SFI NaCl: Batch-open resource files

components/nacl/loader/nacl_ipc_adapter.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/nacl/loader/nacl_ipc_adapter.h"
 
 #include <limits.h>
 #include <string.h>
 
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/location.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/shared_memory.h"
 #include "base/task_runner_util.h"
+#include "base/tuple.h"
 #include "build/build_config.h"
 #include "ipc/ipc_channel.h"
 #include "ipc/ipc_platform_file.h"
 #include "native_client/src/public/nacl_desc.h"
 #include "native_client/src/trusted/desc/nacl_desc_base.h"
 #include "native_client/src/trusted/desc/nacl_desc_custom.h"
 #include "native_client/src/trusted/desc/nacl_desc_imc_shm.h"
 #include "native_client/src/trusted/desc/nacl_desc_io.h"
 #include "native_client/src/trusted/desc/nacl_desc_quota.h"
 #include "native_client/src/trusted/desc/nacl_desc_quota_interface.h"
@@ skipping 469 matching lines @@
       // descriptor received, we send the file token to the browser in
       // exchange for a new file descriptor and file path information.
       // That file descriptor can be used to construct a NaClDesc with
       // identity-based validation caching.
       //
       // We do not use file descriptors from the renderer with validation
       // caching; a compromised renderer should not be able to run
       // arbitrary code in a plugin process.
       DCHECK(!resolve_file_token_cb_.is_null());
 
-      // resolve_file_token_cb_ must be invoked from the main thread.
+      // resolve_file_token_cb_ must be invoked from the I/O thread.
       resolve_file_token_cb_.Run(
           token_lo,
           token_hi,
-          base::Bind(&NaClIPCAdapter::OnFileTokenResolved,
+          base::Bind(&NaClIPCAdapter::SaveOpenResourceMessage,
                      this,
                      msg));
 
       // In this case, we don't release the message to NaCl untrusted code
       // immediately. We defer it until we get an async message back from the
       // browser process.
       return true;
     }
   }
   return RewriteMessage(msg, type);
@@ skipping 97 matching lines @@
   // The file descriptor is at index 0. There's only ever one file
   // descriptor provided for this message type, so this will be correct.
   new_msg->WriteInt(0);
 
   // Write empty file tokens.
   new_msg->WriteUInt64(0);  // token_lo
   new_msg->WriteUInt64(0);  // token_hi
   return new_msg.Pass();
 }
 
-void NaClIPCAdapter::OnFileTokenResolved(const IPC::Message& orig_msg,
-                                         IPC::PlatformFileForTransit ipc_fd,
-                                         base::FilePath file_path) {
+void NaClIPCAdapter::SaveOpenResourceMessage(
+    const IPC::Message& orig_msg,
+    IPC::PlatformFileForTransit ipc_fd,
+    base::FilePath file_path) {
   // The path where an invalid ipc_fd is returned isn't currently
   // covered by any tests.
   if (ipc_fd == IPC::InvalidPlatformFileForTransit()) {
     // The file token didn't resolve successfully, so we give the
     // original FD to the client without making a validated NaClDesc.
     // However, we must rewrite the message to clear the file tokens.
     PickleIterator iter = IPC::SyncMessage::GetDataIterator(&orig_msg);
     ppapi::proxy::SerializedHandle sh;
 
     // We know that this can be read safely; see the original read in
@@ skipping 140 matching lines @@
 
 void NaClIPCAdapter::CloseChannelOnIOThread() {
   io_thread_data_.channel_->Close();
 }
 
 void NaClIPCAdapter::SendMessageOnIOThread(scoped_ptr<IPC::Message> message) {
   int id = IPC::SyncMessage::GetMessageId(*message.get());
   DCHECK(io_thread_data_.pending_sync_msgs_.find(id) ==
          io_thread_data_.pending_sync_msgs_.end());
 
+  // Handle PpapiHostMsg_OpenResource locally without sending an IPC to the
+  // renderer when possible.
+  PpapiHostMsg_OpenResource::Schema::SendParam send_params;
+  if (!open_resource_cb_.is_null() &&
+      message->type() == PpapiHostMsg_OpenResource::ID &&
+      PpapiHostMsg_OpenResource::ReadSendParam(message.get(), &send_params)) {
+    const std::string key = get<0>(send_params);
+    // Both open_resource_cb_ and SaveOpenResourceMessage must be invoked
+    // from the I/O thread.
+    if (open_resource_cb_.Run(
+            *message.get(), key,
+            base::Bind(&NaClIPCAdapter::SaveOpenResourceMessage, this))) {
+      // The callback sent a reply to the untrusted side.
+      return;
+    }
+  }
+
   if (message->is_sync())
     io_thread_data_.pending_sync_msgs_[id] = message->type();
   io_thread_data_.channel_->Send(message.release());
 }
 
 void NaClIPCAdapter::SaveMessage(const IPC::Message& msg,
                                  RewrittenMessage* rewritten_msg) {
   lock_.AssertAcquired();
   // There is some padding in this structure (the "padding" member is 16
   // bits but this then gets padded to 32 bits). We want to be sure not to
   // leak data to the untrusted plugin, so zero everything out first.
   NaClMessageHeader header;
   memset(&header, 0, sizeof(NaClMessageHeader));
 
   header.payload_size = static_cast<uint32>(msg.payload_size());
   header.routing = msg.routing_id();
   header.type = msg.type();
   header.flags = msg.flags();
   header.num_fds = static_cast<uint16>(rewritten_msg->desc_count());
 
   rewritten_msg->SetData(header, msg.payload(), msg.payload_size());
   locked_data_.to_be_received_.push(rewritten_msg);
 }
 
 int TranslatePepperFileReadWriteOpenFlagsForTesting(int32_t pp_open_flags) {
   return TranslatePepperFileReadWriteOpenFlags(pp_open_flags);
 }