Cleanup file permission check code in FileAPIMessageFilter

- Move detailed permission check code into each MountPointProvider - Add common enum for fileapi permission policy (webkit/fileapi/file_permission_policy.{h,cc}) BUG=none, cleanup only TEST=content_browsertests:FileSystemLayoutTest.*,browser_tests:FileBrowser*) Review URL: https://codereview.chromium.org/11804005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@176014 0039d316-1c4b-4281-b951-d872f2087c98

Cleanup file permission check code in FileAPIMessageFilter
- Move detailed permission check code into each MountPointProvider - Add common enum for fileapi permission policy (webkit/fileapi/file_permission_policy.{h,cc}) BUG=none, cleanup only TEST=content_browsertests:FileSystemLayoutTest.*,browser_tests:FileBrowser*) Review URL: https://codereview.chromium.org/11804005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@176014 0039d316-1c4b-4281-b951-d872f2087c98
b40ffe72 · kinuko@chromium.org · 3157a9fd · b40ffe72 · b40ffe72 · b40ffe72
Commit b40ffe72 authored Jan 10, 2013 by kinuko@chromium.org
13 changed files
--- a/content/browser/fileapi/fileapi_message_filter.cc
+++ b/content/browser/fileapi/fileapi_message_filter.cc
@@ -27,6 +27,7 @@
 #include "webkit/blob/blob_storage_controller.h"
 #include "webkit/blob/shareable_file_reference.h"
 #include "webkit/fileapi/file_observers.h"
+#include "webkit/fileapi/file_permission_policy.h"
 #include "webkit/fileapi/file_system_context.h"
 #include "webkit/fileapi/file_system_types.h"
 #include "webkit/fileapi/file_system_util.h"
@@ -45,29 +46,8 @@ using webkit_blob::BlobData;
 using webkit_blob::BlobStorageController;
 namespace content {
-namespace {
-const int kReadFilePermissions = base::PLATFORM_FILE_OPEN |
-                                 base::PLATFORM_FILE_READ |
-                                 base::PLATFORM_FILE_EXCLUSIVE_READ |
-                                 base::PLATFORM_FILE_ASYNC;
-const int kWriteFilePermissions = base::PLATFORM_FILE_OPEN |
-                                  base::PLATFORM_FILE_WRITE |
-                                  base::PLATFORM_FILE_EXCLUSIVE_WRITE |
-                                  base::PLATFORM_FILE_ASYNC |
-                                  base::PLATFORM_FILE_WRITE_ATTRIBUTES;
-const int kCreateFilePermissions = base::PLATFORM_FILE_CREATE;
+namespace {
-const int kOpenFilePermissions = base::PLATFORM_FILE_CREATE |
-                                 base::PLATFORM_FILE_OPEN_ALWAYS |
-                                 base::PLATFORM_FILE_CREATE_ALWAYS |
-                                 base::PLATFORM_FILE_OPEN_TRUNCATED |
-                                 base::PLATFORM_FILE_WRITE |
-                                 base::PLATFORM_FILE_EXCLUSIVE_WRITE |
-                                 base::PLATFORM_FILE_DELETE_ON_CLOSE |
-                                 base::PLATFORM_FILE_WRITE_ATTRIBUTES;
 void RevokeFilePermission(int child_id, const FilePath& path) {
  ChildProcessSecurityPolicyImpl::GetInstance()->RevokeAllPermissionsForFile(
@@ -229,9 +209,11 @@ void FileAPIMessageFilter::OnMove(
  base::PlatformFileError error;
  FileSystemURL src_url(src_path);
  FileSystemURL dest_url(dest_path);
-  const int src_permissions = kReadFilePermissions | kWriteFilePermissions;
+  const int src_permissions =
+      fileapi::kReadFilePermissions | fileapi::kWriteFilePermissions;
  if (!HasPermissionsForFile(src_url, src_permissions, &error) ||
-      !HasPermissionsForFile(dest_url, kCreateFilePermissions, &error)) {
+      !HasPermissionsForFile(
+          dest_url, fileapi::kCreateFilePermissions, &error)) {
    Send(new FileSystemMsg_DidFail(request_id, error));
    return;
  }
