NaCl: enable meta-based validation for shared libraries.

chrome/nacl/nacl_validation_query.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/nacl/nacl_validation_query.h"
 
 #include "base/logging.h"
 #include "crypto/nss_util.h"
 #include "chrome/nacl/nacl_validation_db.h"
 #include "native_client/src/trusted/validator/validation_cache.h"
@@ skipping 11 matching lines @@
   CHECK(nacl_version.length() >= 4);
 }
 
 NaClValidationQuery* NaClValidationQueryContext::CreateQuery() {
   NaClValidationQuery* query = new NaClValidationQuery(db_, profile_key_);
   // Changing the version effectively invalidates existing hashes.
   query->AddData(nacl_version_);
   return query;
 }
 
+bool NaClValidationQueryContext::ResolveFileNonce(uint64 nonce, int32* fd,
+                                                  std::string* path) {
+  return db_->ResolveFileNonce(nonce, fd, path);
+}
+
 NaClValidationQuery::NaClValidationQuery(NaClValidationDB* db,
                                          const std::string& profile_key)
     : state_(READY),
       hasher_(crypto::HMAC::SHA256),
       db_(db),
       buffer_length_(0) {
   // Without this line on Linux, HMAC::Init will instantiate a singleton that
   // in turn attempts to open a file.  Disabling this behavior avoids a ~70 ms
   // stall the first time HMAC is used.
   // This function is also called in nacl_helper_linux.cc, but nacl_helper may
@@ skipping 78 matching lines @@
 }
 
 static void SetKnownToValidate(void* query) {
   static_cast<NaClValidationQuery*>(query)->SetKnownToValidate();
 }
 
 static void DestroyQuery(void* query) {
   delete static_cast<NaClValidationQuery*>(query);
 }
 
+static int ResolveFileNonce(void* handle, uint64 nonce, int32* fd,

[Mark Seaborn, 2013/05/16 23:01:47]

So you're returning absolute filenames to the NaCl process.  This means that
you'll reveal pathnames like "/home/mseaborn/..." to the NaCl process.

That isn't ideal, although env vars are currently inherited by the NaCl process
which expose similar information.  But it would be nice not to add to the set of
things that are exposed this way.

Could you pass a hash of the filename to the NaCl process instead?

[Nick Bray (chromium), 2013/05/21 20:09:06]

Security team is not worried, and I have too much to deal with already.  The
interface does not preclude changing this later.

+                            char** file_path, uint32 *file_path_length) {
+  std::string path;
+  *file_path = NULL;
+  *file_path_length = 0;
+  bool ok = static_cast<NaClValidationQueryContext*>(handle)->
+      ResolveFileNonce(nonce, fd, &path);
+  if (ok) {
+    *file_path = (char *) malloc(path.length() + 1);

[Mark Seaborn, 2013/05/16 23:01:47]

Use C++-style casts?

[Nick Bray (chromium), 2013/05/21 20:09:06]

Done.

+    CHECK(*file_path);
+    memcpy(*file_path, path.data(), path.length());
+    (*file_path)[path.length()] = 0;
+    *file_path_length = (uint32) path.length();

[Mark Seaborn, 2013/05/16 23:01:47]

Ditto

[Nick Bray (chromium), 2013/05/21 20:09:06]

Done.

+  }
+  return ok;
+}
+
 struct NaClValidationCache* CreateValidationCache(
     NaClValidationDB* db, const std::string& profile_key,
     const std::string& nacl_version) {
   NaClValidationCache* cache =
       static_cast<NaClValidationCache*>(malloc(sizeof(NaClValidationCache)));
   // Make sure any fields introduced in a cross-repo change are zeroed.
   memset(cache, 0, sizeof(*cache));
   cache->handle = new NaClValidationQueryContext(db, profile_key, nacl_version);
   cache->CreateQuery = CreateQuery;
   cache->AddData = AddData;
   cache->QueryKnownToValidate = QueryKnownToValidate;
   cache->SetKnownToValidate = SetKnownToValidate;
   cache->DestroyQuery = DestroyQuery;
+  cache->ResolveFileNonce = ResolveFileNonce;
   return cache;
 }