chromium/content/browser/storage_partition_impl_map.cc

// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "content/browser/storage_partition_impl_map.h"

#include <unordered_set>
#include <utility>

#include "base/barrier_closure.h"
#include "base/command_line.h"
#include "base/containers/contains.h"
#include "base/containers/map_util.h"
#include "base/files/file_enumerator.h"
#include "base/files/file_path.h"
#include "base/files/file_util.h"
#include "base/functional/bind.h"
#include "base/functional/callback.h"
#include "base/functional/callback_helpers.h"
#include "base/location.h"
#include "base/strings/string_number_conversions.h"
#include "base/strings/string_util.h"
#include "base/task/single_thread_task_runner.h"
#include "base/task/thread_pool.h"
#include "build/build_config.h"
#include "content/browser/background_fetch/background_fetch_context.h"
#include "content/browser/blob_storage/chrome_blob_storage_context.h"
#include "content/browser/code_cache/generated_code_cache_context.h"
#include "content/browser/cookie_store/cookie_store_manager.h"
#include "content/browser/file_system/browser_file_system_helper.h"
#include "content/browser/loader/subresource_proxying_url_loader_service.h"
#include "content/browser/resource_context_impl.h"
#include "content/browser/storage_partition_impl.h"
#include "content/browser/webui/url_data_manager_backend.h"
#include "content/public/browser/browser_context.h"
#include "content/public/browser/browser_task_traits.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/browser/content_browser_client.h"
#include "content/public/browser/storage_partition.h"
#include "content/public/common/content_client.h"
#include "content/public/common/content_features.h"
#include "content/public/common/content_switches.h"
#include "content/public/common/url_constants.h"
#include "crypto/sha2.h"
#include "services/network/public/cpp/features.h"
#include "storage/browser/blob/blob_storage_context.h"
#include "storage/browser/database/database_tracker.h"
#include "third_party/blink/public/common/storage_key/storage_key.h"

namespace content {

namespace {

// These constants are used to create the directory structure under the profile
// where renderers with a non-default storage partition keep their persistent
// state. This will contain a set of directories that partially mirror the
// directory structure of BrowserContext::GetPath().
//
// The kStoragePartitionDirname contains an extensions directory which is
// further partitioned by extension id, followed by another level of directories
// for the "default" extension storage partition and one directory for each
// persistent partition used by a webview tag. Example:
//
//   Storage/ext/ABCDEF/def
//   Storage/ext/ABCDEF/hash(partition name)
//
// The code in GetStoragePartitionPath() constructs these path names.
//
// TODO(nasko): Move extension related path code out of content.
// Top-level directory beneath the profile that holds all non-default
// partition state ("Storage" in the layout example above).
// NOTE(review): every initializer in this run is missing from this listing
// (the lines end in "=);"); the names below are taken from the example paths
// in the comment above, not from the lost initializers.
const base::FilePath::CharType kStoragePartitionDirname[] =);
// Second-level directory, further partitioned by extension id ("ext" above).
const base::FilePath::CharType kExtensionsDirname[] =);
// Directory holding an extension's "default" storage partition ("def" above).
const base::FilePath::CharType kDefaultPartitionDirname[] =);
// Directory that garbage-collected partition directories are moved into before
// being deleted asynchronously (see BlockingGarbageCollect() below). Its
// actual name is not recoverable from this listing.
const base::FilePath::CharType kTrashDirname[] =);

// Because partition names are user specified, they can be arbitrarily long
// which makes them unsuitable for path names. We use a truncation of a
// SHA256 hash to perform a deterministic shortening of the string. The
// kPartitionNameHashBytes constant controls the length of the truncation.
// We use 6 bytes, which gives us 99.999% reliability against collisions over
// 1 million partition domains.
//
// Analysis:
// We assume that all partition names within one partition domain are
// controlled by the same entity. Thus there is no chance for adversarial
// attack and all we care about is accidental collision. To get 5 9s over
// 1 million domains, we need the probability of a collision in any one domain
// to be
//
//    p < nroot(1000000, .99999) ~= 10^-11
//
// We use the following birthday attack approximation to calculate the max
// number of unique names for this probability:
//
//    n(p,H) = sqrt(2*H * ln(1/(1-p)))
//
// For a 6-byte hash, H = 2^(6*8).  n(10^-11, H) ~= 75
//
// An average partition domain is likely to have less than 10 unique
// partition names which is far lower than 75.
//
// Note, that for 4 9s of reliability, the limit is 237 partition names per
// partition domain.
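// Number of leading bytes of the SHA256 digest that are kept when a partition
// name is shortened for use as a directory name. 6 bytes is the value the
// collision analysis above is derived for (H = 2^(6*8)).
const int kPartitionNameHashBytes = 6;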

// Needed for selecting all files in ObliterateOneDirectory() below.
#if BUILDFLAG(IS_POSIX)
// NOTE(review): the POSIX initializer is missing from this listing. Given the
// non-POSIX value below, the POSIX flags presumably also ask the enumerator to
// report symbolic links as entries in their own right (e.g.
// base::FileEnumerator::SHOW_SYM_LINKS), so that obliteration removes the link
// itself instead of descending into its target -- confirm against the
// original source.
const int kAllFileTypes =;
#else
// Enumerate regular files and directories so that nothing in a partition
// directory is skipped during deletion.
const int kAllFileTypes = base::FileEnumerator::FILES |
                          base::FileEnumerator::DIRECTORIES;
#endif

// Returns the directory under which every persistent partition belonging to
// |partition_domain| lives. Per the layout described at the top of this file
// this is presumably <profile>/Storage/ext/<partition_domain>, i.e.
// |partition_domain| becomes a path component; whether it is validated before
// that happens is not visible here.
// NOTE(review): body not present in this listing.
base::FilePath GetStoragePartitionDomainPath(
    const std::string& partition_domain) {}

// Helper function for doing a depth-first deletion of the data on disk.
// Examines paths directly in |current_dir| (no recursion) and tries to
// delete from disk anything that is in, or isn't a parent of something in
// |paths_to_keep|. Paths that need further expansion are added to
// |paths_to_consider|.
//
// |paths_to_keep|: absolute paths that must survive the deletion (see
//     BlockingObliteratePath()).
// |paths_to_consider|: out-parameter; receives the entries of |current_dir|
//     that the caller still has to visit.
// Runs synchronously; presumably invoked from a task runner that permits
// blocking file I/O -- confirm against the callers.
// NOTE(review): body not present in this listing.
void ObliterateOneDirectory(const base::FilePath& current_dir,
                            const std::vector<base::FilePath>& paths_to_keep,
                            std::vector<base::FilePath>* paths_to_consider) {}

// Synchronously attempts to delete |unnormalized_root|, preserving only
// entries in |paths_to_keep|. If there are no entries in |paths_to_keep| on
// disk, then it completely removes |unnormalized_root|. All paths must be
// absolute paths.
//
// |unnormalized_browser_context_root|: the BrowserContext's own directory.
//     The "unnormalized" prefix on both roots suggests they are canonicalised
//     before use, presumably so that |unnormalized_root| can be confirmed to
//     lie inside the browser context directory before anything is deleted --
//     confirm against the body.
// |closure_runner|: task runner on which |on_gc_required| is presumably run.
// |on_gc_required|: run to signal that a later garbage collection pass is
//     needed.
// NOTE(review): body not present in this listing.
void BlockingObliteratePath(
    const base::FilePath& unnormalized_browser_context_root,
    const base::FilePath& unnormalized_root,
    const std::vector<base::FilePath>& paths_to_keep,
    const scoped_refptr<base::TaskRunner>& closure_runner,
    base::OnceClosure on_gc_required) {}

// Ensures each path in |active_paths| is a direct child of storage_root.
// |active_paths| is modified in place; entries that lie deeper in the tree are
// presumably replaced by their ancestor directly below |storage_root| --
// confirm against the body.
// NOTE(review): body not present in this listing.
void NormalizeActivePaths(const base::FilePath& storage_root,
                          std::unordered_set<base::FilePath>* active_paths) {}

// Deletes all entries inside the |storage_root| that are not in the
// |active_paths|.  Deletion is done in 2 steps:
//
//   (1) Moving all garbage collected paths into a trash directory.
//   (2) Asynchronously deleting the trash directory.
//
// The deletion is asynchronous because after (1) completes, calling code can
// safely continue to use the paths that had just been garbage collected
// without fear of race conditions.
//
// This code also ignores failed moves rather than attempting a smarter retry.
// Moves shouldn't fail here unless there is some out-of-band error (e.g.,
// FS corruption). Retry logic is dangerous in the general case because
// there is no guarantee that a retry will ever succeed.
//
// This function is still named BlockingGarbageCollect() because it does
// execute a few filesystem operations synchronously.
//
// |storage_root|: root of the partition storage tree.
// |file_access_runner|: task runner presumably used for step (2), the
//     asynchronous deletion of the trash directory.
// |active_paths|: paths still in use that must not be collected; taken by
//     value, so callers can move it in.
// NOTE(review): body not present in this listing.
void BlockingGarbageCollect(
    const base::FilePath& storage_root,
    const scoped_refptr<base::TaskRunner>& file_access_runner,
    std::unordered_set<base::FilePath> active_paths) {}

}  // namespace

// static
// Returns the directory for the partition identified by (|partition_domain|,
// |partition_name|), following the layout described at the top of this file:
// the domain's default partition maps to kDefaultPartitionDirname and a named
// partition to a directory named after a truncated SHA256 hash of
// |partition_name| (kPartitionNameHashBytes bytes). Because partition names
// are user specified, the name itself is never used verbatim as a path
// component.
// NOTE(review): body not present in this listing; whether |partition_domain|
// is validated before becoming a path component is not visible here.
base::FilePath StoragePartitionImplMap::GetStoragePartitionPath(
    const std::string& partition_domain,
    const std::string& partition_name) {}

// NOTE(review): the member initializer list is missing from this listing (the
// constructor reads ":{}"). It presumably stores |browser_context|, a raw
// pointer whose ownership stays with the caller -- confirm against the header.
StoragePartitionImplMap::StoragePartitionImplMap(
    BrowserContext* browser_context)
    :{}

// Destructor. NOTE(review): the body is shown empty here, but so is every
// other definition in this listing, so it may have been elided as well.
StoragePartitionImplMap::~StoragePartitionImplMap() {}

// Returns the partition for |partition_config|. When |can_create| is true a
// partition that does not exist yet is presumably created and then handed to
// PostCreateInitialization() below; when it is false the result for a missing
// partition is presumably null -- confirm against the body. The returned
// pointer is presumably still owned by this map, not by the caller.
// NOTE(review): body not present in this listing.
StoragePartitionImpl* StoragePartitionImplMap::Get(
    const StoragePartitionConfig& partition_config,
    bool can_create) {}

// Deletes the on-disk data of |partition_domain| asynchronously (see
// BlockingObliteratePath() above). |on_gc_required| is run when a later
// GarbageCollect() pass is needed; |done_callback| is run once deletion has
// finished. Presumably both are posted back to the calling sequence rather
// than run on the file task runner -- confirm against the body.
// NOTE(review): body not present in this listing.
void StoragePartitionImplMap::AsyncObliterate(
    const std::string& partition_domain,
    base::OnceClosure on_gc_required,
    base::OnceClosure done_callback) {}

// Removes partition directories that are not in |active_paths| (see
// BlockingGarbageCollect() above) and runs |done| afterwards.
// NOTE(review): body not present in this listing; whether |done| waits only
// for the move-to-trash step or also for the asynchronous deletion of the
// trash directory is not visible here.
void StoragePartitionImplMap::GarbageCollect(
    std::unordered_set<base::FilePath> active_paths,
    base::OnceClosure done) {}

// Invokes |fn| once for each StoragePartition currently held by this map.
// NOTE(review): body not present in this listing; the iteration order and
// whether |fn| may mutate the map while iterating cannot be confirmed here.
void StoragePartitionImplMap::ForEach(
    base::FunctionRef<void(StoragePartition*)> fn) {}

// Second-phase initialisation of a freshly created |partition|, run after it
// has been added to the map. |in_memory| presumably marks partitions that
// must not persist anything to disk -- confirm against the body.
// NOTE(review): body not present in this listing; which of the contexts
// included at the top of this file are wired up here cannot be confirmed.
void StoragePartitionImplMap::PostCreateInitialization(
    StoragePartitionImpl* partition,
    bool in_memory) {}

}  // namespace content