// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "components/nacl/renderer/json_manifest.h"
#include <set>
#include "base/containers/scoped_ptr_hash_map.h"
#include "base/lazy_instance.h"
#include "base/logging.h"
#include "base/macros.h"
#include "components/nacl/renderer/nexe_load_manager.h"
#include "third_party/jsoncpp/source/include/json/reader.h"
#include "third_party/jsoncpp/source/include/json/value.h"
#include "url/gurl.h"
namespace nacl {
namespace {
// Top-level section name keys
const char* const kProgramKey = "program";
const char* const kInterpreterKey = "interpreter";
const char* const kFilesKey = "files";
// ISA Dictionary keys
const char* const kX8632Key = "x86-32";
const char* const kX8632NonSFIKey = "x86-32-nonsfi";
const char* const kX8664Key = "x86-64";
const char* const kX8664NonSFIKey = "x86-64-nonsfi";
const char* const kArmKey = "arm";
const char* const kArmNonSFIKey = "arm-nonsfi";
const char* const kPortableKey = "portable";
// Url Resolution keys
const char* const kPnaclDebugKey = "pnacl-debug";
const char* const kPnaclTranslateKey = "pnacl-translate";
const char* const kUrlKey = "url";
// PNaCl keys
const char* const kOptLevelKey = "optlevel";
// Sample NaCl manifest file:
// {
// "program": {
// "x86-32": {"url": "myprogram_x86-32.nexe"},
// "x86-64": {"url": "myprogram_x86-64.nexe"},
// "arm": {"url": "myprogram_arm.nexe"}
// },
// "interpreter": {
// "x86-32": {"url": "interpreter_x86-32.nexe"},
// "x86-64": {"url": "interpreter_x86-64.nexe"},
// "arm": {"url": "interpreter_arm.nexe"}
// },
// "files": {
// "foo.txt": {
// "portable": {"url": "foo.txt"}
// },
// "bar.txt": {
// "x86-32": {"url": "x86-32/bar.txt"},
// "portable": {"url": "bar.txt"}
// },
// "libfoo.so": {
// "x86-64" : { "url": "..." }
// }
// }
// }
// Sample PNaCl manifest file:
// {
// "program": {
// "portable": {
// "pnacl-translate": {
// "url": "myprogram.pexe"
// },
// "pnacl-debug": {
// "url": "myprogram.debug.pexe",
// "opt_level": 0
// }
// }
// },
// "files": {
// "foo.txt": {
// "portable": {"url": "foo.txt"}
// },
// "bar.txt": {
// "portable": {"url": "bar.txt"}
// }
// }
// }
// Returns the key for the architecture in non-SFI mode.
std::string GetNonSFIKey(const std::string& sandbox_isa) {
return sandbox_isa + "-nonsfi";
}
// Looks up |property_name| in the vector |valid_names| with length
// |valid_name_count|. Returns true if |property_name| is found.
bool FindMatchingProperty(const std::string& property_name,
const char** valid_names,
size_t valid_name_count) {
for (size_t i = 0; i < valid_name_count; ++i) {
if (property_name == valid_names[i]) {
return true;
}
}
return false;
}
// Return true if this is a valid dictionary. Having only keys present in
// |valid_keys| and having at least the keys in |required_keys|.
// Error messages will be placed in |error_string|, given that the dictionary
// was the property value of |container_key|.
// E.g., "container_key" : dictionary
bool IsValidDictionary(const Json::Value& dictionary,
const std::string& container_key,
const std::string& parent_key,
const char** valid_keys,
size_t valid_key_count,
const char** required_keys,
size_t required_key_count,
std::string* error_string) {
if (!dictionary.isObject()) {
std::stringstream error_stream;
error_stream << parent_key << " property '" << container_key
<< "' is non-dictionary value '"
<< dictionary.toStyledString() << "'.";
*error_string = error_stream.str();
return false;
}
// Check for unknown dictionary members.