@@ -250,8 +232,9 @@ void FileAPIMessageFilter::OnCopy(
  base::PlatformFileError error;
  FileSystemURL src_url(src_path);
  FileSystemURL dest_url(dest_path);
-  if (!HasPermissionsForFile(src_url, kReadFilePermissions, &error) ||
+  if (!HasPermissionsForFile(src_url, fileapi::kReadFilePermissions, &error) ||
-      !HasPermissionsForFile(dest_url, kCreateFilePermissions, &error)) {
+      !HasPermissionsForFile(
+          dest_url, fileapi::kCreateFilePermissions, &error)) {
    Send(new FileSystemMsg_DidFail(request_id, error));
    return;
  }
@@ -269,7 +252,7 @@ void FileAPIMessageFilter::OnRemove(
  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
  base::PlatformFileError error;
  FileSystemURL url(path);
-  if (!HasPermissionsForFile(url, kWriteFilePermissions, &error)) {
+  if (!HasPermissionsForFile(url, fileapi::kWriteFilePermissions, &error)) {
    Send(new FileSystemMsg_DidFail(request_id, error));
    return;
  }
@@ -287,7 +270,7 @@ void FileAPIMessageFilter::OnReadMetadata(
  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
  base::PlatformFileError error;
  FileSystemURL url(path);
-  if (!HasPermissionsForFile(url, kReadFilePermissions, &error)) {
+  if (!HasPermissionsForFile(url, fileapi::kReadFilePermissions, &error)) {
    Send(new FileSystemMsg_DidFail(request_id, error));
    return;
  }
@@ -306,7 +289,7 @@ void FileAPIMessageFilter::OnCreate(
  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
  base::PlatformFileError error;
  FileSystemURL url(path);
-  if (!HasPermissionsForFile(url, kCreateFilePermissions, &error)) {
+  if (!HasPermissionsForFile(url, fileapi::kCreateFilePermissions, &error)) {
    Send(new FileSystemMsg_DidFail(request_id, error));
    return;
  }
@@ -330,7 +313,7 @@ void FileAPIMessageFilter::OnExists(
  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
  base::PlatformFileError error;
  FileSystemURL url(path);
-  if (!HasPermissionsForFile(url, kReadFilePermissions, &error)) {
+  if (!HasPermissionsForFile(url, fileapi::kReadFilePermissions, &error)) {
    Send(new FileSystemMsg_DidFail(request_id, error));
    return;
  }
@@ -354,7 +337,7 @@ void FileAPIMessageFilter::OnReadDirectory(
  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
  base::PlatformFileError error;
  FileSystemURL url(path);
-  if (!HasPermissionsForFile(url, kReadFilePermissions, &error)) {
+  if (!HasPermissionsForFile(url, fileapi::kReadFilePermissions, &error)) {
    Send(new FileSystemMsg_DidFail(request_id, error));
    return;
  }
@@ -381,7 +364,7 @@ void FileAPIMessageFilter::OnWrite(
  FileSystemURL url(path);
  base::PlatformFileError error;
-  if (!HasPermissionsForFile(url, kWriteFilePermissions, &error)) {
+  if (!HasPermissionsForFile(url, fileapi::kWriteFilePermissions, &error)) {
    Send(new FileSystemMsg_DidFail(request_id, error));
    return;
  }
@@ -400,7 +383,7 @@ void FileAPIMessageFilter::OnTruncate(
    int64 length) {
  base::PlatformFileError error;
  FileSystemURL url(path);
-  if (!HasPermissionsForFile(url, kWriteFilePermissions, &error)) {
+  if (!HasPermissionsForFile(url, fileapi::kWriteFilePermissions, &error)) {
    Send(new FileSystemMsg_DidFail(request_id, error));
    return;
  }
@@ -421,7 +404,7 @@ void FileAPIMessageFilter::OnTouchFile(
  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
  FileSystemURL url(path);
  base::PlatformFileError error;
-  if (!HasPermissionsForFile(url, kCreateFilePermissions, &error)) {
+  if (!HasPermissionsForFile(url, fileapi::kCreateFilePermissions, &error)) {
    Send(new FileSystemMsg_DidFail(request_id, error));
    return;
  }
@@ -456,7 +439,7 @@ void FileAPIMessageFilter::OnOpenFile(
  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
  base::PlatformFileError error;
