search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
cygprofile: increase timeouts to allow showing web contents
[chromium-blink-merge.git] / components / nacl / loader / nacl_listener.cc
blob45caede5248d8a15012c2dfb08444d136765f0c0
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "components/nacl/loader/nacl_listener.h"
6
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <stdlib.h>
10 #include <string.h>
11
12 #if defined(OS_POSIX)
13 #include <unistd.h>
14 #endif
15
16 #include "base/command_line.h"
17 #include "base/logging.h"
18 #include "base/memory/scoped_ptr.h"
19 #include "base/rand_util.h"
20 #include "base/single_thread_task_runner.h"
21 #include "components/nacl/common/nacl_messages.h"
22 #include "components/nacl/common/nacl_renderer_messages.h"
23 #include "components/nacl/common/nacl_switches.h"
24 #include "components/nacl/loader/nacl_ipc_adapter.h"
25 #include "components/nacl/loader/nacl_validation_db.h"
26 #include "components/nacl/loader/nacl_validation_query.h"
27 #include "ipc/ipc_channel_handle.h"
28 #include "ipc/ipc_switches.h"
29 #include "ipc/ipc_sync_channel.h"
30 #include "ipc/ipc_sync_message_filter.h"
31 #include "native_client/src/public/chrome_main.h"
32 #include "native_client/src/public/nacl_app.h"
33 #include "native_client/src/public/nacl_desc.h"
34
35 #if defined(OS_POSIX)
36 #include "base/file_descriptor_posix.h"
37 #endif
38
39 #if defined(OS_LINUX)
40 #include "content/public/common/child_process_sandbox_support_linux.h"
41 #endif
42
43 #if defined(OS_WIN)
44 #include <io.h>
45
46 #include "content/public/common/sandbox_init.h"
47 #endif
48
49 namespace {
50
51 NaClListener* g_listener;
52
53 void FatalLogHandler(const char* data, size_t bytes) {
54 // We use uint32_t rather than size_t for the case when the browser and NaCl
55 // processes are a mix of 32-bit and 64-bit processes.
56 uint32_t copy_bytes = std::min<uint32_t>(static_cast<uint32_t>(bytes),
57 nacl::kNaClCrashInfoMaxLogSize);
58
59 // We copy the length of the crash data to the start of the shared memory
60 // segment so we know how much to copy.
61 memcpy(g_listener->crash_info_shmem_memory(), &copy_bytes, sizeof(uint32_t));
62
63 memcpy((char*)g_listener->crash_info_shmem_memory() + sizeof(uint32_t),
64 data,
65 copy_bytes);
66 }
67
68 void LoadStatusCallback(int load_status) {
69 g_listener->trusted_listener()->Send(
70 new NaClRendererMsg_ReportLoadStatus(
71 static_cast<NaClErrorCode>(load_status)));
72 }
73
74 #if defined(OS_MACOSX)
75
76 // On Mac OS X, shm_open() works in the sandbox but does not give us
77 // an FD that we can map as PROT_EXEC. Rather than doing an IPC to
78 // get an executable SHM region when CreateMemoryObject() is called,
79 // we preallocate one on startup, since NaCl's sel_ldr only needs one
80 // of them. This saves a round trip.
81
82 base::subtle::Atomic32 g_shm_fd = -1;
83
84 int CreateMemoryObject(size_t size, int executable) {
85 if (executable && size > 0) {
86 int result_fd = base::subtle::NoBarrier_AtomicExchange(&g_shm_fd, -1);
87 if (result_fd != -1) {
88 // ftruncate() is disallowed by the Mac OS X sandbox and
89 // returns EPERM. Luckily, we can get the same effect with
90 // lseek() + write().
91 if (lseek(result_fd, size - 1, SEEK_SET) == -1) {
92 LOG(ERROR) << "lseek() failed: " << errno;
93 return -1;
94 }
95 if (write(result_fd, "", 1) != 1) {
96 LOG(ERROR) << "write() failed: " << errno;
97 return -1;
98 }
99 return result_fd;
100 }
101 }
102 // Fall back to NaCl's default implementation.
103 return -1;
104 }
105
106 #elif defined(OS_LINUX)
107
108 int CreateMemoryObject(size_t size, int executable) {
109 return content::MakeSharedMemorySegmentViaIPC(size, executable);
110 }
111
112 #elif defined(OS_WIN)
113 // We wrap the function to convert the bool return value to an int.
