1# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
4
5
6import os
7import subprocess
8
9from autotest_lib.client.bin import test, utils
10from autotest_lib.client.common_lib import error
11
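class security_RendererSandbox(test.test):
    """Check that a running renderer process has an empty working directory.

    The test polls pgrep for a process whose command line contains
    'type=renderer', then lists /proc/<pid>/cwd and fails if that directory
    has any entries. An empty CWD is the only sandbox indicator examined
    here; no other sandbox layer is verified by this test.
    """
    version = 1
    # Pid of the renderer under test, stored as the string printed by pgrep.
    # Remains -1 until |_get_renderer_pid()| finds a candidate.
    renderer_pid = -1


    def _get_renderer_pid(self):
        """Query pgrep for the pid of the renderer.

        This method is passed as the condition to
        |utils.poll_for_condition()|, so it reports its result as a boolean
        and stores the pid in |self.renderer_pid| as a side effect.

        Returns:
            True if at least one renderer pid was found, False otherwise.
        """
        # universal_newlines=True makes communicate() return text, so the
        # substring filter below compares str with str instead of raising
        # TypeError on bytes under Python 3.
        pgrep = subprocess.Popen(['pgrep', '-f', '-l', 'type=renderer'],
                                 stdout=subprocess.PIPE,
                                 universal_newlines=True)
        listing = pgrep.communicate()[0].splitlines()

        # The fix for http://code.google.com/p/chromium/issues/detail?id=129884
        # adds '--ignored= --type=renderer' to the GPU process cmdline.
        # This makes 'pgrep' above return the pid of the GPU process,
        # which is not setuid sandboxed, as the pid of a renderer,
        # breaking the test.
        # Work around by removing processes with '--ignored= --type=renderer'
        # flags.
        # NOTE(review): this filter only works if 'pgrep -f -l' prints the
        # full command line. Newer procps-ng prints just the process name
        # for '-l' and needs '-a' for the full command line; on such systems
        # the GPU process would no longer be filtered out. Confirm against
        # the pgrep shipped on the device under test.
        pids = [entry.split()[0] for entry in listing
                if entry.strip()
                and '--ignored= --type=renderer' not in entry]

        if not pids:
            return False

        # NOTE(review): only the first matching renderer is recorded and
        # later checked; any other renderer processes are not inspected.
        self.renderer_pid = pids[0]
        return True


    def _check_for_suid_sandbox(self, renderer_pid):
        """For the setuid sandbox, make sure there is no content in the CWD
        directory.

        Args:
            renderer_pid: pid of the renderer process to inspect.

        Raises:
            error.TestFail: if /proc/<renderer_pid>/cwd has any entries.
        """
        # Inspect the pid the caller passed in, not |self.renderer_pid|, so
        # the check always applies to the process the caller named.
        # If that process has exited since it was found, os.listdir() raises
        # OSError, which propagates unchanged rather than counting as a pass.
        # Presumably a setuid-sandboxed renderer sits in an empty chroot,
        # which is why an empty CWD is treated as "sandboxed" -- confirm
        # against the sandbox implementation.
        cwd_contents = os.listdir('/proc/%s/cwd' % renderer_pid)
        if cwd_contents:
            raise error.TestFail('Contents present in the CWD directory')


    def run_once(self, time_to_wait=20):
        """Wait until the page is loaded and poll for the renderer pid.
        If renderer pid is found, it is stored in |self.renderer_pid|.

        Args:
            time_to_wait: value passed to |utils.poll_for_condition()| as
                its third argument; the failure message indicates it bounds
                how long the poll waits for a renderer pid.

        Raises:
            error.TestFail: if no renderer pid is obtained in time, or if
                the renderer's CWD is not empty.
        """
        utils.poll_for_condition(
            self._get_renderer_pid,
            error.TestFail('Timed out waiting to obtain pid of renderer'),
            time_to_wait)

        # Check if renderer is sandboxed.
        self._check_for_suid_sandbox(self.renderer_pid)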
64