OLD | NEW |
| (Empty) |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "chrome/nacl/nacl_listener.h" | |
6 | |
7 #include <errno.h> | |
8 #include <stdlib.h> | |
9 | |
10 #include "base/command_line.h" | |
11 #include "base/logging.h" | |
12 #include "base/memory/scoped_ptr.h" | |
13 #include "base/message_loop.h" | |
14 #include "base/rand_util.h" | |
15 #include "chrome/common/nacl_messages.h" | |
16 #include "chrome/nacl/nacl_ipc_adapter.h" | |
17 #include "chrome/nacl/nacl_validation_db.h" | |
18 #include "chrome/nacl/nacl_validation_query.h" | |
19 #include "ipc/ipc_channel_handle.h" | |
20 #include "ipc/ipc_switches.h" | |
21 #include "ipc/ipc_sync_channel.h" | |
22 #include "ipc/ipc_sync_message_filter.h" | |
23 #include "native_client/src/trusted/service_runtime/sel_main_chrome.h" | |
24 #include "native_client/src/trusted/validator/nacl_file_info.h" | |
25 | |
26 #if defined(OS_POSIX) | |
27 #include "base/file_descriptor_posix.h" | |
28 #endif | |
29 | |
30 #if defined(OS_LINUX) | |
31 #include "content/public/common/child_process_sandbox_support_linux.h" | |
32 #endif | |
33 | |
34 #if defined(OS_WIN) | |
35 #include <fcntl.h> | |
36 #include <io.h> | |
37 | |
38 #include "content/public/common/sandbox_init.h" | |
39 #endif | |
40 | |
41 namespace { | |
42 #if defined(OS_MACOSX) | |
43 | |
44 // On Mac OS X, shm_open() works in the sandbox but does not give us | |
45 // an FD that we can map as PROT_EXEC. Rather than doing an IPC to | |
46 // get an executable SHM region when CreateMemoryObject() is called, | |
47 // we preallocate one on startup, since NaCl's sel_ldr only needs one | |
48 // of them. This saves a round trip. | |
49 | |
50 base::subtle::Atomic32 g_shm_fd = -1; | |
51 | |
52 int CreateMemoryObject(size_t size, int executable) { | |
53 if (executable && size > 0) { | |
54 int result_fd = base::subtle::NoBarrier_AtomicExchange(&g_shm_fd, -1); | |
55 if (result_fd != -1) { | |
56 // ftruncate() is disallowed by the Mac OS X sandbox and | |
57 // returns EPERM. Luckily, we can get the same effect with | |
58 // lseek() + write(). | |
59 if (lseek(result_fd, size - 1, SEEK_SET) == -1) { | |
60 LOG(ERROR) << "lseek() failed: " << errno; | |
61 return -1; | |
62 } | |
63 if (write(result_fd, "", 1) != 1) { | |
64 LOG(ERROR) << "write() failed: " << errno; | |
65 return -1; | |
66 } | |
67 return result_fd; | |
68 } | |
69 } | |
70 // Fall back to NaCl's default implementation. | |
71 return -1; | |
72 } | |
73 | |
74 #elif defined(OS_LINUX) | |
75 | |
76 int CreateMemoryObject(size_t size, int executable) { | |
77 return content::MakeSharedMemorySegmentViaIPC(size, executable); | |
78 } | |
79 | |
80 #elif defined(OS_WIN) | |
81 | |
82 NaClListener* g_listener; | |
83 | |
84 // We wrap the function to convert the bool return value to an int. | |
85 int BrokerDuplicateHandle(NaClHandle source_handle, | |
86 uint32_t process_id, | |
87 NaClHandle* target_handle, | |
88 uint32_t desired_access, | |
89 uint32_t options) { | |
90 return content::BrokerDuplicateHandle(source_handle, process_id, | |
91 target_handle, desired_access, | |
92 options); | |
93 } | |
94 | |
95 int AttachDebugExceptionHandler(const void* info, size_t info_size) { | |
96 std::string info_string(reinterpret_cast<const char*>(info), info_size); | |
97 bool result = false; | |
98 if (!g_listener->Send(new NaClProcessMsg_AttachDebugExceptionHandler( | |
99 info_string, &result))) | |
100 return false; | |
101 return result; | |
102 } | |
103 | |
104 #endif | |
105 | |
106 } // namespace | |
107 | |
108 class BrowserValidationDBProxy : public NaClValidationDB { | |
109 public: | |
110 explicit BrowserValidationDBProxy(NaClListener* listener) | |
111 : listener_(listener) { | |
112 } | |
113 | |
114 virtual bool QueryKnownToValidate(const std::string& signature) OVERRIDE { | |
