Add metrics to record TCP/UDP connections made from Flash

BUG=472256 Review URL: https://codereview.chromium.org/1132093003 Cr-Commit-Position: refs/heads/master@{#329895}

Add metrics to record TCP/UDP connections made from Flash
BUG=472256 Review URL: https://codereview.chromium.org/1132093003 Cr-Commit-Position: refs/heads/master@{#329895}
568fbcac · raymes · Commit bot · ce56d9d7 · 568fbcac · 568fbcac
Commit 568fbcac authored May 14, 2015 by raymes Committed by Commit bot May 14, 2015
11 changed files
--- a/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc
+++ b/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc
@@ -141,6 +141,14 @@ void BrowserPpapiHostImpl::SetOnKeepaliveCallback(
  on_keepalive_callback_ = callback;
 }
+bool BrowserPpapiHostImpl::IsPotentiallySecurePluginContext(
+    PP_Instance instance) {
+  auto* data = instance_map_.get(instance);
+  if (data == nullptr)
+    return false;
+  return data->renderer_data.is_potentially_secure_plugin_context;
+}
 void BrowserPpapiHostImpl::AddInstance(
    PP_Instance instance,
    const PepperRendererInstanceData& renderer_instance_data) {

--- a/content/browser/renderer_host/pepper/browser_ppapi_host_impl.h
+++ b/content/browser/renderer_host/pepper/browser_ppapi_host_impl.h
@@ -72,6 +72,11 @@ class CONTENT_EXPORT BrowserPpapiHostImpl : public BrowserPpapiHost {
  void SetOnKeepaliveCallback(
      const BrowserPpapiHost::OnKeepaliveCallback& callback) override;
+  // Whether the plugin context is secure. That is, it is served from a secure
+  // origin and it is embedded within a hierarchy of secure frames. This value
+  // comes from the renderer so should not be trusted. It is used for metrics.
+  bool IsPotentiallySecurePluginContext(PP_Instance instance);
  void set_plugin_process(base::Process process) {
    plugin_process_ = process.Pass();
  }

--- a/content/browser/renderer_host/pepper/pepper_tcp_socket_message_filter.cc
+++ b/content/browser/renderer_host/pepper/pepper_tcp_socket_message_filter.cc
@@ -9,6 +9,7 @@
 #include "base/bind.h"
 #include "base/location.h"
 #include "base/logging.h"
+#include "base/metrics/histogram_macros.h"
 #include "base/profiler/scoped_tracker.h"
 #include "build/build_config.h"
 #include "content/browser/renderer_host/pepper/content_browser_pepper_host_factory.h"
@@ -1000,6 +1001,9 @@ void PepperTCPSocketMessageFilter::SendConnectReply(
    int32_t pp_result,
    const PP_NetAddress_Private& local_addr,
    const PP_NetAddress_Private& remote_addr) {
+  UMA_HISTOGRAM_BOOLEAN("Pepper.PluginContextSecurity.TCPConnect",
+                        host_->IsPotentiallySecurePluginContext(instance_));
  ppapi::host::ReplyMessageContext reply_context(context);
  reply_context.params.set_result(pp_result);
  SendReply(reply_context,

--- a/content/browser/renderer_host/pepper/pepper_udp_socket_message_filter.cc
+++ b/content/browser/renderer_host/pepper/pepper_udp_socket_message_filter.cc
@@ -8,6 +8,7 @@
 #include "base/compiler_specific.h"
 #include "base/logging.h"
+#include "base/metrics/histogram_macros.h"
 #include "content/browser/renderer_host/pepper/browser_ppapi_host_impl.h"
 #include "content/browser/renderer_host/pepper/pepper_socket_utils.h"
 #include "content/public/browser/browser_thread.h"
@@ -60,7 +61,8 @@ PepperUDPSocketMessageFilter::PepperUDPSocketMessageFilter(
    BrowserPpapiHostImpl* host,
    PP_Instance instance,
    bool private_api)
-    : socket_options_(0),
+    : host_(host),
+      socket_options_(0),
      rcvbuf_size_(0),
      sndbuf_size_(0),
      multicast_ttl_(0),
@@ -645,6 +647,10 @@ void PepperUDPSocketMessageFilter::SendBindReply(
    const ppapi::host::ReplyMessageContext& context,
    int32_t result,
    const PP_NetAddress_Private& addr) {
+  UMA_HISTOGRAM_BOOLEAN(
+      "Pepper.PluginContextSecurity.UDPBind",
+      host_->IsPotentiallySecurePluginContext(resource_host()->pp_instance()));
  ppapi::host::ReplyMessageContext reply_context(context);
  reply_context.params.set_result(result);
  SendReply(reply_context, PpapiPluginMsg_UDPSocket_BindReply(addr));