114 int BrokerDuplicateHandle(NaClHandle source_handle,
115 uint32_t process_id,
116 NaClHandle* target_handle,
117 uint32_t desired_access,
118 uint32_t options) {
119 return content::BrokerDuplicateHandle(source_handle, process_id,
120 target_handle, desired_access,
121 options);
122 }
123
124 int AttachDebugExceptionHandler(const void* info, size_t info_size) {
125 std::string info_string(reinterpret_cast<const char*>(info), info_size);
126 bool result = false;
127 if (!g_listener->Send(new NaClProcessMsg_AttachDebugExceptionHandler(
128 info_string, &result)))
129 return false;
130 return result;
131 }
132
133 void DebugStubPortSelectedHandler(uint16_t port) {
134 g_listener->Send(new NaClProcessHostMsg_DebugStubPortSelected(port));
135 }
136
137 #endif
138
139 // Creates the PPAPI IPC channel between the NaCl IRT and the host
140 // (browser/renderer) process, and starts to listen it on the thread where
141 // the given message_loop_proxy runs.
142 // Also, creates and sets the corresponding NaClDesc to the given nap with
143 // the FD #.
144 void SetUpIPCAdapter(
145 IPC::ChannelHandle* handle,
146 scoped_refptr<base::SingleThreadTaskRunner> task_runner,
147 struct NaClApp* nap,
148 int nacl_fd,
149 NaClIPCAdapter::ResolveFileTokenCallback resolve_file_token_cb,
150 NaClIPCAdapter::OpenResourceCallback open_resource_cb) {
151 scoped_refptr<NaClIPCAdapter> ipc_adapter(new NaClIPCAdapter(
152 *handle, task_runner.get(), resolve_file_token_cb, open_resource_cb));
153 ipc_adapter->ConnectChannel();
154 #if defined(OS_POSIX)
155 handle->socket =
156 base::FileDescriptor(ipc_adapter->TakeClientFileDescriptor());
157 #endif
158
159 // Pass a NaClDesc to the untrusted side. This will hold a ref to the
160 // NaClIPCAdapter.
161 NaClAppSetDesc(nap, nacl_fd, ipc_adapter->MakeNaClDesc());
162 }
163
164 } // namespace
165
166 class BrowserValidationDBProxy : public NaClValidationDB {
167 public:
168 explicit BrowserValidationDBProxy(NaClListener* listener)
169 : listener_(listener) {
170 }
171
172 bool QueryKnownToValidate(const std::string& signature) override {
173 // Initialize to false so that if the Send fails to write to the return
174 // value we're safe. For example if the message is (for some reason)
175 // dispatched as an async message the return parameter will not be written.
176 bool result = false;
177 if (!listener_->Send(new NaClProcessMsg_QueryKnownToValidate(signature,
178 &result))) {
179 LOG(ERROR) << "Failed to query NaCl validation cache.";
180 result = false;
181 }
182 return result;
183 }
184
185 void SetKnownToValidate(const std::string& signature) override {
186 // Caching is optional: NaCl will still work correctly if the IPC fails.
187 if (!listener_->Send(new NaClProcessMsg_SetKnownToValidate(signature))) {
188 LOG(ERROR) << "Failed to update NaCl validation cache.";
189 }
190 }
191
192 private:
193 // The listener never dies, otherwise this might be a dangling reference.
194 NaClListener* listener_;
195 };
196
197
198 NaClListener::NaClListener() : shutdown_event_(true, false),
199 io_thread_("NaCl_IOThread"),
200 #if defined(OS_LINUX)
201 prereserved_sandbox_size_(0),
202 #endif
203 #if defined(OS_POSIX)
204 number_of_cores_(-1), // unknown/error
205 #endif
206 main_loop_(NULL),
207 is_started_(false) {
208 io_thread_.StartWithOptions(
209 base::Thread::Options(base::MessageLoop::TYPE_IO, 0));
210 DCHECK(g_listener == NULL);
211 g_listener = this;
212 }
213
214 NaClListener::~NaClListener() {
215 NOTREACHED();
216 shutdown_event_.Signal();
217 g_listener = NULL;
218 }
219
220 bool NaClListener::Send(IPC::Message* msg) {
221 DCHECK(main_loop_ != NULL);
222 if (base::MessageLoop::current() == main_loop_) {
223 // This thread owns the channel.
