Implement SharedMemory::NewAnonymousReadOnly(contents).

base/memory/shared_memory_posix.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/memory/shared_memory.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/mman.h>
 #include <sys/stat.h>
@@ skipping 12 matching lines @@
 
 #if defined(OS_MACOSX)
 #include "base/mac/foundation_util.h"
 #endif  // OS_MACOSX
 
 #if defined(OS_ANDROID)
 #include "base/os_compat_android.h"
 #include "third_party/ashmem/ashmem.h"
 #endif
 
+using file_util::ScopedFD;
+using file_util::ScopedFILE;
+
 namespace base {
 
 namespace {
 
 LazyInstance<Lock>::Leaky g_thread_lock_ = LAZY_INSTANCE_INITIALIZER;
 
 }
 
 SharedMemory::SharedMemory()
     : mapped_file_(-1),
+      readonly_mapped_file_(-1),
       inode_(0),
       mapped_size_(0),
       memory_(NULL),
       read_only_(false),
       requested_size_(0) {
 }
 
 SharedMemory::SharedMemory(SharedMemoryHandle handle, bool read_only)
     : mapped_file_(handle.fd),
+      readonly_mapped_file_(-1),
       inode_(0),
       mapped_size_(0),
       memory_(NULL),
       read_only_(read_only),
       requested_size_(0) {
   struct stat st;
   if (fstat(handle.fd, &st) == 0) {
     // If fstat fails, then the file descriptor is invalid and we'll learn this
     // fact when Map() fails.
     inode_ = st.st_ino;
   }
 }
 
 SharedMemory::SharedMemory(SharedMemoryHandle handle, bool read_only,
                            ProcessHandle process)
     : mapped_file_(handle.fd),
+      readonly_mapped_file_(-1),
       inode_(0),
       mapped_size_(0),
       memory_(NULL),
       read_only_(read_only),
       requested_size_(0) {
   // We don't handle this case yet (note the ignored parameter); let's die if
   // someone comes calling.
   NOTREACHED();
 }
 
@@ skipping 39 matching lines @@
   if (options.size == 0) return false;
 
   if (options.size > static_cast<size_t>(std::numeric_limits<int>::max()))
     return false;
 
   // This function theoretically can block on the disk, but realistically
   // the temporary files we create will just go into the buffer cache
   // and be deleted before they ever make it out to disk.
   base::ThreadRestrictions::ScopedAllowIO allow_io;
 
-  FILE *fp;
+  ScopedFILE fp;
   bool fix_size = true;
+  int readonly_fd_storage = -1;
+  ScopedFD readonly_fd(&readonly_fd_storage);
 
   FilePath path;
   if (options.name == NULL || options.name->empty()) {
     // It doesn't make sense to have a open-existing private piece of shmem
     DCHECK(!options.open_existing);
     // Q: Why not use the shm_open() etc. APIs?
     // A: Because they're limited to 4mb on OS X.  FFFFFFFUUUUUUUUUUU
-    fp = file_util::CreateAndOpenTemporaryShmemFile(&path, options.executable);
+    fp.reset(
+        file_util::CreateAndOpenTemporaryShmemFile(&path, options.executable));
 
-    // Deleting the file prevents anyone else from mapping it in (making it
-    // private), and prevents the need for cleanup (once the last fd is closed,
-    // it is truly freed).
     if (fp) {
+      // Also open as readonly so that we can ShareReadOnlyToProcess.
+      *readonly_fd = HANDLE_EINTR(open(path.value().c_str(), O_RDONLY));
+      if (*readonly_fd < 0) {
+        DPLOG(ERROR) << "open(\"" << path.value().c_str()
+                     << "\", O_RDONLY) failed";
+        fp.reset();
+      }
+      // Deleting the file prevents anyone else from mapping it in (making it
+      // private), and prevents the need for cleanup (once the last fd is
+      // closed,

[Mark Mentovai, 2013/11/20 14:21:41]

Reflow this comment, this word doesn’t need to be so lonely.

[Jeffrey Yasskin, 2013/11/20 18:02:09]

Done.

