| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "chrome/nacl/nacl_listener.h" | |
| 6 | |
| 7 #include <errno.h> | |
| 8 #include <stdlib.h> | |
| 9 | |
| 10 #include "base/command_line.h" | |
| 11 #include "base/logging.h" | |
| 12 #include "base/memory/scoped_ptr.h" | |
| 13 #include "base/message_loop.h" | |
| 14 #include "base/rand_util.h" | |
| 15 #include "chrome/common/nacl_messages.h" | |
| 16 #include "chrome/nacl/nacl_ipc_adapter.h" | |
| 17 #include "chrome/nacl/nacl_validation_db.h" | |
| 18 #include "chrome/nacl/nacl_validation_query.h" | |
| 19 #include "ipc/ipc_channel_handle.h" | |
| 20 #include "ipc/ipc_switches.h" | |
| 21 #include "ipc/ipc_sync_channel.h" | |
| 22 #include "ipc/ipc_sync_message_filter.h" | |
| 23 #include "native_client/src/trusted/service_runtime/sel_main_chrome.h" | |
| 24 #include "native_client/src/trusted/validator/nacl_file_info.h" | |
| 25 | |
| 26 #if defined(OS_POSIX) | |
| 27 #include "base/file_descriptor_posix.h" | |
| 28 #endif | |
| 29 | |
| 30 #if defined(OS_LINUX) | |
| 31 #include "content/public/common/child_process_sandbox_support_linux.h" | |
| 32 #endif | |
| 33 | |
| 34 #if defined(OS_WIN) | |
| 35 #include <fcntl.h> | |
| 36 #include <io.h> | |
| 37 | |
| 38 #include "content/public/common/sandbox_init.h" | |
| 39 #endif | |
| 40 | |
| 41 namespace { | |
| 42 #if defined(OS_MACOSX) | |
| 43 | |
| 44 // On Mac OS X, shm_open() works in the sandbox but does not give us | |
| 45 // an FD that we can map as PROT_EXEC. Rather than doing an IPC to | |
| 46 // get an executable SHM region when CreateMemoryObject() is called, | |
| 47 // we preallocate one on startup, since NaCl's sel_ldr only needs one | |
| 48 // of them. This saves a round trip. | |
| 49 | |
| 50 base::subtle::Atomic32 g_shm_fd = -1; | |
| 51 | |
| 52 int CreateMemoryObject(size_t size, int executable) { | |
| 53 if (executable && size > 0) { | |
| 54 int result_fd = base::subtle::NoBarrier_AtomicExchange(&g_shm_fd, -1); | |
| 55 if (result_fd != -1) { | |
| 56 // ftruncate() is disallowed by the Mac OS X sandbox and | |
| 57 // returns EPERM. Luckily, we can get the same effect with | |
| 58 // lseek() + write(). | |
| 59 if (lseek(result_fd, size - 1, SEEK_SET) == -1) { | |
| 60 LOG(ERROR) << "lseek() failed: " << errno; | |
| 61 return -1; | |
| 62 } | |
| 63 if (write(result_fd, "", 1) != 1) { | |
| 64 LOG(ERROR) << "write() failed: " << errno; | |
| 65 return -1; | |
| 66 } | |
| 67 return result_fd; | |
| 68 } | |
| 69 } | |
| 70 // Fall back to NaCl's default implementation. | |
| 71 return -1; | |
| 72 } | |
| 73 | |
| 74 #elif defined(OS_LINUX) | |
| 75 | |
| 76 int CreateMemoryObject(size_t size, int executable) { | |
| 77 return content::MakeSharedMemorySegmentViaIPC(size, executable); | |
| 78 } | |
| 79 | |
| 80 #elif defined(OS_WIN) | |
| 81 | |
| 82 NaClListener* g_listener; | |
| 83 | |
| 84 // We wrap the function to convert the bool return value to an int. | |
| 85 int BrokerDuplicateHandle(NaClHandle source_handle, | |
| 86 uint32_t process_id, | |
| 87 NaClHandle* target_handle, | |
