1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "components/nacl/loader/nacl_listener.h"
6
7 #include <errno.h>
8 #include <fcntl.h>
9 #include <stdlib.h>
10 #include <string.h>
11
12 #if defined(OS_POSIX)
13 #include <unistd.h>
14 #endif
15
16 #include "base/command_line.h"
17 #include "base/logging.h"
18 #include "base/memory/scoped_ptr.h"
19 #include "base/message_loop/message_loop.h"
20 #include "base/rand_util.h"
21 #include "components/nacl/common/nacl_messages.h"
22 #include "components/nacl/common/nacl_renderer_messages.h"
23 #include "components/nacl/loader/nacl_ipc_adapter.h"
24 #include "components/nacl/loader/nacl_validation_db.h"
25 #include "components/nacl/loader/nacl_validation_query.h"
26 #include "ipc/ipc_channel_handle.h"
27 #include "ipc/ipc_switches.h"
28 #include "ipc/ipc_sync_channel.h"
29 #include "ipc/ipc_sync_message_filter.h"
30 #include "native_client/src/public/chrome_main.h"
31 #include "native_client/src/public/nacl_app.h"
32 #include "native_client/src/public/nacl_file_info.h"
33 #include "native_client/src/trusted/service_runtime/include/sys/fcntl.h"
34
35 #if defined(OS_POSIX)
36 #include "base/file_descriptor_posix.h"
37 #endif
38
39 #if defined(OS_LINUX)
40 #include "content/public/common/child_process_sandbox_support_linux.h"
41 #endif
42
43 #if defined(OS_WIN)
44 #include <fcntl.h>
45 #include <io.h>
46
47 #include "content/public/common/sandbox_init.h"
48 #endif
49
50 namespace {
51
52 NaClListener* g_listener;
53
FatalLogHandler(const char * data,size_t bytes)54 void FatalLogHandler(const char* data, size_t bytes) {
55 // We use uint32_t rather than size_t for the case when the browser and NaCl
56 // processes are a mix of 32-bit and 64-bit processes.
57 uint32_t copy_bytes = std::min<uint32_t>(static_cast<uint32_t>(bytes),
58 nacl::kNaClCrashInfoMaxLogSize);
59
60 // We copy the length of the crash data to the start of the shared memory
61 // segment so we know how much to copy.
62 memcpy(g_listener->crash_info_shmem_memory(), ©_bytes, sizeof(uint32_t));
63
64 memcpy((char*)g_listener->crash_info_shmem_memory() + sizeof(uint32_t),
65 data,
66 copy_bytes);
67 }
68
69 #if defined(OS_MACOSX)
70
71 // On Mac OS X, shm_open() works in the sandbox but does not give us
72 // an FD that we can map as PROT_EXEC. Rather than doing an IPC to
73 // get an executable SHM region when CreateMemoryObject() is called,
74 // we preallocate one on startup, since NaCl's sel_ldr only needs one
75 // of them. This saves a round trip.
76
77 base::subtle::Atomic32 g_shm_fd = -1;
78
CreateMemoryObject(size_t size,int executable)79 int CreateMemoryObject(size_t size, int executable) {
80 if (executable && size > 0) {
81 int result_fd = base::subtle::NoBarrier_AtomicExchange(&g_shm_fd, -1);
82 if (result_fd != -1) {
83 // ftruncate() is disallowed by the Mac OS X sandbox and
84 // returns EPERM. Luckily, we can get the same effect with
85 // lseek() + write().
86 if (lseek(result_fd, size - 1, SEEK_SET) == -1) {
87 LOG(ERROR) << "lseek() failed: " << errno;
88 return -1;
89 }
90 if (write(result_fd, "", 1) != 1) {
91 LOG(ERROR) << "write() failed: " << errno;
92 return -1;
93 }
94 return result_fd;
95 }
96 }
97 // Fall back to NaCl's default implementation.
98 return -1;
99 }
100
101 #elif defined(OS_LINUX)
102
CreateMemoryObject(size_t size,int executable)103 int CreateMemoryObject(size_t size, int executable) {
104 return content::MakeSharedMemorySegmentViaIPC(size, executable);
105 }
106
107 #elif defined(OS_WIN)
108 // We wrap the function to convert the bool return value to an int.
