rule-of-2 - add protobuf shared memory note and ProtoWrapper
Change-Id: Ic49a4eb0ea3a5a2d07b2e071d08ca112ff1778b4
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5406234
Reviewed-by: danakj <danakj@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1279968}
committed by Chromium LUCI CQ
parent dc98643c9f
commit df5ea3c566

@@ -303,13 +303,28 @@ Ultimately this process results in parsing significantly simpler grammars. (PNG
 > language and still have such high performance, that'd be ideal. But that's
 > unlikely to happen soon.)
 
 ### Exception: Protobuf
 
 While less preferable to Mojo, we also similarly trust Protobuf for
 deserializing messages at high privilege from potentially untrustworthy senders.
 For example, Protobufs are sometimes embedded in Mojo IPC messages. It is
 always preferable to use a Mojo message where possible, though sometimes
-external constraints require the use of Protobuf. Note that this only applies to
-Protobuf as a container format; the data contained within a Protobuf must be
-handled according to this rule as well.
+external constraints require the use of Protobuf.
+
+Protobuf's threat model does not include parsing a protobuf from shared
+memory. Always copy the proto buffer bytes from untrustworthy shared
+memory regions before deserializing to a Message.
+
+If you must pass protobuf bytes over mojo use
+[mojo_base::ProtoWrapper](https://chromium.googlesource.com/chromium/src/+/main/mojo/public/cpp/base/proto_wrapper.h)
+as this provides limited type safety for the top-level protobuf message and
+ensures copies are taken before deserializing.
+
+Note that this exception only applies to Protobuf as a container format;
+complex data contained within a Protobuf must be handled according to this
+rule as well.
 
 ### Exception: RE2
 
 As another special case, we trust the
 [RE2](https://cs.chromium.org/chromium/src/third_party/re2/README.chromium)
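Review bot: the new shared-memory paragraph gives the rule (copy the bytes out before deserializing) but not the reason, so a reader may treat the copy as optional; suggest one sentence after `memory regions before deserializing to a Message.` stating that the untrustworthy sender keeps write access to the region, so the bytes can change while the parser reads them, which is exactly the situation the Protobuf threat model leaves out. Minor style point in the same hunk: `If you must pass protobuf bytes over mojo use` reads better as `over Mojo, use`, matching the capitalisation of Mojo used elsewhere in this section.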