NaCl: enable meta-based validation for shared libraries.

chrome/browser/nacl_host/nacl_process_host.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/nacl_host/nacl_process_host.h"
 
 #include <string>
 #include <vector>
 
 #include "base/base_switches.h"
@@ skipping 605 matching lines @@
   return true;
 }
 
 bool NaClProcessHost::OnMessageReceived(const IPC::Message& msg) {
   bool handled = true;
   IPC_BEGIN_MESSAGE_MAP(NaClProcessHost, msg)
     IPC_MESSAGE_HANDLER(NaClProcessMsg_QueryKnownToValidate,
                         OnQueryKnownToValidate)
     IPC_MESSAGE_HANDLER(NaClProcessMsg_SetKnownToValidate,
                         OnSetKnownToValidate)
+    IPC_MESSAGE_HANDLER_DELAY_REPLY(NaClProcessMsg_ResolveFileToken,
+                                    OnResolveFileToken)
 #if defined(OS_WIN)
     IPC_MESSAGE_HANDLER_DELAY_REPLY(NaClProcessMsg_AttachDebugExceptionHandler,
                                     OnAttachDebugExceptionHandler)
 #endif
     IPC_MESSAGE_HANDLER(NaClProcessHostMsg_PpapiChannelCreated,
                         OnPpapiChannelCreated)
     IPC_MESSAGE_UNHANDLED(handled = false)
   IPC_END_MESSAGE_MAP()
   return handled;
 }
@@ skipping 118 matching lines @@
   const ChildProcessData& data = process_->GetData();
   if (!ShareHandleToSelLdr(data.handle,
                            internal_->socket_for_sel_ldr, true,
                            &params.handles)) {
     return false;
   }
 
   if (params.uses_irt) {
     base::PlatformFile irt_file = nacl_browser->IrtFile();
     CHECK_NE(irt_file, base::kInvalidPlatformFileValue);
-
     // Send over the IRT file handle.  We don't close our own copy!
     if (!ShareHandleToSelLdr(data.handle, irt_file, false, &params.handles))
       return false;
   }
 
 #if defined(OS_MACOSX)
   // For dynamic loading support, NaCl requires a file descriptor that
   // was created in /tmp, since those created with shm_open() are not
   // mappable with PROT_EXEC.  Rather than requiring an extra IPC
   // round trip out of the sandbox, we create an FD here.
@@ skipping 148 matching lines @@
 void NaClProcessHost::OnQueryKnownToValidate(const std::string& signature,
                                              bool* result) {
   NaClBrowser* nacl_browser = NaClBrowser::GetInstance();
   *result = nacl_browser->QueryKnownToValidate(signature, off_the_record_);
 }
 
 void NaClProcessHost::OnSetKnownToValidate(const std::string& signature) {
   NaClBrowser::GetInstance()->SetKnownToValidate(signature, off_the_record_);
 }
 
+void NaClProcessHost::FileResolved(
+    base::PlatformFile* file,
+    const base::FilePath& file_path,
+    IPC::Message* reply_msg) {
+  if (*file != base::kInvalidPlatformFileValue) {
+    IPC::PlatformFileForTransit handle = IPC::GetFileHandleForProcess(
+        *file,
+        process_->GetData().handle,
+        true /* close_source */);
+    NaClProcessMsg_ResolveFileToken::WriteReplyParams(
+        reply_msg,
+        handle,
+        file_path);
+  } else {
+    NaClProcessMsg_ResolveFileToken::WriteReplyParams(
+        reply_msg,
+        IPC::InvalidPlatformFileForTransit(),
+        base::FilePath(FILE_PATH_LITERAL("")));
+  }
+  Send(reply_msg);
+}
+
+void NaClProcessHost::OnResolveFileToken(uint64 file_token_lo,
+                                         uint64 file_token_hi,
+                                         IPC::Message* reply_msg) {
+  // Was the file registered?
+  // Note that the file path cache is of bounded size, and old entries can get
+  // evicted.  If a large number of NaCl modules are being launched at once,
+  // resolving the file_token may fail because the path cache was thrashed
+  // while the file_token was in flight.  In this case the query fails, and we
+  // need to fall back to the slower path.
+  base::FilePath file_path;
+  if (!NaClBrowser::GetInstance()->GetFilePath(file_token_lo, file_token_hi,
+                                               &file_path)) {

[jschuh, 2013/05/23 01:02:32]

This seems like unambiguously bad occurrence. At a minimum we should have a
NOTREACHED, but maybe we should actually terminate the child process?

[Nick Bray (chromium), 2013/05/23 16:44:11]

See the above comment.  Bounding the cache size implies that it may be valid for
the query to fail. :/

[bsy_cr, 2013/05/23 17:57:24]

Just because it's valid doesn't mean it's likely.  We should do (upper bound)
estimates of number of tabs -- hundreds? -- that might re-open when the browser
restarts, and the percentage of them that might involve NaCl -- 5%? 10%? -- and
the number of manifest entries -- 64? 128? -- to get an estimate for when the
cache might hit size limits.  Assume worse case behavior (not serial startup),
etc.

Furthermore, since the cache doesn't actually hold file descriptors (limited
global resources) any more and just hold file tokens, that argument for keeping
the cache really small no longer apply.  The only limit is memory, albeit still
a limited resource, but much less limiting.  So, I'd like to see at least a
ballpark analysis/discussion for the proper size for the cache, its cost in
memory usage, versus the likelihood of a valid cache miss.  If the probability
of a valid cache miss is low, then this could be a useful signal.  Even if it is
not super low, a sharp spike in the cache miss rate is a signal that there might
be something "interesting" going on in the wild.

Could we have UMA or other feedback statistics for this?  At least a comment
about the considerations, please.

[Nick Bray (chromium), 2013/05/24 16:54:28]

Done.

+    NaClProcessMsg_ResolveFileToken::WriteReplyParams(
+        reply_msg,
+        IPC::InvalidPlatformFileForTransit(),
+        base::FilePath(FILE_PATH_LITERAL("")));
+    Send(reply_msg);
+    return;
+  }
+
+  // Scratch space to share between the callbacks.
+  base::PlatformFile* data = new base::PlatformFile();
+
+  // Open the file.
+  if (!content::BrowserThread::PostBlockingPoolTaskAndReply(
+      FROM_HERE,
+      base::Bind(nacl::OpenNaClExecutableImpl,
+                 file_path, data),
+      base::Bind(&NaClProcessHost::FileResolved,
+                 weak_factory_.GetWeakPtr(),
+                 base::Owned(data),
+                 file_path,
+                 reply_msg))) {
+     NaClProcessMsg_ResolveFileToken::WriteReplyParams(
+         reply_msg,
+         IPC::InvalidPlatformFileForTransit(),
+         base::FilePath(FILE_PATH_LITERAL("")));
+     Send(reply_msg);
+  }
+}
+
 #if defined(OS_WIN)
 void NaClProcessHost::OnAttachDebugExceptionHandler(const std::string& info,
                                                     IPC::Message* reply_msg) {
   if (!AttachDebugExceptionHandler(info, reply_msg)) {
     // Send failure message.
     NaClProcessMsg_AttachDebugExceptionHandler::WriteReplyParams(reply_msg,
                                                                  false);
     Send(reply_msg);
   }
 }
@@ skipping 48 matching lines @@
   } else {
     NaClStartDebugExceptionHandlerThread(
         process_handle.Take(), info,
         base::MessageLoopProxy::current(),
         base::Bind(&NaClProcessHost::OnDebugExceptionHandlerLaunchedByBroker,
                    weak_factory_.GetWeakPtr()));
     return true;
   }
 }
 #endif