Support non-SFI mode in NaCl manifest file.

components/nacl/browser/nacl_process_host.cc

Index: components/nacl/browser/nacl_process_host.cc
diff --git a/components/nacl/browser/nacl_process_host.cc b/components/nacl/browser/nacl_process_host.cc
index dc87b50d1cd551754b955ed3605632813f1236be..4327a208968ef0c439ae2457bb18c17974c47094 100644
--- a/components/nacl/browser/nacl_process_host.cc
+++ b/components/nacl/browser/nacl_process_host.cc
@@ -240,6 +240,7 @@ NaClProcessHost::NaClProcessHost(const GURL& manifest_url,
                                  bool enable_dyncode_syscalls,
                                  bool enable_exception_handling,
                                  bool enable_crash_throttling,
+                                 bool enable_nonsfi,

[Mark Seaborn, 2014/02/27 17:10:22]

Can you rename this to "use_nonsfi_mode", so that:

* "enable_nonsfi_mode" always means "--enable-non-sfi-mode" was passed to the
browser.
* "use_nonsfi_mode" means the renderer or NMF file has requested using non-SFI
mode for this particular process.

[hidehiko, 2014/02/28 06:41:54]

Done.

                                  bool off_the_record,
                                  const base::FilePath& profile_directory)
     : manifest_url_(manifest_url),
@@ -258,6 +259,7 @@ NaClProcessHost::NaClProcessHost(const GURL& manifest_url,
       enable_dyncode_syscalls_(enable_dyncode_syscalls),
       enable_exception_handling_(enable_exception_handling),
       enable_crash_throttling_(enable_crash_throttling),
+      enable_nonsfi_(enable_nonsfi),
       off_the_record_(off_the_record),
       profile_directory_(profile_directory),
       render_view_id_(render_view_id) {
@@ -755,8 +757,7 @@ bool NaClProcessHost::StartNaClExecution() {
   params.enable_ipc_proxy = enable_ppapi_proxy();
   params.uses_irt = uses_irt_;
   params.enable_dyncode_syscalls = enable_dyncode_syscalls_;
-  params.enable_nonsfi_mode = CommandLine::ForCurrentProcess()->HasSwitch(
-      switches::kEnableNaClNonSfiMode);
+  params.enable_nonsfi_mode = enable_nonsfi_;

[Mark Seaborn, 2014/02/27 17:10:22]

I think this means the renderer (if compromised) can enable non-SFI mode even if
"--enable-non-sfi-mode" wasn't passed to the browser.  That's undesirable for
security.  Can you make sure the browser doesn't let the renderer enable this if
the option wasn't passed?

[hidehiko, 2014/02/28 06:41:54]

As we chatted, the binary won't be compatible, so we cannot run under SFI mode.
Instead, I added a sanity-check if the non-sfi mode is enabled actually or not.

 
   const ChildProcessData& data = process_->GetData();
   if (!ShareHandleToSelLdr(data.handle,