  const int open_permissions = base::PLATFORM_FILE_OPEN |
-                               (file_flags & kOpenFilePermissions);
+                               (file_flags & fileapi::kOpenFilePermissions);
  FileSystemURL url(path);
  if (!HasPermissionsForFile(url, open_permissions, &error)) {
    Send(new FileSystemMsg_DidFail(request_id, error));
@@ -528,7 +511,7 @@ void FileAPIMessageFilter::OnSyncGetPlatformPath(
  // which means roughly same as the renderer is allowed to get the platform
  // path to the file).
  base::PlatformFileError error;
-  if (!HasPermissionsForFile(url, kReadFilePermissions, &error))
+  if (!HasPermissionsForFile(url, fileapi::kReadFilePermissions, &error))
    return;
  // This is called only by pepper plugin as of writing to get the
@@ -567,7 +550,7 @@ void FileAPIMessageFilter::OnCreateSnapshotFile(
  // called when the renderer is about to create a new File object
  // (for reading the file).
  base::PlatformFileError error;
-  if (!HasPermissionsForFile(url, kReadFilePermissions, &error)) {
+  if (!HasPermissionsForFile(url, fileapi::kReadFilePermissions, &error)) {
    Send(new FileSystemMsg_DidFail(request_id, error));
    return;
  }
@@ -832,47 +815,31 @@ bool FileAPIMessageFilter::HasPermissionsForFile(
  ChildProcessSecurityPolicyImpl* policy =
      ChildProcessSecurityPolicyImpl::GetInstance();
-  // Special handling for filesystems whose mount type is isolated.
+  switch (mount_point_provider->GetPermissionPolicy(url, permissions)) {
-  // (See ChildProcessSecurityPolicy::GrantReadFileSystem for more
+    case fileapi::FILE_PERMISSION_ALWAYS_DENY:
-  // details about access permission for isolated filesystem.)
-  if (url.mount_type() == fileapi::kFileSystemTypeIsolated) {
-    // The root directory of the dragged filesystem is read-only.
-    if (url.type() == fileapi::kFileSystemTypeDragged && url.path().empty()) {
-      if (permissions != kReadFilePermissions) {
      *error = base::PLATFORM_FILE_ERROR_SECURITY;
      return false;
-      }
+    case fileapi::FILE_PERMISSION_ALWAYS_ALLOW:
+      CHECK(mount_point_provider == context_->sandbox_provider());
      return true;
+    case fileapi::FILE_PERMISSION_USE_FILE_PERMISSION: {
+      const bool success = policy->HasPermissionsForFile(
+          process_id_, url.path(), permissions);
+      if (!success)
+        *error = base::PLATFORM_FILE_ERROR_SECURITY;
+      return success;
    }
+    case fileapi::FILE_PERMISSION_USE_FILESYSTEM_PERMISSION: {
-    // Access permission to the file system overrides the file permission
+      const bool success = policy->HasPermissionsForFileSystem(
-    // (if and only if they accessed via an isolated file system).
-    bool success = policy->HasPermissionsForFileSystem(
          process_id_, url.filesystem_id(), permissions);
      if (!success)
        *error = base::PLATFORM_FILE_ERROR_SECURITY;
      return success;
    }
-  if (fileapi::SandboxMountPointProvider::CanHandleType(url.type())) {
-    // Sandboxed file system permissions should be implicitly granted.
-    // (And the application should not be given direct permission to the actual
-    // data directory in the sandboxed area.)
-    CHECK(mount_point_provider == context_->sandbox_provider());
-    return true;
  }
+  NOTREACHED();
-  file_path = mount_point_provider->GetPathForPermissionsCheck(url.path());
-  if (file_path.empty()) {
  *error = base::PLATFORM_FILE_ERROR_SECURITY;
  return false;
-  }
-  bool success = policy->HasPermissionsForFile(
-      process_id_, file_path, permissions);
-  if (!success)
-    *error = base::PLATFORM_FILE_ERROR_SECURITY;
-  return success;
 }
 FileSystemOperation* FileAPIMessageFilter::GetNewOperation(

