NaCl: enable meta-based validation for shared libraries.

chrome/browser/nacl_host/nacl_process_host.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/nacl_host/nacl_process_host.h"
 
 #include <string>
 #include <vector>
 
 #include "base/base_switches.h"
@@ skipping 605 matching lines @@
   return true;
 }
 
 bool NaClProcessHost::OnMessageReceived(const IPC::Message& msg) {
   bool handled = true;
   IPC_BEGIN_MESSAGE_MAP(NaClProcessHost, msg)
     IPC_MESSAGE_HANDLER(NaClProcessMsg_QueryKnownToValidate,
                         OnQueryKnownToValidate)
     IPC_MESSAGE_HANDLER(NaClProcessMsg_SetKnownToValidate,
                         OnSetKnownToValidate)
+    IPC_MESSAGE_HANDLER_DELAY_REPLY(NaClProcessMsg_ResolveFileToken,
+                                    OnResolveFileToken)
 #if defined(OS_WIN)
     IPC_MESSAGE_HANDLER_DELAY_REPLY(NaClProcessMsg_AttachDebugExceptionHandler,
                                     OnAttachDebugExceptionHandler)
 #endif
     IPC_MESSAGE_HANDLER(NaClProcessHostMsg_PpapiChannelCreated,
                         OnPpapiChannelCreated)
     IPC_MESSAGE_UNHANDLED(handled = false)
   IPC_END_MESSAGE_MAP()
   return handled;
 }
@@ skipping 118 matching lines @@
   const ChildProcessData& data = process_->GetData();
   if (!ShareHandleToSelLdr(data.handle,
                            internal_->socket_for_sel_ldr, true,
                            &params.handles)) {
     return false;
   }
 
   if (params.uses_irt) {
     base::PlatformFile irt_file = nacl_browser->IrtFile();
     CHECK_NE(irt_file, base::kInvalidPlatformFileValue);
-
     // Send over the IRT file handle.  We don't close our own copy!
     if (!ShareHandleToSelLdr(data.handle, irt_file, false, &params.handles))
       return false;
   }
 
 #if defined(OS_MACOSX)
   // For dynamic loading support, NaCl requires a file descriptor that
   // was created in /tmp, since those created with shm_open() are not
   // mappable with PROT_EXEC.  Rather than requiring an extra IPC
   // round trip out of the sandbox, we create an FD here.
@@ skipping 148 matching lines @@
 void NaClProcessHost::OnQueryKnownToValidate(const std::string& signature,
                                              bool* result) {
   NaClBrowser* nacl_browser = NaClBrowser::GetInstance();
   *result = nacl_browser->QueryKnownToValidate(signature, off_the_record_);
 }
 
 void NaClProcessHost::OnSetKnownToValidate(const std::string& signature) {
   NaClBrowser::GetInstance()->SetKnownToValidate(signature, off_the_record_);
 }
 
+void NaClProcessHost::FileResolved(
+    base::PlatformFile* file,
+    const base::FilePath& file_path,
+    IPC::Message* reply_msg) {
+  if (*file != base::kInvalidPlatformFileValue) {
+    IPC::PlatformFileForTransit handle = IPC::GetFileHandleForProcess(
+        *file,
+        process_->GetData().handle,
+        true /* close_source */);
+    NaClProcessMsg_ResolveFileToken::WriteReplyParams(
+        reply_msg,
+        handle,
+        file_path);
+  } else {
+    NaClProcessMsg_ResolveFileToken::WriteReplyParams(
+        reply_msg,
+        IPC::InvalidPlatformFileForTransit(),
+        base::FilePath(FILE_PATH_LITERAL("")));
+  }
+  Send(reply_msg);
+}
+
+void NaClProcessHost::OnResolveFileToken(uint64 file_token_lo,
+                                         uint64 file_token_hi,
+                                         IPC::Message* reply_msg) {
+  // Was the file registered?

[Mark Seaborn, 2013/05/24 20:21:58]

Nit: add empty line after each comment paragraph for readability.

+  // Note that the file path cache is of bounded size, and old entries can get
+  // evicted.  If a large number of NaCl modules are being launched at once,
+  // resolving the file_token may fail because the path cache was thrashed
+  // while the file_token was in flight.  In this case the query fails, and we
+  // need to fall back to the slower path.
+  // However: each NaCl process will consume 2-3 entries as it starts up, this

[Mark Seaborn, 2013/05/24 20:21:58]

Why 2-3?  Explain more in comment, perhaps?

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+  // means that eviction will not happen unless you start up 33+ NaCl processes
+  // at the same time, and this still requires worst-case timing.  As a
+  // practical matter, no entries should be evicted prematurely.
+  // The cache itself should take ~ (150 characters * 2 bytes/char + ~60 bytes
+  // data structure overhead) * 100 = 35k when full, so making it bigger should
+  // not be a problem, if needed.
+  // TODO(ncbray): track behavior with UMA. If entries are getting evicted or
+  // bogus keys are getting queried, this would be good to know.
+  base::FilePath file_path;
+  if (!NaClBrowser::GetInstance()->GetFilePath(file_token_lo, file_token_hi,
+                                               &file_path)) {
+    NaClProcessMsg_ResolveFileToken::WriteReplyParams(
+        reply_msg,
+        IPC::InvalidPlatformFileForTransit(),
+        base::FilePath(FILE_PATH_LITERAL("")));
+    Send(reply_msg);
+    return;
+  }
+
+  // Scratch space to share between the callbacks.
+  base::PlatformFile* data = new base::PlatformFile();
+
+  // Open the file.
+  if (!content::BrowserThread::PostBlockingPoolTaskAndReply(
+      FROM_HERE,

[Mark Seaborn, 2013/05/24 20:21:58]

Indent arguments properly.  i.e.:

// Wrong
if (some_function(
    arg1)) ...

// Right
if (some_function(
        arg1)) ...

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+      base::Bind(nacl::OpenNaClExecutableImpl,
+                 file_path, data),
+      base::Bind(&NaClProcessHost::FileResolved,
+                 weak_factory_.GetWeakPtr(),
+                 base::Owned(data),
+                 file_path,
+                 reply_msg))) {
+     NaClProcessMsg_ResolveFileToken::WriteReplyParams(
+         reply_msg,
+         IPC::InvalidPlatformFileForTransit(),
+         base::FilePath(FILE_PATH_LITERAL("")));
+     Send(reply_msg);
+  }
+}
+
 #if defined(OS_WIN)
 void NaClProcessHost::OnAttachDebugExceptionHandler(const std::string& info,
                                                     IPC::Message* reply_msg) {
   if (!AttachDebugExceptionHandler(info, reply_msg)) {
     // Send failure message.
     NaClProcessMsg_AttachDebugExceptionHandler::WriteReplyParams(reply_msg,
                                                                  false);
     Send(reply_msg);
   }
 }
@@ skipping 48 matching lines @@
   } else {
     NaClStartDebugExceptionHandlerThread(
         process_handle.Take(), info,
         base::MessageLoopProxy::current(),
         base::Bind(&NaClProcessHost::OnDebugExceptionHandlerLaunchedByBroker,
                    weak_factory_.GetWeakPtr()));
     return true;
   }
 }
 #endif