NaCl: enable meta-based validation for shared libraries.

chrome/browser/nacl_host/nacl_browser.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/nacl_host/nacl_browser.h"
 
 #include "base/command_line.h"
 #include "base/file_util.h"
 #include "base/message_loop.h"
 #include "base/metrics/histogram.h"
 #include "base/path_service.h"
 #include "base/pickle.h"
+#include "base/rand_util.h"
 #include "base/strings/string_split.h"
 #include "base/win/windows_version.h"
 #include "build/build_config.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_paths_internal.h"
 #include "chrome/common/chrome_switches.h"
 #include "content/public/browser/browser_thread.h"
 #include "extensions/common/url_pattern.h"
 #include "googleurl/src/gurl.h"
 
 namespace {
 
 // An arbitrary delay to coalesce multiple writes to the cache.
 const int kValidationCacheCoalescingTimeMS = 6000;
 const char kValidationCacheSequenceName[] = "NaClValidationCache";
 const base::FilePath::CharType kValidationCacheFileName[] =
     FILE_PATH_LITERAL("nacl_validation_cache.bin");
 
 const bool kValidationCacheEnabledByDefault = true;
 
 enum ValidationCacheStatus {
   CACHE_MISS = 0,
   CACHE_HIT,
   CACHE_MAX
 };
 
+// Keep the cache bounded to an arbitrary size.  If it's too small, useful
+// entries could be evicted when multiple .nexes are loaded at once.  On the
+// other hand, entries are not always claimed, so the size of the cache will

[Mark Seaborn, 2013/05/24 20:21:58]

Say "claimed (and hence removed)"?  Otherwise it's not clear what "claimed"
means.

Why aren't entries always claimed?

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+// likely saturate at its maximum size.
+const int kFilePathCacheSize = 100;
+
 const base::FilePath::StringType NaClIrtName() {
   base::FilePath::StringType irt_name(FILE_PATH_LITERAL("nacl_irt_"));
 
 #if defined(ARCH_CPU_X86_FAMILY)
 #if defined(ARCH_CPU_X86_64)
   bool is64 = true;
 #elif defined(OS_WIN)
   bool is64 = (base::win::OSInfo::GetInstance()->wow64_status() ==
                base::win::OSInfo::WOW64_ENABLED);
 #else
@@ skipping 50 matching lines @@
   UMA_HISTOGRAM_ENUMERATION("NaCl.ValidationCache.Query", status, CACHE_MAX);
 }
 
 void LogCacheSet(ValidationCacheStatus status) {
   // Bucket zero is reserved for future use.
   UMA_HISTOGRAM_ENUMERATION("NaCl.ValidationCache.Set", status, CACHE_MAX);
 }
 
 }  // namespace
 
+namespace nacl {
+
+void OpenNaClExecutableImpl(const base::FilePath& file_path,
+                            base::PlatformFile* file) {
+  // Get a file descriptor. On Windows, we need 'GENERIC_EXECUTE' in order to
+  // memory map the executable.
+  // IMPORTANT: This file descriptor must not have write access - that could
+  // allow a NaCl inner sandbox escape.
+  base::PlatformFileError error_code;
+  *file = base::CreatePlatformFile(
+      file_path,
+      (base::PLATFORM_FILE_OPEN |
+       base::PLATFORM_FILE_READ |
+       base::PLATFORM_FILE_EXECUTE),  // Windows only flag.
+      NULL,
+      &error_code);
+  if (error_code != base::PLATFORM_FILE_OK) {
+    *file = base::kInvalidPlatformFileValue;
+    return;
+  }
+  // Check that the file does not reference a directory. Returning a descriptor
+  // to an extension directory could allow an outer sandbox escape. openat

[Mark Seaborn, 2013/05/24 20:21:58]

"openat" -> "openat()" to be clearer what you're referring to?