+      // it is truly freed).
       if (unlink(path.value().c_str()))
         PLOG(WARNING) << "unlink";
     }
   } else {
     if (!FilePathForMemoryName(*options.name, &path))
       return false;
 
     // Make sure that the file is opened without any permission
     // to other users on the system.
     const mode_t kOwnerOnly = S_IRUSR | S_IWUSR;
@@ skipping 23 matching lines @@
            sb.st_uid != effective_uid)) {
         LOG(ERROR) <<
             "Invalid owner when opening existing shared memory file.";
         HANDLE_EINTR(close(fd));
         return false;
       }
 
       // An existing file was opened, so its size should not be fixed.
       fix_size = false;
     }
-    fp = NULL;
+
+    // Also open as readonly so that we can ShareReadOnlyToProcess.
+    *readonly_fd = HANDLE_EINTR(open(path.value().c_str(), O_RDONLY));
+    if (*readonly_fd < 0) {
+      DPLOG(ERROR) << "open(\"" << path.value().c_str()
+                   << "\", O_RDONLY) failed";
+      HANDLE_EINTR(close(fd));
+      fd = -1;
+    }
     if (fd >= 0) {
       // "a+" is always appropriate: if it's a new file, a+ is similar to w+.
-      fp = fdopen(fd, "a+");
+      fp.reset(fdopen(fd, "a+"));
     }
   }
   if (fp && fix_size) {
     // Get current size.
     struct stat stat;
-    if (fstat(fileno(fp), &stat) != 0) {
-      file_util::CloseFile(fp);
+    if (fstat(fileno(fp.get()), &stat) != 0)
       return false;
-    }
     const size_t current_size = stat.st_size;
     if (current_size != options.size) {
-      if (HANDLE_EINTR(ftruncate(fileno(fp), options.size)) != 0) {
-        file_util::CloseFile(fp);
+      if (HANDLE_EINTR(ftruncate(fileno(fp.get()), options.size)) != 0)
         return false;
-      }
     }
     requested_size_ = options.size;
   }
   if (fp == NULL) {
 #if !defined(OS_MACOSX)
     PLOG(ERROR) << "Creating shared memory in " << path.value() << " failed";
     FilePath dir = path.DirName();
     if (access(dir.value().c_str(), W_OK | X_OK) < 0) {
       PLOG(ERROR) << "Unable to access(W_OK|X_OK) " << dir.value();
       if (dir.value() == "/dev/shm") {
         LOG(FATAL) << "This is frequently caused by incorrect permissions on "
                    << "/dev/shm.  Try 'sudo chmod 1777 /dev/shm' to fix.";
       }
     }
 #else
     PLOG(ERROR) << "Creating shared memory in " << path.value() << " failed";
 #endif
     return false;
   }
 
-  return PrepareMapFile(fp);
+  return PrepareMapFile(fp.Pass(), readonly_fd.Pass());
 }
 
 // Our current implementation of shmem is with mmap()ing of files.
 // These files need to be deleted explicitly.
 // In practice this call is only needed for unit tests.
 bool SharedMemory::Delete(const std::string& name) {
   FilePath path;
   if (!FilePathForMemoryName(name, &path))
     return false;
 
   if (PathExists(path))
     return base::DeleteFile(path, false);
 
   // Doesn't exist, so success.
   return true;
 }
 
 bool SharedMemory::Open(const std::string& name, bool read_only) {
   FilePath path;
   if (!FilePathForMemoryName(name, &path))
     return false;
 
   read_only_ = read_only;
 
   const char *mode = read_only ? "r" : "r+";
-  FILE *fp = file_util::OpenFile(path, mode);
-  return PrepareMapFile(fp);
+  ScopedFILE fp(file_util::OpenFile(path, mode));
+  int readonly_fd = HANDLE_EINTR(open(path.value().c_str(), O_RDONLY));
+  if (readonly_fd < 0) {
+    DPLOG(ERROR) << "open(\"" << path.value().c_str() << "\", O_RDONLY) failed";
+  }
+  return PrepareMapFile(fp.Pass(), ScopedFD(&readonly_fd));

[Mark Mentovai, 2013/11/20 14:21:41]

Move the ScopedFD up (like you did above) to better handle early returns. These
can both be .Pass().

[Jeffrey Yasskin, 2013/11/20 18:02:09]

Done.

 }
 
 #endif  // !defined(OS_ANDROID)
 
 bool SharedMemory::MapAt(off_t offset, size_t bytes) {
   if (mapped_file_ == -1)
     return false;
 
   if (bytes > static_cast<size_t>(std::numeric_limits<int>::max()))
     return false;
@@ skipping 40 matching lines @@
 }
 
 void SharedMemory::Close() {
   Unmap();
 
   if (mapped_file_ > 0) {
     if (HANDLE_EINTR(close(mapped_file_)) < 0)
       PLOG(ERROR) << "close";
     mapped_file_ = -1;
   }
+  if (readonly_mapped_file_ > 0) {
+    if (HANDLE_EINTR(close(readonly_mapped_file_)) < 0)

[Mark Mentovai, 2013/11/20 14:21:41]

I have determined that it’s never correct to HANDLE_EINTR close.