--- a/webkit/chromeos/fileapi/cros_mount_point_provider.cc
+++ b/webkit/chromeos/fileapi/cros_mount_point_provider.cc
@@ -235,9 +235,14 @@ fileapi::FileSystemFileUtil* CrosMountPointProvider::GetFileUtil(
  return local_file_util_.get();
 }
-FilePath CrosMountPointProvider::GetPathForPermissionsCheck(
+fileapi::FilePermissionPolicy CrosMountPointProvider::GetPermissionPolicy(
-    const FilePath& virtual_path) const {
+    const fileapi::FileSystemURL& url, int permissions) const {
-  return virtual_path;
+  if (url.mount_type() == fileapi::kFileSystemTypeIsolated) {
+    // Permissions in isolated filesystems should be examined with
+    // FileSystem permission.
+    return fileapi::FILE_PERMISSION_USE_FILESYSTEM_PERMISSION;
+  }
+  return fileapi::FILE_PERMISSION_USE_FILE_PERMISSION;
 }
 fileapi::FileSystemOperation* CrosMountPointProvider::CreateFileSystemOperation(

--- a/webkit/chromeos/fileapi/cros_mount_point_provider.h
+++ b/webkit/chromeos/fileapi/cros_mount_point_provider.h
@@ -57,8 +57,9 @@ class WEBKIT_STORAGE_EXPORT CrosMountPointProvider
  virtual bool IsRestrictedFileName(const FilePath& filename) const OVERRIDE;
  virtual fileapi::FileSystemFileUtil* GetFileUtil(
      fileapi::FileSystemType type) OVERRIDE;
-  virtual FilePath GetPathForPermissionsCheck(const FilePath& virtual_path)
+  virtual fileapi::FilePermissionPolicy GetPermissionPolicy(
-      const OVERRIDE;
+      const fileapi::FileSystemURL& url,
+      int permissions) const OVERRIDE;
  virtual fileapi::FileSystemOperation* CreateFileSystemOperation(
      const fileapi::FileSystemURL& url,
      fileapi::FileSystemContext* context,

--- a/webkit/fileapi/file_permission_policy.cc
+++ b/webkit/fileapi/file_permission_policy.cc
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "webkit/fileapi/file_permission_policy.h"
+#include "base/platform_file.h"
+namespace fileapi {
+const int kReadFilePermissions = base::PLATFORM_FILE_OPEN |
+                                 base::PLATFORM_FILE_READ |
+                                 base::PLATFORM_FILE_EXCLUSIVE_READ |
+                                 base::PLATFORM_FILE_ASYNC;
+const int kWriteFilePermissions = base::PLATFORM_FILE_OPEN |
+                                  base::PLATFORM_FILE_WRITE |
+                                  base::PLATFORM_FILE_EXCLUSIVE_WRITE |
+                                  base::PLATFORM_FILE_ASYNC |
+                                  base::PLATFORM_FILE_WRITE_ATTRIBUTES;
+const int kCreateFilePermissions = base::PLATFORM_FILE_CREATE;
+const int kOpenFilePermissions = base::PLATFORM_FILE_CREATE |
+                                 base::PLATFORM_FILE_OPEN_ALWAYS |
+                                 base::PLATFORM_FILE_CREATE_ALWAYS |
+                                 base::PLATFORM_FILE_OPEN_TRUNCATED |
+                                 base::PLATFORM_FILE_WRITE |
+                                 base::PLATFORM_FILE_EXCLUSIVE_WRITE |
+                                 base::PLATFORM_FILE_DELETE_ON_CLOSE |
+                                 base::PLATFORM_FILE_WRITE_ATTRIBUTES;
+}  // namespace fileapi
--- a/webkit/fileapi/file_permission_policy.h
+++ b/webkit/fileapi/file_permission_policy.h
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#ifndef WEBKIT_FILEAPI_FILE_PERMISSION_POLICY_H_
+#define WEBKIT_FILEAPI_FILE_PERMISSION_POLICY_H_
+#include "webkit/storage/webkit_storage_export.h"
+namespace fileapi {
+WEBKIT_STORAGE_EXPORT extern const int kReadFilePermissions;
+WEBKIT_STORAGE_EXPORT extern const int kWriteFilePermissions;
+WEBKIT_STORAGE_EXPORT extern const int kCreateFilePermissions;
+WEBKIT_STORAGE_EXPORT extern const int kOpenFilePermissions;
+enum FilePermissionPolicy {
+  // Any access should be always denied.
+  FILE_PERMISSION_ALWAYS_DENY,
+  // Any access should be always allowed. (This should be used only for
+  // access to sandbox directories.)
+  FILE_PERMISSION_ALWAYS_ALLOW,
+  // Access should be examined by per-file permission policy.
+  FILE_PERMISSION_USE_FILE_PERMISSION,
+  // Access should be examined by per-filesystem permission policy.
+  FILE_PERMISSION_USE_FILESYSTEM_PERMISSION,
+};
+}  // namespace fileapi
+#endif  // WEBKIT_FILEAPI_FILE_PERMISSION_POLICY_H_
--- a/webkit/fileapi/file_system_mount_point_provider.h
+++ b/webkit/fileapi/file_system_mount_point_provider.h
@@ -11,6 +11,7 @@
 #include "base/callback_forward.h"
 #include "base/file_path.h"
 #include "base/platform_file.h"
+#include "webkit/fileapi/file_permission_policy.h"
 #include "webkit/fileapi/file_system_types.h"
 #include "webkit/storage/webkit_storage_export.h"
@@ -68,10 +69,10 @@ class WEBKIT_STORAGE_EXPORT FileSystemMountPointProvider {
  // Returns the specialized FileSystemFileUtil for this mount point.
  virtual FileSystemFileUtil* GetFileUtil(FileSystemType type) = 0;
-  // Returns file path we should use to check access permissions for
+  // Returns file permission policy we should apply for the given |url|.
-  // |virtual_path|.
+  virtual FilePermissionPolicy GetPermissionPolicy(
-  virtual FilePath GetPathForPermissionsCheck(const FilePath& virtual_path)
+      const FileSystemURL& url,
-      const = 0;
+      int permissions) const = 0;
  // Returns a new instance of the specialized FileSystemOperation for this
  // mount point based on the given triplet of |origin_url|, |file_system_type|

