path: root/chrome/browser/nacl_host/nacl_file_host.cc
authorncbray@chromium.org <ncbray@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-05-25 14:10:09 +0000
committerncbray@chromium.org <ncbray@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-05-25 14:10:09 +0000
commit8adc12577f8f982a13411594c6a7a16c9697e37d (patch)
tree405c7345a70f180d0fc8281608c64a7c79e14fb5 /chrome/browser/nacl_host/nacl_file_host.cc
parent5816c3af91eeeefbdea545a7c3d111fe621abe45 (diff)
NaCl: enable meta-based validation for shared libraries.
This is the Chrome-side half of a CL to allow mmaping and skipping validation for chrome-extension: files we have seen before and know are safe. To do this we need to know the path of the file on disk, but we don't entirely trust the renderer not to tamper with it. To work around this, a nonce is passed along with the file handle. This nonce can be used by the NaCl process to acquire the file handle directly from the browser process, as well as a fresh copy of the file handle. This change significantly revises the OpenNaClExecutable method of the PPB_NaCl_Private interface. The method was added in anticipation of this CL, but the overall design shifted after the method was added. BUG=https://code.google.com/p/chromium/issues/detail?id=224434 Review URL: https://chromiumcodereview.appspot.com/14750007 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@202278 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/nacl_host/nacl_file_host.cc')
-rw-r--r--chrome/browser/nacl_host/nacl_file_host.cc66
1 files changed, 36 insertions, 30 deletions
diff --git a/chrome/browser/nacl_host/nacl_file_host.cc b/chrome/browser/nacl_host/nacl_file_host.cc
index 7cb61e6..16015ca 100644
--- a/chrome/browser/nacl_host/nacl_file_host.cc
+++ b/chrome/browser/nacl_host/nacl_file_host.cc
@@ -12,6 +12,7 @@
#include "base/threading/sequenced_worker_pool.h"
#include "base/utf_string_conversions.h"
#include "chrome/browser/extensions/extension_info_map.h"
+#include "chrome/browser/nacl_host/nacl_browser.h"
#include "chrome/browser/renderer_host/chrome_render_message_filter.h"
#include "chrome/common/chrome_paths.h"
#include "chrome/common/extensions/manifest_handlers/shared_module_info.h"
@@ -128,6 +129,29 @@ void DoCreateTemporaryFile(
chrome_render_message_filter->Send(reply_msg);
}
+void DoRegisterOpenedNaClExecutableFile(
+ scoped_refptr<ChromeRenderMessageFilter> chrome_render_message_filter,
+ base::PlatformFile file,
+ base::FilePath file_path,
+ IPC::Message* reply_msg) {
+ // IO thread owns the NaClBrowser singleton.
+ DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
+
+ NaClBrowser* nacl_browser = NaClBrowser::GetInstance();
+ uint64_t file_token_lo = 0;
+ uint64_t file_token_hi = 0;
+ nacl_browser->PutFilePath(file_path, &file_token_lo, &file_token_hi);
+
+ IPC::PlatformFileForTransit file_desc = IPC::GetFileHandleForProcess(
+ file,
+ chrome_render_message_filter->peer_handle(),
+ true /* close_source */);
+
+ ChromeViewHostMsg_OpenNaClExecutable::WriteReplyParams(
+ reply_msg, file_desc, file_token_lo, file_token_hi);
+ chrome_render_message_filter->Send(reply_msg);
+}
+
// Convert the file URL into a file path in the extension directory.
// This function is security sensitive. Be sure to check with a security
// person before you modify it.
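Review bot: DoRegisterOpenedNaClExecutableFile has no header comment, and its contract — why the path is registered with the IO-thread NaClBrowser and what the two token halves mean to the receiver — is stated only in the commit description, not in the file. Suggest above the definition: `// Registers |file_path| with NaClBrowser (IO thread) and replies with the resulting token pair next to the duplicated handle; the token, not a renderer-supplied path, is what the NaCl process later presents to re-obtain the file from the browser.` Separately, PutFilePath runs before IPC::GetFileHandleForProcess; if that duplication can fail, the reply would carry a registered token together with an invalid handle, so it may be cleaner to duplicate first and register only when file_desc is valid — I cannot see PutFilePath's failure behaviour from this hunk, so treat that as a question for the author.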
@@ -194,39 +218,21 @@ void DoOpenNaClExecutableOnThreadPool(
return;
}
- // Get a file descriptor. On Windows, we need 'GENERIC_EXECUTE' in order to
- // memory map the executable.
- // IMPORTANT: This file descriptor must not have write access - that could
- // allow a sandbox escape.
- base::PlatformFileError error_code;
- base::PlatformFile file = base::CreatePlatformFile(
- file_path,
- base::PLATFORM_FILE_OPEN |
- base::PLATFORM_FILE_READ |
- base::PLATFORM_FILE_EXECUTE, // Windows only flag.
- NULL,
- &error_code);
- if (error_code != base::PLATFORM_FILE_OK) {
- NotifyRendererOfError(chrome_render_message_filter, reply_msg);
- return;
- }
- // Check that the file does not reference a directory. Returning a descriptor
- // to an extension directory could allow a sandbox escape.
- base::PlatformFileInfo file_info;
- if (!base::GetPlatformFileInfo(file, &file_info) || file_info.is_directory)
- {
+ base::PlatformFile file;
+ nacl::OpenNaClExecutableImpl(file_path, &file);
+ if (file != base::kInvalidPlatformFileValue) {
+ // This function is running on the blocking pool, but the path needs to be
+ // registered in a structure owned by the IO thread.
+ BrowserThread::PostTask(
+ BrowserThread::IO, FROM_HERE,
+ base::Bind(
+ &DoRegisterOpenedNaClExecutableFile,
+ chrome_render_message_filter,
+ file, file_path, reply_msg));
+ } else {
NotifyRendererOfError(chrome_render_message_filter, reply_msg);
return;
}
-
- IPC::PlatformFileForTransit file_desc = IPC::GetFileHandleForProcess(
- file,
- chrome_render_message_filter->peer_handle(),
- true /* close_source */);
-
- ChromeViewHostMsg_OpenNaClExecutable::WriteReplyParams(
- reply_msg, file_path, file_desc);
- chrome_render_message_filter->Send(reply_msg);
}
} // namespace
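Review bot: `base::PlatformFile file;` is declared uninitialized before `nacl::OpenNaClExecutableImpl(file_path, &file)`, so the comparison against base::kInvalidPlatformFileValue reads an indeterminate value unless the callee writes the out-param on every path, which this file cannot show; initialize it, `base::PlatformFile file = base::kInvalidPlatformFileValue;`. The removed comments about opening without write access and rejecting directories were flagged in this file as sandbox-escape concerns and now presumably live in OpenNaClExecutableImpl; keep a one-line pointer at the call site so the requirement stays visible here, e.g. `// OpenNaClExecutableImpl must open read/execute-only and reject directories; either would allow a sandbox escape.` On the success path the open handle and reply_msg are handed to the IO thread via PostTask with no check of its result; if the post fails at shutdown neither is released, which may be acceptable but deserves a comment. DoOpenNaClExecutableOnThreadPool begins before this hunk.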