115 // Initialize to false so that if the Send fails to write to the return | |
116 // value we're safe. For example if the message is (for some reason) | |
117 // dispatched as an async message the return parameter will not be written. | |
118 bool result = false; | |
119 if (!listener_->Send(new NaClProcessMsg_QueryKnownToValidate(signature, | |
120 &result))) { | |
121 LOG(ERROR) << "Failed to query NaCl validation cache."; | |
122 result = false; | |
123 } | |
124 return result; | |
125 } | |
126 | |
127 virtual void SetKnownToValidate(const std::string& signature) OVERRIDE { | |
128 // Caching is optional: NaCl will still work correctly if the IPC fails. | |
129 if (!listener_->Send(new NaClProcessMsg_SetKnownToValidate(signature))) { | |
130 LOG(ERROR) << "Failed to update NaCl validation cache."; | |
131 } | |
132 } | |
133 | |
134 virtual bool ResolveFileToken(struct NaClFileToken* file_token, | |
135 int32* fd, std::string* path) OVERRIDE { | |
136 *fd = -1; | |
137 *path = ""; | |
138 if (file_token->lo == 0 && file_token->hi == 0) { | |
139 return false; | |
140 } | |
141 IPC::PlatformFileForTransit ipc_fd = IPC::InvalidPlatformFileForTransit(); | |
142 base::FilePath ipc_path; | |
143 if (!listener_->Send(new NaClProcessMsg_ResolveFileToken(file_token->lo, | |
144 file_token->hi, | |
145 &ipc_fd, | |
146 &ipc_path))) { | |
147 return false; | |
148 } | |
149 if (ipc_fd == IPC::InvalidPlatformFileForTransit()) { | |
150 return false; | |
151 } | |
152 base::PlatformFile handle = | |
153 IPC::PlatformFileForTransitToPlatformFile(ipc_fd); | |
154 #if defined(OS_WIN) | |
155 // On Windows, valid handles are 32 bit unsigned integers so this is safe. | |
156 *fd = reinterpret_cast<uintptr_t>(handle); | |
157 #else | |
158 *fd = handle; | |
159 #endif | |
160 // It doesn't matter if the path is invalid UTF8 as long as it's consistent | |
161 // and unforgeable. | |
162 *path = ipc_path.AsUTF8Unsafe(); | |
163 return true; | |
164 } | |
165 | |
166 private: | |
167 // The listener never dies, otherwise this might be a dangling reference. | |
168 NaClListener* listener_; | |
169 }; | |
170 | |
171 | |
172 NaClListener::NaClListener() : shutdown_event_(true, false), | |
173 io_thread_("NaCl_IOThread"), | |
174 #if defined(OS_LINUX) | |
175 prereserved_sandbox_size_(0), | |
176 #endif | |
177 main_loop_(NULL) { | |
178 io_thread_.StartWithOptions( | |
179 base::Thread::Options(base::MessageLoop::TYPE_IO, 0)); | |
180 #if defined(OS_WIN) | |
181 DCHECK(g_listener == NULL); | |
182 g_listener = this; | |
183 #endif | |
184 } | |
185 | |
186 NaClListener::~NaClListener() { | |
187 NOTREACHED(); | |
188 shutdown_event_.Signal(); | |
189 #if defined(OS_WIN) | |
190 g_listener = NULL; | |
191 #endif | |
192 } | |
193 | |
194 bool NaClListener::Send(IPC::Message* msg) { | |
195 DCHECK(main_loop_ != NULL); | |
196 if (base::MessageLoop::current() == main_loop_) { | |
197 // This thread owns the channel. | |
198 return channel_->Send(msg); | |
199 } else { | |
200 // This thread does not own the channel. | |
201 return filter_->Send(msg); | |
202 } | |
203 } | |
204 | |
205 void NaClListener::Listen() { | |
206 std::string channel_name = | |
207 CommandLine::ForCurrentProcess()->GetSwitchValueASCII( | |
208 switches::kProcessChannelID); | |
209 channel_.reset(new IPC::SyncChannel( | |
210 this, io_thread_.message_loop_proxy().get(), &shutdown_event_)); | |
211 filter_ = new IPC::SyncMessageFilter(&shutdown_event_); | |
212 channel_->AddFilter(filter_.get()); | |
213 channel_->Init(channel_name, IPC::Channel::MODE_CLIENT, true); | |
214 main_loop_ = base::MessageLoop::current(); | |
215 main_loop_->Run(); | |
216 } | |
217 | |
218 bool NaClListener::OnMessageReceived(const IPC::Message& msg) { | |
219 bool handled = true; | |
220 IPC_BEGIN_MESSAGE_MAP(NaClListener, msg) | |
221 IPC_MESSAGE_HANDLER(NaClProcessMsg_Start, OnStart) | |