| 88 uint32_t desired_access, | |
| 89 uint32_t options) { | |
| 90 return content::BrokerDuplicateHandle(source_handle, process_id, | |
| 91 target_handle, desired_access, | |
| 92 options); | |
| 93 } | |
| 94 | |
| 95 int AttachDebugExceptionHandler(const void* info, size_t info_size) { | |
| 96 std::string info_string(reinterpret_cast<const char*>(info), info_size); | |
| 97 bool result = false; | |
| 98 if (!g_listener->Send(new NaClProcessMsg_AttachDebugExceptionHandler( | |
| 99 info_string, &result))) | |
| 100 return false; | |
| 101 return result; | |
| 102 } | |
| 103 | |
| 104 #endif | |
| 105 | |
| 106 } // namespace | |
| 107 | |
| 108 class BrowserValidationDBProxy : public NaClValidationDB { | |
| 109 public: | |
| 110 explicit BrowserValidationDBProxy(NaClListener* listener) | |
| 111 : listener_(listener) { | |
| 112 } | |
| 113 | |
| 114 virtual bool QueryKnownToValidate(const std::string& signature) OVERRIDE { | |
| 115 // Initialize to false so that if the Send fails to write to the return | |
| 116 // value we're safe. For example if the message is (for some reason) | |
| 117 // dispatched as an async message the return parameter will not be written. | |
| 118 bool result = false; | |
| 119 if (!listener_->Send(new NaClProcessMsg_QueryKnownToValidate(signature, | |
| 120 &result))) { | |
| 121 LOG(ERROR) << "Failed to query NaCl validation cache."; | |
| 122 result = false; | |
| 123 } | |
| 124 return result; | |
| 125 } | |
| 126 | |
| 127 virtual void SetKnownToValidate(const std::string& signature) OVERRIDE { | |
| 128 // Caching is optional: NaCl will still work correctly if the IPC fails. | |
| 129 if (!listener_->Send(new NaClProcessMsg_SetKnownToValidate(signature))) { | |
| 130 LOG(ERROR) << "Failed to update NaCl validation cache."; | |
| 131 } | |
| 132 } | |
| 133 | |
| 134 virtual bool ResolveFileToken(struct NaClFileToken* file_token, | |
| 135 int32* fd, std::string* path) OVERRIDE { | |
| 136 *fd = -1; | |
| 137 *path = ""; | |
| 138 if (file_token->lo == 0 && file_token->hi == 0) { | |
| 139 return false; | |
| 140 } | |
| 141 IPC::PlatformFileForTransit ipc_fd = IPC::InvalidPlatformFileForTransit(); | |
| 142 base::FilePath ipc_path; | |
| 143 if (!listener_->Send(new NaClProcessMsg_ResolveFileToken(file_token->lo, | |
| 144 file_token->hi, | |
| 145 &ipc_fd, | |
| 146 &ipc_path))) { | |
| 147 return false; | |
| 148 } | |
| 149 if (ipc_fd == IPC::InvalidPlatformFileForTransit()) { | |
| 150 return false; | |
| 151 } | |
| 152 base::PlatformFile handle = | |
| 153 IPC::PlatformFileForTransitToPlatformFile(ipc_fd); | |
| 154 #if defined(OS_WIN) | |
| 155 // On Windows, valid handles are 32 bit unsigned integers so this is safe. | |
| 156 *fd = reinterpret_cast<uintptr_t>(handle); | |
| 157 #else | |
| 158 *fd = handle; | |
| 159 #endif | |
| 160 // It doesn't matter if the path is invalid UTF8 as long as it's consistent | |
| 161 // and unforgeable. | |
| 162 *path = ipc_path.AsUTF8Unsafe(); | |
| 163 return true; | |
| 164 } | |
| 165 | |
| 166 private: | |