--- a/content/browser/renderer_host/pepper/pepper_udp_socket_message_filter.h
+++ b/content/browser/renderer_host/pepper/pepper_udp_socket_message_filter.h
@@ -133,6 +133,8 @@ class CONTENT_EXPORT PepperUDPSocketMessageFilter
  int32_t CanUseMulticastAPI(const PP_NetAddress_Private& addr);
+  BrowserPpapiHostImpl* host_;
  // Bitwise-or of SocketOption flags. This stores the state about whether
  // each option is set before Bind() is called.
  int socket_options_;

--- a/content/common/pepper_renderer_instance_data.cc
+++ b/content/common/pepper_renderer_instance_data.cc
@@ -7,17 +7,21 @@
 namespace content {
 PepperRendererInstanceData::PepperRendererInstanceData()
-    : render_process_id(0), render_frame_id(0) {
+    : render_process_id(0),
+      render_frame_id(0),
+      is_potentially_secure_plugin_context(false) {
 }
 PepperRendererInstanceData::PepperRendererInstanceData(int render_process,
                                                       int render_frame,
                                                       const GURL& document,
-                                                       const GURL& plugin)
+                                                       const GURL& plugin,
+                                                       bool secure)
    : render_process_id(render_process),
      render_frame_id(render_frame),
      document_url(document),
-      plugin_url(plugin) {
+      plugin_url(plugin),
+      is_potentially_secure_plugin_context(secure) {
 }
 PepperRendererInstanceData::~PepperRendererInstanceData() {

--- a/content/common/pepper_renderer_instance_data.h
+++ b/content/common/pepper_renderer_instance_data.h
@@ -22,12 +22,17 @@ struct PepperRendererInstanceData {
  PepperRendererInstanceData(int render_process,
                             int render_frame_id,
                             const GURL& document,
-                             const GURL& plugin);
+                             const GURL& plugin,
+                             bool secure);
  ~PepperRendererInstanceData();
  int render_process_id;
  int render_frame_id;
  GURL document_url;
  GURL plugin_url;
+  // Whether the plugin context is secure. That is, it is served from a secure
+  // origin and it is embedded within a hierarchy of secure frames. This value
+  // comes from the renderer so should not be trusted. It is used for metrics.
+  bool is_potentially_secure_plugin_context;
 };
 }  // namespace content

--- a/content/common/view_messages.h
+++ b/content/common/view_messages.h
@@ -226,6 +226,7 @@ IPC_STRUCT_TRAITS_BEGIN(content::PepperRendererInstanceData)
  IPC_STRUCT_TRAITS_MEMBER(render_frame_id)
  IPC_STRUCT_TRAITS_MEMBER(document_url)
  IPC_STRUCT_TRAITS_MEMBER(plugin_url)
+  IPC_STRUCT_TRAITS_MEMBER(is_potentially_secure_plugin_context)
 IPC_STRUCT_TRAITS_END()
 #endif

