Implement SharedMemory::NewAnonymousReadOnly(contents).

base/memory/shared_memory_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/shared_memory.h"
 #include "base/process/kill.h"
 #include "base/rand_util.h"
 #include "base/strings/string_number_conversions.h"
+#include "base/strings/stringprintf.h"
 #include "base/sys_info.h"
 #include "base/test/multiprocess_test.h"
 #include "base/threading/platform_thread.h"
 #include "base/time/time.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "testing/multiprocess_func_list.h"
 
 #if defined(OS_MACOSX)
 #include "base/mac/scoped_nsautorelease_pool.h"
 #endif
 
 #if defined(OS_POSIX)
+#include <errno.h>
+#include <fcntl.h>
 #include <sys/mman.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
 #endif
 
 static const int kNumThreads = 5;
 static const int kNumTasks = 5;
 
 namespace base {
@@ skipping 321 matching lines @@
       else
         EXPECT_EQ(0, pointers[j][0]);
     }
   }
 
   for (int i = 0; i < count; i++) {
     memories[i].Close();
   }
 }
 
+TEST(SharedMemoryTest, AnonymousReadOnly) {
+  StringPiece contents = "Hello World";
+  scoped_ptr<SharedMemory> shmem(
+      SharedMemory::NewAnonymousReadOnly("Hello World"));
+
+  ASSERT_TRUE(shmem->Map(contents.size()));
+  EXPECT_EQ(
+      contents,
+      StringPiece(static_cast<const char*>(shmem->memory()), contents.size()));
+
+  // We'd like to check that if we send the read-only segment to another
+  // process, then that other process can't reopen it read/write.  (Since that
+  // would be a security hole.)  Setting up multiple processes is hard in a
+  // unittest, so this test checks that the *current* process can't reopen the
+  // segment read/write.  I think the test here is stronger than we actually
+  // care about, but there's a remote possibility that sending a file over a
+  // pipe would transform it into read/write.
+  SharedMemoryHandle handle = shmem->handle();
+#if OS_POSIX

[jln (very slow on Chromium), 2013/10/16 00:16:39]

Style:
#if defined()

[Jeffrey Yasskin, 2013/10/16 01:16:39]

Done.

+
+  EXPECT_EQ(O_RDONLY, fcntl(handle.fd, F_GETFL) & O_ACCMODE)
+      << "The descriptor itself should be read-only.";
+
+  errno = 0;
+  void* writable = mmap(NULL,
+                        shmem->mapped_size(),
+                        PROT_READ | PROT_WRITE,
+                        MAP_SHARED,
+                        handle.fd,
+                        0);
+  int mmap_errno = errno;
+  EXPECT_EQ(MAP_FAILED, writable)
+      << "It shouldn't be possible to re-mmap the descriptor writable.";
+  EXPECT_EQ(EACCES, mmap_errno);
+
+  // Try to re-open through /dev/fd.  This is an end-run around the notion of an
+  // FD as a capability.
+  const std::string shmem_path = StringPrintf("/dev/fd/%d", handle.fd);
+  errno = 0;
+  int readable_fd = open(shmem_path.c_str(), O_RDONLY);
+  EXPECT_NE(-1, readable_fd) << strerror(errno);
+  close(readable_fd);
+
+  errno = 0;
+  int writable_fd = open(shmem_path.c_str(), O_WRONLY);
+  int open_writable_errno = errno;
+  EXPECT_EQ(-1, writable_fd);
+  EXPECT_EQ(EACCES, open_writable_errno) << strerror(open_writable_errno);
+  close(writable_fd);
+
+  // However, if we explicitly make the entry in /dev/fd writable first, the
+  // open() call successfully creates a writable file on Linux.  The sandbox has
+  // to prevent opening this path.  TODO(jln): Write a test that attacks this
+  // from inside the sandbox.
+  fchmod(handle.fd, S_IRUSR | S_IWUSR);

[jln (very slow on Chromium), 2013/10/16 00:16:39]

Please, check the return value, it's better to keep the test tight.

