Do PPB_FileIO Query and Read in the plugin process.

chrome/nacl/nacl_ipc_adapter.cc

Index: chrome/nacl/nacl_ipc_adapter.cc
diff --git a/chrome/nacl/nacl_ipc_adapter.cc b/chrome/nacl/nacl_ipc_adapter.cc
index 845150ea51c85da09eef15d2d40a12da7e8d0434..6f5504928dccab2cbc8997e2c1af218d78d1a450 100644
--- a/chrome/nacl/nacl_ipc_adapter.cc
+++ b/chrome/nacl/nacl_ipc_adapter.cc
@@ -435,6 +435,12 @@ bool NaClIPCAdapter::OnMessageReceived(const IPC::Message& msg) {
           break;
         }
         case ppapi::proxy::SerializedHandle::FILE:
+          // IMPORTANT: The NaClDescIoDescFromHandleAllocCtor function creates
+          // a NaClDesc that checks the flags before reading and writing. This
+          // is necessary since PPB_FileIO now sends a file descriptor which may
+          // have write capabilities, and we don't want the plugin to be able to

[dmichael (off chromium), 2013/07/18 20:28:09]

"may have write capabilities"...  we intend not to do that, right? Maybe it
would be better to say "should not have write capabilities"?

[bbudge, 2013/07/18 21:28:16]

It's non-trivial to create and share a fd with different capabilities in the
host. So we may return an fd with write capabilities, and we count on the
NaClDesc to fail before making the system call. This check happens in trusted
code so should be safe, as long as we're sure the write flags have been cleared
on the host side. We can't do that here because it would break the trusted and
private APIs.

+          // write with it and so bypass quota checks, which still happen in the
+          // host.
           nacl_desc.reset(new NaClDescWrapper(NaClDescIoDescFromHandleAllocCtor(
 #if defined(OS_WIN)
               iter->descriptor(),