authorrsesek@chromium.org <rsesek@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-05-25 16:29:45 +0000
committerrsesek@chromium.org <rsesek@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-05-25 16:29:45 +0000
commit32a93e0c1ac080239558a2ff6a499857d144571f (patch)
treed0239ad9a566322c79163a03d91351b3bf1cf127 /chrome/browser/nacl_host/nacl_file_host.cc
parentfa13583bee02fb9e2b02c7d761bfb291e9035abc (diff)
Revert 202278 "NaCl: enable meta-based validation for shared lib..."
Regressed Linux sizes for nacl_helper http://build.chromium.org/p/chromium/buildstatus?builder=Linux&number=39450 > NaCl: enable meta-based validation for shared libraries. > > This is the Chrome-side half of a CL to allow mmapping and skipping validation > for chrome-extension: files we have seen before and know are safe. To do this > we need to know the path of the file on disk, but we don't entirely trust the > renderer not to tamper with it. To work around this, a nonce is passed along > with the file handle. This nonce can be used by the NaCl process to acquire the > file handle directly from the browser process, as well as a fresh copy of the > file handle. > > This change significantly revises the OpenNaClExecutable method of the > PPB_NaCl_Private interface. The method was added in anticipation of this CL, but > the overall design shifted after the method was added. > > BUG=https://code.google.com/p/chromium/issues/detail?id=224434 > > Review URL: https://chromiumcodereview.appspot.com/14750007 TBR=ncbray@chromium.org Review URL: https://codereview.chromium.org/15820005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@202304 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/nacl_host/nacl_file_host.cc')
-rw-r--r--chrome/browser/nacl_host/nacl_file_host.cc66
1 files changed, 30 insertions, 36 deletions
diff --git a/chrome/browser/nacl_host/nacl_file_host.cc b/chrome/browser/nacl_host/nacl_file_host.cc
index 16015ca..7cb61e6 100644
--- a/chrome/browser/nacl_host/nacl_file_host.cc
+++ b/chrome/browser/nacl_host/nacl_file_host.cc
@@ -12,7 +12,6 @@
#include "base/threading/sequenced_worker_pool.h"
#include "base/utf_string_conversions.h"
#include "chrome/browser/extensions/extension_info_map.h"
-#include "chrome/browser/nacl_host/nacl_browser.h"
#include "chrome/browser/renderer_host/chrome_render_message_filter.h"
#include "chrome/common/chrome_paths.h"
#include "chrome/common/extensions/manifest_handlers/shared_module_info.h"
@@ -129,29 +128,6 @@ void DoCreateTemporaryFile(
chrome_render_message_filter->Send(reply_msg);
}
-void DoRegisterOpenedNaClExecutableFile(
- scoped_refptr<ChromeRenderMessageFilter> chrome_render_message_filter,
- base::PlatformFile file,
- base::FilePath file_path,
- IPC::Message* reply_msg) {
- // IO thread owns the NaClBrowser singleton.
- DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
-
- NaClBrowser* nacl_browser = NaClBrowser::GetInstance();
- uint64_t file_token_lo = 0;
- uint64_t file_token_hi = 0;
- nacl_browser->PutFilePath(file_path, &file_token_lo, &file_token_hi);
-
- IPC::PlatformFileForTransit file_desc = IPC::GetFileHandleForProcess(
- file,
- chrome_render_message_filter->peer_handle(),
- true /* close_source */);
-
- ChromeViewHostMsg_OpenNaClExecutable::WriteReplyParams(
- reply_msg, file_desc, file_token_lo, file_token_hi);
- chrome_render_message_filter->Send(reply_msg);
-}
-
// Convert the file URL into a file path in the extension directory.
// This function is security sensitive. Be sure to check with a security
// person before you modify it.
@@ -218,21 +194,39 @@ void DoOpenNaClExecutableOnThreadPool(
return;
}
- base::PlatformFile file;
- nacl::OpenNaClExecutableImpl(file_path, &file);
- if (file != base::kInvalidPlatformFileValue) {
- // This function is running on the blocking pool, but the path needs to be
- // registered in a structure owned by the IO thread.
- BrowserThread::PostTask(
- BrowserThread::IO, FROM_HERE,
- base::Bind(
- &DoRegisterOpenedNaClExecutableFile,
- chrome_render_message_filter,
- file, file_path, reply_msg));
- } else {
+ // Get a file descriptor. On Windows, we need 'GENERIC_EXECUTE' in order to
+ // memory map the executable.
+ // IMPORTANT: This file descriptor must not have write access - that could
+ // allow a sandbox escape.
+ base::PlatformFileError error_code;
+ base::PlatformFile file = base::CreatePlatformFile(
+ file_path,
+ base::PLATFORM_FILE_OPEN |
+ base::PLATFORM_FILE_READ |
+ base::PLATFORM_FILE_EXECUTE, // Windows only flag.
+ NULL,
+ &error_code);
+ if (error_code != base::PLATFORM_FILE_OK) {
NotifyRendererOfError(chrome_render_message_filter, reply_msg);
return;
}
+ // Check that the file does not reference a directory. Returning a descriptor
+ // to an extension directory could allow a sandbox escape.
+ base::PlatformFileInfo file_info;
+ if (!base::GetPlatformFileInfo(file, &file_info) || file_info.is_directory)
+ {
+ NotifyRendererOfError(chrome_render_message_filter, reply_msg);
+ return;
+ }
+
+ IPC::PlatformFileForTransit file_desc = IPC::GetFileHandleForProcess(
+ file,
+ chrome_render_message_filter->peer_handle(),
+ true /* close_source */);
+
+ ChromeViewHostMsg_OpenNaClExecutable::WriteReplyParams(
+ reply_msg, file_path, file_desc);
+ chrome_render_message_filter->Send(reply_msg);
}
} // namespace
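Review bot: The directory check (`if (!base::GetPlatformFileInfo(file, &file_info) || file_info.is_directory)`) returns through NotifyRendererOfError without closing the handle that base::CreatePlatformFile opened a few lines earlier, so every rejected directory or failed stat leaks a browser-process file handle; add `base::ClosePlatformFile(file);` before the NotifyRendererOfError call in that branch. The check itself is done on the already-open handle rather than on the path, which is the right order since it cannot be raced by swapping the path on disk between check and open. Because this is a revert, the reply once again carries `file_path` to the renderer in WriteReplyParams, and the reverted commit's own description says the renderer is not trusted with that path; if the path is only informational on the receiving side, a comment such as `// file_path is sent for the renderer's convenience only; nothing on the browser side must trust it when it comes back.` would keep the next reader from building validation decisions on it. DoOpenNaClExecutableOnThreadPool's signature and the start of its body are outside the hunk.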