2 * Copyright (c) 2012 The Native Client Authors. All rights reserved.
3 * Use of this source code is governed by a BSD-style license that can be
4 * found in the LICENSE file.
7 #ifndef NATIVE_CLIENT_SRC_TRUSTED_SERVICE_RUNTIME_SEL_MAIN_CHROME_H_
8 #define NATIVE_CLIENT_SRC_TRUSTED_SERVICE_RUNTIME_SEL_MAIN_CHROME_H_ 1
10 #include "native_client/src/include/nacl_base.h"
11 #include "native_client/src/include/portability.h"
12 #include "native_client/src/shared/imc/nacl_imc_c.h"
16 struct NaClValidationCache;
/*
 * Descriptor number under which initial_ipc_desc is exposed to untrusted
 * code. The value is picked so that it cannot collide with
 * NACL_SERVICE_PORT_DESCRIPTOR, NACL_SERVICE_ADDRESS_DESCRIPTOR, or the
 * export_addr_to descriptor that NaClChromeMainStart() installs.
 */
#define NACL_CHROME_INITIAL_IPC_DESC 6
28 struct NaClChromeMainArgs {
  /*
30 * Handle for bootstrapping a NaCl IMC connection to the trusted
31 * PPAPI plugin. Required.
   */
33 NaClHandle imc_bootstrap_handle;
  /*
36 * File descriptor for the NaCl integrated runtime (IRT) library.
37 * Note that this is a file descriptor even on Windows (where file
38 * descriptors are emulated by the C runtime library).
39 * Optional; may be -1. Optional when loading nexes that don't follow
40 * NaCl's stable ABI, such as the PNaCl translator.
   *
   * NOTE(review): the member this comment documents is not present in
   * this extract (the lines between here and initial_ipc_desc were
   * dropped); confirm against the full header.
   */
  /*
45 * Descriptor to provide to untrusted code as descriptor number
46 * NACL_CHROME_INITIAL_IPC_DESC. For use by the Chrome-IPC-based
47 * PPAPI proxy. Optional; may be NULL.
   *
   * Whatever is placed here is directly reachable by untrusted code, so
   * it should be the narrowest descriptor the proxy actually needs.
   */
49 struct NaClDesc *initial_ipc_desc;
51 /* Whether to enable untrusted hardware exception handling. Boolean. */
52 int enable_exception_handling;
54 /* Whether to enable NaCl's built-in GDB RSP debug stub. Boolean. */
55 int enable_debug_stub;
57 /* Whether to enable NaCl's dynamic code system calls. Boolean. */
  /*
   * When this is true, initial_nexe_max_code_bytes (below) no longer
   * bounds the amount of untrusted executable code, so the two settings
   * should be decided together.
   */
58 int enable_dyncode_syscalls;
  /*
61 * Maximum size of the initially loaded nexe's code segment, in
62 * bytes. 0 for no limit, which is the default.
   *
64 * This is intended for security hardening. It reduces the
65 * proportion of address space that can contain attacker-controlled
66 * executable code. It reduces the chance of a spraying attack
67 * succeeding if there is a vulnerability that allows jumping into
68 * the middle of an instruction. Note that setting a limit here is
69 * only useful if enable_dyncode_syscalls is false.
   */
71 uint32_t initial_nexe_max_code_bytes;
73 #if NACL_LINUX || NACL_OSX
  /*
75 * Server socket that will be used by debug stub to accept connections
76 * from NaCl GDB. This socket descriptor has already had bind() and listen()
77 * called on it. Optional; may be -1.
   */
79 int debug_stub_server_bound_socket_fd;
  /* NOTE(review): the #endif matching the #if above is not in this extract. */
  /*
83 * Callback to use for creating shared memory objects. Optional;
   * (the remainder of this comment is not in this extract)
   */
86 NaClCreateMemoryObjectFunc create_memory_object_func;
88 /* Cache for NaCl validation judgements. Optional; may be NULL. */
89 struct NaClValidationCache *validation_cache;
  /*
93 * Callback to use instead of DuplicateHandle() for copying a
94 * Windows handle to another process. Optional; may be NULL.
   */
96 NaClBrokerDuplicateHandleFunc broker_duplicate_handle_func;
  /*
99 * Callback to use for requesting that a debug exception handler be
100 * attached to this process for handling hardware exceptions via the
101 * Windows debug API. The data in info/info_size must be passed to
102 * NaClDebugExceptionHandlerRun(). Optional; may be NULL.
   *
   * NOTE(review): this prototype is truncated in this extract; its
   * parameter list continues on a line that was dropped.
   */
104 int (*attach_debug_exception_handler_func)(const void *info,
108 #if NACL_LINUX || NACL_OSX
  /*
110 * File descriptor for /dev/urandom for reading random data. This
111 * takes ownership of the file descriptor. In principle this is
112 * optional and may be -1, although startup may fail if this is not
   * (the rest of this comment, and the member it documents, are not in
   * this extract; because ownership transfers, the caller must not close
   * or reuse the descriptor it passes here)
   */
  /*
118 * The result of sysconf(_SC_NPROCESSORS_ONLN). The Chrome
119 * outer-sandbox prevents the glibc implementation of sysconf from
120 * working -- which just reads /proc/cpuinfo or similar file -- so
121 * instead, the launcher should fill this in. In principle this is
122 * optional and may be -1, but this will make
123 * sysconf(_SC_NPROCESSORS_ONLN) fail and result in some NaCl
   * (line dropped from this extract)
   *
126 * NB: sysconf(_SC_NPROCESSORS_ONLN) is the number of processors
127 * on-line and not the same as sysconf(_SC_NPROCESSORS_CONF) -- the
128 * former is possibly dynamic on systems with hotpluggable CPUs,
129 * whereas the configured number of processors -- what the kernel is
130 * configured to be able to handle or the number of processors
131 * potentially available. Setting number_of_cores below would
132 * result in reporting a static value, rather than a potentially
133 * changing, dynamic value.
   *
135 * We are unlikely to ever run on hotpluggable multiprocessor
   * (the rest of this comment, the number_of_cores member it describes,
   * and the #endif matching the #if above are not in this extract)
   */
  /*
143 * Size of address space reserved at address zero onwards for the
144 * sandbox. This is optional and may be 0 if no address space has
145 * been reserved, though some sandboxes (such as ARM) might fail in
   * (the rest of this comment is not in this extract)
   */
148 size_t prereserved_sandbox_size;
  /* NOTE(review): the struct's closing "};" is not in this extract. */
/**
 * Allocate a new NaClChromeMainArgs populated with default values.
 *
 * @return The new args struct. Who frees it, and whether NULL is
 *         returned on allocation failure, are not stated in this
 *         extract; check the definition before relying on either.
 */
extern struct NaClChromeMainArgs *NaClChromeMainArgsCreate(void);

/**
 * Start the NaCl service runtime with the given configuration.
 *
 * @param args Startup configuration; see struct NaClChromeMainArgs.
 *             Whether this call takes ownership of args, or returns to
 *             the caller at all, is not stated in this extract.
 */
extern void NaClChromeMainStart(struct NaClChromeMainArgs *args);