--- a/webkit/fileapi/isolated_mount_point_provider.cc
+++ b/webkit/fileapi/isolated_mount_point_provider.cc
@@ -100,10 +100,16 @@ FileSystemFileUtil* IsolatedMountPointProvider::GetFileUtil(
  return NULL;
 }
-FilePath IsolatedMountPointProvider::GetPathForPermissionsCheck(
+FilePermissionPolicy IsolatedMountPointProvider::GetPermissionPolicy(
-    const FilePath& virtual_path) const {
+    const FileSystemURL& url, int permissions) const {
-  // For isolated filesystems we only check per-filesystem permissions.
+  if (url.type() == kFileSystemTypeDragged && url.path().empty()) {
-  return FilePath();
+    // The root directory of the dragged filesystem must be always read-only.
+    if (permissions != kReadFilePermissions)
+      return FILE_PERMISSION_ALWAYS_DENY;
+  }
+  // Access to isolated file systems should be checked using per-filesystem
+  // access permission.
+  return FILE_PERMISSION_USE_FILESYSTEM_PERMISSION;
 }
 FileSystemOperation* IsolatedMountPointProvider::CreateFileSystemOperation(

--- a/webkit/fileapi/isolated_mount_point_provider.h
+++ b/webkit/fileapi/isolated_mount_point_provider.h
@@ -38,8 +38,9 @@ class IsolatedMountPointProvider : public FileSystemMountPointProvider {
  virtual bool IsAccessAllowed(const FileSystemURL& url) OVERRIDE;
  virtual bool IsRestrictedFileName(const FilePath& filename) const OVERRIDE;
  virtual FileSystemFileUtil* GetFileUtil(FileSystemType type) OVERRIDE;
-  virtual FilePath GetPathForPermissionsCheck(const FilePath& virtual_path)
+  virtual FilePermissionPolicy GetPermissionPolicy(
-      const OVERRIDE;
+      const FileSystemURL& url,
+      int permissions) const OVERRIDE;
  virtual FileSystemOperation* CreateFileSystemOperation(
      const FileSystemURL& url,
      FileSystemContext* context,