BrokerDuplicateHandle(NaClHandle source_handle,uint32_t process_id,NaClHandle * target_handle,uint32_t desired_access,uint32_t options)109 int BrokerDuplicateHandle(NaClHandle source_handle,
110 uint32_t process_id,
111 NaClHandle* target_handle,
112 uint32_t desired_access,
113 uint32_t options) {
114 return content::BrokerDuplicateHandle(source_handle, process_id,
115 target_handle, desired_access,
116 options);
117 }
118
AttachDebugExceptionHandler(const void * info,size_t info_size)119 int AttachDebugExceptionHandler(const void* info, size_t info_size) {
120 std::string info_string(reinterpret_cast<const char*>(info), info_size);
121 bool result = false;
122 if (!g_listener->Send(new NaClProcessMsg_AttachDebugExceptionHandler(
123 info_string, &result)))
124 return false;
125 return result;
126 }
127
DebugStubPortSelectedHandler(uint16_t port)128 void DebugStubPortSelectedHandler(uint16_t port) {
129 g_listener->Send(new NaClProcessHostMsg_DebugStubPortSelected(port));
130 }
131
132 #endif
133
134 // Creates the PPAPI IPC channel between the NaCl IRT and the host
135 // (browser/renderer) process, and starts to listen it on the thread where
136 // the given message_loop_proxy runs.
137 // Also, creates and sets the corresponding NaClDesc to the given nap with
138 // the FD #.
SetUpIPCAdapter(IPC::ChannelHandle * handle,scoped_refptr<base::MessageLoopProxy> message_loop_proxy,struct NaClApp * nap,int nacl_fd)139 scoped_refptr<NaClIPCAdapter> SetUpIPCAdapter(
140 IPC::ChannelHandle* handle,
141 scoped_refptr<base::MessageLoopProxy> message_loop_proxy,
142 struct NaClApp* nap,
143 int nacl_fd) {
144 scoped_refptr<NaClIPCAdapter> ipc_adapter(
145 new NaClIPCAdapter(*handle, message_loop_proxy.get()));
146 ipc_adapter->ConnectChannel();
147 #if defined(OS_POSIX)
148 handle->socket =
149 base::FileDescriptor(ipc_adapter->TakeClientFileDescriptor(), true);
150 #endif
151
152 // Pass a NaClDesc to the untrusted side. This will hold a ref to the
153 // NaClIPCAdapter.
154 NaClAppSetDesc(nap, nacl_fd, ipc_adapter->MakeNaClDesc());
155 return ipc_adapter;
156 }
157
158 } // namespace
159
160 class BrowserValidationDBProxy : public NaClValidationDB {
161 public:
BrowserValidationDBProxy(NaClListener * listener)162 explicit BrowserValidationDBProxy(NaClListener* listener)
163 : listener_(listener) {
164 }
165
QueryKnownToValidate(const std::string & signature)166 virtual bool QueryKnownToValidate(const std::string& signature) OVERRIDE {
167 // Initialize to false so that if the Send fails to write to the return
168 // value we're safe. For example if the message is (for some reason)
169 // dispatched as an async message the return parameter will not be written.
170 bool result = false;
171 if (!listener_->Send(new NaClProcessMsg_QueryKnownToValidate(signature,
172 &result))) {
173 LOG(ERROR) << "Failed to query NaCl validation cache.";
174 result = false;
175 }
176 return result;
177 }
178
SetKnownToValidate(const std::string & signature)179 virtual void SetKnownToValidate(const std::string& signature) OVERRIDE {
180 // Caching is optional: NaCl will still work correctly if the IPC fails.
181 if (!listener_->Send(new NaClProcessMsg_SetKnownToValidate(signature))) {
182 LOG(ERROR) << "Failed to update NaCl validation cache.";
183 }
184 }
185
186 // This is the "old" code path for resolving file tokens. It's only
187 // used for resolving the main nexe.
188 // TODO(teravest): Remove this.
ResolveFileToken(struct NaClFileToken * file_token,int32 * fd,std::string * path)189 virtual bool ResolveFileToken(struct NaClFileToken* file_token,
190 int32* fd, std::string* path) OVERRIDE {
191 *fd = -1;
192 *path = "";
193 if (!NaClFileTokenIsValid(file_token)) {
194 return false;
195 }
196 IPC::PlatformFileForTransit ipc_fd = IPC::InvalidPlatformFileForTransit();
197 base::FilePath ipc_path;
198 if (!listener_->Send(new NaClProcessMsg_ResolveFileToken(file_token->lo,
199 file_token->hi,
200 &ipc_fd,
201 &ipc_path))) {
202 return false;
203 }
204 if (ipc_fd == IPC::InvalidPlatformFileForTransit()) {
205 return false;
206 }
207 base::PlatformFile handle =
208 IPC::PlatformFileForTransitToPlatformFile(ipc_fd);
209 #if defined(OS_WIN)
210 // On Windows, valid handles are 32 bit unsigned integers so this is safe.