Json::Value::Members members = dictionary.getMemberNames();
for (size_t i = 0; i < members.size(); ++i) {
std::string property_name = members[i];
if (!FindMatchingProperty(property_name,
valid_keys,
valid_key_count)) {
// For forward compatibility, we do not prohibit other keys being in
// the dictionary.
VLOG(1) << "WARNING: '" << parent_key << "' property '"
<< container_key << "' has unknown key '"
<< property_name << "'.";
}
}
// Check for required members.
for (size_t i = 0; i < required_key_count; ++i) {
if (!dictionary.isMember(required_keys[i])) {
std::stringstream error_stream;
error_stream << parent_key << " property '" << container_key
<< "' does not have required key: '"
<< required_keys[i] << "'.";
*error_string = error_stream.str();
return false;
}
}
return true;
}
// Validate a "url" dictionary assuming it was resolved from container_key.
// E.g., "container_key" : { "url": "foo.txt" }
bool IsValidUrlSpec(const Json::Value& url_spec,
const std::string& container_key,
const std::string& parent_key,
const std::string& sandbox_isa,
std::string* error_string) {
static const char* kManifestUrlSpecRequired[] = {
kUrlKey
};
const char** urlSpecPlusOptional;
size_t urlSpecPlusOptionalLength;
if (sandbox_isa == kPortableKey) {
static const char* kPnaclUrlSpecPlusOptional[] = {
kUrlKey,
kOptLevelKey,
};
urlSpecPlusOptional = kPnaclUrlSpecPlusOptional;
urlSpecPlusOptionalLength = arraysize(kPnaclUrlSpecPlusOptional);
} else {
// URL specifications must not contain "pnacl-translate" keys.
// This prohibits NaCl clients from invoking PNaCl.
if (url_spec.isMember(kPnaclTranslateKey)) {
std::stringstream error_stream;
error_stream << "PNaCl-like NMF with application/x-nacl mimetype instead "
<< "of x-pnacl mimetype (has " << kPnaclTranslateKey << ").";
*error_string = error_stream.str();
return false;
}
urlSpecPlusOptional = kManifestUrlSpecRequired;
urlSpecPlusOptionalLength = arraysize(kManifestUrlSpecRequired);
}
if (!IsValidDictionary(url_spec, container_key, parent_key,
urlSpecPlusOptional,
urlSpecPlusOptionalLength,
kManifestUrlSpecRequired,
arraysize(kManifestUrlSpecRequired),
error_string)) {
return false;
}
// Verify the correct types of the fields if they exist.
Json::Value url = url_spec[kUrlKey];
if (!url.isString()) {
std::stringstream error_stream;
error_stream << parent_key << " property '" << container_key <<
"' has non-string value '" << url.toStyledString() <<
"' for key '" << kUrlKey << "'.";
*error_string = error_stream.str();
return false;
}
Json::Value opt_level = url_spec[kOptLevelKey];
if (!opt_level.empty() && !opt_level.isNumeric()) {
std::stringstream error_stream;
error_stream << parent_key << " property '" << container_key <<
"' has non-numeric value '" << opt_level.toStyledString() <<
"' for key '" << kOptLevelKey << "'.";
*error_string = error_stream.str();
return false;
}
return true;
}
// Validate a "pnacl-translate" or "pnacl-debug" dictionary, assuming
// it was resolved from container_key.
// E.g., "container_key" : { "pnacl-translate" : URLSpec }
bool IsValidPnaclTranslateSpec(const Json::Value& pnacl_spec,
const std::string& container_key,
const std::string& parent_key,
const std::string& sandbox_isa,
std::string* error_string) {
static const char* kManifestPnaclSpecValid[] = {
kPnaclDebugKey,
kPnaclTranslateKey
};
static const char* kManifestPnaclSpecRequired[] = { kPnaclTranslateKey };
if (!IsValidDictionary(pnacl_spec, container_key, parent_key,
kManifestPnaclSpecValid,
arraysize(kManifestPnaclSpecValid),
kManifestPnaclSpecRequired,
arraysize(kManifestPnaclSpecRequired),
error_string)) {
return false;
}
Json::Value url_spec = pnacl_spec[kPnaclTranslateKey];
return IsValidUrlSpec(url_spec, kPnaclTranslateKey,
container_key, sandbox_isa, error_string);
}
// Validates that |dictionary| is a valid ISA dictionary. An ISA dictionary
// is validated to have keys from within the set of recognized ISAs. Unknown
// ISAs are allowed, but ignored and warnings are produced. It is also
// validated
// that it must have an entry to match the ISA specified in |sandbox_isa| or
// have a fallback 'portable' entry if there is no match. Returns true if
// |dictionary| is an ISA to URL map. Sets |error_info| to something
// descriptive if it fails.
