NaCl: enable meta-based validation for shared libraries.

chrome/browser/nacl_host/nacl_browser.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CHROME_BROWSER_NACL_HOST_NACL_BROWSER_H_
 #define CHROME_BROWSER_NACL_HOST_NACL_BROWSER_H_
 
 #include "base/bind.h"
+#include "base/containers/mru_cache.h"
 #include "base/files/file_util_proxy.h"
 #include "base/memory/singleton.h"
 #include "base/memory/weak_ptr.h"
 #include "base/platform_file.h"
 #include "chrome/browser/nacl_host/nacl_validation_cache.h"
 
 class URLPattern;
 class GURL;
 
+namespace nacl {
+
+// Open an immutable executable file that can be mmapped.
+// This function should only be called on a thread that can perform file IO.
+void OpenNaClExecutableImpl(const base::FilePath& file_path,
+                            base::PlatformFile* file);
+
+}
+
 // Represents shared state for all NaClProcessHost objects in the browser.
 class NaClBrowser {
  public:
   static NaClBrowser* GetInstance();
 
   // Will it be possible to launch a NaCl process, eventually?
   bool IsOk() const;
 
   // Are we ready to launch a NaCl process now?  Implies IsOk().
   bool IsReady() const;
@@ skipping 35 matching lines @@
   void ClearGdbDebugStubPortListener();
 
   bool ValidationCacheIsEnabled() const {
     return validation_cache_is_enabled_;
   }
 
   const std::string& GetValidationCacheKey() const {
     return validation_cache_.GetValidationCacheKey();
   }
 
+  // The NaCl singleton keeps information about NaCl executable files opened via
+  // PPAPI.  This allows the NaCl process to get trusted information about the
+  // file directly from the browser process.  In theory, a compromised renderer
+  // could provide a writable file handle or lie about the file's path.  If we
+  // trusted the handle was read only but it was not, an mmapped file could be
+  // modified after validation, allowing an escape from the NaCl sandbox.
+  // Similarly, if we trusted the file path corresponded to the file handle but
+  // it did not, the validation cache could be tricked into bypassing validation
+  // for bad code.
+  // Instead of allowing these attacks, the NaCl process only trusts information
+  // it gets directly from the browser process.  Because the information is
+  // stored in a cache of bounded size, it is not guaranteed the browser process
+  // will be able to provide the requested information.  In these cases, the
+  // NaCl process must make conservative assumptions about the origin of the
+  // file.
+  // In theory, a compromised renderer could guess file tokens in an attempt to
+  // read files it normally doesn't have access to.  This would not compromise
+  // the NaCl sandbox, however, and only has a 1 in ~2**120 chance of success
+  // per guess.
+  // TODO(ncbray): move the cache onto NaClProcessHost so that we don't need to
+  // rely on tokens being unguessable by another process.
+  void PutFilePath(const base::FilePath& path, uint64* file_token_lo,
+                   uint64* file_token_hi);
+  bool GetFilePath(uint64 file_token_lo, uint64 file_token_hi,
+                   base::FilePath* path);
+
   bool QueryKnownToValidate(const std::string& signature, bool off_the_record);
   void SetKnownToValidate(const std::string& signature, bool off_the_record);
   void ClearValidationCache(const base::Closure& callback);
 
  private:
   friend struct DefaultSingletonTraits<NaClBrowser>;
 
   enum NaClResourceState {
     NaClResourceUninitialized,
     NaClResourceRequested,
@@ skipping 33 matching lines @@
   std::vector<URLPattern> debug_patterns_;
   bool inverse_debug_patterns_;
   NaClValidationCache validation_cache_;
   NaClValidationCache off_the_record_validation_cache_;
   base::FilePath validation_cache_file_path_;
   bool validation_cache_is_enabled_;
   bool validation_cache_is_modified_;
   NaClResourceState validation_cache_state_;
   base::Callback<void(int)> debug_stub_port_listener_;
 
+  typedef base::HashingMRUCache<std::string, base::FilePath> PathCacheType;
+  PathCacheType path_cache_;
+
   bool ok_;
 
   // A list of pending tasks to start NaCl processes.
   std::vector<base::Closure> waiting_;
 
   DISALLOW_COPY_AND_ASSIGN(NaClBrowser);
 };
 
 #endif  // CHROME_BROWSER_NACL_HOST_NACL_BROWSER_H_