211 *fd = reinterpret_cast<uintptr_t>(handle);
212 #else
213 *fd = handle;
214 #endif
215 // It doesn't matter if the path is invalid UTF8 as long as it's consistent
216 // and unforgeable.
217 *path = ipc_path.AsUTF8Unsafe();
218 return true;
219 }
220
221 private:
222 // The listener never dies, otherwise this might be a dangling reference.
223 NaClListener* listener_;
224 };
225
226
NaClListener()227 NaClListener::NaClListener() : shutdown_event_(true, false),
228 io_thread_("NaCl_IOThread"),
229 #if defined(OS_LINUX)
230 prereserved_sandbox_size_(0),
231 #endif
232 #if defined(OS_POSIX)
233 number_of_cores_(-1), // unknown/error
234 #endif
235 main_loop_(NULL) {
236 io_thread_.StartWithOptions(
237 base::Thread::Options(base::MessageLoop::TYPE_IO, 0));
238 DCHECK(g_listener == NULL);
239 g_listener = this;
240 }
241
~NaClListener()242 NaClListener::~NaClListener() {
243 NOTREACHED();
244 shutdown_event_.Signal();
245 g_listener = NULL;
246 }
247
Send(IPC::Message * msg)248 bool NaClListener::Send(IPC::Message* msg) {
249 DCHECK(main_loop_ != NULL);
250 if (base::MessageLoop::current() == main_loop_) {
251 // This thread owns the channel.
252 return channel_->Send(msg);
253 } else {
254 // This thread does not own the channel.
255 return filter_->Send(msg);
256 }
257 }
258
259 // The NaClProcessMsg_ResolveFileTokenAsyncReply message must be
260 // processed in a MessageFilter so it can be handled on the IO thread.
261 // The main thread used by NaClListener is busy in
262 // NaClChromeMainAppStart(), so it can't be used for servicing messages.
263 class FileTokenMessageFilter : public IPC::MessageFilter {
264 public:
OnMessageReceived(const IPC::Message & msg)265 virtual bool OnMessageReceived(const IPC::Message& msg) OVERRIDE {
266 bool handled = true;
267 IPC_BEGIN_MESSAGE_MAP(FileTokenMessageFilter, msg)
268 IPC_MESSAGE_HANDLER(NaClProcessMsg_ResolveFileTokenAsyncReply,
269 OnResolveFileTokenAsyncReply)
270 IPC_MESSAGE_UNHANDLED(handled = false)
271 IPC_END_MESSAGE_MAP()
272 return handled;
273 }
274
OnResolveFileTokenAsyncReply(uint64_t token_lo,uint64_t token_hi,IPC::PlatformFileForTransit ipc_fd,base::FilePath file_path)275 void OnResolveFileTokenAsyncReply(
276 uint64_t token_lo,
277 uint64_t token_hi,
278 IPC::PlatformFileForTransit ipc_fd,
279 base::FilePath file_path) {
280 CHECK(g_listener);
281 g_listener->OnFileTokenResolved(token_lo, token_hi, ipc_fd, file_path);
282 }
283 private:
~FileTokenMessageFilter()284 virtual ~FileTokenMessageFilter() { }
285 };
286
Listen()287 void NaClListener::Listen() {
288 std::string channel_name =
289 CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
290 switches::kProcessChannelID);
291 channel_ = IPC::SyncChannel::Create(
292 this, io_thread_.message_loop_proxy().get(), &shutdown_event_);
293 filter_ = new IPC::SyncMessageFilter(&shutdown_event_);
294 channel_->AddFilter(filter_.get());
295 channel_->AddFilter(new FileTokenMessageFilter());
296 channel_->Init(channel_name, IPC::Channel::MODE_CLIENT, true);
297 main_loop_ = base::MessageLoop::current();
298 main_loop_->Run();
299 }
300
OnMessageReceived(const IPC::Message & msg)301 bool NaClListener::OnMessageReceived(const IPC::Message& msg) {
302 bool handled = true;
303 IPC_BEGIN_MESSAGE_MAP(NaClListener, msg)
304 IPC_MESSAGE_HANDLER(NaClProcessMsg_Start, OnStart)
305 IPC_MESSAGE_UNHANDLED(handled = false)
306 IPC_END_MESSAGE_MAP()
307 return handled;
