diff options
| author | markus@chromium.org <markus@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-26 19:48:37 +0000 |
|---|---|---|
| committer | markus@chromium.org <markus@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-26 19:48:37 +0000 |
| commit | 2c39a8b574013340dd6ae2c2587b273f3d1d4c48 (patch) | |
| tree | ed1d6c053acc99c4cf56c316aec7e520c28dde0b /chrome/tools | |
| parent | 7f537a10140277911002830f0c991a45f31ad0a5 (diff) | |
| download | chromium_src-2c39a8b574013340dd6ae2c2587b273f3d1d4c48.zip chromium_src-2c39a8b574013340dd6ae2c2587b273f3d1d4c48.tar.gz chromium_src-2c39a8b574013340dd6ae2c2587b273f3d1d4c48.tar.bz2 | |
Make the script more robust when using the zygote inside of the setuid sandbox.
We now explicitly reject an process that has a "--type=" command line argument
when scanning for the main browser process.
Also, for the seccomp sandbox print the pid of the trusted process. This might
be helpful information in some cases.
TEST=none
BUG=none
Review URL: http://codereview.chromium.org/3184026
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57565 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/tools')
| -rwxr-xr-x | chrome/tools/chrome-process-identifier.sh | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/chrome/tools/chrome-process-identifier.sh b/chrome/tools/chrome-process-identifier.sh index 770529b..c12aedb 100755 --- a/chrome/tools/chrome-process-identifier.sh +++ b/chrome/tools/chrome-process-identifier.sh @@ -11,17 +11,26 @@ # This script is likely to only work on Linux or systems that closely mimick # Linux's /proc filesystem. -[ -d /proc ] || { +[ -x /proc/self/exe ] || { echo "This script cannot be run on your system" >&2 exit 1 } # Find the browser's process id. If there are multiple active instances of -# Chrome, the caller can provide a pid on the command line. Otherwise, the -# script will randomly pick one of the instances. +# Chrome, the caller can provide a pid on the command line. The provided pid +# must match a process in the browser's process hierarchy. When using the +# zygote inside of the setuid sandbox, renderers are in a process tree separate +# from the browser process. You cannot use any of their pids. +# If no pid is provided on the command line, the script will randomly pick +# one of the running instances. if [ $# -eq 0 ]; then pid=$(ls -l /proc/*/exe 2>/dev/null | - sed '/\/chrome$/s,.*/proc/\([^/]*\)/exe.*,\1,;t1;d;:1;q') + sed '/\/chrome$/s,.*/proc/\([^/]*\)/exe.*,\1,;t;d' | + while read p; do + xargs -0 </proc/$p/cmdline 2>/dev/null|grep -q -- --type= && continue + echo "$p" + break + done) else pid="$1" fi @@ -31,8 +40,11 @@ while :; do ppid="$(ps h --format ppid --pid "$pid" 2>/dev/null)" [ -n "$ppid" ] || { echo "Cannot find any running instance of Chrome" >&2; exit 1; } - ls "/proc/$ppid/exe" 2>/dev/null|egrep -q '/chrome$' && pid="$ppid" || break + ls -l "/proc/$ppid/exe" 2>/dev/null|egrep -q '/chrome$' && + pid="$ppid" || break done +xargs -0 </proc/$p/cmdline 2>/dev/null|grep -q -- --type= && { + echo "Cannot find any running instance of Chrome" >&2; exit 1; } # Iterate over child processes and try to identify them identify() { @@ -62,7 +74,8 @@ identify() { if [ $(echo "$seccomp" | wc -w) -eq 1 ] && [ $(ls /proc/$seccomp/task 2>/dev/null | wc -w) -eq 1 ] && ls -l /proc/$seccomp/exe 2>/dev/null | egrep -q '/chrome$'; then - echo -n "Process $child is a renderer inside of the seccomp sandbox" + echo -n "Process $child is a sandboxed renderer (seccomp helper:" \ + "$seccomp)" [ -d /proc/$child/cwd/. ] || echo -n "; setuid sandbox is active" echo else |