| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CHROME_BROWSER_NACL_HOST_NACL_BROWSER_H_ | 5 #ifndef CHROME_BROWSER_NACL_HOST_NACL_BROWSER_H_ |
| 6 #define CHROME_BROWSER_NACL_HOST_NACL_BROWSER_H_ | 6 #define CHROME_BROWSER_NACL_HOST_NACL_BROWSER_H_ |
| 7 | 7 |
| 8 #include "base/bind.h" | 8 #include "base/bind.h" |
| 9 #include "base/containers/mru_cache.h" | |
| 9 #include "base/files/file_util_proxy.h" | 10 #include "base/files/file_util_proxy.h" |
| 10 #include "base/memory/singleton.h" | 11 #include "base/memory/singleton.h" |
| 11 #include "base/memory/weak_ptr.h" | 12 #include "base/memory/weak_ptr.h" |
| 12 #include "base/platform_file.h" | 13 #include "base/platform_file.h" |
| 13 #include "chrome/browser/nacl_host/nacl_validation_cache.h" | 14 #include "chrome/browser/nacl_host/nacl_validation_cache.h" |
| 14 | 15 |
| 15 class URLPattern; | 16 class URLPattern; |
| 16 class GURL; | 17 class GURL; |
| 17 | 18 |
| 19 namespace nacl { | |
| 20 | |
| 21 // Open an immutable executable file that can be mmapped. | |
| 22 // This function should only be called on a thread that can perform file IO. | |
| 23 void OpenNaClExecutableImpl(const base::FilePath& file_path, | |
| 24 base::PlatformFile* file); | |
| 25 | |
| 26 } | |
| 27 | |
| 18 // Represents shared state for all NaClProcessHost objects in the browser. | 28 // Represents shared state for all NaClProcessHost objects in the browser. |
| 19 class NaClBrowser { | 29 class NaClBrowser { |
| 20 public: | 30 public: |
| 21 static NaClBrowser* GetInstance(); | 31 static NaClBrowser* GetInstance(); |
| 22 | 32 |
| 23 // Will it be possible to launch a NaCl process, eventually? | 33 // Will it be possible to launch a NaCl process, eventually? |
| 24 bool IsOk() const; | 34 bool IsOk() const; |
| 25 | 35 |
| 26 // Are we ready to launch a NaCl process now? Implies IsOk(). | 36 // Are we ready to launch a NaCl process now? Implies IsOk(). |
| 27 bool IsReady() const; | 37 bool IsReady() const; |
| 63 void ClearGdbDebugStubPortListener(); | 73 void ClearGdbDebugStubPortListener(); |
| 64 | 74 |
| 65 bool ValidationCacheIsEnabled() const { | 75 bool ValidationCacheIsEnabled() const { |
| 66 return validation_cache_is_enabled_; | 76 return validation_cache_is_enabled_; |
| 67 } | 77 } |
| 68 | 78 |
| 69 const std::string& GetValidationCacheKey() const { | 79 const std::string& GetValidationCacheKey() const { |
| 70 return validation_cache_.GetValidationCacheKey(); | 80 return validation_cache_.GetValidationCacheKey(); |
| 71 } | 81 } |
| 72 | 82 |
| 83 // The NaCl singleton keeps information about NaCl executable files opened via | |
| 84 // PPAPI. This allows the NaCl process to get trusted information about the | |
| 85 // file directly from the browser process. In theory, a compromised renderer | |
| 86 // could provide a writable file handle or lie about the file's path. If we | |
| 87 // trusted the handle was read only but it was not, an mmapped file could be | |
| 88 // modified after validation, allowing an escape from the NaCl sandbox. | |
| 89 // Similarly, if we trusted the file path corresponded to the file handle but | |
| 90 // it did not, the validation cache could be tricked into bypassing validation | |
| 91 // for bad code. | |
| 92 // Instead of allowing these attacks, the NaCl process only trusts information | |
| 93 // it gets directly from the browser process. Because the information is | |
| 94 // stored in a cache of bounded size, it is not guaranteed the browser process | |
| 95 // will be able to provide the requested information. In these cases, the | |
| 96 // NaCl process must make conservative assumptions about the origin of the | |
| 97 // file. | |
| 98 // In theory, a compromised renderer could guess file tokens in an attempt to | |
| 99 // read files it normally doesn't have access to. This would not compromise | |
| 100 // the NaCl sandbox, however, and only has a 1 in ~2**120 chance of success | |
| 101 // per guess. | |
| 102 // TODO(ncbray): move the cache onto NaClProcesHost so that we don't need to | |
|
Mark Seaborn
2013/05/24 21:55:42
"NaClProcessHost"
| |
| 103 // rely on tokens being unguessable by another process. | |
| 104 void PutFilePath(const base::FilePath& path, uint64* file_token_lo, | |
| 105 uint64* file_token_hi); | |
| 106 bool GetFilePath(uint64 file_token_lo, uint64 file_token_hi, | |
| 107 base::FilePath* path); | |
| 108 | |
| 73 bool QueryKnownToValidate(const std::string& signature, bool off_the_record); | 109 bool QueryKnownToValidate(const std::string& signature, bool off_the_record); |
| 74 void SetKnownToValidate(const std::string& signature, bool off_the_record); | 110 void SetKnownToValidate(const std::string& signature, bool off_the_record); |
| 75 void ClearValidationCache(const base::Closure& callback); | 111 void ClearValidationCache(const base::Closure& callback); |
| 76 | 112 |
| 77 private: | 113 private: |
| 78 friend struct DefaultSingletonTraits<NaClBrowser>; | 114 friend struct DefaultSingletonTraits<NaClBrowser>; |
| 79 | 115 |
| 80 enum NaClResourceState { | 116 enum NaClResourceState { |
| 81 NaClResourceUninitialized, | 117 NaClResourceUninitialized, |
| 82 NaClResourceRequested, | 118 NaClResourceRequested, |
| 116 std::vector<URLPattern> debug_patterns_; | 152 std::vector<URLPattern> debug_patterns_; |
| 117 bool inverse_debug_patterns_; | 153 bool inverse_debug_patterns_; |
| 118 NaClValidationCache validation_cache_; | 154 NaClValidationCache validation_cache_; |
| 119 NaClValidationCache off_the_record_validation_cache_; | 155 NaClValidationCache off_the_record_validation_cache_; |
| 120 base::FilePath validation_cache_file_path_; | 156 base::FilePath validation_cache_file_path_; |
| 121 bool validation_cache_is_enabled_; | 157 bool validation_cache_is_enabled_; |
| 122 bool validation_cache_is_modified_; | 158 bool validation_cache_is_modified_; |
| 123 NaClResourceState validation_cache_state_; | 159 NaClResourceState validation_cache_state_; |
| 124 base::Callback<void(int)> debug_stub_port_listener_; | 160 base::Callback<void(int)> debug_stub_port_listener_; |
| 125 | 161 |
| 162 typedef base::HashingMRUCache<std::string, base::FilePath> PathCacheType; | |
| 163 PathCacheType path_cache_; | |
| 164 | |
| 126 bool ok_; | 165 bool ok_; |
| 127 | 166 |
| 128 // A list of pending tasks to start NaCl processes. | 167 // A list of pending tasks to start NaCl processes. |
| 129 std::vector<base::Closure> waiting_; | 168 std::vector<base::Closure> waiting_; |
| 130 | 169 |
| 131 DISALLOW_COPY_AND_ASSIGN(NaClBrowser); | 170 DISALLOW_COPY_AND_ASSIGN(NaClBrowser); |
| 132 }; | 171 }; |
| 133 | 172 |
| 134 #endif // CHROME_BROWSER_NACL_HOST_NACL_BROWSER_H_ | 173 #endif // CHROME_BROWSER_NACL_HOST_NACL_BROWSER_H_ |
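Review bot: The unguessability argument in the new comment above PutFilePath (new lines 98-101) rests on how the tokens are generated, and nothing in this header states it: the "1 in ~2**120" figure for a 128-bit token (two uint64) only holds if tokens are drawn uniformly from a cryptographically secure source and the number of live entries stays around 2**8, yet the bounded `path_cache_` declared at new line 163 carries no capacity and the comment does not tie the odds to it. I would state the contract at the declaration: `// Tokens must come from a CSPRNG (never derived from the path); per-guess success is (live entries)/2**128, so the cache bound directly sets the exposure.` and note the actual bound next to `path_cache_`. GetFilePath should also document its miss behaviour — presumably it returns false and leaves `*path` untouched, but that is not visible from this header and a caller treating a stale `*path` as trusted would undermine the point of routing the lookup through the browser.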