| 167 // The listener never dies, otherwise this might be a dangling reference. | |
| 168 NaClListener* listener_; | |
| 169 }; | |
| 170 | |
| 171 | |
| 172 NaClListener::NaClListener() : shutdown_event_(true, false), | |
| 173 io_thread_("NaCl_IOThread"), | |
| 174 #if defined(OS_LINUX) | |
| 175 prereserved_sandbox_size_(0), | |
| 176 #endif | |
| 177 main_loop_(NULL) { | |
| 178 io_thread_.StartWithOptions( | |
| 179 base::Thread::Options(base::MessageLoop::TYPE_IO, 0)); | |
| 180 #if defined(OS_WIN) | |
| 181 DCHECK(g_listener == NULL); | |
| 182 g_listener = this; | |
| 183 #endif | |
| 184 } | |
| 185 | |
| 186 NaClListener::~NaClListener() { | |
| 187 NOTREACHED(); | |
| 188 shutdown_event_.Signal(); | |
| 189 #if defined(OS_WIN) | |
| 190 g_listener = NULL; | |
| 191 #endif | |
| 192 } | |
| 193 | |
| 194 bool NaClListener::Send(IPC::Message* msg) { | |
| 195 DCHECK(main_loop_ != NULL); | |
| 196 if (base::MessageLoop::current() == main_loop_) { | |
| 197 // This thread owns the channel. | |
| 198 return channel_->Send(msg); | |
| 199 } else { | |
| 200 // This thread does not own the channel. | |
| 201 return filter_->Send(msg); | |
| 202 } | |
| 203 } | |
| 204 | |
| 205 void NaClListener::Listen() { | |
| 206 std::string channel_name = | |
| 207 CommandLine::ForCurrentProcess()->GetSwitchValueASCII( | |
| 208 switches::kProcessChannelID); | |
| 209 channel_.reset(new IPC::SyncChannel( | |
| 210 this, io_thread_.message_loop_proxy().get(), &shutdown_event_)); | |
| 211 filter_ = new IPC::SyncMessageFilter(&shutdown_event_); | |
| 212 channel_->AddFilter(filter_.get()); | |
| 213 channel_->Init(channel_name, IPC::Channel::MODE_CLIENT, true); | |
| 214 main_loop_ = base::MessageLoop::current(); | |
| 215 main_loop_->Run(); | |
| 216 } | |
| 217 | |
| 218 bool NaClListener::OnMessageReceived(const IPC::Message& msg) { | |
| 219 bool handled = true; | |
| 220 IPC_BEGIN_MESSAGE_MAP(NaClListener, msg) | |
| 221 IPC_MESSAGE_HANDLER(NaClProcessMsg_Start, OnStart) | |
| 222 IPC_MESSAGE_UNHANDLED(handled = false) | |
| 223 IPC_END_MESSAGE_MAP() | |
| 224 return handled; | |
| 225 } | |
| 226 | |
| 227 void NaClListener::OnStart(const nacl::NaClStartParams& params) { | |
| 228 struct NaClChromeMainArgs *args = NaClChromeMainArgsCreate(); | |
| 229 if (args == NULL) { | |
| 230 LOG(ERROR) << "NaClChromeMainArgsCreate() failed"; | |
| 231 return; | |
| 232 } | |
| 233 | |
| 234 if (params.enable_ipc_proxy) { | |
| 235 // Create the initial PPAPI IPC channel between the NaCl IRT and the | |
| 236 // browser process. The IRT uses this channel to communicate with the | |
| 237 // browser and to create additional IPC channels to renderer processes. | |
| 238 IPC::ChannelHandle handle = | |
| 239 IPC::Channel::GenerateVerifiedChannelID("nacl"); | |
| 240 scoped_refptr<NaClIPCAdapter> ipc_adapter( | |
| 241 new NaClIPCAdapter(handle, io_thread_.message_loop_proxy().get())); | |
| 242 ipc_adapter->ConnectChannel(); | |
| 243 | |
| 244 // Pass a NaClDesc to the untrusted side. This will hold a ref to the | |
| 245 // NaClIPCAdapter. | |
| 246 args->initial_ipc_desc = ipc_adapter->MakeNaClDesc(); | |