bool IsValidISADictionary(const Json::Value& dictionary,
const std::string& parent_key,
const std::string& sandbox_isa,
bool must_find_matching_entry,
bool nonsfi_enabled,
JsonManifest::ErrorInfo* error_info) {
// An ISA to URL dictionary has to be an object.
if (!dictionary.isObject()) {
error_info->error = PP_NACL_ERROR_MANIFEST_SCHEMA_VALIDATE;
error_info->string = std::string("manifest: ") + parent_key +
" property is not an ISA to URL dictionary";
return false;
}
// Build the set of reserved ISA dictionary keys.
const char** isaProperties;
size_t isaPropertiesLength;
if (sandbox_isa == kPortableKey) {
// The known values for PNaCl ISA dictionaries in the manifest.
static const char* kPnaclManifestISAProperties[] = {
kPortableKey
};
isaProperties = kPnaclManifestISAProperties;
isaPropertiesLength = arraysize(kPnaclManifestISAProperties);
} else {
// The known values for NaCl ISA dictionaries in the manifest.
static const char* kNaClManifestISAProperties[] = {
kX8632Key,
kX8632NonSFIKey,
kX8664Key,
kX8664NonSFIKey,
kArmKey,
kArmNonSFIKey,
// "portable" is here to allow checking that, if present, it can
// only refer to an URL, such as for a data file, and not to
// "pnacl-translate", which would cause the creation of a nexe.
kPortableKey
};
isaProperties = kNaClManifestISAProperties;
isaPropertiesLength = arraysize(kNaClManifestISAProperties);
}
// Check that entries in the dictionary are structurally correct.
Json::Value::Members members = dictionary.getMemberNames();
for (size_t i = 0; i < members.size(); ++i) {
std::string property_name = members[i];
Json::Value property_value = dictionary[property_name];
std::string error_string;
if (FindMatchingProperty(property_name,
isaProperties,
isaPropertiesLength)) {
// For NaCl, arch entries can only be
// "arch/portable" : URLSpec
// For PNaCl arch in "program" dictionary entries can be
// "portable" : { "pnacl-translate": URLSpec }
// or "portable" : { "pnacl-debug": URLSpec }
// For PNaCl arch elsewhere, dictionary entries can only be
// "portable" : URLSpec
if ((sandbox_isa != kPortableKey &&
!IsValidUrlSpec(property_value, property_name, parent_key,
sandbox_isa, &error_string)) ||
(sandbox_isa == kPortableKey &&
parent_key == kProgramKey &&
!IsValidPnaclTranslateSpec(property_value, property_name, parent_key,
sandbox_isa, &error_string)) ||
(sandbox_isa == kPortableKey &&
parent_key != kProgramKey &&
!IsValidUrlSpec(property_value, property_name, parent_key,
sandbox_isa, &error_string))) {
error_info->error = PP_NACL_ERROR_MANIFEST_SCHEMA_VALIDATE;
error_info->string = "manifest: " + error_string;
return false;
}
} else {
// For forward compatibility, we do not prohibit other keys being in
// the dictionary, as they may be architectures supported in later
// versions. However, the value of these entries must be an URLSpec.
