NaCl: enable meta-based validation for shared libraries.

chrome/browser/nacl_host/nacl_browser.h

Index: chrome/browser/nacl_host/nacl_browser.h
diff --git a/chrome/browser/nacl_host/nacl_browser.h b/chrome/browser/nacl_host/nacl_browser.h
index f3d86460119f8565c535869d6d59961091837403..edbbcb5b96f059635f128ce645ca98d29882c4b2 100644
--- a/chrome/browser/nacl_host/nacl_browser.h
+++ b/chrome/browser/nacl_host/nacl_browser.h
@@ -6,6 +6,7 @@
 #define CHROME_BROWSER_NACL_HOST_NACL_BROWSER_H_
 
 #include "base/bind.h"
+#include "base/containers/mru_cache.h"
 #include "base/files/file_util_proxy.h"
 #include "base/memory/singleton.h"
 #include "base/memory/weak_ptr.h"
@@ -15,6 +16,15 @@
 class URLPattern;
 class GURL;
 
+namespace nacl {
+
+// Open an immutable executable file that can be mmapped.
+// This function should only be called on a thread that can perform file IO.
+void OpenNaClExecutableImpl(const base::FilePath& file_path,
+                            base::PlatformFile* file);
+
+}
+
 // Represents shared state for all NaClProcessHost objects in the browser.
 class NaClBrowser {
  public:
@@ -70,6 +80,31 @@ class NaClBrowser {
     return validation_cache_.GetValidationCacheKey();
   }
 
+  // The NaCl singleton keeps information about NaCl executable files opened via
+  // PPAPI.  This allows the NaCl process to get trusted information about the
+  // file directly from the browser process.  In theory, a compromised renderer
+  // could provide a writable file handle or lie about the file's path.  If we
+  // trusted the handle was read only but it was not, a mmaped file could

[Mark Seaborn, 2013/05/24 20:21:58]

"an mmapped"

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+  // mutated after validation, allowing an escape of the NaCl sandbox.

[Mark Seaborn, 2013/05/24 20:21:58]

"could be mutated" -- or better, "could be modified"

"escape of" -> "escape from"?

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+  // Similarly, if we trusted the file path corresponded to the file handle but
+  // it did not, the validation cache could be tricked into bypassing validation
+  // for bad code.
+  // Instead of allowing these attacks, we only trust information we get

[Mark Seaborn, 2013/05/24 20:21:58]

"we" -> "the NaCl process"

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+  // directly from the browser process.  Because the information is stored in a
+  // cache of bounded size, it is not guaranteed the browser process will be
+  // able to provide the requested information.  In these cases, the NaCl
+  // process must make conservative assumptions about the origin of the file.
+  // In theory, a compromised renderer could guess file tokens in an attempt to
+  // read files it normally doesn't have access to.  This would not compromise
+  // the NaCl sandbox, however, and only has a 1 in ~2**120 chance of success
+  // per guess.
+  // TODO(ncbray): move the cache onto the NaCl process host to completely

[Mark Seaborn, 2013/05/24 20:21:58]

"onto the NaCl process host" -> "into NaClProcessHost"

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+  // prevent one process from guessing the token of another process.

[Mark Seaborn, 2013/05/24 20:21:58]

Nit: it doesn't prevent guessing, it prevents guessing from having any
consequence.  "So that we don't rely on file tokens being unguessable"?

[Nick Bray (chromium), 2013/05/24 21:35:24]

Done.

+  void PutFilePath(const base::FilePath& path, uint64* file_token_lo,
+                   uint64* file_token_hi);
+  bool GetFilePath(uint64 file_token_lo, uint64 file_token_hi,
+                   base::FilePath* path);
+
   bool QueryKnownToValidate(const std::string& signature, bool off_the_record);
   void SetKnownToValidate(const std::string& signature, bool off_the_record);
   void ClearValidationCache(const base::Closure& callback);
@@ -123,6 +158,9 @@ class NaClBrowser {
   NaClResourceState validation_cache_state_;
   base::Callback<void(int)> debug_stub_port_listener_;
 
+  typedef base::HashingMRUCache<std::string, base::FilePath> PathCacheType;
+  PathCacheType path_cache_;
+
   bool ok_;
 
   // A list of pending tasks to start NaCl processes.