1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
|
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
#define SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
#include <stddef.h>
#include <string>
#include <vector>
#include "base/macros.h"
#include "sandbox/linux/syscall_broker/broker_file_permission.h"
namespace sandbox {
namespace syscall_broker {
// BrokerPolicy allows to define the security policy enforced by a
// BrokerHost. The BrokerHost will evaluate requests sent over its
// IPC channel according to the BrokerPolicy.
// Some of the methods of this class can be used in an async-signal safe
// way.
class BrokerPolicy {
public:
// |denied_errno| is the error code returned when IPC requests for system
// calls such as open() or access() are denied because a file is not in the
// whitelist. EACCESS would be a typical value.
// |permissions| is a list of BrokerPermission objects that define
// what the broker will allow.
BrokerPolicy(int denied_errno,
const std::vector<BrokerFilePermission>& permissions);
~BrokerPolicy();
// Check if calling access() should be allowed on |requested_filename| with
// mode |requested_mode|.
// Note: access() being a system call to check permissions, this can get a bit
// confusing. We're checking if calling access() should even be allowed with
// If |file_to_open| is not NULL, a pointer to the path will be returned.
// In the case of a recursive match, this will be the requested_filename,
// otherwise it will return the matching pointer from the
// whitelist. For paranoia a caller should then use |file_to_access|. See
// GetFileNameIfAllowedToOpen() for more explanation.
// return true if calling access() on this file should be allowed, false
// otherwise.
// Async signal safe if and only if |file_to_access| is NULL.
bool GetFileNameIfAllowedToAccess(const char* requested_filename,
int requested_mode,
const char** file_to_access) const;
// Check if |requested_filename| can be opened with flags |requested_flags|.
// If |file_to_open| is not NULL, a pointer to the path will be returned.
// In the case of a recursive match, this will be the requested_filename,
// otherwise it will return the matching pointer from the
// whitelist. For paranoia, a caller should then use |file_to_open| rather
// than |requested_filename|, so that it never attempts to open an
// attacker-controlled file name, even if an attacker managed to fool the
// string comparison mechanism.
// |unlink_after_open| if not NULL will be set to point to true if the
// policy requests the caller unlink the path after opening.
// Return true if opening should be allowed, false otherwise.
// Async signal safe if and only if |file_to_open| is NULL.
bool GetFileNameIfAllowedToOpen(const char* requested_filename,
int requested_flags,
const char** file_to_open,
bool* unlink_after_open) const;
int denied_errno() const { return denied_errno_; }
private:
const int denied_errno_;
// The permissions_ vector is used as storage for the BrokerFilePermission
// objects but is not referenced outside of the constructor as
// vectors are unfriendly in async signal safe code.
const std::vector<BrokerFilePermission> permissions_;
// permissions_array_ is set up to point to the backing store of
// permissions_ and is used in async signal safe methods.
const BrokerFilePermission* permissions_array_;
const size_t num_of_permissions_;
DISALLOW_COPY_AND_ASSIGN(BrokerPolicy);
};
} // namespace syscall_broker
} // namespace sandbox
#endif // SANDBOX_LINUX_SYSCALL_BROKER_BROKER_POLICY_H_
|
