# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
import logging
import os
import re
import stat
import subprocess
from autotest_lib.client.bin import test
from autotest_lib.client.common_lib import error
from autotest_lib.client.cros import asan
class security_OpenFDs(test.test):
"""Checks a number of sensitive processes on Chrome OS for unexpected open
file descriptors.
"""
version = 1
@staticmethod
def _S_ISANONFD(mode):
"""
Returns whether |mode| represents an "anonymous inode" file descriptor.
Python does not expose a type-checking macro for anonymous inode fds.
Implements the same interface as stat.S_ISREG(x).
@param mode: mode bits, usually from 'stat(path).st_mode'
"""
return 0 == (mode & 0770000)
def get_fds(self, pid, typechecker):
"""
Returns the set of open file descriptors for |pid|.
Each open fd is represented as 'mode path', e.g.: '0500 /dev/random'.
@param pid: pid of process
@param typechecker: callback restricting allowed fd types
"""
proc_fd_dir = os.path.join('/proc/', pid, 'fd')
fd_perms = set([])
for link in os.listdir(proc_fd_dir):
link_path = os.path.join(proc_fd_dir, link)
target = os.readlink(link_path)
# The "mode" on the link tells us if the file is
# opened for read/write. We are more interested
# in that than the permissions of the file on the fs.
link_st_mode = os.lstat(link_path).st_mode
# On the other hand, we need the type information
# off the real file, otherwise we're going to get
# S_ISLNK for everything.
real_st_mode = os.stat(link_path).st_mode
if not typechecker(real_st_mode):
raise error.TestFail('Pid %s has fd for %s, disallowed type' %
(pid, target))
mode = stat.S_IMODE(link_st_mode)
fd_perms.add('%s %s' % (oct(mode), target))
return fd_perms
def snapshot_system(self):
"""
Dumps a systemwide snapshot of open-fd and process table
information into the results directory, to assist with any
triage/debug later.
"""
subprocess.call('ps -ef > "%s/ps-ef.txt"' % self.resultsdir,
shell=True)
subprocess.call('ls -l /proc/*[0-9]*/fd > "%s/proc-fd.txt"' %
self.resultsdir, shell=True)
def apply_filters(self, fds, filters):
"""
Removes every item in |fds| matching any of the regexes in |filters|.
This modifies the set in-place, and returns a list containing
any regexes which did not match anything.
@param fds: set of 'mode path' strings representing open fds
@param filters: list of regexes to filter open fds with
"""
failed_filters = set()
for filter_re in filters:
expected_fds = set([fd_perm for fd_perm in fds
if re.match(filter_re, fd_perm)])
if not expected_fds:
failed_filters.add(filter_re)
fds -= expected_fds
return failed_filters
def find_pids(self, process, arg_regex):
"""
Finds all pids for |process| whose command line arguments
match |arg_regex|. Returns a list of pids.
@param process: process name
@param arg_regex: regex to match command line arguments
"""
p1 = subprocess.Popen(['ps', '-C', process, '-o', 'pid,command'],
stdout=subprocess.PIPE)
# We're adding '--ignored= --type=renderer' to the GPU process cmdline
# to fix crbug.com/129884.
# This process has different characteristics, so we need to avoid
# finding it when we find --type=renderer tests processes.
p2 = subprocess.Popen(['grep', '-v', '--',
'--ignored=.*%s' % arg_regex],
stdin=p1.stdout, stdout=subprocess.PIPE)
p3 = subprocess.Popen(['grep', arg_regex], stdin=p2.stdout,
stdout=subprocess.PIPE)
p4 = subprocess.Popen(['awk', '{print $1}'], stdin=p3.stdout,
stdout=subprocess.PIPE)
output = p4.communicate()[0]
return output.splitlines()
def check_process(self, process, args, filters, typechecker):
"""
Checks a process for unexpected open file descriptors:
* Identifies all instances (pids) of |process|.
* Identifies all file descriptors open by those pids.
* Reports any fds not accounted for by regexes in |filters|.
* Reports any filters which fail to match any open fds.
If there were any fds unaccounted for, or failed filters,
mark the test failed.
@param process: process name
@param args: regex to match command line arguments
@param filters: list of regexes to filter open fds with
@param typechecker: callback restricting allowed fd types
"""
logging.debug('Checking %s %s', process, args)
test_pass = True
for pid in self.find_pids(process, args):
logging.debug('Found pid %s for %s', pid, process)
fds = self.get_fds(pid, typechecker)
failed_filters = self.apply_filters(fds, filters)
# Log failed filters to allow pruning the list.
if failed_filters:
logging.error('Some filter(s) failed to match any fds: %s',
repr(failed_filters))
if fds:
logging.error('Found unexpected fds in %s %s: %s',
process, args, repr(fds))
test_pass = False
return test_pass
def run_once(self):
"""
Checks a number of sensitive processes on Chrome OS for
unexpected open file descriptors.
"""
self.snapshot_system()
passes = []
filters = [r'0700 anon_inode:\[event.*\]',
r'0[35]00 pipe:.*',
r'0[57]00 socket:.*',
r'0500 /dev/null',
r'0[57]00 /dev/urandom',
r'0300 /var/log/chrome/chrome_.*',
r'0[37]00 /var/log/ui/ui.*',
]
# Whitelist fd-type check, suitable for Chrome processes.
# Notably, this omits S_ISDIR.
allowed_fd_type_check = lambda x: (stat.S_ISREG(x) or
stat.S_ISCHR(x) or
stat.S_ISSOCK(x) or
stat.S_ISFIFO(x) or
security_OpenFDs._S_ISANONFD(x))
# TODO(jorgelo): revisit this and potentially remove.
if asan.running_on_asan():
# On ASan, allow all fd types and opening /proc
logging.info("Running on ASan, allowing /proc")
allowed_fd_type_check = lambda x: True
filters.append(r'0500 /proc')
passes.append(self.check_process('chrome', 'type=plugin', filters,
allowed_fd_type_check))
filters.extend([r'0[57]00 /dev/shm/..*',
r'0500 /opt/google/chrome/.*.pak',
r'0500 /opt/google/chrome/icudtl.dat',
# These used to be bundled with the Chrome binary.
# See crbug.com/475170.
r'0500 /opt/google/chrome/natives_blob.bin',
r'0500 /opt/google/chrome/snapshot_blob.bin',
# Font files can be kept open in renderers
# for performance reasons.
# See crbug.com/452227.
r'0500 /usr/share/fonts/.*',
# Zero-copy texture uploads. crbug.com/607632.
r'0700 anon_inode:dmabuf',
# Ad blocking ruleset mmapped in for performance.
r'0500 /home/chronos/Subresource Filter/Indexed Rules/[0-9]*/[0-9\.]*/Ruleset Data'
])
try:
# Renderers have access to DRM vgem device for graphics tile upload.
# See crbug.com/537474.
filters.append(r'0700 /dev/dri/%s' % os.readlink('/dev/dri/vgem'))
except OSError:
# /dev/dri/vgem doesn't exist.
pass
passes.append(self.check_process('chrome', 'type=renderer', filters,
allowed_fd_type_check))
if False in passes:
raise error.TestFail("Unexpected open file descriptors.")