308 }
309
OnStart(const nacl::NaClStartParams & params)310 void NaClListener::OnStart(const nacl::NaClStartParams& params) {
311 #if defined(OS_LINUX) || defined(OS_MACOSX)
312 int urandom_fd = dup(base::GetUrandomFD());
313 if (urandom_fd < 0) {
314 LOG(ERROR) << "Failed to dup() the urandom FD";
315 return;
316 }
317 NaClChromeMainSetUrandomFd(urandom_fd);
318 #endif
319 struct NaClApp* nap = NULL;
320 NaClChromeMainInit();
321
322 crash_info_shmem_.reset(new base::SharedMemory(params.crash_info_shmem_handle,
323 false));
324 CHECK(crash_info_shmem_->Map(nacl::kNaClCrashInfoShmemSize));
325 NaClSetFatalErrorCallback(&FatalLogHandler);
326
327 nap = NaClAppCreate();
328 if (nap == NULL) {
329 LOG(ERROR) << "NaClAppCreate() failed";
330 return;
331 }
332
333 IPC::ChannelHandle browser_handle;
334 IPC::ChannelHandle ppapi_renderer_handle;
335 IPC::ChannelHandle manifest_service_handle;
336
337 if (params.enable_ipc_proxy) {
338 browser_handle = IPC::Channel::GenerateVerifiedChannelID("nacl");
339 ppapi_renderer_handle = IPC::Channel::GenerateVerifiedChannelID("nacl");
340 manifest_service_handle = IPC::Channel::GenerateVerifiedChannelID("nacl");
341
342 // Create the PPAPI IPC channels between the NaCl IRT and the host
343 // (browser/renderer) processes. The IRT uses these channels to
344 // communicate with the host and to initialize the IPC dispatchers.
345 SetUpIPCAdapter(&browser_handle, io_thread_.message_loop_proxy(),
346 nap, NACL_CHROME_DESC_BASE);
347 SetUpIPCAdapter(&ppapi_renderer_handle, io_thread_.message_loop_proxy(),
348 nap, NACL_CHROME_DESC_BASE + 1);
349
350 scoped_refptr<NaClIPCAdapter> manifest_ipc_adapter =
351 SetUpIPCAdapter(&manifest_service_handle,
352 io_thread_.message_loop_proxy(),
353 nap,
354 NACL_CHROME_DESC_BASE + 2);
355 manifest_ipc_adapter->set_resolve_file_token_callback(
356 base::Bind(&NaClListener::ResolveFileToken, base::Unretained(this)));
357 }
358
359 trusted_listener_ = new NaClTrustedListener(
360 IPC::Channel::GenerateVerifiedChannelID("nacl"),
361 io_thread_.message_loop_proxy().get(),
362 &shutdown_event_);
363 if (!Send(new NaClProcessHostMsg_PpapiChannelsCreated(
364 browser_handle,
365 ppapi_renderer_handle,
366 trusted_listener_->TakeClientChannelHandle(),
367 manifest_service_handle)))
368 LOG(ERROR) << "Failed to send IPC channel handle to NaClProcessHost.";
369
370 std::vector<nacl::FileDescriptor> handles = params.handles;
371 struct NaClChromeMainArgs* args = NaClChromeMainArgsCreate();
372 if (args == NULL) {
373 LOG(ERROR) << "NaClChromeMainArgsCreate() failed";
374 return;
375 }
376
377 #if defined(OS_LINUX) || defined(OS_MACOSX)
378 args->number_of_cores = number_of_cores_;
379 args->create_memory_object_func = CreateMemoryObject;
380 # if defined(OS_MACOSX)
381 CHECK(handles.size() >= 1);
382 g_shm_fd = nacl::ToNativeHandle(handles[handles.size() - 1]);
383 handles.pop_back();
384 # endif
385 #endif
386
387 if (params.uses_irt) {
388 CHECK(handles.size() >= 1);
389 NaClHandle irt_handle = nacl::ToNativeHandle(handles[handles.size() - 1]);
390 handles.pop_back();
391
392 #if defined(OS_WIN)
393 args->irt_fd = _open_osfhandle(reinterpret_cast<intptr_t>(irt_handle),
394 _O_RDONLY | _O_BINARY);
395 if (args->irt_fd < 0) {
396 LOG(ERROR) << "_open_osfhandle() failed";
397 return;
398 }
399 #else
400 args->irt_fd = irt_handle;
401 #endif
402 } else {
403 // Otherwise, the IRT handle is not even sent.