VLOG(1) << "IsValidISADictionary: unrecognized key '"
<< property_name << "'.";
if (!IsValidUrlSpec(property_value, property_name, parent_key,
sandbox_isa, &error_string)) {
error_info->error = PP_NACL_ERROR_MANIFEST_SCHEMA_VALIDATE;
error_info->string = "manifest: " + error_string;
return false;
}
}
}
if (sandbox_isa == kPortableKey) {
if (!dictionary.isMember(kPortableKey)) {
error_info->error = PP_NACL_ERROR_MANIFEST_PROGRAM_MISSING_ARCH;
error_info->string = "manifest: no version of " + parent_key +
" given for portable.";
return false;
}
} else if (must_find_matching_entry) {
// TODO(elijahtaylor) add ISA resolver here if we expand ISAs to include
// micro-architectures that can resolve to multiple valid sandboxes.
bool has_isa = dictionary.isMember(sandbox_isa);
bool has_nonsfi_isa =
nonsfi_enabled && dictionary.isMember(GetNonSFIKey(sandbox_isa));
bool has_portable = dictionary.isMember(kPortableKey);
if (!has_isa && !has_nonsfi_isa && !has_portable) {
error_info->error = PP_NACL_ERROR_MANIFEST_PROGRAM_MISSING_ARCH;
error_info->string = "manifest: no version of " + parent_key +
" given for current arch and no portable version found.";
return false;
}
}
return true;
}
void GrabUrlAndPnaclOptions(const Json::Value& url_spec,
std::string* url,
PP_PNaClOptions* pnacl_options) {
*url = url_spec[kUrlKey].asString();
pnacl_options->translate = PP_TRUE;
if (url_spec.isMember(kOptLevelKey)) {
int32_t opt_raw = url_spec[kOptLevelKey].asInt();
// Currently only allow 0 or 2, since that is what we test.
if (opt_raw <= 0)
pnacl_options->opt_level = 0;
else
pnacl_options->opt_level = 2;
}
}
} // namespace
typedef base::ScopedPtrHashMap<PP_Instance, nacl::JsonManifest> JsonManifestMap;
base::LazyInstance<JsonManifestMap> g_manifest_map = LAZY_INSTANCE_INITIALIZER;
void AddJsonManifest(PP_Instance instance, scoped_ptr<JsonManifest> manifest) {
g_manifest_map.Get().add(instance, manifest.Pass());
}
JsonManifest* GetJsonManifest(PP_Instance instance) {
return g_manifest_map.Get().get(instance);
}
void DeleteJsonManifest(PP_Instance instance) {
g_manifest_map.Get().erase(instance);
}
JsonManifest::JsonManifest(const std::string& manifest_base_url,
const std::string& sandbox_isa,
bool nonsfi_enabled,
bool pnacl_debug)
: manifest_base_url_(manifest_base_url),
sandbox_isa_(sandbox_isa),
nonsfi_enabled_(nonsfi_enabled),
pnacl_debug_(pnacl_debug) { }
bool JsonManifest::Init(const std::string& manifest_json,
ErrorInfo* error_info) {
CHECK(error_info);
Json::Reader reader;
if (!reader.parse(manifest_json, dictionary_)) {
std::string json_error = reader.getFormattedErrorMessages();
error_info->error = PP_NACL_ERROR_MANIFEST_PARSING;
error_info->string = "manifest JSON parsing failed: " + json_error;
return false;
}
// Parse has ensured the string was valid JSON. Check that it matches the
// manifest schema.
return MatchesSchema(error_info);
}
bool JsonManifest::GetProgramURL(std::string* full_url,
PP_PNaClOptions* pnacl_options,
bool* uses_nonsfi_mode,
ErrorInfo* error_info) const {
if (!full_url)
return false;
CHECK(pnacl_options);
CHECK(uses_nonsfi_mode);
CHECK(error_info);
const Json::Value& program = dictionary_[kProgramKey];
std::string nexe_url;
if (!GetURLFromISADictionary(program,
kProgramKey,
&nexe_url,
pnacl_options,
uses_nonsfi_mode,
error_info)) {
return false;
}
// The contents of the manifest are resolved relative to the manifest URL.
