Chromium Code Reviews| Index: chrome/browser/nacl_host/nacl_browser.h |
| diff --git a/chrome/browser/nacl_host/nacl_browser.h b/chrome/browser/nacl_host/nacl_browser.h |
| index f3d86460119f8565c535869d6d59961091837403..a3e65ea10a5a9c3df38e978e763f87182195a372 100644 |
| --- a/chrome/browser/nacl_host/nacl_browser.h |
| +++ b/chrome/browser/nacl_host/nacl_browser.h |
| @@ -6,6 +6,7 @@ |
| #define CHROME_BROWSER_NACL_HOST_NACL_BROWSER_H_ |
| #include "base/bind.h" |
| +#include "base/containers/mru_cache.h" |
| #include "base/files/file_util_proxy.h" |
| #include "base/memory/singleton.h" |
| #include "base/memory/weak_ptr.h" |
| @@ -15,6 +16,15 @@ |
| class URLPattern; |
| class GURL; |
| +namespace nacl { |
| + |
| +// Open an immutable executable file that can be mmapped. |
| +// This function should only be called on a thread that can perform file IO. |
| +void OpenNaClExecutableImpl(const base::FilePath& file_path, |
| + base::PlatformFile* file); |
| + |
| +} |
| + |
| // Represents shared state for all NaClProcessHost objects in the browser. |
| class NaClBrowser { |
| public: |
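Review bot: The declaration of OpenNaClExecutableImpl says the file is "immutable" but does not state what makes it so, nor what `*file` holds when the open fails, and the security argument later in this header (PutFilePath's comment) depends on the handle really being read-only. I would extend the comment with `// On success *file is a read-only handle, so a mapping of it cannot change after validation; on failure *file is set to the invalid handle value.` — provided the implementation, which is not in this hunk, actually guarantees both. Chromium style also closes the namespace with a trailing comment, `}  // namespace nacl`.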
| @@ -70,6 +80,32 @@ class NaClBrowser { |
| return validation_cache_.GetValidationCacheKey(); |
| } |
| + // The NaCl singleton keeps information about NaCl executable files opened via |
| + // PPAPI. This allows the NaCl process to get trusted information about the |
| + // file directly from the browser process. In theory, a compromised renderer |
| + // could provide a writable file handle or lie about the file's path. If we |
| + // trusted the handle was read only but it was not, an mmapped file could be |
| + // modified after validation, allowing an escape from the NaCl sandbox. |
| + // Similarly, if we trusted the file path corresponded to the file handle but |
| + // it did not, the validation cache could be tricked into bypassing validation |
| + // for bad code. |
| + // Instead of allowing these attacks, the NaCl process only trusts information |
| + // it gets directly from the browser process. Because the information is |
| + // stored in a cache of bounded size, it is not guaranteed the browser process |
| + // will be able to provide the requested information. In these cases, the |
| + // NaCl process must make conservative assumptions about the origin of the |
| + // file. |
| + // In theory, a compromised renderer could guess file tokens in an attempt to |
| + // read files it normally doesn't have access to. This would not compromise |
| + // the NaCl sandbox, however, and only has a 1 in ~2**120 chance of success |
| + // per guess. |
| + // TODO(ncbray): move the cache onto NaClProcesHost so that we don't need to |
|
Mark Seaborn
2013/05/24 21:55:42
"NaClProcessHost"
|
| + // rely on tokens being unguessable by another process. |
| + void PutFilePath(const base::FilePath& path, uint64* file_token_lo, |
| + uint64* file_token_hi); |
| + bool GetFilePath(uint64 file_token_lo, uint64 file_token_hi, |
| + base::FilePath* path); |
| + |
| bool QueryKnownToValidate(const std::string& signature, bool off_the_record); |
| void SetKnownToValidate(const std::string& signature, bool off_the_record); |
| void ClearValidationCache(const base::Closure& callback); |
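Review bot: The "1 in ~2**120" argument above PutFilePath holds only if the two 64-bit token halves come from a cryptographically secure generator and are never derived from the path or a counter, yet neither declaration states that precondition or who generates the token; the implementation is outside this hunk. I would add above PutFilePath `// Records |path| under a fresh random 128-bit token returned in the two out-params; the token must come from a CSPRNG.` and above GetFilePath `// Returns false when no entry exists for the token (never stored, or evicted from the bounded cache); callers must then treat the file as untrusted.`, since the bool return is what the "conservative assumptions" sentence relies on. As far as I know base::MRUCache is not synchronized and NaClBrowser is a singleton, so stating which thread may call these two methods would also help.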
| @@ -123,6 +159,9 @@ class NaClBrowser { |
| NaClResourceState validation_cache_state_; |
| base::Callback<void(int)> debug_stub_port_listener_; |
| + typedef base::HashingMRUCache<std::string, base::FilePath> PathCacheType; |
| + PathCacheType path_cache_; |
| + |
| bool ok_; |
| // A list of pending tasks to start NaCl processes. |