authormseaborn@chromium.org <mseaborn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-04-17 00:47:50 +0000
committermseaborn@chromium.org <mseaborn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-04-17 00:47:50 +0000
commite4f6eb02319b57de1c2f0d0c23cde72a486e2bfd (patch)
tree5794afb3d0b0f103fe75f0e243da2a509fc876a4 /chrome
parentdc976477a26ef1b7e1cd4ae455812c05759c8468 (diff)
Supply Windows handle-passing function to NaCl
Pass BrokerDuplicateHandle() to the NaCl loader process in nacl_listener.cc. Pass BrokerDuplicateHandle() to the NaCl trusted plugin. We need to add this to PPB_NaCl_Private in order to pass it through. Remove the use of the "init_handle_passing" SRPC call. Otherwise the NaCl process will attempt to do an imc_connect() to the renderer, which involves sending a handle to it, which fails. Add a wrapper for AddTargetPeer() to 'content' so that nacl_process_host.cc can use it. Change the renderer's handle-passing policy to allow sending handles other than Sections. The NaCl trusted plugin sends other handle types to the NaCl loader process. This change will allow the sandbox to be tightened up, in the future, so that the NaCl loader process and the renderer process do not have handles to each other. BUG=http://code.google.com/p/nativeclient/issues/detail?id=2719 TEST=nacl_integration etc. Review URL: https://chromiumcodereview.appspot.com/10039001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@132496 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome')
-rw-r--r--chrome/browser/nacl_host/nacl_process_host.cc15
-rw-r--r--chrome/nacl/nacl_listener.cc18
-rw-r--r--chrome/renderer/chrome_ppapi_interfaces.cc19
3 files changed, 52 insertions, 0 deletions
diff --git a/chrome/browser/nacl_host/nacl_process_host.cc b/chrome/browser/nacl_host/nacl_process_host.cc
index 4bf5b40..a804c8c 100644
--- a/chrome/browser/nacl_host/nacl_process_host.cc
+++ b/chrome/browser/nacl_host/nacl_process_host.cc
@@ -50,6 +50,7 @@
#include "base/threading/thread.h"
#include "base/process_util.h"
#include "chrome/browser/nacl_host/nacl_broker_service_win.h"
+#include "content/public/common/sandbox_init.h"
#include "native_client/src/trusted/service_runtime/win/debug_exception_handler.h"
#endif
@@ -918,6 +919,9 @@ bool NaClProcessHost::SendStart() {
const ChildProcessData& data = process_->GetData();
#if defined(OS_WIN)
// Copy the process handle into the renderer process.
+ // TODO(mseaborn): Remove this. The renderer process uses this
+ // handle with NaCl's handle_pass module, but we are replacing
+ // handle_pass with Chrome's BrokerDuplicateHandle() function.
if (!DuplicateHandle(base::GetCurrentProcessHandle(),
data.handle,
chrome_render_message_filter_->peer_handle(),
@@ -928,6 +932,17 @@ bool NaClProcessHost::SendStart() {
DLOG(ERROR) << "DuplicateHandle() failed";
return false;
}
+ // If we are on 64-bit Windows, the NaCl process's sandbox is
+ // managed by a different process from the renderer's sandbox. We
+ // need to inform the renderer's sandbox about the NaCl process so
+ // that the renderer can send handles to the NaCl process using
+ // BrokerDuplicateHandle().
+ if (RunningOnWOW64()) {
+ if (!content::BrokerAddTargetPeer(data.handle)) {
+ DLOG(ERROR) << "Failed to add NaCl process PID";
+ return false;
+ }
+ }
#else
// We use pid as process handle on Posix
nacl_process_handle = data.handle;
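Review bot: The log message `"Failed to add NaCl process PID"` does not match what is passed: `data.handle` is the NaCl process handle (the same value DuplicateHandle() copies a few lines above), not a PID, so the message should read e.g. `DLOG(ERROR) << "BrokerAddTargetPeer() failed for the NaCl process handle";`. When BrokerAddTargetPeer() fails, SendStart() returns false after the preceding DuplicateHandle() has already placed a copy of the process handle in the renderer, and nothing on this path reclaims that copy; presumably it is released when the failed launch is torn down, but a one-line comment saying so would save the next reader from checking. The new comment says "64-bit Windows" while the guard is RunningOnWOW64(), i.e. a 32-bit browser running on 64-bit Windows; stating that explicitly would keep the comment and the condition from being read as the same thing. SendStart() continues outside the hunk.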
diff --git a/chrome/nacl/nacl_listener.cc b/chrome/nacl/nacl_listener.cc
index d0e0a8a..b82ca0f 100644
--- a/chrome/nacl/nacl_listener.cc
+++ b/chrome/nacl/nacl_listener.cc
@@ -26,6 +26,8 @@
#if defined(OS_WIN)
#include <fcntl.h>
#include <io.h>
+
+#include "content/public/common/sandbox_init.h"
#endif
namespace {
@@ -67,6 +69,19 @@ int CreateMemoryObject(size_t size, int executable) {
return content::MakeSharedMemorySegmentViaIPC(size, executable);
}
+#elif defined(OS_WIN)
+
+// We wrap the function to convert the bool return value to an int.
+int BrokerDuplicateHandle(NaClHandle source_handle,
+ uint32_t process_id,
+ NaClHandle* target_handle,
+ uint32_t desired_access,
+ uint32_t options) {
+ return content::BrokerDuplicateHandle(source_handle, process_id,
+ target_handle, desired_access,
+ options);
+}
+
#endif
// Use an env var because command line args are eaten by nacl_helper.
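Review bot: The wrapper's comment only says it converts bool to int; the NaCl side receives this through a function pointer, so the contract should be spelled out, e.g. `// Returns 1 on success, 0 on failure. desired_access and options are forwarded to the content broker unchanged; the broker decides whether process_id is an allowed target.`. The conversion from NaClHandle to the parameter type of content::BrokerDuplicateHandle() is implicit here and the content signature is not visible in this diff; if the types differ, an explicit static_cast would make the intent visible. Note also that this function shares its name with content::BrokerDuplicateHandle inside the anonymous namespace, which is fine for the unqualified use in the later hunk but easy to misread.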
@@ -203,6 +218,9 @@ void NaClListener::OnStartSelLdr(std::vector<nacl::FileDescriptor> handles,
args->imc_bootstrap_handle = nacl::ToNativeHandle(handles[0]);
args->enable_exception_handling = enable_exception_handling;
args->enable_debug_stub = debug_enabled_;
+#if defined(OS_WIN)
+ args->broker_duplicate_handle_func = BrokerDuplicateHandle;
+#endif
NaClChromeMainStart(args);
NOTREACHED();
}
diff --git a/chrome/renderer/chrome_ppapi_interfaces.cc b/chrome/renderer/chrome_ppapi_interfaces.cc
index 321f86b..2430391 100644
--- a/chrome/renderer/chrome_ppapi_interfaces.cc
+++ b/chrome/renderer/chrome_ppapi_interfaces.cc
@@ -23,6 +23,10 @@
#include "ppapi/native_client/src/trusted/plugin/nacl_entry_points.h"
#endif
+#if defined(OS_WIN)
+#include "content/public/common/sandbox_init.h"
+#endif
+
using content::RenderThread;
namespace chrome {
@@ -78,11 +82,26 @@ void EnableBackgroundSelLdrLaunch() {
RenderThread::Get()->GetSyncMessageFilter();
}
+int BrokerDuplicateHandle(void* source_handle,
+ unsigned int process_id,
+ void** target_handle,
+ unsigned int desired_access,
+ unsigned int options) {
+#if defined(OS_WIN)
+ return content::BrokerDuplicateHandle(source_handle, process_id,
+ target_handle, desired_access,
+ options);
+#else
+ return 0;
+#endif
+}
+
const PPB_NaCl_Private ppb_nacl = {
&LaunchSelLdr,
&UrandomFD,
&Are3DInterfacesDisabled,
&EnableBackgroundSelLdrLaunch,
+ &BrokerDuplicateHandle,
};
class PPB_NaCl_Impl {
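Review bot: On non-Windows the stub returns 0 and never writes `*target_handle`, and the function carries no comment stating its contract; a header comment such as `// Returns nonzero on success. On failure, and always on non-Windows, *target_handle is not written.` would stop a plugin-side caller from reading an uninitialized handle after an unchecked call. The wrapper performs no check of its own on `process_id`; it appears that the only restriction on which process can receive a duplicated handle is the sandbox broker's target-peer list, which is worth stating in the comment so that future readers do not assume this layer enforces policy (confirm against content::BrokerDuplicateHandle). Minor point of style: all five parameters are unused in the `#else` branch, which may warn under stricter flags.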