404 args->irt_fd = -1;
405 }
406
407 if (params.validation_cache_enabled) {
408 // SHA256 block size.
409 CHECK_EQ(params.validation_cache_key.length(), (size_t) 64);
410 // The cache structure is not freed and exists until the NaCl process exits.
411 args->validation_cache = CreateValidationCache(
412 new BrowserValidationDBProxy(this), params.validation_cache_key,
413 params.version);
414 }
415
416 CHECK(handles.size() == 1);
417 args->imc_bootstrap_handle = nacl::ToNativeHandle(handles[0]);
418 args->enable_exception_handling = params.enable_exception_handling;
419 args->enable_debug_stub = params.enable_debug_stub;
420 args->enable_dyncode_syscalls = params.enable_dyncode_syscalls;
421 if (!params.enable_dyncode_syscalls) {
422 // Bound the initial nexe's code segment size under PNaCl to
423 // reduce the chance of a code spraying attack succeeding (see
424 // https://code.google.com/p/nativeclient/issues/detail?id=3572).
425 // We assume that !params.enable_dyncode_syscalls is synonymous
426 // with PNaCl. We can't apply this arbitrary limit outside of
427 // PNaCl because it might break existing NaCl apps, and this limit
428 // is only useful if the dyncode syscalls are disabled.
429 args->initial_nexe_max_code_bytes = 64 << 20; // 64 MB
430
431 // Indicate that this is a PNaCl module.
432 // TODO(jvoung): Plumb through something indicating that this is PNaCl
433 // instead of relying on enable_dyncode_syscalls.
434 args->pnacl_mode = 1;
435 }
436 #if defined(OS_LINUX) || defined(OS_MACOSX)
437 args->debug_stub_server_bound_socket_fd = nacl::ToNativeHandle(
438 params.debug_stub_server_bound_socket);
439 #endif
440 #if defined(OS_WIN)
441 args->broker_duplicate_handle_func = BrokerDuplicateHandle;
442 args->attach_debug_exception_handler_func = AttachDebugExceptionHandler;
443 args->debug_stub_server_port_selected_handler_func =
444 DebugStubPortSelectedHandler;
445 #endif
446 #if defined(OS_LINUX)
447 args->prereserved_sandbox_size = prereserved_sandbox_size_;
448 #endif
449
450 NaClFileInfo nexe_file_info;
451 base::PlatformFile nexe_file = IPC::PlatformFileForTransitToPlatformFile(
452 params.nexe_file);
453 #if defined(OS_WIN)
454 nexe_file_info.desc =
455 _open_osfhandle(reinterpret_cast<intptr_t>(nexe_file),
456 _O_RDONLY | _O_BINARY);
457 #elif defined(OS_POSIX)
458 nexe_file_info.desc = nexe_file;
459 #else
460 #error Unsupported target platform.
461 #endif
462 nexe_file_info.file_token.lo = params.nexe_token_lo;
463 nexe_file_info.file_token.hi = params.nexe_token_hi;
464 args->nexe_desc = NaClDescIoFromFileInfo(nexe_file_info, NACL_ABI_O_RDONLY);
465
466 int exit_status;
467 if (!NaClChromeMainStart(nap, args, &exit_status))
468 NaClExit(1);
469
470 // Report the plugin's exit status if the application started successfully.
471 trusted_listener_->Send(new NaClRendererMsg_ReportExitStatus(exit_status));
472 NaClExit(exit_status);
473 }
474
ResolveFileToken(uint64_t token_lo,uint64_t token_hi,base::Callback<void (IPC::PlatformFileForTransit,base::FilePath)> cb)475 void NaClListener::ResolveFileToken(
476 uint64_t token_lo,
477 uint64_t token_hi,
478 base::Callback<void(IPC::PlatformFileForTransit, base::FilePath)> cb) {
479 if (!Send(new NaClProcessMsg_ResolveFileTokenAsync(token_lo, token_hi))) {
480 cb.Run(IPC::PlatformFileForTransit(), base::FilePath());
481 return;
482 }
483 resolved_cb_ = cb;
484 }
485
OnFileTokenResolved(uint64_t token_lo,uint64_t token_hi,IPC::PlatformFileForTransit ipc_fd,base::FilePath file_path)486 void NaClListener::OnFileTokenResolved(
487 uint64_t token_lo,
488 uint64_t token_hi,
489 IPC::PlatformFileForTransit ipc_fd,
490 base::FilePath file_path) {
491 resolved_cb_.Run(ipc_fd, file_path);
492 resolved_cb_.Reset();
493 }
494