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+  // could be used to traverse into the file system.
+  base::PlatformFileInfo file_info;
+  if (!base::GetPlatformFileInfo(*file, &file_info) ||
+      file_info.is_directory) {
+    base::ClosePlatformFile(*file);
+    *file = base::kInvalidPlatformFileValue;
+    return;
+  }
+}
+
+}
+
 NaClBrowser::NaClBrowser()
     : weak_factory_(this),
       irt_platform_file_(base::kInvalidPlatformFileValue),
       irt_filepath_(),
       irt_state_(NaClResourceUninitialized),
       debug_patterns_(),
       inverse_debug_patterns_(false),
       validation_cache_file_path_(),
       validation_cache_is_enabled_(
           CheckEnvVar("NACL_VALIDATION_CACHE",
                       kValidationCacheEnabledByDefault)),
       validation_cache_is_modified_(false),
       validation_cache_state_(NaClResourceUninitialized),
+      path_cache_(kFilePathCacheSize),
       ok_(true) {
   InitIrtFilePath();
   InitValidationCacheFilePath();
 }
 
 NaClBrowser::~NaClBrowser() {
   if (irt_platform_file_ != base::kInvalidPlatformFileValue)
     base::ClosePlatformFile(irt_platform_file_);
 }
 
@@ skipping 233 matching lines @@
 void NaClBrowser::WaitForResources(const base::Closure& reply) {
   waiting_.push_back(reply);
   EnsureAllResourcesAvailable();
   CheckWaiting();
 }
 
 const base::FilePath& NaClBrowser::GetIrtFilePath() {
   return irt_filepath_;
 }
 
+void NaClBrowser::PutFilePath(const base::FilePath& path, uint64 *file_token_lo,

[Mark Seaborn, 2013/05/24 20:21:58]

Fix "*" spacing style

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+                                uint64 *file_token_hi) {

[Mark Seaborn, 2013/05/24 20:21:58]

Fix indentation

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+  while (true) {
+    uint64 file_token[2] = {base::RandUint64(), base::RandUint64()};
+    // A zero file_token indicates there is no file_token, if we get zero, ask
+    // for another number.
+    if (file_token[0] != 0 || file_token[1] != 0) {
+      // If the file_token is in use, ask for another number.
+      std::string key(reinterpret_cast<char *>(file_token), sizeof(file_token));

[Mark Seaborn, 2013/05/24 20:21:58]

Spacing style should be "char*"

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+      PathCacheType::iterator iter  = path_cache_.Peek(key);
+      if (iter == path_cache_.end()) {
+        path_cache_.Put(key, path);
+        *file_token_lo = file_token[0];
+        *file_token_hi = file_token[1];
+        break;
+      }
+    }
+  }
+}
+
+bool NaClBrowser::GetFilePath(uint64 file_token_lo, uint64 file_token_hi,
+                              base::FilePath* path) {
+  uint64 file_token[2] = {file_token_lo, file_token_hi};
+  std::string key(reinterpret_cast<char *>(file_token), sizeof(file_token));

[Mark Seaborn, 2013/05/24 20:21:58]

Spacing style should be "char*"

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+  PathCacheType::iterator iter  = path_cache_.Peek(key);

[Mark Seaborn, 2013/05/24 20:21:58]

Fix spacing (you have 2 spaces before '=')

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+  if (iter == path_cache_.end()) {
+    *path = base::FilePath(FILE_PATH_LITERAL(""));
+    return false;
+  }
+  *path = iter->second;
+  path_cache_.Erase(iter);
+  return true;
+}
+
+
 bool NaClBrowser::QueryKnownToValidate(const std::string& signature,
                                        bool off_the_record) {
   if (off_the_record) {
     // If we're off the record, don't reorder the main cache.
     return validation_cache_.QueryKnownToValidate(signature, false) ||
         off_the_record_validation_cache_.QueryKnownToValidate(signature, true);
   } else {
     bool result = validation_cache_.QueryKnownToValidate(signature, true);
     LogCacheQuery(result ? CACHE_HIT : CACHE_MISS);
     // Queries can modify the MRU order of the cache.
@@ skipping 80 matching lines @@
     // because it can degrade the responsiveness of the browser.
     // The task is sequenced so that multiple writes happen in order.
     content::BrowserThread::PostBlockingPoolSequencedTask(
         kValidationCacheSequenceName,
         FROM_HERE,
         base::Bind(WriteCache, validation_cache_file_path_,
                    base::Owned(pickle)));
   }
   validation_cache_is_modified_ = false;
 }