224 return channel_->Send(msg);
225 } else {
226 // This thread does not own the channel.
227 return filter_->Send(msg);
228 }
229 }
230
231 // The NaClProcessMsg_ResolveFileTokenAsyncReply message must be
232 // processed in a MessageFilter so it can be handled on the IO thread.
233 // The main thread used by NaClListener is busy in
234 // NaClChromeMainAppStart(), so it can't be used for servicing messages.
235 class FileTokenMessageFilter : public IPC::MessageFilter {
236 public:
237 bool OnMessageReceived(const IPC::Message& msg) override {
238 bool handled = true;
239 IPC_BEGIN_MESSAGE_MAP(FileTokenMessageFilter, msg)
240 IPC_MESSAGE_HANDLER(NaClProcessMsg_ResolveFileTokenReply,
241 OnResolveFileTokenReply)
242 IPC_MESSAGE_UNHANDLED(handled = false)
243 IPC_END_MESSAGE_MAP()
244 return handled;
245 }
246
247 void OnResolveFileTokenReply(
248 uint64_t token_lo,
249 uint64_t token_hi,
250 IPC::PlatformFileForTransit ipc_fd,
251 base::FilePath file_path) {
252 CHECK(g_listener);
253 g_listener->OnFileTokenResolved(token_lo, token_hi, ipc_fd, file_path);
254 }
255 private:
256 ~FileTokenMessageFilter() override {}
257 };
258
259 void NaClListener::Listen() {
260 std::string channel_name =
261 base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
262 switches::kProcessChannelID);
263 channel_ = IPC::SyncChannel::Create(this, io_thread_.task_runner().get(),
264 &shutdown_event_);
265 filter_ = channel_->CreateSyncMessageFilter();
266 channel_->AddFilter(new FileTokenMessageFilter());
267 channel_->Init(channel_name, IPC::Channel::MODE_CLIENT, true);
268 main_loop_ = base::MessageLoop::current();
269 main_loop_->Run();
270 }
271
272 bool NaClListener::OnMessageReceived(const IPC::Message& msg) {
273 bool handled = true;
274 IPC_BEGIN_MESSAGE_MAP(NaClListener, msg)
275 IPC_MESSAGE_HANDLER(NaClProcessMsg_AddPrefetchedResource,
276 OnAddPrefetchedResource)
277 IPC_MESSAGE_HANDLER(NaClProcessMsg_Start, OnStart)
278 IPC_MESSAGE_UNHANDLED(handled = false)
279 IPC_END_MESSAGE_MAP()
280 return handled;
281 }
282
283 bool NaClListener::OnOpenResource(
284 const IPC::Message& msg,
285 const std::string& key,
286 NaClIPCAdapter::OpenResourceReplyCallback cb) {
287 // This callback is executed only on |io_thread_| with NaClIPCAdapter's
288 // |lock_| not being held.
289 DCHECK(!cb.is_null());
290 PrefetchedResourceFilesMap::iterator it =
291 prefetched_resource_files_.find(key);
292
293 if (it != prefetched_resource_files_.end()) {
294 // Fast path for prefetched FDs.
295 IPC::PlatformFileForTransit file = it->second.first;
296 base::FilePath path = it->second.second;
297 prefetched_resource_files_.erase(it);
298 // A pre-opened resource descriptor is available. Run the reply callback
299 // and return true.
300 cb.Run(msg, file, path);
301 return true;
302 }
303
304 // Return false to fall back to the slow path. Let NaClIPCAdapter issue an
305 // IPC to the renderer.