[Jeffrey Yasskin, 2013/10/16 01:16:39]

Done.

+
+  errno = 0;
+  writable_fd = open(shmem_path.c_str(), O_WRONLY);
+  open_writable_errno = errno;
+  // Mac appears to get this right by treating open(/dev/fd/N) as dup(N).

[jln (very slow on Chromium), 2013/10/16 00:16:39]

This is not correct, open(/dev/fd/N) is very different from dup(). dup()
duplicates a reference to a file description, open(/dev/fd/N) will create a new
file description (for instance advisory locks and seeks are shared when duping).

OS X get this right by enforcing the requested access mode to be a subset of the
existing access mode.

Could you explicitly call out a problem in Linux (you can still say "OS X get
this right). It makes the following !OS_LINUX more natural.

[Jeffrey Yasskin, 2013/10/16 01:16:39]

https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPag...
actually says that:

the call:

           fd = open("/dev/fd/0", mode);

     and the call:

           fd = fcntl(0, F_DUPFD, 0);

     are equivalent.

Which makes me think advisory locks and seeks would be shared. But I'm happy to
avoid claiming that in the comment.
Done.

[jln (very slow on Chromium), 2013/10/16 17:51:15]

Ohh yeah, F_DUPFD is confusing. It really has nothing to do with dup(). dup()
merely gives you a new descriptor (a reference to a file description), while
F_DUPFD gives you a copy of a file description (still pointing to the same inode
though).

i.e. remember that there are two levels of dereference between a fd and an
inode.

+#if !OS_LINUX

[jln (very slow on Chromium), 2013/10/16 00:16:39]

Style: #if !defined()

[Jeffrey Yasskin, 2013/10/16 01:16:39]

Done.

+  EXPECT_EQ(-1, writable_fd);
+  EXPECT_EQ(EACCES, open_writable_errno) << strerror(open_writable_errno);
+#endif
+  close(writable_fd);
+
+#elif OS_WIN

[Jeffrey Yasskin, 2013/10/15 23:03:52]

Please try to think of other attacks I should be testing on Windows. I don't
know the API there very well.

+  EXPECT_EQ(NULL, MapViewOfFile(handle, FILE_MAP_WRITE, 0, 0, 0))
+      << "Shouldn't be able to map memory writable.";
+
+  SharedMemoryHandle writable_handle = INVALID_HANDLE_VALUE;
+  EXPECT_EQ(0,
+            ::DuplicateHandle(GetCurrentProcess(),
+                              handle,
+                              GetCurrentProcess,
+                              &writable_handle,
+                              FILE_MAP_ALL_ACCESS,
+                              false,
+                              0))
+      << "Shouldn't be able to duplicate the handle into a writable one.";
+#else
+#error Unexpected platform; write a test that tries to make 'handle' writable.
+#endif
+}
+
 TEST(SharedMemoryTest, MapAt) {
   ASSERT_TRUE(SysInfo::VMAllocationGranularity() >= sizeof(uint32));
   const size_t kCount = SysInfo::VMAllocationGranularity();
   const size_t kDataSize = kCount * sizeof(uint32);
 
   SharedMemory memory;
   ASSERT_TRUE(memory.CreateAndMapAnonymous(kDataSize));
   ASSERT_TRUE(memory.Map(kDataSize));
   uint32* ptr = static_cast<uint32*>(memory.memory());
   ASSERT_NE(ptr, static_cast<void*>(NULL));
@@ skipping 178 matching lines @@
   SharedMemoryProcessTest::CleanUp();
 }
 
 MULTIPROCESS_TEST_MAIN(SharedMemoryTestMain) {
   return SharedMemoryProcessTest::TaskTestMain();
 }
 
 #endif  // !OS_IOS
 
 }  // namespace base