--- a/webkit/fileapi/sandbox_mount_point_provider.cc
+++ b/webkit/fileapi/sandbox_mount_point_provider.cc
@@ -255,11 +255,13 @@ FileSystemFileUtil* SandboxMountPointProvider::GetFileUtil(
  return sandbox_file_util_.get();
 }
-FilePath SandboxMountPointProvider::GetPathForPermissionsCheck(
+FilePermissionPolicy SandboxMountPointProvider::GetPermissionPolicy(
-    const FilePath& virtual_path) const {
+    const FileSystemURL& url, int permissions) const {
-  // Sandbox provider shouldn't directly grant permissions for its
+  // Access to the sandbox directory (and only to the directory) should be
-  // data directory.
+  // always allowed.
-  return FilePath();
+  CHECK(CanHandleType(url.type()));
+  CHECK(!url.path().ReferencesParent());
+  return FILE_PERMISSION_ALWAYS_ALLOW;
 }
 FileSystemOperation* SandboxMountPointProvider::CreateFileSystemOperation(

--- a/webkit/fileapi/sandbox_mount_point_provider.h
+++ b/webkit/fileapi/sandbox_mount_point_provider.h
@@ -83,8 +83,9 @@ class WEBKIT_STORAGE_EXPORT SandboxMountPointProvider
  virtual bool IsAccessAllowed(const FileSystemURL& url) OVERRIDE;
  virtual bool IsRestrictedFileName(const FilePath& filename) const OVERRIDE;
  virtual FileSystemFileUtil* GetFileUtil(FileSystemType type) OVERRIDE;
-  virtual FilePath GetPathForPermissionsCheck(const FilePath& virtual_path)
+  virtual FilePermissionPolicy GetPermissionPolicy(
-      const OVERRIDE;
+      const FileSystemURL& url,
+      int permissions) const OVERRIDE;
  virtual FileSystemOperation* CreateFileSystemOperation(
      const FileSystemURL& url,
      FileSystemContext* context,

--- a/webkit/fileapi/test_mount_point_provider.cc
+++ b/webkit/fileapi/test_mount_point_provider.cc
@@ -114,9 +114,9 @@ FileSystemFileUtil* TestMountPointProvider::GetFileUtil(FileSystemType type) {
  return local_file_util_.get();
 }
-FilePath TestMountPointProvider::GetPathForPermissionsCheck(
+FilePermissionPolicy TestMountPointProvider::GetPermissionPolicy(
-    const FilePath& virtual_path) const {
+    const FileSystemURL& url, int permissions) const {
-  return base_path_.Append(virtual_path);
+  return FILE_PERMISSION_ALWAYS_DENY;
 }
 FileSystemOperation* TestMountPointProvider::CreateFileSystemOperation(

--- a/webkit/fileapi/test_mount_point_provider.h
+++ b/webkit/fileapi/test_mount_point_provider.h
@@ -44,8 +44,9 @@ class WEBKIT_STORAGE_EXPORT_PRIVATE TestMountPointProvider
  virtual bool IsAccessAllowed(const FileSystemURL& url) OVERRIDE;
  virtual bool IsRestrictedFileName(const FilePath& filename) const OVERRIDE;
  virtual FileSystemFileUtil* GetFileUtil(FileSystemType type) OVERRIDE;
-  virtual FilePath GetPathForPermissionsCheck(const FilePath& virtual_path)
+  virtual FilePermissionPolicy GetPermissionPolicy(
-      const OVERRIDE;
+      const FileSystemURL& url,
+      int permissions) const OVERRIDE;
  virtual FileSystemOperation* CreateFileSystemOperation(
      const FileSystemURL& url,
      FileSystemContext* context,

--- a/webkit/fileapi/webkit_fileapi.gypi
+++ b/webkit/fileapi/webkit_fileapi.gypi
@@ -6,6 +6,8 @@
  'variables': {
    'webkit_fileapi_sources': [
      '../fileapi/file_observers.h',
+      '../fileapi/file_permission_policy.cc',
+      '../fileapi/file_permission_policy.h',
      '../fileapi/file_stream_writer.h',
      '../fileapi/file_system_callback_dispatcher.cc',
      '../fileapi/file_system_callback_dispatcher.h',