1# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
4
5import logging
6import os
7import re
8import stat
9import subprocess
10
11from autotest_lib.client.bin import test
12from autotest_lib.client.common_lib import error
13from autotest_lib.client.cros import asan
14
15class security_OpenFDs(test.test):
16    """Checks a number of sensitive processes on Chrome OS for unexpected open
17    file descriptors.
18    """
19
20    version = 1
21
22    @staticmethod
23    def _S_ISANONFD(mode):
24        """
25        Returns whether |mode| represents an "anonymous inode" file descriptor.
26        Python does not expose a type-checking macro for anonymous inode fds.
27        Implements the same interface as stat.S_ISREG(x).
28
29        @param mode: mode bits, usually from 'stat(path).st_mode'
30        """
31        return 0 == (mode & 0770000)
32
33
34    def get_fds(self, pid, typechecker):
35        """
36        Returns the set of open file descriptors for |pid|.
37        Each open fd is represented as 'mode path', e.g.: '0500 /dev/random'.
38
39        @param pid: pid of process
40        @param typechecker: callback restricting allowed fd types
41        """
42        proc_fd_dir = os.path.join('/proc/', pid, 'fd')
43        fd_perms = set([])
44        for link in os.listdir(proc_fd_dir):
45            link_path = os.path.join(proc_fd_dir, link)
46            target = os.readlink(link_path)
47            # The "mode" on the link tells us if the file is
48            # opened for read/write. We are more interested
49            # in that than the permissions of the file on the fs.
50            link_st_mode = os.lstat(link_path).st_mode
51            # On the other hand, we need the type information
52            # off the real file, otherwise we're going to get
53            # S_ISLNK for everything.
54            real_st_mode = os.stat(link_path).st_mode
55            if not typechecker(real_st_mode):
56                raise error.TestFail('Pid %s has fd for %s, disallowed type' %
57                                     (pid, target))
58            mode = stat.S_IMODE(link_st_mode)
59            fd_perms.add('%s %s' % (oct(mode), target))
60        return fd_perms
61
62
63    def snapshot_system(self):
64        """
65        Dumps a systemwide snapshot of open-fd and process table
66        information into the results directory, to assist with any
67        triage/debug later.
68        """
69        subprocess.call('ps -ef > "%s/ps-ef.txt"' % self.resultsdir,
70                        shell=True)
71        subprocess.call('ls -l /proc/*[0-9]*/fd > "%s/proc-fd.txt"' %
72                        self.resultsdir, shell=True)
73
74
75    def apply_filters(self, fds, filters):
76        """
77        Removes every item in |fds| matching any of the regexes in |filters|.
78        This modifies the set in-place, and returns a list containing
79        any regexes which did not match anything.
80
81        @param fds: set of 'mode path' strings representing open fds
82        @param filters: list of regexes to filter open fds with
83        """
84        failed_filters = set()
85        for filter_re in filters:
86            expected_fds = set([fd_perm for fd_perm in fds
87                                if re.match(filter_re, fd_perm)])
88            if not expected_fds:
89                failed_filters.add(filter_re)
90            fds -= expected_fds
91        return failed_filters
92
93
94    def find_pids(self, process, arg_regex):
95        """
96        Finds all pids for |process| whose command line arguments
97        match |arg_regex|. Returns a list of pids.
98
99        @param process: process name
100        @param arg_regex: regex to match command line arguments
101        """
102        p1 = subprocess.Popen(['ps', '-C', process, '-o', 'pid,command'],
103                              stdout=subprocess.PIPE)
104        # We're adding '--ignored= --type=renderer' to the GPU process cmdline
105        # to fix crbug.com/129884.
106        # This process has different characteristics, so we need to avoid
107        # finding it when we find --type=renderer tests processes.
108        p2 = subprocess.Popen(['grep', '-v', '--',
109                               '--ignored=.*%s' % arg_regex],
110                              stdin=p1.stdout, stdout=subprocess.PIPE)
111        p3 = subprocess.Popen(['grep', arg_regex], stdin=p2.stdout,
112                              stdout=subprocess.PIPE)
113        p4 = subprocess.Popen(['awk', '{print $1}'], stdin=p3.stdout,
114                              stdout=subprocess.PIPE)
115        output = p4.communicate()[0]
116        return output.splitlines()
117
118
119    def check_process(self, process, args, filters, typechecker):
120        """
121        Checks a process for unexpected open file descriptors:
122        * Identifies all instances (pids) of |process|.
