From 2e9903c857ee69a3f8e4d1dfea961ff6fafe7ba3 Mon Sep 17 00:00:00 2001 
From: "bbudge@chromium.org"
Date: Sat, 28 Dec 2013 02:17:38 +0000
Subject: Do PPB_FileIO Write on the plugin side.

This eliminates IPC for FileIO.Write, instead using the plugin's file descriptor. Performs the file op on the plugin's thread if blocking, otherwise on the file thread.

FileIOResources know their maximum written offset after they are opened. They can thus calculate whether a Write or SetLength operation will extend this max offset. If so, they call FileSystemResource::RequestQuota. This can return synchronously or asynchronously, and either returns the requested amount or 0 in case it can't be satisfied.

FileSystemResource will request a quota reservation from the host, queuing up unsatisfied requests. The quota reservation will be at least 1MB with this CL. The main point of a quota reservation is to reduce the number of times we query the quota system.

Both the FileSystemResource and the host maintain a collection of open files that are subject to quota. These are kept in sync. Maps that take PP_Resource to resource or host are used to ensure good performance and make it easier to keep the resource and host collections synced.

SetLength uses the plugin side machinery to request quota. When its request is granted, it calls over to the host side as before. This is because of OS X sandbox restrictions.

For trusted plugins, I assume that this plugin / host checking is sufficient. In particular, SetLength is performed in the browser process without checking the length against quota restrictions. We're essentially assuming trusted plugins don't cheat.

For untrusted plugins, this approach isn't sufficient. NaClMessageScanner audits the FileSystem and FileIO message traffic to maintain a parallel accounting of quota reservation and current file sizes. In addition, we wrap the native file handle in a NaClDescQuota for files that need quota checking. This NaClDescQuota uses NaClMessageScanner information to determine whether or not to allow a Write.
We must check at the descriptor level since the untrusted plugin may bypass our proxy code and use the file handle directly to Write. We must also fail any attempt to call ftruncate directly. BUG=194304 Review URL: https://codereview.chromium.org/100703004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@242659 0039d316-1c4b-4281-b951-d872f2087c98 --- ppapi/ppapi_tests.gypi | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'ppapi/ppapi_tests.gypi') diff --git a/ppapi/ppapi_tests.gypi b/ppapi/ppapi_tests.gypi index 0b4570a..9a4dd52 100644 --- a/ppapi/ppapi_tests.gypi +++ b/ppapi/ppapi_tests.gypi @@ -174,6 +174,7 @@ 'proxy/interface_list_unittest.cc', 'proxy/mock_resource.cc', 'proxy/mock_resource.h', + 'proxy/nacl_message_scanner_unittest.cc', 'proxy/pdf_resource_unittest.cc', 'proxy/plugin_dispatcher_unittest.cc', 'proxy/plugin_resource_tracker_unittest.cc', @@ -207,7 +208,7 @@ }], ], # TODO(jschuh): crbug.com/167187 fix size_t to int truncations. - 'msvs_disabled_warnings': [ 4267, ], + 'msvs_disabled_warnings': [ 4267, ], }, { 'target_name': 'ppapi_example_skeleton', -- cgit v1.1
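Review bot: In the hunk at @@ -174,6 +174,7 @@, the only test source added to this list is 'proxy/nacl_message_scanner_unittest.cc', while the commit message also describes new plugin-side quota logic: FileIOResource deciding whether a Write or SetLength extends the max written offset, FileSystemResource::RequestQuota queuing unsatisfied requests, and a descriptor-level check that must fail direct ftruncate calls. No test entry for those paths appears in this hunk. If the tests already in this target do not exercise them, add unit coverage next to the scanner test, in particular for the case where RequestQuota returns 0 and for the queued-request path.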
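Review bot: In the hunk at @@ -207,7 +208,7 @@, the removed and added 'msvs_disabled_warnings': [ 4267, ], lines are textually identical as shown, so this is at most a whitespace change and is unrelated to moving FileIO Write to the plugin side. Drop it from this change or land it separately, so that the diff for a quota-enforcement change touches only the lines it needs. The TODO above it (crbug.com/167187, size_t to int truncations) is also worth keeping in mind here, since the new code tracks file offsets and reservation sizes and warning 4267 stays disabled for this target.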