMISSION_H_
\ No newline at end of file |