authorncbray@chromium.org <ncbray@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-05-29 00:19:27 +0000
committerncbray@chromium.org <ncbray@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-05-29 00:19:27 +0000
commit041834525ed2e88ecdd260f449011d778fe6cf2a (patch)
treef41851d0f9ff423856b5c9c69f72d5c9bc299de6 /chrome/nacl
parent045098dbcd386e23ee9b69d9d453f5ec41cc8298 (diff)
NaCl: enable meta-based validation for shared libraries.
This is the Chrome-side half of a CL to allow mmaping and skipping validation for chrome-extension: files we have seen before and know are safe. To do this we need to know the path of the file on disk, but we don't entirely trust the renderer not to tamper with it. To work around this, a nonce is passed along with the file handle. This nonce can be used by the NaCl process to acquire the file handle directly from the browser process, as well as a fresh copy of the file handle. This change significantly revises the OpenNaClExecutable method of the PPB_NaCl_Private interface. The method was added in anticipation of this CL, but the overall design shifted after the method was added. BUG=https://code.google.com/p/chromium/issues/detail?id=224434 Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=202278 R=dmichael@chromium.org, jschuh@chromium.org, mseaborn@chromium.org Review URL: https://codereview.chromium.org/14750007 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@202702 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/nacl')
-rw-r--r--chrome/nacl/nacl_listener.cc33
-rw-r--r--chrome/nacl/nacl_validation_db.h4
-rw-r--r--chrome/nacl/nacl_validation_query.cc28
-rw-r--r--chrome/nacl/nacl_validation_query.h4
-rw-r--r--chrome/nacl/nacl_validation_query_unittest.cc7
5 files changed, 76 insertions, 0 deletions
diff --git a/chrome/nacl/nacl_listener.cc b/chrome/nacl/nacl_listener.cc
index b0b27e9..d70ecd1 100644
--- a/chrome/nacl/nacl_listener.cc
+++ b/chrome/nacl/nacl_listener.cc
@@ -21,6 +21,7 @@
#include "ipc/ipc_sync_channel.h"
#include "ipc/ipc_sync_message_filter.h"
#include "native_client/src/trusted/service_runtime/sel_main_chrome.h"
+#include "native_client/src/trusted/validator/nacl_file_info.h"
#if defined(OS_POSIX)
#include "base/file_descriptor_posix.h"
@@ -130,6 +131,38 @@ class BrowserValidationDBProxy : public NaClValidationDB {
}
}
+ virtual bool ResolveFileToken(struct NaClFileToken* file_token,
+ int32* fd, std::string* path) OVERRIDE {
+ *fd = -1;
+ *path = "";
+ if (file_token->lo == 0 && file_token->hi == 0) {
+ return false;
+ }
+ IPC::PlatformFileForTransit ipc_fd;
+ base::FilePath ipc_path;
+ if (!listener_->Send(new NaClProcessMsg_ResolveFileToken(file_token->lo,
+ file_token->hi,
+ &ipc_fd,
+ &ipc_path))) {
+ return false;
+ }
+ if (ipc_fd == IPC::InvalidPlatformFileForTransit()) {
+ return false;
+ }
+ base::PlatformFile handle =
+ IPC::PlatformFileForTransitToPlatformFile(ipc_fd);
+#if defined(OS_WIN)
+ // On Windows, valid handles are 32 bit unsigned integers so this is safe.
+ *fd = reinterpret_cast<uintptr_t>(handle);
+#else
+ *fd = handle;
+#endif
+ // It doesn't matter if the path is invalid UTF8 as long as it's consistent
+ // and unforgeable.
+ *path = ipc_path.AsUTF8Unsafe();
+ return true;
+ }
+
private:
// The listener never dies, otherwise this might be a dangling reference.
NaClListener* listener_;
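Review bot: The Windows branch `*fd = reinterpret_cast<uintptr_t>(handle);` silently narrows a `uintptr_t` into the `int32` out-parameter on 64-bit builds, relying only on the comment's claim that handle values fit in 32 bits; if that ever stops holding, the NaCl process would be handed a different handle number than the one the browser resolved, so the claim should be enforced rather than assumed. I would write `const uintptr_t h = reinterpret_cast<uintptr_t>(handle); CHECK_LE(h, static_cast<uintptr_t>(kuint32max)); *fd = static_cast<int32>(h);` (`kuint32max` comes from base/basictypes.h, which nacl_validation_db.h already includes). The method also hands the caller an open descriptor/handle without saying who closes it; a line such as `// On success the caller takes ownership of *fd and must close it.` would document that, though the ownership transfer is inferred from the transit conversion and should be confirmed against the NaCl side. `BrowserValidationDBProxy` begins before this hunk.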
diff --git a/chrome/nacl/nacl_validation_db.h b/chrome/nacl/nacl_validation_db.h
index c4fabcb..81351d22 100644
--- a/chrome/nacl/nacl_validation_db.h
+++ b/chrome/nacl/nacl_validation_db.h
@@ -9,6 +9,8 @@
#include "base/basictypes.h"
+struct NaClFileToken;
+
class NaClValidationDB {
public:
NaClValidationDB() {}
@@ -16,6 +18,8 @@ class NaClValidationDB {
virtual bool QueryKnownToValidate(const std::string& signature) = 0;
virtual void SetKnownToValidate(const std::string& signature) = 0;
+ virtual bool ResolveFileToken(struct NaClFileToken* file_token,
+ int32* fd, std::string* path) = 0;
private:
DISALLOW_COPY_AND_ASSIGN(NaClValidationDB);
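Review bot: The new pure virtual `ResolveFileToken` is the only point where every implementation must agree on the out-parameter contract, yet it carries no comment; both implementations in this commit set `*fd = -1` and `*path = ""` on failure, and a reader of the interface cannot know that is required. I would add above the declaration `// Resolves a file token issued by the browser to an open file and its path. Returns false (with *fd == -1 and *path empty) if the token is zero or cannot be resolved.` Since the token is only read, `const struct NaClFileToken*` would also state that more precisely than the non-const pointer, if the NaCl-side callback type permits it. The `NaClValidationDB` class declaration starts outside this hunk.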
diff --git a/chrome/nacl/nacl_validation_query.cc b/chrome/nacl/nacl_validation_query.cc
index 37d9b78..0ff831c 100644
--- a/chrome/nacl/nacl_validation_query.cc
+++ b/chrome/nacl/nacl_validation_query.cc
@@ -7,6 +7,8 @@
#include "base/logging.h"
#include "crypto/nss_util.h"
#include "chrome/nacl/nacl_validation_db.h"
+#include "native_client/src/include/portability.h"
+#include "native_client/src/trusted/validator/nacl_file_info.h"
#include "native_client/src/trusted/validator/validation_cache.h"
NaClValidationQueryContext::NaClValidationQueryContext(
@@ -29,6 +31,13 @@ NaClValidationQuery* NaClValidationQueryContext::CreateQuery() {
return query;
}
+bool NaClValidationQueryContext::ResolveFileToken(
+ struct NaClFileToken* file_token,
+ int32* fd,
+ std::string* path) {
+ return db_->ResolveFileToken(file_token, fd, path);
+}
+
NaClValidationQuery::NaClValidationQuery(NaClValidationDB* db,
const std::string& profile_key)
: state_(READY),
@@ -127,6 +136,24 @@ static void DestroyQuery(void* query) {
delete static_cast<NaClValidationQuery*>(query);
}
+static int ResolveFileToken(void* handle, struct NaClFileToken* file_token,
+ int32* fd, char** file_path,
+ uint32* file_path_length) {
+ std::string path;
+ *file_path = NULL;
+ *file_path_length = 0;
+ bool ok = static_cast<NaClValidationQueryContext*>(handle)->
+ ResolveFileToken(file_token, fd, &path);
+ if (ok) {
+ *file_path = static_cast<char*>(malloc(path.length() + 1));
+ CHECK(*file_path);
+ memcpy(*file_path, path.data(), path.length());
+ (*file_path)[path.length()] = 0;
+ *file_path_length = static_cast<uint32>(path.length());
+ }
+ return ok;
+}
+
struct NaClValidationCache* CreateValidationCache(
NaClValidationDB* db, const std::string& profile_key,
const std::string& nacl_version) {
@@ -140,5 +167,6 @@ struct NaClValidationCache* CreateValidationCache(
cache->QueryKnownToValidate = QueryKnownToValidate;
cache->SetKnownToValidate = SetKnownToValidate;
cache->DestroyQuery = DestroyQuery;
+ cache->ResolveFileToken = ResolveFileToken;
return cache;
}
diff --git a/chrome/nacl/nacl_validation_query.h b/chrome/nacl/nacl_validation_query.h
index fe82649..a849b81 100644
--- a/chrome/nacl/nacl_validation_query.h
+++ b/chrome/nacl/nacl_validation_query.h
@@ -11,6 +11,7 @@
#include "base/strings/string_piece.h"
#include "crypto/hmac.h"
+struct NaClFileToken;
struct NaClValidationCache;
class NaClValidationDB;
class NaClValidationQuery;
@@ -23,6 +24,9 @@ class NaClValidationQueryContext {
NaClValidationQuery* CreateQuery();
+ bool ResolveFileToken(struct NaClFileToken* file_token, int32* fd,
+ std::string* path);
+
private:
NaClValidationDB* db_;
diff --git a/chrome/nacl/nacl_validation_query_unittest.cc b/chrome/nacl/nacl_validation_query_unittest.cc
index baf930d..511000d 100644
--- a/chrome/nacl/nacl_validation_query_unittest.cc
+++ b/chrome/nacl/nacl_validation_query_unittest.cc
@@ -67,6 +67,13 @@ class MockValidationDB : public NaClValidationDB {
NaClValidationQuery::kDigestLength));
}
+ virtual bool ResolveFileToken(struct NaClFileToken* file_token, int32* fd,
+ std::string* path) OVERRIDE {
+ *fd = -1;
+ *path = "";
+ return false;
+ }
+
bool did_query_;
bool did_set_;
bool status_;
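Review bot: `MockValidationDB::ResolveFileToken` gives a test no way to observe that it was called, whereas the `did_query_` and `did_set_` members suggest the mock records the other two calls; without a `did_resolve_` flag no test can assert that the `ResolveFileToken` shim installed by `CreateValidationCache` actually forwards to the DB. Setting such a flag before `return false;` and checking it from a test that drives the C callback would close that gap; whether the existing tests exercise that path is not visible here. The mock class starts before this hunk.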