| 247 #if defined(OS_POSIX) | |
| 248 handle.socket = base::FileDescriptor( | |
| 249 ipc_adapter->TakeClientFileDescriptor(), true); | |
| 250 #endif | |
| 251 if (!Send(new NaClProcessHostMsg_PpapiChannelCreated(handle))) | |
| 252 LOG(ERROR) << "Failed to send IPC channel handle to NaClProcessHost."; | |
| 253 } | |
| 254 | |
| 255 std::vector<nacl::FileDescriptor> handles = params.handles; | |
| 256 | |
| 257 #if defined(OS_LINUX) || defined(OS_MACOSX) | |
| 258 args->urandom_fd = dup(base::GetUrandomFD()); | |
| 259 if (args->urandom_fd < 0) { | |
| 260 LOG(ERROR) << "Failed to dup() the urandom FD"; | |
| 261 return; | |
| 262 } | |
| 263 args->create_memory_object_func = CreateMemoryObject; | |
| 264 # if defined(OS_MACOSX) | |
| 265 CHECK(handles.size() >= 1); | |
| 266 g_shm_fd = nacl::ToNativeHandle(handles[handles.size() - 1]); | |
| 267 handles.pop_back(); | |
| 268 # endif | |
| 269 #endif | |
| 270 | |
| 271 if (params.uses_irt) { | |
| 272 CHECK(handles.size() >= 1); | |
| 273 NaClHandle irt_handle = nacl::ToNativeHandle(handles[handles.size() - 1]); | |
| 274 handles.pop_back(); | |
| 275 | |
| 276 #if defined(OS_WIN) | |
| 277 args->irt_fd = _open_osfhandle(reinterpret_cast<intptr_t>(irt_handle), | |
| 278 _O_RDONLY | _O_BINARY); | |
| 279 if (args->irt_fd < 0) { | |
| 280 LOG(ERROR) << "_open_osfhandle() failed"; | |
| 281 return; | |
| 282 } | |
| 283 #else | |
| 284 args->irt_fd = irt_handle; | |
| 285 #endif | |
| 286 } else { | |
| 287 // Otherwise, the IRT handle is not even sent. | |
| 288 args->irt_fd = -1; | |
| 289 } | |
| 290 | |
| 291 if (params.validation_cache_enabled) { | |
| 292 // SHA256 block size. | |
| 293 CHECK_EQ(params.validation_cache_key.length(), (size_t) 64); | |
| 294 // The cache structure is not freed and exists until the NaCl process exits. | |
| 295 args->validation_cache = CreateValidationCache( | |
| 296 new BrowserValidationDBProxy(this), params.validation_cache_key, | |
| 297 params.version); | |
| 298 } | |
| 299 | |
| 300 CHECK(handles.size() == 1); | |
| 301 args->imc_bootstrap_handle = nacl::ToNativeHandle(handles[0]); | |
| 302 args->enable_exception_handling = params.enable_exception_handling; | |
| 303 args->enable_debug_stub = params.enable_debug_stub; | |
| 304 args->enable_dyncode_syscalls = params.enable_dyncode_syscalls; | |
| 305 #if defined(OS_LINUX) || defined(OS_MACOSX) | |
| 306 args->debug_stub_server_bound_socket_fd = nacl::ToNativeHandle( | |
| 307 params.debug_stub_server_bound_socket); | |
| 308 #endif | |
| 309 #if defined(OS_WIN) | |
| 310 args->broker_duplicate_handle_func = BrokerDuplicateHandle; | |
| 311 args->attach_debug_exception_handler_func = AttachDebugExceptionHandler; | |
| 312 #endif | |
| 313 #if defined(OS_LINUX) | |
| 314 args->prereserved_sandbox_size = prereserved_sandbox_size_; | |
| 315 #endif | |
| 316 NaClChromeMainStart(args); | |
| 317 NOTREACHED(); | |
| 318 } | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 16881004:
Move chrome/nacl to components/nacl. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master