feat: implement File System API support (#41419)

This commit is contained in:
Shelley Vohr 2024-04-10 22:06:47 +02:00 committed by GitHub
parent 41ba963392
commit 344aba0838
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
23 changed files with 1562 additions and 9 deletions


@ -129,3 +129,4 @@ build_run_reclient_cfg_generator_after_chrome.patch
fix_suppress_clang_-wimplicit-const-int-float-conversion_in.patch
fix_getcursorscreenpoint_wrongly_returns_0_0.patch
fix_add_support_for_skipping_first_2_no-op_refreshes_in_thumb_cap.patch
refactor_expose_file_system_access_blocklist.patch


@ -0,0 +1,303 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Shelley Vohr <shelley.vohr@gmail.com>
Date: Wed, 27 Mar 2024 10:47:48 +0100
Subject: refactor: expose file system access blocklist
This CL exposes the file system access blocklist publicly so that we can leverage
it in Electron and prevent drift from Chrome's blocklist. We should look for a way
to upstream this change to Chrome.
diff --git a/chrome/browser/file_system_access/chrome_file_system_access_permission_context.cc b/chrome/browser/file_system_access/chrome_file_system_access_permission_context.cc
index 9c644d678d6d811ae5679594c0574fc0d8607f62..792cd62da17239ca6933930880af23754e4ab3d3 100644
--- a/chrome/browser/file_system_access/chrome_file_system_access_permission_context.cc
+++ b/chrome/browser/file_system_access/chrome_file_system_access_permission_context.cc
@@ -38,7 +38,6 @@
#include "chrome/browser/profiles/profile_manager.h"
#include "chrome/browser/safe_browsing/download_protection/download_protection_util.h"
#include "chrome/browser/ui/file_system_access_dialogs.h"
-#include "chrome/common/chrome_paths.h"
#include "chrome/common/pdf_util.h"
#include "chrome/grit/generated_resources.h"
#include "components/content_settings/core/browser/host_content_settings_map.h"
@@ -222,121 +221,6 @@ bool MaybeIsLocalUNCPath(const base::FilePath& path) {
}
#endif
-// Sentinel used to indicate that no PathService key is specified for a path in
-// the struct below.
-constexpr const int kNoBasePathKey = -1;
-
-enum BlockType {
- kBlockAllChildren,
- kBlockNestedDirectories,
- kDontBlockChildren
-};
-
-const struct {
- // base::BasePathKey value (or one of the platform specific extensions to it)
- // for a path that should be blocked. Specify kNoBasePathKey if |path| should
- // be used instead.
- int base_path_key;
-
- // Explicit path to block instead of using |base_path_key|. Set to nullptr to
- // use |base_path_key| on its own. If both |base_path_key| and |path| are set,
- // |path| is treated relative to the path |base_path_key| resolves to.
- const base::FilePath::CharType* path;
-
- // If this is set to kDontBlockChildren, only the given path and its parents
- // are blocked. If this is set to kBlockAllChildren, all children of the given
- // path are blocked as well. Finally if this is set to kBlockNestedDirectories
- // access is allowed to individual files in the directory, but nested
- // directories are still blocked.
- // The BlockType of the nearest ancestor of a path to check is what ultimately
- // determines if a path is blocked or not. If a blocked path is a descendent
- // of another blocked path, then it may override the child-blocking policy of
- // its ancestor. For example, if /home blocks all children, but
- // /home/downloads does not, then /home/downloads/file.ext will *not* be
- // blocked.
- BlockType type;
-} kBlockedPaths[] = {
- // Don't allow users to share their entire home directory, entire desktop or
- // entire documents folder, but do allow sharing anything inside those
- // directories not otherwise blocked.
- {base::DIR_HOME, nullptr, kDontBlockChildren},
- {base::DIR_USER_DESKTOP, nullptr, kDontBlockChildren},
- {chrome::DIR_USER_DOCUMENTS, nullptr, kDontBlockChildren},
- // Similar restrictions for the downloads directory.
- {chrome::DIR_DEFAULT_DOWNLOADS, nullptr, kDontBlockChildren},
- {chrome::DIR_DEFAULT_DOWNLOADS_SAFE, nullptr, kDontBlockChildren},
- // The Chrome installation itself should not be modified by the web.
- {base::DIR_EXE, nullptr, kBlockAllChildren},
-#if !BUILDFLAG(IS_FUCHSIA)
- {base::DIR_MODULE, nullptr, kBlockAllChildren},
-#endif
- {base::DIR_ASSETS, nullptr, kBlockAllChildren},
- // And neither should the configuration of at least the currently running
- // Chrome instance (note that this does not take --user-data-dir command
- // line overrides into account).
- {chrome::DIR_USER_DATA, nullptr, kBlockAllChildren},
- // ~/.ssh is pretty sensitive on all platforms, so block access to that.
- {base::DIR_HOME, FILE_PATH_LITERAL(".ssh"), kBlockAllChildren},
- // And limit access to ~/.gnupg as well.
- {base::DIR_HOME, FILE_PATH_LITERAL(".gnupg"), kBlockAllChildren},
-#if BUILDFLAG(IS_WIN)
- // Some Windows specific directories to block, basically all apps, the
- // operating system itself, as well as configuration data for apps.
- {base::DIR_PROGRAM_FILES, nullptr, kBlockAllChildren},
- {base::DIR_PROGRAM_FILESX86, nullptr, kBlockAllChildren},
- {base::DIR_PROGRAM_FILES6432, nullptr, kBlockAllChildren},
- {base::DIR_WINDOWS, nullptr, kBlockAllChildren},
- {base::DIR_ROAMING_APP_DATA, nullptr, kBlockAllChildren},
- {base::DIR_LOCAL_APP_DATA, nullptr, kBlockAllChildren},
- {base::DIR_COMMON_APP_DATA, nullptr, kBlockAllChildren},
- // Opening a file from an MTP device, such as a smartphone or a camera, is
- // implemented by Windows as opening a file in the temporary internet files
- // directory. To support that, allow opening files in that directory, but
- // not whole directories.
- {base::DIR_IE_INTERNET_CACHE, nullptr, kBlockNestedDirectories},
-#endif
-#if BUILDFLAG(IS_MAC)
- // Similar Mac specific blocks.
- {base::DIR_APP_DATA, nullptr, kBlockAllChildren},
- {base::DIR_HOME, FILE_PATH_LITERAL("Library"), kBlockAllChildren},
- // Allow access to other cloud files, such as Google Drive.
- {base::DIR_HOME, FILE_PATH_LITERAL("Library/CloudStorage"),
- kDontBlockChildren},
- // Allow the site to interact with data from its corresponding natively
- // installed (sandboxed) application. It would be nice to limit a site to
- // access only _its_ corresponding natively installed application,
- // but unfortunately there's no straightforward way to do that. See
- // https://crbug.com/984641#c22.
- {base::DIR_HOME, FILE_PATH_LITERAL("Library/Containers"),
- kDontBlockChildren},
- // Allow access to iCloud files...
- {base::DIR_HOME, FILE_PATH_LITERAL("Library/Mobile Documents"),
- kDontBlockChildren},
- // ... which may also appear at this directory.
- {base::DIR_HOME,
- FILE_PATH_LITERAL("Library/Mobile Documents/com~apple~CloudDocs"),
- kDontBlockChildren},
-#endif
-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
- // On Linux also block access to devices via /dev.
- {kNoBasePathKey, FILE_PATH_LITERAL("/dev"), kBlockAllChildren},
- // And security sensitive data in /proc and /sys.
- {kNoBasePathKey, FILE_PATH_LITERAL("/proc"), kBlockAllChildren},
- {kNoBasePathKey, FILE_PATH_LITERAL("/sys"), kBlockAllChildren},
- // And system files in /boot and /etc.
- {kNoBasePathKey, FILE_PATH_LITERAL("/boot"), kBlockAllChildren},
- {kNoBasePathKey, FILE_PATH_LITERAL("/etc"), kBlockAllChildren},
- // And block all of ~/.config, matching the similar restrictions on mac
- // and windows.
- {base::DIR_HOME, FILE_PATH_LITERAL(".config"), kBlockAllChildren},
- // Block ~/.dbus as well, just in case, although there probably isn't much a
- // website can do with access to that directory and its contents.
- {base::DIR_HOME, FILE_PATH_LITERAL(".dbus"), kBlockAllChildren},
-#endif
- // TODO(https://crbug.com/984641): Refine this list, for example add
- // XDG_CONFIG_HOME when it is not set ~/.config?
-};
-
// Describes a rule for blocking a directory, which can be constructed
// dynamically (based on state) or statically (from kBlockedPaths).
struct BlockPathRule {
diff --git a/chrome/browser/file_system_access/chrome_file_system_access_permission_context.h b/chrome/browser/file_system_access/chrome_file_system_access_permission_context.h
index 8bc8257b603a88e56f77dcf7d72aa9dad45880db..484f98c68b0dc860a6482e923df2379133c57749 100644
--- a/chrome/browser/file_system_access/chrome_file_system_access_permission_context.h
+++ b/chrome/browser/file_system_access/chrome_file_system_access_permission_context.h
@@ -17,12 +17,13 @@
#include "base/time/default_clock.h"
#include "chrome/browser/file_system_access/file_system_access_features.h"
#include "chrome/browser/file_system_access/file_system_access_permission_request_manager.h"
-#include "components/enterprise/buildflags/buildflags.h"
+#include "chrome/common/chrome_paths.h"
#include "components/permissions/features.h"
#include "components/permissions/object_permission_context_base.h"
#include "content/public/browser/file_system_access_permission_context.h"
#include "third_party/blink/public/mojom/file_system_access/file_system_access_manager.mojom-forward.h"
+
#if !BUILDFLAG(IS_ANDROID)
#include "chrome/browser/permissions/one_time_permissions_tracker.h"
#include "chrome/browser/permissions/one_time_permissions_tracker_observer.h"
@@ -30,7 +31,8 @@
#include "chrome/browser/web_applications/web_app_install_manager_observer.h"
#endif
-#if BUILDFLAG(ENTERPRISE_CLOUD_CONTENT_ANALYSIS)
+#if 0
+#include "components/enterprise/buildflags/buildflags.h"
#include "chrome/browser/enterprise/connectors/analysis/content_analysis_delegate.h"
#include "components/enterprise/common/files_scan_data.h"
#endif
@@ -331,6 +333,121 @@ class ChromeFileSystemAccessPermissionContext
// chrome://settings/content/filesystem UI.
static constexpr char kPermissionPathKey[] = "path";
+ // Sentinel used to indicate that no PathService key is specified for a path in
+ // the struct below.
+ static constexpr int kNoBasePathKey = -1;
+
+ enum BlockType {
+ kBlockAllChildren,
+ kBlockNestedDirectories,
+ kDontBlockChildren
+ };
+
+ static constexpr struct {
+ // base::BasePathKey value (or one of the platform specific extensions to it)
+ // for a path that should be blocked. Specify kNoBasePathKey if |path| should
+ // be used instead.
+ int base_path_key;
+
+ // Explicit path to block instead of using |base_path_key|. Set to nullptr to
+ // use |base_path_key| on its own. If both |base_path_key| and |path| are set,
+ // |path| is treated relative to the path |base_path_key| resolves to.
+ const base::FilePath::CharType* path;
+
+ // If this is set to kDontBlockChildren, only the given path and its parents
+ // are blocked. If this is set to kBlockAllChildren, all children of the given
+ // path are blocked as well. Finally if this is set to kBlockNestedDirectories
+ // access is allowed to individual files in the directory, but nested
+ // directories are still blocked.
+ // The BlockType of the nearest ancestor of a path to check is what ultimately
+ // determines if a path is blocked or not. If a blocked path is a descendent
+ // of another blocked path, then it may override the child-blocking policy of
+ // its ancestor. For example, if /home blocks all children, but
+ // /home/downloads does not, then /home/downloads/file.ext will *not* be
+ // blocked.
+ BlockType type;
+ } kBlockedPaths[] = {
+ // Don't allow users to share their entire home directory, entire desktop or
+ // entire documents folder, but do allow sharing anything inside those
+ // directories not otherwise blocked.
+ {base::DIR_HOME, nullptr, kDontBlockChildren},
+ {base::DIR_USER_DESKTOP, nullptr, kDontBlockChildren},
+ {chrome::DIR_USER_DOCUMENTS, nullptr, kDontBlockChildren},
+ // Similar restrictions for the downloads directory.
+ {chrome::DIR_DEFAULT_DOWNLOADS, nullptr, kDontBlockChildren},
+ {chrome::DIR_DEFAULT_DOWNLOADS_SAFE, nullptr, kDontBlockChildren},
+ // The Chrome installation itself should not be modified by the web.
+ {base::DIR_EXE, nullptr, kBlockAllChildren},
+ #if !BUILDFLAG(IS_FUCHSIA)
+ {base::DIR_MODULE, nullptr, kBlockAllChildren},
+ #endif
+ {base::DIR_ASSETS, nullptr, kBlockAllChildren},
+ // And neither should the configuration of at least the currently running
+ // Chrome instance (note that this does not take --user-data-dir command
+ // line overrides into account).
+ {chrome::DIR_USER_DATA, nullptr, kBlockAllChildren},
+ // ~/.ssh is pretty sensitive on all platforms, so block access to that.
+ {base::DIR_HOME, FILE_PATH_LITERAL(".ssh"), kBlockAllChildren},
+ // And limit access to ~/.gnupg as well.
+ {base::DIR_HOME, FILE_PATH_LITERAL(".gnupg"), kBlockAllChildren},
+ #if BUILDFLAG(IS_WIN)
+ // Some Windows specific directories to block, basically all apps, the
+ // operating system itself, as well as configuration data for apps.
+ {base::DIR_PROGRAM_FILES, nullptr, kBlockAllChildren},
+ {base::DIR_PROGRAM_FILESX86, nullptr, kBlockAllChildren},
+ {base::DIR_PROGRAM_FILES6432, nullptr, kBlockAllChildren},
+ {base::DIR_WINDOWS, nullptr, kBlockAllChildren},
+ {base::DIR_ROAMING_APP_DATA, nullptr, kBlockAllChildren},
+ {base::DIR_LOCAL_APP_DATA, nullptr, kBlockAllChildren},
+ {base::DIR_COMMON_APP_DATA, nullptr, kBlockAllChildren},
+ // Opening a file from an MTP device, such as a smartphone or a camera, is
+ // implemented by Windows as opening a file in the temporary internet files
+ // directory. To support that, allow opening files in that directory, but
+ // not whole directories.
+ {base::DIR_IE_INTERNET_CACHE, nullptr, kBlockNestedDirectories},
+ #endif
+ #if BUILDFLAG(IS_MAC)
+ // Similar Mac specific blocks.
+ {base::DIR_APP_DATA, nullptr, kBlockAllChildren},
+ {base::DIR_HOME, FILE_PATH_LITERAL("Library"), kBlockAllChildren},
+ // Allow access to other cloud files, such as Google Drive.
+ {base::DIR_HOME, FILE_PATH_LITERAL("Library/CloudStorage"),
+ kDontBlockChildren},
+ // Allow the site to interact with data from its corresponding natively
+ // installed (sandboxed) application. It would be nice to limit a site to
+ // access only _its_ corresponding natively installed application,
+ // but unfortunately there's no straightforward way to do that. See
+ // https://crbug.com/984641#c22.
+ {base::DIR_HOME, FILE_PATH_LITERAL("Library/Containers"),
+ kDontBlockChildren},
+ // Allow access to iCloud files...
+ {base::DIR_HOME, FILE_PATH_LITERAL("Library/Mobile Documents"),
+ kDontBlockChildren},
+ // ... which may also appear at this directory.
+ {base::DIR_HOME,
+ FILE_PATH_LITERAL("Library/Mobile Documents/com~apple~CloudDocs"),
+ kDontBlockChildren},
+ #endif
+ #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+ // On Linux also block access to devices via /dev.
+ {kNoBasePathKey, FILE_PATH_LITERAL("/dev"), kBlockAllChildren},
+ // And security sensitive data in /proc and /sys.
+ {kNoBasePathKey, FILE_PATH_LITERAL("/proc"), kBlockAllChildren},
+ {kNoBasePathKey, FILE_PATH_LITERAL("/sys"), kBlockAllChildren},
+ // And system files in /boot and /etc.
+ {kNoBasePathKey, FILE_PATH_LITERAL("/boot"), kBlockAllChildren},
+ {kNoBasePathKey, FILE_PATH_LITERAL("/etc"), kBlockAllChildren},
+ // And block all of ~/.config, matching the similar restrictions on mac
+ // and windows.
+ {base::DIR_HOME, FILE_PATH_LITERAL(".config"), kBlockAllChildren},
+ // Block ~/.dbus as well, just in case, although there probably isn't much a
+ // website can do with access to that directory and its contents.
+ {base::DIR_HOME, FILE_PATH_LITERAL(".dbus"), kBlockAllChildren},
+ #endif
+ // TODO(https://crbug.com/984641): Refine this list, for example add
+ // XDG_CONFIG_HOME when it is not set ~/.config?
+ };
+
protected:
SEQUENCE_CHECKER(sequence_checker_);
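Review bot: The relocated `chrome::DIR_USER_DATA` entry keeps the caveat that it "does not take --user-data-dir command line overrides into account", and that caveat becomes a real gap once this list is consumed outside Chrome: an embedder that relocates its user data directory (Electron apps commonly do, via `app.setPath('userData', …)`) would presumably leave the live profile data of the running instance — cookies, Local Storage, session state — outside the blocked set unless the resolved path is also registered with PathService or added as a dynamic `BlockPathRule`. Since `kNoBasePathKey`, `BlockType` and `kBlockedPaths` are now public members and effectively an API for the embedder, the comment on that entry should say so explicitly, e.g. `// Consumers outside Chrome that relocate their user-data directory must add the resolved path as a dynamic BlockPathRule; this static entry only covers the default location.` A short header comment above `kBlockedPaths` noting that entries are matched by nearest ancestor (as described on the `type` field) and that the Electron side must stay in sync with this table would also help the "prevent drift" goal stated in the patch description. The enclosing class `ChromeFileSystemAccessPermissionContext` begins before this hunk.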
@@ -350,7 +467,7 @@ class ChromeFileSystemAccessPermissionContext
void PermissionGrantDestroyed(PermissionGrantImpl* grant);
-#if BUILDFLAG(ENTERPRISE_CLOUD_CONTENT_ANALYSIS)
+#if 0
void OnContentAnalysisComplete(
std::vector<PathInfo> entries,
EntriesAllowedByEnterprisePolicyCallback callback,