This is always true on Linux. The story is sadder on Mac, but the bottom line is
that I did some heinous stuff to make it true there too. More details (if you’re
interested) at http://crbug.com/269623 .

I still haven’t done a cleanup of all of the HANDLE_EINTR(close) sites yet, but
new code should be written correctly, so you can fix this line, line 195, line
208, and line 333 while you’re here.

[Jeffrey Yasskin, 2013/11/20 18:02:09]

Oh, ok; done. It was very slightly easier to unwrap all the close()s in the
file, if that's all right.

+      PLOG(ERROR) << "close";
+    readonly_mapped_file_ = -1;
+  }
 }
 
 void SharedMemory::Lock() {
   g_thread_lock_.Get().Acquire();
   LockOrUnlockCommon(F_LOCK);
 }
 
 void SharedMemory::Unlock() {
   LockOrUnlockCommon(F_ULOCK);
   g_thread_lock_.Get().Release();
 }
 
 #if !defined(OS_ANDROID)
-bool SharedMemory::PrepareMapFile(FILE *fp) {
+bool SharedMemory::PrepareMapFile(ScopedFILE fp, ScopedFD readonly_fd) {
   DCHECK_EQ(-1, mapped_file_);
-  if (fp == NULL) return false;
+  DCHECK_EQ(-1, readonly_mapped_file_);
+  if (fp == NULL || *readonly_fd < 0) return false;
 
   // This function theoretically can block on the disk, but realistically
   // the temporary files we create will just go into the buffer cache
   // and be deleted before they ever make it out to disk.
   base::ThreadRestrictions::ScopedAllowIO allow_io;
 
-  file_util::ScopedFILE file_closer(fp);
+  struct stat st;
+  struct stat readonly_st;
+  if (fstat(fileno(fp.get()), &st))
+    NOTREACHED();
+  if (fstat(*readonly_fd, &readonly_st))
+    NOTREACHED();
+  if (st.st_dev != readonly_st.st_dev || st.st_ino != readonly_st.st_ino) {
+    LOG(ERROR) << "writable and read-only inodes don't match; bailing";
+    return false;
+  }
 
-  mapped_file_ = dup(fileno(fp));
+  mapped_file_ = dup(fileno(fp.get()));
   if (mapped_file_ == -1) {
     if (errno == EMFILE) {
       LOG(WARNING) << "Shared memory creation failed; out of file descriptors";
       return false;
     } else {
       NOTREACHED() << "Call to dup failed, errno=" << errno;
     }
   }
-
-  struct stat st;
-  if (fstat(mapped_file_, &st))
-    NOTREACHED();
   inode_ = st.st_ino;
+  readonly_mapped_file_ = *readonly_fd.release();
 
   return true;
 }
 #endif
 
 // For the given shmem named |mem_name|, return a filename to mmap()
 // (and possibly create).  Modifies |filename|.  Return false on
 // error, or true of we are happy.
 bool SharedMemory::FilePathForMemoryName(const std::string& mem_name,
                                          FilePath* path) {
@@ skipping 32 matching lines @@
       NOTREACHED() << "lockf() failed."
                    << " function:" << function
                    << " fd:" << mapped_file_
                    << " errno:" << errno
                    << " msg:" << safe_strerror(errno);
     }
   }
 }
 
 bool SharedMemory::ShareToProcessCommon(ProcessHandle process,
-                                        SharedMemoryHandle *new_handle,
-                                        bool close_self) {
-  const int new_fd = dup(mapped_file_);
+                                        SharedMemoryHandle* new_handle,
+                                        bool close_self,
+                                        ShareMode share_mode) {
+  int handle_to_dup = -1;
+  switch(share_mode) {
+    case SHARE_CURRENT_MODE:
+      handle_to_dup = mapped_file_;
+      break;
+    case SHARE_READONLY:
+      // We could imagine re-opening the file from /dev/fd, but that can't make
+      // it readonly on Mac: https://codereview.chromium.org/27265002/#msg10
+      CHECK(readonly_mapped_file_ >= 0);
+      handle_to_dup = readonly_mapped_file_;
+      break;
+  }
+
+  const int new_fd = dup(handle_to_dup);
   if (new_fd < 0) {
     DPLOG(ERROR) << "dup() failed.";
     return false;
   }
 
   new_handle->fd = new_fd;
   new_handle->auto_close = true;
 
   if (close_self)
     Close();
 
   return true;
 }
 
 }  // namespace base