NaCl: enable meta-based validation for shared libraries.

chrome/browser/nacl_host/nacl_process_host.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/nacl_host/nacl_process_host.h"
 
 #include <string>
 #include <vector>
 
 #include "base/base_switches.h"
@@ skipping 605 matching lines @@
   return true;
 }
 
 bool NaClProcessHost::OnMessageReceived(const IPC::Message& msg) {
   bool handled = true;
   IPC_BEGIN_MESSAGE_MAP(NaClProcessHost, msg)
     IPC_MESSAGE_HANDLER(NaClProcessMsg_QueryKnownToValidate,
                         OnQueryKnownToValidate)
     IPC_MESSAGE_HANDLER(NaClProcessMsg_SetKnownToValidate,
                         OnSetKnownToValidate)
+    IPC_MESSAGE_HANDLER_DELAY_REPLY(NaClProcessMsg_ResolveFileNonce,
+                                    OnResolveFileNonce)
 #if defined(OS_WIN)
     IPC_MESSAGE_HANDLER_DELAY_REPLY(NaClProcessMsg_AttachDebugExceptionHandler,
                                     OnAttachDebugExceptionHandler)
 #endif
     IPC_MESSAGE_HANDLER(NaClProcessHostMsg_PpapiChannelCreated,
                         OnPpapiChannelCreated)
     IPC_MESSAGE_UNHANDLED(handled = false)
   IPC_END_MESSAGE_MAP()
   return handled;
 }
@@ skipping 118 matching lines @@
   const ChildProcessData& data = process_->GetData();
   if (!ShareHandleToSelLdr(data.handle,
                            internal_->socket_for_sel_ldr, true,
                            &params.handles)) {
     return false;
   }
 
   if (params.uses_irt) {
     base::PlatformFile irt_file = nacl_browser->IrtFile();
     CHECK_NE(irt_file, base::kInvalidPlatformFileValue);
-
     // Send over the IRT file handle.  We don't close our own copy!
     if (!ShareHandleToSelLdr(data.handle, irt_file, false, &params.handles))
       return false;
   }
 
 #if defined(OS_MACOSX)
   // For dynamic loading support, NaCl requires a file descriptor that
   // was created in /tmp, since those created with shm_open() are not
   // mappable with PROT_EXEC.  Rather than requiring an extra IPC
   // round trip out of the sandbox, we create an FD here.
@@ skipping 148 matching lines @@
 void NaClProcessHost::OnQueryKnownToValidate(const std::string& signature,
                                              bool* result) {
   NaClBrowser* nacl_browser = NaClBrowser::GetInstance();
   *result = nacl_browser->QueryKnownToValidate(signature, off_the_record_);
 }
 
 void NaClProcessHost::OnSetKnownToValidate(const std::string& signature) {
   NaClBrowser::GetInstance()->SetKnownToValidate(signature, off_the_record_);
 }
 
+void NaClProcessHost::FileResolved(
+    base::PlatformFile* file,
+    const base::FilePath& file_path,
+    IPC::Message* reply_msg) {
+

[Mark Seaborn, 2013/05/16 23:01:47]

Remove empty line at function start

[Nick Bray (chromium), 2013/05/21 20:09:06]

Done.

+  if (*file != base::kInvalidPlatformFileValue) {
+    IPC::PlatformFileForTransit handle = IPC::GetFileHandleForProcess(
+        *file,
+        process_->GetData().handle,
+        true /* close_source */);
+    NaClProcessMsg_ResolveFileNonce::WriteReplyParams(
+        reply_msg,
+        handle,
+        file_path);
+  } else {
+    NaClProcessMsg_ResolveFileNonce::WriteReplyParams(
+        reply_msg,
+        IPC::InvalidPlatformFileForTransit(),
+        base::FilePath(FILE_PATH_LITERAL("")));
+  }
+  Send(reply_msg);
+}
+
+void NaClProcessHost::OnResolveFileNonce(uint64 nonce,
+                                         IPC::Message* reply_msg) {
+  // Was the file registered?
+  // Note that the file path cache is of bounded size, and old entries can get
+  // evicted.  If a large number of NaCl modules are being launched at once,
+  // resolving the nonce may fail because the path cache was thrashed while the

[Mark Seaborn, 2013/05/16 23:01:47]

As I said in the other comment, this is bad, so you should at least have a TODO
to fix this.

[Nick Bray (chromium), 2013/05/21 20:09:06]

The cache is big enough this shouldn't happen in practice, this behavior is not
particularly bad, and there isn't a good alternative, given architectural
constraints.  A TODO would just be clutter.

+  // nonce was in flight.  In this case the query fails, and we need to fall
+  // back to the slower path.
+  base::FilePath file_path;
+  if (!NaClBrowser::GetInstance()->GetFilePath(nonce, &file_path)){

[Mark Seaborn, 2013/05/16 23:01:47]

Add space: ") {"

[Nick Bray (chromium), 2013/05/21 20:09:06]

Done.

+     NaClProcessMsg_ResolveFileNonce::WriteReplyParams(

[Mark Seaborn, 2013/05/16 23:01:47]

Wrong indentation here (it's using 2+3 instead of 2+2)

[Nick Bray (chromium), 2013/05/21 20:09:06]

Done.

+         reply_msg,
+         IPC::InvalidPlatformFileForTransit(),
+         base::FilePath(FILE_PATH_LITERAL("")));
+     Send(reply_msg);
+     return;
+  }
+
+  // Scratch space to share between the callbacks.
+  base::PlatformFile* data = new base::PlatformFile();
+
+  // Open the file.
+  if (!content::BrowserThread::PostBlockingPoolTaskAndReply(
+      FROM_HERE,

[Mark Seaborn, 2013/05/16 23:01:47]

Indent the function's arguments

[Nick Bray (chromium), 2013/05/21 20:09:06]

They are.  Four space indent.  Which is ambiguous with the bracket alignment, in
this case.  If you have a better suggestion, please be explicit.

+      base::Bind(nacl::OpenNaClExecutableImpl,
+                 file_path, data),
+      base::Bind(&NaClProcessHost::FileResolved,
+                 weak_factory_.GetWeakPtr(),
+                 base::Owned(data),
+                 file_path,
+                 reply_msg))) {
+     NaClProcessMsg_ResolveFileNonce::WriteReplyParams(
+         reply_msg,
+         IPC::InvalidPlatformFileForTransit(),
+         base::FilePath(FILE_PATH_LITERAL("")));
+     Send(reply_msg);
+  }
+}
+
 #if defined(OS_WIN)
 void NaClProcessHost::OnAttachDebugExceptionHandler(const std::string& info,
                                                     IPC::Message* reply_msg) {
   if (!AttachDebugExceptionHandler(info, reply_msg)) {
     // Send failure message.
     NaClProcessMsg_AttachDebugExceptionHandler::WriteReplyParams(reply_msg,
                                                                  false);
     Send(reply_msg);
   }
 }
@@ skipping 48 matching lines @@
   } else {
     NaClStartDebugExceptionHandlerThread(
         process_handle.Take(), info,
         base::MessageLoopProxy::current(),
         base::Bind(&NaClProcessHost::OnDebugExceptionHandlerLaunchedByBroker,
                    weak_factory_.GetWeakPtr()));
     return true;
   }
 }
 #endif