      1 # Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
      2 # Use of this source code is governed by a BSD-style license that can be
      3 # found in the LICENSE file.
      4 
      5 
      6 import os
      7 import subprocess
      8 
      9 from autotest_lib.client.bin import test, utils
     10 from autotest_lib.client.common_lib import error
     11 
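     class security_RendererSandbox(test.test):
         """Check that a running renderer process has an empty working directory.

         The test polls for a process whose command line contains
         'type=renderer', then lists /proc/<pid>/cwd and fails if that
         directory has any entries. The existing docstrings tie the empty CWD
         to the setuid sandbox.

         Only the first matching pid is inspected, so a passing run says
         nothing about any other renderer that may be running.
         """
         version = 1
         # pid of the renderer found by _get_renderer_pid(); -1 until one is found.
         renderer_pid = -1


         def _get_renderer_pid(self):
             """Query pgrep for the pid of a renderer process.

             This method is passed to |utils.poll_for_condition()|, so it
             reports success as a boolean and stores the pid itself in
             |self.renderer_pid|.

             Returns:
                 True if a renderer pid was found and stored, False otherwise.
             """
             # universal_newlines=True makes communicate() return text rather
             # than bytes, so the substring filter below also works on Python 3.
             pgrep = subprocess.Popen(['pgrep', '-f', '-l', 'type=renderer'],
                                      stdout=subprocess.PIPE,
                                      universal_newlines=True)
             procs = pgrep.communicate()[0].splitlines()

             # The fix for http://code.google.com/p/chromium/issues/detail?id=129884
             # adds '--ignored= --type=renderer' to the GPU process cmdline.
             # This makes 'pgrep' above return the pid of the GPU process,
             # which is not setuid sandboxed, as the pid of a renderer,
             # breaking the test.
             # Work around by removing processes with '--ignored= --type=renderer'
             # flags.
             # NOTE(review): this filter only works if 'pgrep -l' prints the
             # full command line. Newer procps-ng releases print only the
             # process name for -l and use -a for the full command line. In
             # that case the GPU process would no longer be filtered out and
             # the wrong process could be checked. Confirm against the pgrep
             # shipped on the device under test.
             pids = [proc.split()[0] for proc in procs
                     if proc.strip()
                     and '--ignored= --type=renderer' not in proc]

             if not pids:
                 return False

             # Only the first match is kept; other renderers are not examined.
             self.renderer_pid = pids[0]
             return True


         def _check_for_suid_sandbox(self, renderer_pid):
             """Fail the test if the renderer's working directory is not empty.

             Args:
                 renderer_pid: pid of the renderer process to inspect.

             Raises:
                 error.TestFail: if /proc/<renderer_pid>/cwd has any entries.
                 OSError: propagated from os.listdir() if the directory cannot
                     be read, for example because the process has already
                     exited. That is reported as an error, not as a pass.
             """
             # Use the pid the caller passed in instead of silently reading
             # self.renderer_pid, so the check inspects the process it was
             # asked about.
             cwd_contents = os.listdir('/proc/%s/cwd' % renderer_pid)
             if cwd_contents:
                 raise error.TestFail('Contents present in the CWD directory')


         def run_once(self, time_to_wait=20):
             """Wait for a renderer to appear, then check its working directory.

             Args:
                 time_to_wait: timeout handed to |utils.poll_for_condition()|
                     (presumably seconds; confirm against utils).

             If a renderer pid is found, it is stored in |self.renderer_pid|.
             """
             utils.poll_for_condition(
                 self._get_renderer_pid,
                 error.TestFail('Timed out waiting to obtain pid of renderer'),
                 time_to_wait)

             # Check if renderer is sandboxed.
             self._check_for_suid_sandbox(self.renderer_pid)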