GURL base_gurl(manifest_base_url_);
if (!base_gurl.is_valid())
return false;
GURL resolved_gurl = base_gurl.Resolve(nexe_url);
if (!resolved_gurl.is_valid()) {
error_info->error = PP_NACL_ERROR_MANIFEST_RESOLVE_URL;
error_info->string =
"could not resolve url '" + nexe_url +
"' relative to manifest base url '" + manifest_base_url_.c_str() +
"'.";
return false;
}
*full_url = resolved_gurl.possibly_invalid_spec();
return true;
}
bool JsonManifest::ResolveKey(const std::string& key,
std::string* full_url,
PP_PNaClOptions* pnacl_options) const {
// key must be one of kProgramKey or kFileKey '/' file-section-key
if (full_url == NULL || pnacl_options == NULL)
return false;
if (key == kProgramKey)
return GetKeyUrl(dictionary_, key, full_url, pnacl_options);
std::string::const_iterator p = std::find(key.begin(), key.end(), '/');
if (p == key.end()) {
VLOG(1) << "ResolveKey failed: invalid key, no slash: " << key;
return false;
}
// generalize to permit other sections?
std::string prefix(key.begin(), p);
if (prefix != kFilesKey) {
VLOG(1) << "ResolveKey failed: invalid key, no \"files\" prefix: " << key;
return false;
}
const Json::Value& files = dictionary_[kFilesKey];
if (!files.isObject()) {
VLOG(1) << "ResolveKey failed: no \"files\" dictionary";
return false;
}
std::string rest(p + 1, key.end());
if (!files.isMember(rest)) {
VLOG(1) << "ResolveKey failed: no such \"files\" entry: " << key;
return false;
}
return GetKeyUrl(files, rest, full_url, pnacl_options);
}
bool JsonManifest::MatchesSchema(ErrorInfo* error_info) {
if (!dictionary_.isObject()) {
error_info->error = PP_NACL_ERROR_MANIFEST_SCHEMA_VALIDATE;
error_info->string = "manifest: is not a json dictionary.";
return false;
}
Json::Value::Members members = dictionary_.getMemberNames();
for (size_t i = 0; i < members.size(); ++i) {
// The top level dictionary entries valid in the manifest file.
static const char* kManifestTopLevelProperties[] = { kProgramKey,
kInterpreterKey,
kFilesKey };
std::string property_name = members[i];
if (!FindMatchingProperty(property_name,
kManifestTopLevelProperties,
arraysize(kManifestTopLevelProperties))) {
VLOG(1) << "JsonManifest::MatchesSchema: WARNING: unknown top-level "
<< "section '" << property_name << "' in manifest.";
}
}
// A manifest file must have a program section.
if (!dictionary_.isMember(kProgramKey)) {
error_info->error = PP_NACL_ERROR_MANIFEST_SCHEMA_VALIDATE;
error_info->string = std::string("manifest: missing '") + kProgramKey +
"' section.";
return false;
}
// Validate the program section.
// There must be a matching (portable or sandbox_isa_) entry for program for
// NaCl.
if (!IsValidISADictionary(dictionary_[kProgramKey],
kProgramKey,
sandbox_isa_,
true,
nonsfi_enabled_,
error_info)) {
return false;
}
// Validate the interpreter section (if given).
// There must be a matching (portable or sandbox_isa_) entry for interpreter
// for NaCl.
if (dictionary_.isMember(kInterpreterKey)) {
if (!IsValidISADictionary(dictionary_[kInterpreterKey],
kInterpreterKey,
sandbox_isa_,
true,
nonsfi_enabled_,
error_info)) {
return false;
}
}
// Validate the file dictionary (if given).
