| Index: chrome/browser/nacl_host/nacl_browser.h
|
| diff --git a/chrome/browser/nacl_host/nacl_browser.h b/chrome/browser/nacl_host/nacl_browser.h
|
| index f3d86460119f8565c535869d6d59961091837403..edbbcb5b96f059635f128ce645ca98d29882c4b2 100644
|
| --- a/chrome/browser/nacl_host/nacl_browser.h
|
| +++ b/chrome/browser/nacl_host/nacl_browser.h
|
| @@ -6,6 +6,7 @@
|
| #define CHROME_BROWSER_NACL_HOST_NACL_BROWSER_H_
|
|
|
| #include "base/bind.h"
|
| +#include "base/containers/mru_cache.h"
|
| #include "base/files/file_util_proxy.h"
|
| #include "base/memory/singleton.h"
|
| #include "base/memory/weak_ptr.h"
|
| @@ -15,6 +16,15 @@
|
| class URLPattern;
|
| class GURL;
|
|
|
| +namespace nacl {
|
| +
|
| +// Open an immutable executable file that can be mmapped.
|
| +// This function should only be called on a thread that can perform file IO.
|
| +void OpenNaClExecutableImpl(const base::FilePath& file_path,
|
| + base::PlatformFile* file);
|
| +
|
| +}
|
| +
|
| // Represents shared state for all NaClProcessHost objects in the browser.
|
| class NaClBrowser {
|
| public:
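Review bot: `OpenNaClExecutableImpl` returns void and reports only through `*file`, yet the comment above it never says what `*file` holds when the open fails, so a caller cannot distinguish a usable handle from an error without reading the .cc. I would extend the comment to `// Opens file_path read-only for mmapping; on failure *file is left invalid (presumably base::kInvalidPlatformFile — confirm against the implementation).` The word "immutable" is doing security work here: the later comment in this same header explains that a writable handle lets an mmapped nexe be modified after validation, so the read-only open is a requirement rather than a convenience and deserves to be stated as the function's contract. The bare closing `}` of the namespace should also read `}  // namespace nacl` per Chromium style.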
|
| @@ -70,6 +80,31 @@ class NaClBrowser {
|
| return validation_cache_.GetValidationCacheKey();
|
| }
|
|
|
| + // The NaCl singleton keeps information about NaCl executable files opened via
|
| + // PPAPI. This allows the NaCl process to get trusted information about the
|
| + // file directly from the browser process. In theory, a compromised renderer
|
| + // could provide a writable file handle or lie about the file's path. If we
|
| + // trusted the handle was read only but it was not, a mmaped file could
|
| + // mutated after validation, allowing an escape of the NaCl sandbox.
|
| + // Similarly, if we trusted the file path corresponded to the file handle but
|
| + // it did not, the validation cache could be tricked into bypassing validation
|
| + // for bad code.
|
| + // Instead of allowing these attacks, we only trust information we get
|
| + // directly from the browser process. Because the information is stored in a
|
| + // cache of bounded size, it is not guaranteed the browser process will be
|
| + // able to provide the requested information. In these cases, the NaCl
|
| + // process must make conservative assumptions about the origin of the file.
|
| + // In theory, a compromised renderer could guess file tokens in an attempt to
|
| + // read files it normally doesn't have access to. This would not compromise
|
| + // the NaCl sandbox, however, and only has a 1 in ~2**120 chance of success
|
| + // per guess.
|
| + // TODO(ncbray): move the cache onto the NaCl process host to completely
|
| + // prevent one process from guessing the token of another process.
|
| + void PutFilePath(const base::FilePath& path, uint64* file_token_lo,
|
| + uint64* file_token_hi);
|
| + bool GetFilePath(uint64 file_token_lo, uint64 file_token_hi,
|
| + base::FilePath* path);
|
| +
|
| bool QueryKnownToValidate(const std::string& signature, bool off_the_record);
|
| void SetKnownToValidate(const std::string& signature, bool off_the_record);
|
| void ClearValidationCache(const base::Closure& callback);
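Review bot: The `1 in ~2**120` figure in the comment holds only if the two uint64 tokens that `PutFilePath` hands out come from a cryptographically secure, unpredictable source, and nothing in the declaration states that contract, so a later switch to a cheaper or seeded RNG would silently void the whole argument. I would add directly above `PutFilePath`: `// file_token_lo/hi receive a fresh 128-bit token drawn from a cryptographically secure random source; a predictable generator would let a compromised renderer derive another process's token.` The comment should also name the thread these two methods must be called from, since base's MRU caches are, as far as I know, unsynchronized and this singleton is reachable from more than one browser thread. Minor: the prose `a mmaped file could mutated after validation` should read `an mmapped file could be mutated after validation`.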
|
| @@ -123,6 +158,9 @@ class NaClBrowser {
|
| NaClResourceState validation_cache_state_;
|
| base::Callback<void(int)> debug_stub_port_listener_;
|
|
|
| + typedef base::HashingMRUCache<std::string, base::FilePath> PathCacheType;
|
| + PathCacheType path_cache_;
|
| +
|
| bool ok_;
|
|
|
| // A list of pending tasks to start NaCl processes.
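Review bot: `path_cache_` is added without a comment, and its `std::string` key does not reveal how the `(file_token_lo, file_token_hi)` pair from `PutFilePath` is encoded into it, which matters because token equality is the entire access check behind `GetFilePath`. I would document it at the declaration: `// Maps the serialized (lo, hi) file token handed out by PutFilePath to the path it was registered with; presumably the raw 16 bytes — confirm against the .cc. Bounded size, so entries may be evicted and GetFilePath may legitimately miss.` A short note that the bound also caps how many live tokens a guessing renderer can collide with would tie this member to the rationale given on the public methods.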
|
|
|