306 return false;
307 }
308
309 void NaClListener::OnAddPrefetchedResource(
310 const nacl::NaClResourcePrefetchResult& prefetched_resource_file) {
311 DCHECK(!is_started_);
312 if (is_started_)
313 return;
314 bool result = prefetched_resource_files_.insert(std::make_pair(
315 prefetched_resource_file.file_key,
316 std::make_pair(
317 prefetched_resource_file.file,
318 prefetched_resource_file.file_path_metadata))).second;
319 if (!result) {
320 LOG(FATAL) << "Duplicated open_resource key: "
321 << prefetched_resource_file.file_key;
322 }
323 }
324
325 void NaClListener::OnStart(const nacl::NaClStartParams& params) {
326 is_started_ = true;
327 #if defined(OS_LINUX) || defined(OS_MACOSX)
328 int urandom_fd = dup(base::GetUrandomFD());
329 if (urandom_fd < 0) {
330 LOG(FATAL) << "Failed to dup() the urandom FD";
331 }
332 NaClChromeMainSetUrandomFd(urandom_fd);
333 #endif
334 struct NaClApp* nap = NULL;
335 NaClChromeMainInit();
336
337 CHECK(base::SharedMemory::IsHandleValid(params.crash_info_shmem_handle));
338 crash_info_shmem_.reset(new base::SharedMemory(
339 params.crash_info_shmem_handle, false /* not readonly */));
340 CHECK(crash_info_shmem_->Map(nacl::kNaClCrashInfoShmemSize));
341 NaClSetFatalErrorCallback(&FatalLogHandler);
342
343 nap = NaClAppCreate();
344 if (nap == NULL) {
345 LOG(FATAL) << "NaClAppCreate() failed";
346 }
347
348 IPC::ChannelHandle browser_handle;
349 IPC::ChannelHandle ppapi_renderer_handle;
350 IPC::ChannelHandle manifest_service_handle;
351
352 if (params.enable_ipc_proxy) {
353 browser_handle = IPC::Channel::GenerateVerifiedChannelID("nacl");
354 ppapi_renderer_handle = IPC::Channel::GenerateVerifiedChannelID("nacl");
355 manifest_service_handle = IPC::Channel::GenerateVerifiedChannelID("nacl");
356
357 // Create the PPAPI IPC channels between the NaCl IRT and the host
358 // (browser/renderer) processes. The IRT uses these channels to
359 // communicate with the host and to initialize the IPC dispatchers.
360 SetUpIPCAdapter(&browser_handle, io_thread_.task_runner(), nap,
361 NACL_CHROME_DESC_BASE,
362 NaClIPCAdapter::ResolveFileTokenCallback(),
363 NaClIPCAdapter::OpenResourceCallback());
364 SetUpIPCAdapter(&ppapi_renderer_handle, io_thread_.task_runner(), nap,
365 NACL_CHROME_DESC_BASE + 1,
366 NaClIPCAdapter::ResolveFileTokenCallback(),
367 NaClIPCAdapter::OpenResourceCallback());
368 SetUpIPCAdapter(
369 &manifest_service_handle, io_thread_.task_runner(), nap,
370 NACL_CHROME_DESC_BASE + 2,
371 base::Bind(&NaClListener::ResolveFileToken, base::Unretained(this)),
372 base::Bind(&NaClListener::OnOpenResource, base::Unretained(this)));
373 }
374
375 trusted_listener_ =
376 new NaClTrustedListener(IPC::Channel::GenerateVerifiedChannelID("nacl"),
377 io_thread_.task_runner().get(), &shutdown_event_);
378 if (!Send(new NaClProcessHostMsg_PpapiChannelsCreated(
379 browser_handle,
380 ppapi_renderer_handle,
381 trusted_listener_->TakeClientChannelHandle(),
382 manifest_service_handle)))
383 LOG(FATAL) << "Failed to send IPC channel handle to NaClProcessHost.";
384
385 struct NaClChromeMainArgs* args = NaClChromeMainArgsCreate();
386 if (args == NULL) {
387 LOG(FATAL) << "NaClChromeMainArgsCreate() failed";
388 }
389
390 #if defined(OS_LINUX) || defined(OS_MACOSX)
391 args->number_of_cores = number_of_cores_;
392 args->create_memory_object_func = CreateMemoryObject;
393 # if defined(OS_MACOSX)
394 CHECK(params.mac_shm_fd != IPC::InvalidPlatformFileForTransit());
395 g_shm_fd = IPC::PlatformFileForTransitToPlatformFile(params.mac_shm_fd);
396 # endif
397 #endif
398
399 DCHECK(params.process_type != nacl::kUnknownNaClProcessType);
400 CHECK(params.irt_handle != IPC::InvalidPlatformFileForTransit());
401 NaClHandle irt_handle =
402 IPC::PlatformFileForTransitToPlatformFile(params.irt_handle);
403
404 #if defined(OS_WIN)
405 args->irt_fd = _open_osfhandle(reinterpret_cast<intptr_t>(irt_handle),
406 _O_RDONLY | _O_BINARY);
407 if (args->irt_fd < 0) {
408 LOG(FATAL) << "_open_osfhandle() failed";
409 }
410 #else
411 args->irt_fd = irt_handle;
412 #endif
413
414 if (params.validation_cache_enabled) {
415 // SHA256 block size.