222 IPC_MESSAGE_UNHANDLED(handled = false) | |
223 IPC_END_MESSAGE_MAP() | |
224 return handled; | |
225 } | |
226 | |
227 void NaClListener::OnStart(const nacl::NaClStartParams& params) { | |
228 struct NaClChromeMainArgs *args = NaClChromeMainArgsCreate(); | |
229 if (args == NULL) { | |
230 LOG(ERROR) << "NaClChromeMainArgsCreate() failed"; | |
231 return; | |
232 } | |
233 | |
234 if (params.enable_ipc_proxy) { | |
235 // Create the initial PPAPI IPC channel between the NaCl IRT and the | |
236 // browser process. The IRT uses this channel to communicate with the | |
237 // browser and to create additional IPC channels to renderer processes. | |
238 IPC::ChannelHandle handle = | |
239 IPC::Channel::GenerateVerifiedChannelID("nacl"); | |
240 scoped_refptr<NaClIPCAdapter> ipc_adapter( | |
241 new NaClIPCAdapter(handle, io_thread_.message_loop_proxy().get())); | |
242 ipc_adapter->ConnectChannel(); | |
243 | |
244 // Pass a NaClDesc to the untrusted side. This will hold a ref to the | |
245 // NaClIPCAdapter. | |
246 args->initial_ipc_desc = ipc_adapter->MakeNaClDesc(); | |
247 #if defined(OS_POSIX) | |
248 handle.socket = base::FileDescriptor( | |
249 ipc_adapter->TakeClientFileDescriptor(), true); | |
250 #endif | |
251 if (!Send(new NaClProcessHostMsg_PpapiChannelCreated(handle))) | |
252 LOG(ERROR) << "Failed to send IPC channel handle to NaClProcessHost."; | |
253 } | |
254 | |
255 std::vector<nacl::FileDescriptor> handles = params.handles; | |
256 | |
257 #if defined(OS_LINUX) || defined(OS_MACOSX) | |
258 args->urandom_fd = dup(base::GetUrandomFD()); | |
259 if (args->urandom_fd < 0) { | |
260 LOG(ERROR) << "Failed to dup() the urandom FD"; | |
261 return; | |
262 } | |
263 args->create_memory_object_func = CreateMemoryObject; | |
264 # if defined(OS_MACOSX) | |
265 CHECK(handles.size() >= 1); | |
266 g_shm_fd = nacl::ToNativeHandle(handles[handles.size() - 1]); | |
267 handles.pop_back(); | |
268 # endif | |
269 #endif | |
270 | |
271 if (params.uses_irt) { | |
272 CHECK(handles.size() >= 1); | |
273 NaClHandle irt_handle = nacl::ToNativeHandle(handles[handles.size() - 1]); | |
274 handles.pop_back(); | |
275 | |
276 #if defined(OS_WIN) | |
277 args->irt_fd = _open_osfhandle(reinterpret_cast<intptr_t>(irt_handle), | |
278 _O_RDONLY | _O_BINARY); | |
279 if (args->irt_fd < 0) { | |
280 LOG(ERROR) << "_open_osfhandle() failed"; | |
281 return; | |
282 } | |
283 #else | |
284 args->irt_fd = irt_handle; | |
285 #endif | |
286 } else { | |
287 // Otherwise, the IRT handle is not even sent. | |
288 args->irt_fd = -1; | |
289 } | |
290 | |
291 if (params.validation_cache_enabled) { | |
292 // SHA256 block size. | |
293 CHECK_EQ(params.validation_cache_key.length(), (size_t) 64); | |
294 // The cache structure is not freed and exists until the NaCl process exits. | |
295 args->validation_cache = CreateValidationCache( | |
296 new BrowserValidationDBProxy(this), params.validation_cache_key, | |
297 params.version); | |
298 } | |
299 | |
300 CHECK(handles.size() == 1); | |
301 args->imc_bootstrap_handle = nacl::ToNativeHandle(handles[0]); | |
302 args->enable_exception_handling = params.enable_exception_handling; | |
303 args->enable_debug_stub = params.enable_debug_stub; | |
304 args->enable_dyncode_syscalls = params.enable_dyncode_syscalls; | |
305 #if defined(OS_LINUX) || defined(OS_MACOSX) | |
306 args->debug_stub_server_bound_socket_fd = nacl::ToNativeHandle( | |
307 params.debug_stub_server_bound_socket); | |
308 #endif | |
309 #if defined(OS_WIN) | |
310 args->broker_duplicate_handle_func = BrokerDuplicateHandle; | |
311 args->attach_debug_exception_handler_func = AttachDebugExceptionHandler; | |
312 #endif | |
313 #if defined(OS_LINUX) | |
314 args->prereserved_sandbox_size = prereserved_sandbox_size_; | |
315 #endif | |
316 NaClChromeMainStart(args); | |
317 NOTREACHED(); | |
318 } | |
OLD | NEW |