NaCl: enable meta-based validation for shared libraries.

chrome/browser/nacl_host/nacl_file_host.cc

Index: chrome/browser/nacl_host/nacl_file_host.cc
diff --git a/chrome/browser/nacl_host/nacl_file_host.cc b/chrome/browser/nacl_host/nacl_file_host.cc
index 8b7dcad72327ccbf704711c27c2dc1ad805c347e..b925260f813984f5994b91913c13874e23c433cb 100644
--- a/chrome/browser/nacl_host/nacl_file_host.cc
+++ b/chrome/browser/nacl_host/nacl_file_host.cc
@@ -12,6 +12,7 @@
 #include "base/threading/sequenced_worker_pool.h"
 #include "base/utf_string_conversions.h"
 #include "chrome/browser/extensions/extension_info_map.h"
+#include "chrome/browser/nacl_host/nacl_browser.h"
 #include "chrome/browser/renderer_host/chrome_render_message_filter.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/extensions/extension.h"
@@ -130,6 +131,27 @@ void DoCreateTemporaryFile(
   chrome_render_message_filter->Send(reply_msg);
 }
 
+void DoOpenNaClExecutableRegister(

[Mark Seaborn, 2013/05/16 23:01:47]

Not sure I understand the name, since it suggests "executable register" is a
noun phrase.  "RegisterNaClExecutableFile"?

[Nick Bray (chromium), 2013/05/21 20:09:06]

Done.

+    scoped_refptr<ChromeRenderMessageFilter> chrome_render_message_filter,
+    base::PlatformFile file,
+    base::FilePath file_path,
+    IPC::Message* reply_msg) {
+  // IO thread owns the NaClBrowser singleton.
+  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
+
+  NaClBrowser* nacl_browser = NaClBrowser::GetInstance();
+  uint64_t nonce = nacl_browser->PutFilePath(file_path);
+
+  IPC::PlatformFileForTransit file_desc = IPC::GetFileHandleForProcess(
+      file,
+      chrome_render_message_filter->peer_handle(),
+      true /* close_source */);
+
+  ChromeViewHostMsg_OpenNaClExecutable::WriteReplyParams(
+      reply_msg, file_desc, nonce);
+  chrome_render_message_filter->Send(reply_msg);
+}
+
 // Convert the file URL into a file path in the extension directory.
 // This function is security sensitive.  Be sure to check with a security
 // person before you modify it.
@@ -196,39 +218,19 @@ void DoOpenNaClExecutableOnThreadPool(
     return;
   }
 
-  // Get a file descriptor. On Windows, we need 'GENERIC_EXECUTE' in order to
-  // memory map the executable.
-  // IMPORTANT: This file descriptor must not have write access - that could
-  // allow a sandbox escape.
-  base::PlatformFileError error_code;
-  base::PlatformFile file = base::CreatePlatformFile(
-      file_path,
-      base::PLATFORM_FILE_OPEN |
-          base::PLATFORM_FILE_READ |
-          base::PLATFORM_FILE_EXECUTE,  // Windows only flag.
-      NULL,
-      &error_code);
-  if (error_code != base::PLATFORM_FILE_OK) {
-    NotifyRendererOfError(chrome_render_message_filter, reply_msg);
-    return;
-  }
-  // Check that the file does not reference a directory. Returning a descriptor
-  // to an extension directory could allow a sandbox escape.
-  base::PlatformFileInfo file_info;
-  if (!base::GetPlatformFileInfo(file, &file_info) || file_info.is_directory)
-  {
+  base::PlatformFile file;
+  nacl::OpenNaClExecutableImpl(file_path, &file);
+  if (file != base::kInvalidPlatformFileValue) {
+    BrowserThread::PostTask(
+        BrowserThread::IO, FROM_HERE,
+        base::Bind(

[Mark Seaborn, 2013/05/16 23:01:47]

Why does this need a PostTask() now?  Is the CreatePlatformFile() call being
moved to a different thread?  If so, why?

[Nick Bray (chromium), 2013/05/21 20:09:06]

Done.

+            &DoOpenNaClExecutableRegister,
+            chrome_render_message_filter,
+            file, file_path, reply_msg));
+  } else {
     NotifyRendererOfError(chrome_render_message_filter, reply_msg);
     return;
   }
-
-  IPC::PlatformFileForTransit file_desc = IPC::GetFileHandleForProcess(
-      file,
-      chrome_render_message_filter->peer_handle(),
-      true /* close_source */);
-
-  ChromeViewHostMsg_OpenNaClExecutable::WriteReplyParams(
-      reply_msg, file_path, file_desc);
-  chrome_render_message_filter->Send(reply_msg);
 }
 
 }  // namespace