416 CHECK_EQ(params.validation_cache_key.length(), (size_t) 64);
417 // The cache structure is not freed and exists until the NaCl process exits.
418 args->validation_cache = CreateValidationCache(
419 new BrowserValidationDBProxy(this), params.validation_cache_key,
420 params.version);
421 }
422
423 CHECK(params.imc_bootstrap_handle != IPC::InvalidPlatformFileForTransit());
424 args->imc_bootstrap_handle =
425 IPC::PlatformFileForTransitToPlatformFile(params.imc_bootstrap_handle);
426 args->enable_debug_stub = params.enable_debug_stub;
427
428 // Now configure parts that depend on process type.
429 // Start with stricter settings.
430 args->enable_exception_handling = 0;
431 args->enable_dyncode_syscalls = 0;
432 // pnacl_mode=1 mostly disables things (IRT interfaces and syscalls).
433 args->pnacl_mode = 1;
434 // Bound the initial nexe's code segment size under PNaCl to reduce the
435 // chance of a code spraying attack succeeding (see
436 // https://code.google.com/p/nativeclient/issues/detail?id=3572).
437 // We can't apply this arbitrary limit outside of PNaCl because it might
438 // break existing NaCl apps, and this limit is only useful if the dyncode
439 // syscalls are disabled.
440 args->initial_nexe_max_code_bytes = 64 << 20; // 64 MB.
441
442 if (params.process_type == nacl::kNativeNaClProcessType) {
443 args->enable_exception_handling = 1;
444 args->enable_dyncode_syscalls = 1;
445 args->pnacl_mode = 0;
446 args->initial_nexe_max_code_bytes = 0;
447 } else if (params.process_type == nacl::kPNaClTranslatorProcessType) {
448 args->pnacl_mode = 0;
449 }
450
451 #if defined(OS_POSIX)
452 args->debug_stub_server_bound_socket_fd =
453 IPC::PlatformFileForTransitToPlatformFile(
454 params.debug_stub_server_bound_socket);
455 #endif
456 #if defined(OS_WIN)
457 args->broker_duplicate_handle_func = BrokerDuplicateHandle;
458 args->attach_debug_exception_handler_func = AttachDebugExceptionHandler;
459 args->debug_stub_server_port_selected_handler_func =
460 DebugStubPortSelectedHandler;
461 #endif
462 args->load_status_handler_func = LoadStatusCallback;
463 #if defined(OS_LINUX)
464 args->prereserved_sandbox_size = prereserved_sandbox_size_;
465 #endif
466
467 base::PlatformFile nexe_file = IPC::PlatformFileForTransitToPlatformFile(
468 params.nexe_file);
469 std::string file_path_str = params.nexe_file_path_metadata.AsUTF8Unsafe();
470 args->nexe_desc = NaClDescCreateWithFilePathMetadata(nexe_file,
471 file_path_str.c_str());
472
473 int exit_status;
474 if (!NaClChromeMainStart(nap, args, &exit_status))
475 NaClExit(1);
476
477 // Report the plugin's exit status if the application started successfully.
478 trusted_listener_->Send(new NaClRendererMsg_ReportExitStatus(exit_status));
479 NaClExit(exit_status);
480 }
481
482 void NaClListener::ResolveFileToken(
483 uint64_t token_lo,
484 uint64_t token_hi,
485 base::Callback<void(IPC::PlatformFileForTransit, base::FilePath)> cb) {
486 if (!Send(new NaClProcessMsg_ResolveFileToken(token_lo, token_hi))) {
487 cb.Run(IPC::PlatformFileForTransit(), base::FilePath());
488 return;
489 }
490 resolved_cb_ = cb;
491 }
492
493 void NaClListener::OnFileTokenResolved(
494 uint64_t token_lo,
495 uint64_t token_hi,
496 IPC::PlatformFileForTransit ipc_fd,
497 base::FilePath file_path) {
498 resolved_cb_.Run(ipc_fd, file_path);
499 resolved_cb_.Reset();
500 }