Do PPB_FileIO Query and Read in the plugin process.

chrome/nacl/nacl_ipc_adapter.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/nacl/nacl_ipc_adapter.h"
 
 #include <limits.h>
 #include <string.h>
 
 #include "base/basictypes.h"
@@ skipping 417 matching lines @@
           nacl_desc.reset(new NaClDescWrapper(ipc_adapter->MakeNaClDesc()));
           // Send back a message that the channel was created.
           scoped_ptr<IPC::Message> response(
               new PpapiHostMsg_ChannelCreated(channel_handle));
           task_runner_->PostTask(FROM_HERE,
               base::Bind(&NaClIPCAdapter::SendMessageOnIOThread, this,
                          base::Passed(&response)));
           break;
         }
         case ppapi::proxy::SerializedHandle::FILE:
+          // IMPORTANT: The NaClDescIoDescFromHandleAllocCtor function creates
+          // a NaClDesc that checks the flags before reading and writing. This
+          // is necessary since PPB_FileIO now sends a file descriptor which may
+          // have write capabilities, and we don't want the plugin to be able to

[dmichael (off chromium), 2013/07/18 20:28:09]

"may have write capabilities"...  we intend not to do that, right? Maybe it
would be better to say "should not have write capabilities"?

[bbudge, 2013/07/18 21:28:16]

It's non-trivial to create and share a fd with different capabilities in the
host. So we may return an fd with write capabilities, and we count on the
NaClDesc to fail before making the system call. This check happens in trusted
code so should be safe, as long as we're sure the write flags have been cleared
on the host side. We can't do that here because it would break the trusted and
private APIs.

+          // write with it and so bypass quota checks, which still happen in the
+          // host.
           nacl_desc.reset(new NaClDescWrapper(NaClDescIoDescFromHandleAllocCtor(
 #if defined(OS_WIN)
               iter->descriptor(),
 #else
               iter->descriptor().fd,
 #endif
               TranslatePepperFileReadWriteOpenFlags(iter->open_flag()))));
           break;
         case ppapi::proxy::SerializedHandle::INVALID: {
           // Nothing to do. TODO(dmichael): Should we log this? Or is it
@@ skipping 129 matching lines @@
   header.flags = msg.flags();
   header.num_fds = static_cast<int>(rewritten_msg->desc_count());
 
   rewritten_msg->SetData(header, msg.payload(), msg.payload_size());
   locked_data_.to_be_received_.push(rewritten_msg);
 }
 
 int TranslatePepperFileReadWriteOpenFlagsForTesting(int32_t pp_open_flags) {
   return TranslatePepperFileReadWriteOpenFlags(pp_open_flags);
 }