123        * Identifies all file descriptors open by those pids.
124        * Reports any fds not accounted for by regexes in |filters|.
125        * Reports any filters which fail to match any open fds.
126
127        If there were any fds unaccounted for, or failed filters,
128        mark the test failed.
129
130        @param process: process name
131        @param args: regex to match command line arguments
132        @param filters: list of regexes to filter open fds with
133        @param typechecker: callback restricting allowed fd types
134        """
135        logging.debug('Checking %s %s', process, args)
136        test_pass = True
137        for pid in self.find_pids(process, args):
138            logging.debug('Found pid %s for %s', pid, process)
139            fds = self.get_fds(pid, typechecker)
140            failed_filters = self.apply_filters(fds, filters)
141            # Log failed filters to allow pruning the list.
142            if failed_filters:
143                logging.error('Some filter(s) failed to match any fds: %s',
144                              repr(failed_filters))
145            if fds:
146                logging.error('Found unexpected fds in %s %s: %s',
147                              process, args, repr(fds))
148                test_pass = False
149        return test_pass
150
151
152    def run_once(self):
153        """
154        Checks a number of sensitive processes on Chrome OS for
155        unexpected open file descriptors.
156        """
157        self.snapshot_system()
158
159        passes = []
160        filters = [r'0700 anon_inode:\[event.*\]',
161                   r'0[35]00 pipe:.*',
162                   r'0[57]00 socket:.*',
163                   r'0500 /dev/null',
164                   r'0[57]00 /dev/urandom',
165                   r'0300 /var/log/chrome/chrome_.*',
166                   r'0[37]00 /var/log/ui/ui.*',
167                  ]
168
169        # Whitelist fd-type check, suitable for Chrome processes.
170        # Notably, this omits S_ISDIR.
171        allowed_fd_type_check = lambda x: (stat.S_ISREG(x) or
172                                           stat.S_ISCHR(x) or
173                                           stat.S_ISSOCK(x) or
174                                           stat.S_ISFIFO(x) or
175                                           security_OpenFDs._S_ISANONFD(x))
176
177        # TODO(jorgelo): revisit this and potentially remove.
178        if asan.running_on_asan():
179            # On ASan, allow all fd types and opening /proc
180            logging.info("Running on ASan, allowing /proc")
181            allowed_fd_type_check = lambda x: True
182            filters.append(r'0500 /proc')
183
184        passes.append(self.check_process('chrome', 'type=plugin', filters,
185                                         allowed_fd_type_check))
186
187        filters.extend([r'0[57]00 /dev/shm/..*',
188                        r'0500 /opt/google/chrome/.*.pak',
189                        r'0500 /opt/google/chrome/icudtl.dat',
190                        # These used to be bundled with the Chrome binary.
191                        # See crbug.com/475170.
192                        r'0500 /opt/google/chrome/natives_blob.bin',
193                        r'0500 /opt/google/chrome/snapshot_blob.bin',
194                        # Font files can be kept open in renderers
195                        # for performance reasons.
196                        # See crbug.com/452227.
197                        r'0500 /usr/share/fonts/.*',
198                        # Zero-copy texture uploads. crbug.com/607632.
199                        r'0700 anon_inode:dmabuf',
200                        # Ad blocking ruleset mmapped in for performance.
201                        r'0500 /home/chronos/Subresource Filter/Indexed Rules/[0-9]*/[0-9\.]*/Ruleset Data'
202                       ])
203        try:
204            # Renderers have access to DRM vgem device for graphics tile upload.
205            # See crbug.com/537474.
206            filters.append(r'0700 /dev/dri/%s' % os.readlink('/dev/dri/vgem'))
207        except OSError:
208            # /dev/dri/vgem doesn't exist.
209            pass
210
211        passes.append(self.check_process('chrome', 'type=renderer', filters,
212                                         allowed_fd_type_check))
213
214        if False in passes:
215            raise error.TestFail("Unexpected open file descriptors.")
216