NaCl: enable meta-based validation for shared libraries.

chrome/browser/nacl_host/nacl_browser.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CHROME_BROWSER_NACL_HOST_NACL_BROWSER_H_
 #define CHROME_BROWSER_NACL_HOST_NACL_BROWSER_H_
 
 #include "base/bind.h"
+#include "base/containers/mru_cache.h"
 #include "base/files/file_util_proxy.h"
 #include "base/memory/singleton.h"
 #include "base/memory/weak_ptr.h"
 #include "base/platform_file.h"
 #include "chrome/browser/nacl_host/nacl_validation_cache.h"
 
 class URLPattern;
 class GURL;
 
+namespace nacl {
+
+// Open an immutable executable file that can be mmapped.
+// This function should only be called on a thread that can perform file IO.
+void OpenNaClExecutableImpl(const base::FilePath& file_path,
+                            base::PlatformFile* file);
+
+}
+
 // Represents shared state for all NaClProcessHost objects in the browser.
 class NaClBrowser {
  public:
   static NaClBrowser* GetInstance();
 
   // Will it be possible to launch a NaCl process, eventually?
   bool IsOk() const;
 
   // Are we ready to launch a NaCl process now?  Implies IsOk().
   bool IsReady() const;
@@ skipping 35 matching lines @@
   void ClearGdbDebugStubPortListener();
 
   bool ValidationCacheIsEnabled() const {
     return validation_cache_is_enabled_;
   }
 
   const std::string& GetValidationCacheKey() const {
     return validation_cache_.GetValidationCacheKey();
   }
 
+  // The NaCl singleton keeps information about NaCl executable files opened via
+  // PPAPI.  This allows the NaCl process to get trusted information about the
+  // file directly from the browser process.  In theory, a compromised renderer
+  // could provide a writable file handle or lie about the file's path.  If we
+  // trusted the handle was read only but it was not, a mmaped file could

[Mark Seaborn, 2013/05/24 20:21:58]

"an mmapped"

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+  // mutated after validation, allowing an escape of the NaCl sandbox.

[Mark Seaborn, 2013/05/24 20:21:58]

"could be mutated" -- or better, "could be modified"

"escape of" -> "escape from"?

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+  // Similarly, if we trusted the file path corresponded to the file handle but
+  // it did not, the validation cache could be tricked into bypassing validation
+  // for bad code.
+  // Instead of allowing these attacks, we only trust information we get

[Mark Seaborn, 2013/05/24 20:21:58]

"we" -> "the NaCl process"

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+  // directly from the browser process.  Because the information is stored in a
+  // cache of bounded size, it is not guaranteed the browser process will be
+  // able to provide the requested information.  In these cases, the NaCl
+  // process must make conservative assumptions about the origin of the file.
+  // In theory, a compromised renderer could guess file tokens in an attempt to
+  // read files it normally doesn't have access to.  This would not compromise
+  // the NaCl sandbox, however, and only has a 1 in ~2**120 chance of success
+  // per guess.
+  // TODO(ncbray): move the cache onto the NaCl process host to completely

[Mark Seaborn, 2013/05/24 20:21:58]

"onto the NaCl process host" -> "into NaClProcessHost"

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+  // prevent one process from guessing the token of another process.

[Mark Seaborn, 2013/05/24 20:21:58]

Nit: it doesn't prevent guessing, it prevents guessing from having any
consequence.  "So that we don't rely on file tokens being unguessable"?

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+  void PutFilePath(const base::FilePath& path, uint64* file_token_lo,
+                   uint64* file_token_hi);
+  bool GetFilePath(uint64 file_token_lo, uint64 file_token_hi,
+                   base::FilePath* path);
+
   bool QueryKnownToValidate(const std::string& signature, bool off_the_record);
   void SetKnownToValidate(const std::string& signature, bool off_the_record);
   void ClearValidationCache(const base::Closure& callback);
 
  private:
   friend struct DefaultSingletonTraits<NaClBrowser>;
 
   enum NaClResourceState {
     NaClResourceUninitialized,
     NaClResourceRequested,
@@ skipping 33 matching lines @@
   std::vector<URLPattern> debug_patterns_;
   bool inverse_debug_patterns_;
   NaClValidationCache validation_cache_;
   NaClValidationCache off_the_record_validation_cache_;
   base::FilePath validation_cache_file_path_;
   bool validation_cache_is_enabled_;
   bool validation_cache_is_modified_;
   NaClResourceState validation_cache_state_;
   base::Callback<void(int)> debug_stub_port_listener_;
 
+  typedef base::HashingMRUCache<std::string, base::FilePath> PathCacheType;
+  PathCacheType path_cache_;
+
   bool ok_;
 
   // A list of pending tasks to start NaCl processes.
   std::vector<base::Closure> waiting_;
 
   DISALLOW_COPY_AND_ASSIGN(NaClBrowser);
 };
 
 #endif  // CHROME_BROWSER_NACL_HOST_NACL_BROWSER_H_