authormnissler@chromium.org <mnissler@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-09-08 18:06:44 +0000
committermnissler@chromium.org <mnissler@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-09-08 18:06:44 +0000
commitc98851c7cbde850757fde78cb8259e53afb7b360 (patch)
treeeaee5a0b3e6e4cdfb6355ae1a35004ce6dfcc13b
parent387cbf8c77d05be7c2fb6d9d80408d3325acde8c (diff)
Make NaCl PPAPI proxy honor the Disable3DApis policy.
BUG=chromium:90037 TEST=manual Review URL: http://codereview.chromium.org/7808001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@100192 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/renderer/chrome_ppapi_interfaces.cc8
-rw-r--r--ppapi/api/private/ppb_nacl_private.idl10
-rw-r--r--ppapi/c/private/ppb_nacl_private.h9
-rw-r--r--ppapi/native_client/src/shared/ppapi_proxy/browser_globals.cc42
-rw-r--r--ppapi/native_client/src/shared/ppapi_proxy/browser_globals.h7
-rw-r--r--ppapi/native_client/src/shared/ppapi_proxy/browser_nacl_file_rpc_server.cc12
-rw-r--r--ppapi/native_client/src/shared/ppapi_proxy/browser_ppp.cc14
-rw-r--r--ppapi/native_client/src/trusted/plugin/plugin.cc8
-rw-r--r--ppapi/native_client/src/trusted/plugin/plugin.h11
9 files changed, 90 insertions, 31 deletions
diff --git a/chrome/renderer/chrome_ppapi_interfaces.cc b/chrome/renderer/chrome_ppapi_interfaces.cc
index ede01ca..818b1d9 100644
--- a/chrome/renderer/chrome_ppapi_interfaces.cc
+++ b/chrome/renderer/chrome_ppapi_interfaces.cc
@@ -4,11 +4,13 @@
#include "chrome/renderer/chrome_ppapi_interfaces.h"
+#include "base/command_line.h"
#include "base/logging.h"
#include "base/rand_util_c.h"
#include "base/utf_string_conversions.h"
#include "chrome/common/render_messages.h"
#include "chrome/renderer/chrome_ppb_pdf_impl.h"
+#include "content/common/content_switches.h"
#include "content/renderer/render_thread.h"
#include "ppapi/c/private/ppb_nacl_private.h"
#include "ppapi/c/private/ppb_pdf.h"
@@ -57,9 +59,14 @@ int UrandomFD(void) {
#endif
}
+bool Are3DInterfacesDisabled() {
+ return CommandLine::ForCurrentProcess()->HasSwitch(switches::kDisable3DAPIs);
+}
+
const PPB_NaCl_Private ppb_nacl = {
&LaunchSelLdr,
&UrandomFD,
+ &Are3DInterfacesDisabled,
};
class PPB_NaCl_Impl {
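Review bot: `Are3DInterfacesDisabled()` is added without a comment saying what it reports. The `ppb_nacl` table is also initialized positionally, so `&Are3DInterfacesDisabled` is only correct while it stays in the same slot as the member in `struct PPB_NaCl_Private`. I would add `// Returns true when switches::kDisable3DAPIs is set on this process's command line; the NaCl proxy uses it to withhold the 3D interfaces.` above the function and `// Entry order must match struct PPB_NaCl_Private.` above the table. How the Disable3DApis policy reaches this process's command line is not visible in the hunk, so the comment should not claim more than that.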
@@ -92,4 +99,3 @@ void UninitializePPAPI() {
}
} // namespace chrome
-
diff --git a/ppapi/api/private/ppb_nacl_private.idl b/ppapi/api/private/ppb_nacl_private.idl
index fc31dbb..2642a8e 100644
--- a/ppapi/api/private/ppb_nacl_private.idl
+++ b/ppapi/api/private/ppb_nacl_private.idl
@@ -1,4 +1,4 @@
-/* Copyright (c) 2010 The Chromium Authors. All rights reserved.
+/* Copyright (c) 2011 The Chromium Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
@@ -6,7 +6,7 @@
/* This file contains NaCl private interfaces. */
/* PPB_NaCl_Private */
-interface PPB_NaCl_Private_0_1 {
+interface PPB_NaCl_Private_0_2 {
/* This function launches NaCl's sel_ldr process. On success, the function
* returns true, otherwise it returns false. When it returns true, it will
* write |socket_count| nacl::Handles to imc_handles and will write the
@@ -25,4 +25,10 @@ interface PPB_NaCl_Private_0_1 {
* /dev/urandom. On non-POSIX systems, this function returns 0.
*/
int32_t UrandomFD();
+
+ /* Whether the Pepper 3D interfaces should be disabled in the NaCl PPAPI
+ * proxy. This is so paranoid admins can effectively prevent untrusted shader
+ * code to be processed by the graphics stack.
+ */
+ bool Are3DInterfacesDisabled();
};
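Review bot: The new comment on `Are3DInterfacesDisabled()` is ungrammatical ("prevent untrusted shader code to be processed") and never says what a true return obliges the caller to do. The same text is repeated in ppapi/c/private/ppb_nacl_private.h. Suggested wording for both: `Returns true if the Pepper 3D interfaces must be withheld from NaCl modules, so that administrators can keep untrusted shader code from being processed by the graphics stack.`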
diff --git a/ppapi/c/private/ppb_nacl_private.h b/ppapi/c/private/ppb_nacl_private.h
index 3b07a9b..b741ae2 100644
--- a/ppapi/c/private/ppb_nacl_private.h
+++ b/ppapi/c/private/ppb_nacl_private.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -8,7 +8,7 @@
#include "ppapi/c/pp_resource.h"
#include "ppapi/c/pp_stdint.h"
-#define PPB_NACL_PRIVATE_INTERFACE "PPB_NaCl(Private);0.1"
+#define PPB_NACL_PRIVATE_INTERFACE "PPB_NaCl(Private);0.2"
struct PPB_NaCl_Private {
// This function launches NaCl's sel_ldr process. On success, the function
@@ -24,6 +24,11 @@ struct PPB_NaCl_Private {
// On POSIX systems, this function returns the file descriptor of
// /dev/urandom. On non-POSIX systems, this function returns 0.
int (*UrandomFD)(void);
+
+ // Whether the Pepper 3D interfaces should be disabled in the NaCl PPAPI
+ // proxy. This is so paranoid admins can effectively prevent untrusted shader
+ // code to be processed by the graphics stack.
+ bool (*Are3DInterfacesDisabled)();
};
#endif // PPAPI_C_PRIVATE_PPB_NACL_PRIVATE_H_
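Review bot: `bool (*Are3DInterfacesDisabled)();` declares a function pointer with no prototype when this header is compiled as C, while the `UrandomFD` member directly above it uses `(void)`. Writing it as `bool (*Are3DInterfacesDisabled)(void);` keeps the two members consistent and lets the compiler reject calls that pass arguments. The opening of `struct PPB_NaCl_Private` lies outside this hunk.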
diff --git a/ppapi/native_client/src/shared/ppapi_proxy/browser_globals.cc b/ppapi/native_client/src/shared/ppapi_proxy/browser_globals.cc
index 830e7bf..cf56272 100644
--- a/ppapi/native_client/src/shared/ppapi_proxy/browser_globals.cc
+++ b/ppapi/native_client/src/shared/ppapi_proxy/browser_globals.cc
@@ -7,6 +7,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+
#include <map>
#include "native_client/src/include/nacl_macros.h"
@@ -15,6 +16,14 @@
#include "native_client/src/shared/ppapi_proxy/utility.h"
#include "native_client/src/shared/srpc/nacl_srpc.h"
#include "native_client/src/trusted/plugin/plugin.h"
+#include "ppapi/c/dev/ppb_context_3d_dev.h"
+#include "ppapi/c/dev/ppb_context_3d_trusted_dev.h"
+#include "ppapi/c/dev/ppb_gles_chromium_texture_mapping_dev.h"
+#include "ppapi/c/dev/ppb_layer_compositor_dev.h"
+#include "ppapi/c/dev/ppb_surface_3d_dev.h"
+#include "ppapi/c/ppb_graphics_3d.h"
+#include "ppapi/c/ppb_opengles.h"
+#include "ppapi/c/trusted/ppb_graphics_3d_trusted.h"
namespace ppapi_proxy {
@@ -39,14 +48,17 @@ std::map<NaClSrpcChannel*, PP_Instance>* channel_to_instance_id_map = NULL;
// is requesting PPAPI Dev interfaces to be available.
// Set by SetPPBGetInterface().
PPB_GetInterface get_interface = NULL;
-bool plugin_requests_dev_interface = false;
+bool enable_dev_interfaces = false;
+
+// Whether Pepper 3D interfaces should be enabled.
+bool enable_3d_interfaces = true;
} // namespace
// By default, disable developer (Dev) interfaces. To enable developer
// interfaces, set the environment variable NACL_ENABLE_PPAPI_DEV to 1.
// Also, the plugin can request whether or not to enable dev interfaces.
-bool DevInterfaceEnabled() {
+bool AreDevInterfacesEnabled() {
static bool first = true;
static bool env_dev_enabled = false;
if (first) {
@@ -59,7 +71,7 @@ bool DevInterfaceEnabled() {
}
first = false;
}
- return env_dev_enabled || plugin_requests_dev_interface;
+ return env_dev_enabled || enable_dev_interfaces;
}
@@ -175,9 +187,11 @@ void CleanUpAfterDeadNexe(PP_Instance instance) {
}
void SetPPBGetInterface(PPB_GetInterface get_interface_function,
- bool dev_interface) {
+ bool allow_dev_interfaces,
+ bool allow_3d_interfaces) {
get_interface = get_interface_function;
- plugin_requests_dev_interface = dev_interface;
+ enable_dev_interfaces = allow_dev_interfaces;
+ enable_3d_interfaces = allow_3d_interfaces;
}
const void* GetBrowserInterface(const char* interface_name) {
@@ -187,9 +201,25 @@ const void* GetBrowserInterface(const char* interface_name) {
return NULL;
}
// If dev interface is not enabled, reject interfaces containing "(Dev)"
- if (!DevInterfaceEnabled() && strstr(interface_name, "(Dev)") != NULL) {
+ if (!AreDevInterfacesEnabled() && strstr(interface_name, "(Dev)") != NULL) {
return NULL;
}
+ if (!enable_3d_interfaces) {
+ static const char* disabled_interface_names[] = {
+ PPB_GRAPHICS_3D_INTERFACE,
+ PPB_GRAPHICS_3D_TRUSTED_INTERFACE,
+ PPB_CONTEXT_3D_DEV_INTERFACE,
+ PPB_CONTEXT_3D_TRUSTED_DEV_INTERFACE,
+ PPB_GLES_CHROMIUM_TEXTURE_MAPPING_DEV_INTERFACE,
+ PPB_OPENGLES2_INTERFACE,
+ PPB_SURFACE_3D_DEV_INTERFACE,
+ PPB_LAYER_COMPOSITOR_DEV_INTERFACE
+ };
+ for (int i = 0; i < NACL_ARRAY_SIZE(disabled_interface_names); i++) {
+ if (strcmp(interface_name, disabled_interface_names[i]) == 0)
+ return NULL;
+ }
+ }
return (*get_interface)(interface_name);
}
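Review bot: The 3D filter in `GetBrowserInterface` is a deny list matched with `strcmp` against the current interface macros, so it rejects only the exact strings listed. If those macros carry a version suffix the way `PPB_NACL_PRIVATE_INTERFACE` does ("PPB_NaCl(Private);0.2"), a request for another version of the same interface that the browser still serves would pass, and so would any 3D-capable interface added later. Comparing only the part before the `;` closes the first gap. A comment such as `// Must list every PPB interface that reaches the GPU; update when one is added.` documents the second. The loop index should also be `size_t`, since `NACL_ARRAY_SIZE` presumably yields an unsigned value. The start of the function is outside the hunk.
```cpp
  if (!enable_3d_interfaces) {
    // … unchanged: disabled_interface_names[] table …
    for (size_t i = 0; i < NACL_ARRAY_SIZE(disabled_interface_names); i++) {
      // Compare only the name in front of ";version" so that every version
      // of a disabled interface is rejected, not just the current one.
      const size_t name_len = strcspn(disabled_interface_names[i], ";");
      if (strncmp(interface_name, disabled_interface_names[i], name_len) == 0 &&
          (interface_name[name_len] == ';' || interface_name[name_len] == '\0'))
        return NULL;
    }
  }
```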
diff --git a/ppapi/native_client/src/shared/ppapi_proxy/browser_globals.h b/ppapi/native_client/src/shared/ppapi_proxy/browser_globals.h
index 66e311b..b61ce110 100644
--- a/ppapi/native_client/src/shared/ppapi_proxy/browser_globals.h
+++ b/ppapi/native_client/src/shared/ppapi_proxy/browser_globals.h
@@ -52,10 +52,10 @@ namespace ppapi_proxy {
// channel used to talk to the instance.
class BrowserPpp;
-// Returns true if the PPAPI Developer interface is enabled.
+// Returns true if the PPAPI Developer interfaces are enabled.
// To enable, set the environment variable NACL_ENABLE_PPAPI_DEV=1
// Note: Developer interfaces are _not_ enabled by default.
-bool DevInterfaceEnabled();
+bool AreDevInterfacesEnabled();
// Associate a particular BrowserPpp with a PP_Instance value. This allows the
// browser side to look up information it needs to communicate with the stub.
@@ -91,7 +91,8 @@ void CleanUpAfterDeadNexe(PP_Instance instance);
// Support for getting PPB_ browser interfaces.
// Safe version CHECK's for NULL.
void SetPPBGetInterface(PPB_GetInterface get_interface_function,
- bool dev_interface);
+ bool allow_dev_interfaces,
+ bool allow_3d_interfaces);
const void* GetBrowserInterface(const char* interface_name);
const void* GetBrowserInterfaceSafe(const char* interface_name);
// Functions marked "shared" are to be provided by both the browser and the
diff --git a/ppapi/native_client/src/shared/ppapi_proxy/browser_nacl_file_rpc_server.cc b/ppapi/native_client/src/shared/ppapi_proxy/browser_nacl_file_rpc_server.cc
index 895dbd0..bd2547c 100644
--- a/ppapi/native_client/src/shared/ppapi_proxy/browser_nacl_file_rpc_server.cc
+++ b/ppapi/native_client/src/shared/ppapi_proxy/browser_nacl_file_rpc_server.cc
@@ -16,10 +16,10 @@
#include "ppapi/c/pp_completion_callback.h"
#include "srpcgen/ppb_rpc.h"
-using ppapi_proxy::MakeRemoteCompletionCallback;
-using ppapi_proxy::LookupBrowserPppForInstance;
+using ppapi_proxy::AreDevInterfacesEnabled;
using ppapi_proxy::DebugPrintf;
-using ppapi_proxy::DevInterfaceEnabled;
+using ppapi_proxy::LookupBrowserPppForInstance;
+using ppapi_proxy::MakeRemoteCompletionCallback;
void NaClFileRpcServer::StreamAsFile(
NaClSrpcRpc* rpc,
@@ -45,8 +45,8 @@ void NaClFileRpcServer::StreamAsFile(
}
// GetFileDesc() will only provide file descriptors if the PPAPI Dev interface
-// is enabled. By default, it is _not_ enabled. See DevInterfaceEnabled() for
-// information on how to enable.
+// is enabled. By default, it is _not_ enabled. See AreDevInterfacesEnabled()
+// for information on how to enable.
void NaClFileRpcServer::GetFileDesc(
NaClSrpcRpc* rpc,
NaClSrpcClosure* done,
@@ -63,7 +63,7 @@ void NaClFileRpcServer::GetFileDesc(
NaClSrpcClosureRunner runner(done);
rpc->result = NACL_SRPC_RESULT_APP_ERROR;
- if (DevInterfaceEnabled()) {
+ if (AreDevInterfacesEnabled()) {
plugin::Plugin* plugin = LookupBrowserPppForInstance(instance)->plugin();
int32_t posix_file_desc = plugin->GetPOSIXFileDesc(url);
DebugPrintf("NaClFile::GetFileDesc: posix_file_desc=%"NACL_PRId32"\n",
diff --git a/ppapi/native_client/src/shared/ppapi_proxy/browser_ppp.cc b/ppapi/native_client/src/shared/ppapi_proxy/browser_ppp.cc
index 683e45b0..69bdc14 100644
--- a/ppapi/native_client/src/shared/ppapi_proxy/browser_ppp.cc
+++ b/ppapi/native_client/src/shared/ppapi_proxy/browser_ppp.cc
@@ -26,7 +26,6 @@
#include "native_client/src/shared/ppapi_proxy/utility.h"
#include "native_client/src/trusted/desc/nacl_desc_wrapper.h"
#include "native_client/src/trusted/plugin/plugin.h"
-#include "ppapi/c/ppp_input_event.h"
#include "ppapi/c/dev/ppp_find_dev.h"
#include "ppapi/c/dev/ppp_mouse_lock_dev.h"
#include "ppapi/c/dev/ppp_printing_dev.h"
@@ -36,6 +35,8 @@
#include "ppapi/c/dev/ppp_zoom_dev.h"
#include "ppapi/c/pp_errors.h"
#include "ppapi/c/ppp.h"
+#include "ppapi/c/ppp_input_event.h"
+#include "ppapi/c/private/ppb_nacl_private.h"
namespace ppapi_proxy {
@@ -58,7 +59,16 @@ void PPBGetInterfaces() {
int32_t BrowserPpp::InitializeModule(PP_Module module_id,
PPB_GetInterface get_browser_interface) {
DebugPrintf("PPP_InitializeModule: module=%"NACL_PRIu32"\n", module_id);
- SetPPBGetInterface(get_browser_interface, plugin_->enable_dev_interface());
+ // Ask the browser for an interface which provides missing functions
+ const PPB_NaCl_Private* ppb_nacl = reinterpret_cast<const PPB_NaCl_Private*>(
+ get_browser_interface(PPB_NACL_PRIVATE_INTERFACE));
+ if (ppb_nacl == NULL) {
+ DebugPrintf("PPP_InitializeModule: NaCl private interface missing!\n");
+ return PP_ERROR_FAILED;
+ }
+ SetPPBGetInterface(get_browser_interface,
+ plugin_->enable_dev_interfaces(),
+ !ppb_nacl->Are3DInterfacesDisabled());
PPBGetInterfaces();
SetBrowserPppForInstance(plugin_->pp_instance(), this);
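Review bot: The comment `// Ask the browser for an interface which provides missing functions` in `InitializeModule` does not explain why a missing interface now aborts module initialization. The early `return PP_ERROR_FAILED` is what keeps the 3D policy from being skipped when the private interface is unavailable, and the comment should say so, e.g. `// The NaCl private interface reports whether 3D interfaces are disabled by policy; fail initialization without it rather than default to enabled.` The value is read once here and stored by `SetPPBGetInterface`, so it is worth stating that it is not re-evaluated afterwards. The rest of the function body lies outside the hunk.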
diff --git a/ppapi/native_client/src/trusted/plugin/plugin.cc b/ppapi/native_client/src/trusted/plugin/plugin.cc
index a676c32..5bc621c 100644
--- a/ppapi/native_client/src/trusted/plugin/plugin.cc
+++ b/ppapi/native_client/src/trusted/plugin/plugin.cc
@@ -16,8 +16,8 @@
#include <stdlib.h>
#include <string.h>
-#include <sys/types.h>
#include <sys/stat.h>
+#include <sys/types.h>
#include <algorithm>
#include <deque>
@@ -879,7 +879,7 @@ bool Plugin::Init(uint32_t argc, const char* argn[], const char* argv[]) {
// and 'nacl' will be the URL for the manifest.
if (IsForeignMIMEType()) {
manifest_url = LookupArgument(kNaClManifestAttribute);
- enable_dev_interface_ = RequiresDevInterface(manifest_url);
+ enable_dev_interfaces_ = RequiresDevInterfaces(manifest_url);
}
// Use the document URL as the base for resolving relative URLs to find the
// manifest. This takes into account the setting of <base> tags that
@@ -928,7 +928,7 @@ Plugin::Plugin(PP_Instance pp_instance)
wrapper_factory_(NULL),
last_error_string_(""),
ppapi_proxy_(NULL),
- enable_dev_interface_(false),
+ enable_dev_interfaces_(false),
replayDidChangeView(false),
replayHandleDocumentLoad(false),
init_time_(0),
@@ -1219,7 +1219,7 @@ void Plugin::BitcodeDidTranslateContinuation(int32_t pp_error) {
// Check manifest_url and return whether or not to enable PPAPI Dev interfaces.
// Returning true here will enable the PPAPI Dev interfaces regardless of
// the environment variable NACL_ENABLE_PPAPI_DEV.
-bool Plugin::RequiresDevInterface(const nacl::string& manifest_url) {
+bool Plugin::RequiresDevInterfaces(const nacl::string& manifest_url) {
const char* extensions[] = {
"chrome-extension://acadkphlmlegjaadjagenfimbpphcgnh/", // PDF
};
diff --git a/ppapi/native_client/src/trusted/plugin/plugin.h b/ppapi/native_client/src/trusted/plugin/plugin.h
index 3918aff..35e0f8b 100644
--- a/ppapi/native_client/src/trusted/plugin/plugin.h
+++ b/ppapi/native_client/src/trusted/plugin/plugin.h
@@ -9,9 +9,10 @@
#define NATIVE_CLIENT_SRC_TRUSTED_PLUGIN_PLUGIN_H_
#include <stdio.h>
+
#include <map>
-#include <set>
#include <queue>
+#include <set>
#include <string>
#include <vector>
@@ -46,8 +47,8 @@ class MouseLock_Dev;
class Printing_Dev;
class Selection_Dev;
class URLLoader;
-class WidgetClient_Dev;
class URLUtil_Dev;
+class WidgetClient_Dev;
class Zoom_Dev;
}
@@ -297,7 +298,7 @@ class Plugin : public pp::InstancePrivate {
// Tests if the MIME type is not a NaCl MIME type.
bool IsForeignMIMEType() const;
// Returns true if PPAPI Dev interfaces should be allowed.
- bool enable_dev_interface() { return enable_dev_interface_; }
+ bool enable_dev_interfaces() { return enable_dev_interfaces_; }
Manifest const* manifest() const { return manifest_.get(); }
@@ -351,7 +352,7 @@ class Plugin : public pp::InstancePrivate {
MethodInfo* GetMethodInfo(uintptr_t method_id, CallType call_type);
// Check url and decide if PPAPI Dev interfaces are required.
- bool RequiresDevInterface(const nacl::string& manifest_url);
+ bool RequiresDevInterfaces(const nacl::string& manifest_url);
// Callback used when getting the URL for the .nexe file. If the URL loading
// is successful, the file descriptor is opened and can be passed to sel_ldr
@@ -468,7 +469,7 @@ class Plugin : public pp::InstancePrivate {
ppapi_proxy::BrowserPpp* ppapi_proxy_;
// PPAPI Dev interfaces are disabled by default.
- bool enable_dev_interface_;
+ bool enable_dev_interfaces_;
// If we get a DidChangeView event before the nexe is loaded, we store it and
// replay it to nexe after it's loaded.