NaCl: enable meta-based validation for shared libraries.

chrome/browser/nacl_host/nacl_file_host.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/nacl_host/nacl_file_host.h"
 
 #include "base/bind.h"
 #include "base/file_util.h"
 #include "base/files/file_path.h"
 #include "base/path_service.h"
 #include "base/platform_file.h"
 #include "base/threading/sequenced_worker_pool.h"
 #include "base/utf_string_conversions.h"
 #include "chrome/browser/extensions/extension_info_map.h"
+#include "chrome/browser/nacl_host/nacl_browser.h"
 #include "chrome/browser/renderer_host/chrome_render_message_filter.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/extensions/extension.h"
 #include "chrome/common/extensions/extension_file_util.h"
 #include "chrome/common/extensions/manifest_handlers/shared_module_info.h"
 #include "chrome/common/render_messages.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/render_view_host.h"
 #include "content/public/browser/site_instance.h"
 #include "ipc/ipc_platform_file.h"
@@ skipping 98 matching lines @@
   if (target_desc == IPC::InvalidPlatformFileForTransit()) {
     NotifyRendererOfError(chrome_render_message_filter, reply_msg);
     return;
   }
 
   ChromeViewHostMsg_NaClCreateTemporaryFile::WriteReplyParams(
       reply_msg, target_desc);
   chrome_render_message_filter->Send(reply_msg);
 }
 
+void DoOpenNaClExecutableRegister(

[Mark Seaborn, 2013/05/16 23:01:47]

Not sure I understand the name, since it suggests "executable register" is a
noun phrase.  "RegisterNaClExecutableFile"?

[Nick Bray (chromium), 2013/05/21 20:09:06]

Done.

+    scoped_refptr<ChromeRenderMessageFilter> chrome_render_message_filter,
+    base::PlatformFile file,
+    base::FilePath file_path,
+    IPC::Message* reply_msg) {
+  // IO thread owns the NaClBrowser singleton.
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
+
+  NaClBrowser* nacl_browser = NaClBrowser::GetInstance();
+  uint64_t nonce = nacl_browser->PutFilePath(file_path);
+
+  IPC::PlatformFileForTransit file_desc = IPC::GetFileHandleForProcess(
+      file,
+      chrome_render_message_filter->peer_handle(),
+      true /* close_source */);
+
+  ChromeViewHostMsg_OpenNaClExecutable::WriteReplyParams(
+      reply_msg, file_desc, nonce);
+  chrome_render_message_filter->Send(reply_msg);
+}
+
 // Convert the file URL into a file path in the extension directory.
 // This function is security sensitive.  Be sure to check with a security
 // person before you modify it.
 bool GetExtensionFilePath(
     scoped_refptr<ExtensionInfoMap> extension_info_map,
     const GURL& file_url,
     base::FilePath* file_path) {
   // Check that the URL is recognized by the extension system.
   const extensions::Extension* extension =
       extension_info_map->extensions().GetExtensionOrAppByURL(
@@ skipping 46 matching lines @@
     const GURL& file_url,
     IPC::Message* reply_msg) {
   DCHECK(BrowserThread::GetBlockingPool()->RunsTasksOnCurrentThread());
 
   base::FilePath file_path;
   if (!GetExtensionFilePath(extension_info_map, file_url, &file_path)) {
     NotifyRendererOfError(chrome_render_message_filter, reply_msg);
     return;
   }
 
-  // Get a file descriptor. On Windows, we need 'GENERIC_EXECUTE' in order to
-  // memory map the executable.
-  // IMPORTANT: This file descriptor must not have write access - that could
-  // allow a sandbox escape.
-  base::PlatformFileError error_code;
-  base::PlatformFile file = base::CreatePlatformFile(
-      file_path,
-      base::PLATFORM_FILE_OPEN |
-          base::PLATFORM_FILE_READ |
-          base::PLATFORM_FILE_EXECUTE,  // Windows only flag.
-      NULL,
-      &error_code);
-  if (error_code != base::PLATFORM_FILE_OK) {
+  base::PlatformFile file;
+  nacl::OpenNaClExecutableImpl(file_path, &file);
+  if (file != base::kInvalidPlatformFileValue) {
+    BrowserThread::PostTask(
+        BrowserThread::IO, FROM_HERE,
+        base::Bind(

[Mark Seaborn, 2013/05/16 23:01:47]

Why does this need a PostTask() now?  Is the CreatePlatformFile() call being
moved to a different thread?  If so, why?

[Nick Bray (chromium), 2013/05/21 20:09:06]

Done.

+            &DoOpenNaClExecutableRegister,
+            chrome_render_message_filter,
+            file, file_path, reply_msg));
+  } else {
     NotifyRendererOfError(chrome_render_message_filter, reply_msg);
     return;
   }
-  // Check that the file does not reference a directory. Returning a descriptor
-  // to an extension directory could allow a sandbox escape.
-  base::PlatformFileInfo file_info;
-  if (!base::GetPlatformFileInfo(file, &file_info) || file_info.is_directory)
-  {
-    NotifyRendererOfError(chrome_render_message_filter, reply_msg);
-    return;
-  }
-
-  IPC::PlatformFileForTransit file_desc = IPC::GetFileHandleForProcess(
-      file,
-      chrome_render_message_filter->peer_handle(),
-      true /* close_source */);
-
-  ChromeViewHostMsg_OpenNaClExecutable::WriteReplyParams(
-      reply_msg, file_path, file_desc);
-  chrome_render_message_filter->Send(reply_msg);
 }
 
 }  // namespace
 
 namespace nacl_file_host {
 
 void GetReadonlyPnaclFd(
     scoped_refptr<ChromeRenderMessageFilter> chrome_render_message_filter,
     const std::string& filename,
     IPC::Message* reply_msg) {
@@ skipping 94 matching lines @@
       base::Bind(
           &DoOpenNaClExecutableOnThreadPool,
           chrome_render_message_filter,
           extension_info_map,
           file_url, reply_msg))) {
     NotifyRendererOfError(chrome_render_message_filter, reply_msg);
   }
 }
 
 }  // namespace nacl_file_host