// The "files" key does not require a matching (portable or sandbox_isa_)
// entry at schema validation time for NaCl. This allows manifests to
// specify resources that are only loaded for a particular sandbox_isa.
if (dictionary_.isMember(kFilesKey)) {
const Json::Value& files = dictionary_[kFilesKey];
if (!files.isObject()) {
error_info->error = PP_NACL_ERROR_MANIFEST_SCHEMA_VALIDATE;
error_info->string = std::string("manifest: '") + kFilesKey +
"' is not a dictionary.";
}
Json::Value::Members members = files.getMemberNames();
for (size_t i = 0; i < members.size(); ++i) {
std::string file_name = members[i];
if (!IsValidISADictionary(files[file_name],
file_name,
sandbox_isa_,
false,
nonsfi_enabled_,
error_info)) {
return false;
}
}
}
return true;
}
bool JsonManifest::GetKeyUrl(const Json::Value& dictionary,
const std::string& key,
std::string* full_url,
PP_PNaClOptions* pnacl_options) const {
DCHECK(full_url && pnacl_options);
if (!dictionary.isMember(key)) {
VLOG(1) << "GetKeyUrl failed: file " << key << " not found in manifest.";
return false;
}
const Json::Value& isa_dict = dictionary[key];
std::string relative_url;
bool uses_nonsfi_mode;
ErrorInfo ignored_error_info;
if (!GetURLFromISADictionary(isa_dict, key, &relative_url,
pnacl_options, &uses_nonsfi_mode,
&ignored_error_info))
return false;
// The contents of the manifest are resolved relative to the manifest URL.
GURL base_gurl(manifest_base_url_);
if (!base_gurl.is_valid())
return false;
GURL resolved_gurl = base_gurl.Resolve(relative_url);
if (!resolved_gurl.is_valid())
return false;
*full_url = resolved_gurl.possibly_invalid_spec();
return true;
}
bool JsonManifest::GetURLFromISADictionary(const Json::Value& dictionary,
const std::string& parent_key,
std::string* url,
PP_PNaClOptions* pnacl_options,
bool* uses_nonsfi_mode,
ErrorInfo* error_info) const {
DCHECK(url && pnacl_options && error_info);
// When the application actually requests a resolved URL, we must have
// a matching entry (sandbox_isa_ or portable) for NaCl.
ErrorInfo ignored_error_info;
if (!IsValidISADictionary(dictionary, parent_key, sandbox_isa_, true,
nonsfi_enabled_, &ignored_error_info)) {
error_info->error = PP_NACL_ERROR_MANIFEST_RESOLVE_URL;
error_info->string = "architecture " + sandbox_isa_ +
" is not found for file " + parent_key;
return false;
}
// The call to IsValidISADictionary() above guarantees that either
// sandbox_isa_, its nonsfi mode, or kPortableKey is present in the
// dictionary.
*uses_nonsfi_mode = false;
std::string chosen_isa;
if (sandbox_isa_ == kPortableKey) {
chosen_isa = kPortableKey;
} else {
std::string nonsfi_isa = GetNonSFIKey(sandbox_isa_);
if (nonsfi_enabled_ && dictionary.isMember(nonsfi_isa)) {
chosen_isa = nonsfi_isa;
*uses_nonsfi_mode = true;
} else if (dictionary.isMember(sandbox_isa_)) {
chosen_isa = sandbox_isa_;
} else if (dictionary.isMember(kPortableKey)) {
chosen_isa = kPortableKey;
} else {
// Should not reach here, because the earlier IsValidISADictionary()
// call checked that the manifest covers the current architecture.
DCHECK(false);
return false;
}
}
const Json::Value& isa_spec = dictionary[chosen_isa];
// If the PNaCl debug flag is turned on, look for pnacl-debug entries first.
// If found, mark that it is a debug URL. Otherwise, fall back to
// checking for pnacl-translate URLs, etc. and don't mark it as a debug URL.
if (pnacl_debug_ && isa_spec.isMember(kPnaclDebugKey)) {
GrabUrlAndPnaclOptions(isa_spec[kPnaclDebugKey], url, pnacl_options);
pnacl_options->is_debug = PP_TRUE;
} else if (isa_spec.isMember(kPnaclTranslateKey)) {
GrabUrlAndPnaclOptions(isa_spec[kPnaclTranslateKey], url, pnacl_options);
} else {
// NaCl
*url = isa_spec[kUrlKey].asString();
pnacl_options->translate = PP_FALSE;
}
return true;
}
} // namespace nacl