--- a/content/renderer/pepper/host_dispatcher_wrapper.cc
+++ b/content/renderer/pepper/host_dispatcher_wrapper.cc
@@ -5,6 +5,7 @@
 #include "content/renderer/pepper/host_dispatcher_wrapper.h"
 #include "content/common/view_messages.h"
+#include "content/public/common/origin_util.h"
 #include "content/renderer/pepper/pepper_hung_plugin_filter.h"
 #include "content/renderer/pepper/pepper_plugin_instance_impl.h"
 #include "content/renderer/pepper/pepper_proxy_channel_delegate_impl.h"
@@ -12,6 +13,9 @@
 #include "content/renderer/pepper/renderer_ppapi_host_impl.h"
 #include "content/renderer/pepper/renderer_restrict_dispatch_group.h"
 #include "content/renderer/render_frame_impl.h"
+#include "third_party/WebKit/public/web/WebDocument.h"
+#include "third_party/WebKit/public/web/WebElement.h"
+#include "third_party/WebKit/public/web/WebPluginContainer.h"
 namespace content {
@@ -85,14 +89,19 @@ void HostDispatcherWrapper::AddInstance(PP_Instance instance) {
  if (host) {
    RenderFrame* render_frame = host->GetRenderFrameForInstance(instance);
    PepperPluginInstance* plugin_instance = host->GetPluginInstance(instance);
+    blink::WebString unused;
+    bool is_privileged_context =
+        plugin_instance->GetContainer()
+            ->element()
+            .document()
+            .isPrivilegedContext(unused) &&
+        content::IsOriginSecure(plugin_instance->GetPluginURL());
    render_frame->Send(new ViewHostMsg_DidCreateOutOfProcessPepperInstance(
-        plugin_child_id_,
+        plugin_child_id_, instance,
-        instance,
        PepperRendererInstanceData(
            0,  // The render process id will be supplied in the browser.
-            render_frame->GetRoutingID(),
+            render_frame->GetRoutingID(), host->GetDocumentURL(instance),
-            host->GetDocumentURL(instance),
+            plugin_instance->GetPluginURL(), is_privileged_context),
-            plugin_instance->GetPluginURL()),
        is_external_));
  }
 }

--- a/content/renderer/pepper/pepper_browser_connection.cc
+++ b/content/renderer/pepper/pepper_browser_connection.cc
@@ -42,11 +42,15 @@ void PepperBrowserConnection::DidCreateInProcessInstance(
    int render_frame_id,
    const GURL& document_url,
    const GURL& plugin_url) {
+  // We don't need to know if it's a privileged context for in-process plugins.
+  // In process plugins are deprecated and the only in-process plugin that
+  // exists is the "NaCl plugin" which will never need to know this.
+  bool is_privileged_context = false;
  Send(new ViewHostMsg_DidCreateInProcessInstance(
      instance,
      // Browser provides the render process id.
-      PepperRendererInstanceData(
+      PepperRendererInstanceData(0, render_frame_id, document_url, plugin_url,
-          0, render_frame_id, document_url, plugin_url)));
+                                 is_privileged_context)));
 }
 void PepperBrowserConnection::DidDeleteInProcessInstance(PP_Instance instance) {

--- a/tools/metrics/histograms/histograms.xml
+++ b/tools/metrics/histograms/histograms.xml
@@ -26649,6 +26649,26 @@ Therefore, the affected-histogram name has to have at least one dot in it.
  </summary>
 </histogram>
+<histogram name="Pepper.PluginContextSecurity.TCPConnect" enum="BooleanSecure">
+  <owner>raymes@chromium.org</owner>
+  <owner>jww@chromium.org</owner>
+  <owner>rsleevi@chromium.org</owner>
+  <summary>
+    Whether a Pepper TCP connect attempt comes from a plugin in a secure or an
+    insecure origin.
+  </summary>
+</histogram>
+<histogram name="Pepper.PluginContextSecurity.UDPBind" enum="BooleanSecure">
+  <owner>raymes@chromium.org</owner>
+  <owner>jww@chromium.org</owner>
+  <owner>rsleevi@chromium.org</owner>
+  <summary>
+    Whether a Pepper UDP bind attempt comes from a plugin in a secure or an
+    insecure origin.
+  </summary>
+</histogram>
 <histogram name="PerformanceMonitor.AverageCPU" units="PercentCPUUsage">
  <owner>oysteine@chromium.org</owner>
  <summary>
@@ -48182,6 +48202,11 @@ Therefore, the affected-histogram name has to have at least one dot in it.
  <int value="1" label="Revoked"/>
 </enum>
+<enum name="BooleanSecure" type="int">
+  <int value="0" label="Insecure"/>
+  <int value="1" label="Secure"/>
+</enum>
 <enum name="BooleanSelected" type="int">
  <int value="0" label="No selection"/>
  <int value="1" label="Selected"/>