Documentation
Overview
Package sandboxing provides functions for obtaining sandboxing-related information about running processes.
Index
- Variables
- func ProcHasAncestor(pid int32, ancestorPIDs map[int32]struct{}, infos map[int32]*ProcSandboxInfo) (bool, error)
- func ReadProcMountpoints(pid int32) ([]string, error)
- func ReadProcNamespace(pid int32, name string) (int64, error)
- func ReadProcStatus(pid int32) (map[string]string, error)
- func TruncateProcName(s string) string
- type ProcMountinfo
- type ProcSandboxInfo
Constants
This section is empty.
Variables
var Exclusions = []string{
"agetty",
"aplay",
"autotest",
"autotestd",
"autotestd_monitor",
"check_ethernet.hook",
"chrome",
"chrome-sandbox",
"cras_test_client",
"crash_reporter",
"endpoint",
"evemu-device",
"flock",
"grep",
"init",
"logger",
"login",
"mosys",
"nacl_helper",
"nacl_helper_bootstrap",
"nacl_helper_nonsfi",
"ping",
"ply-image",
"ps",
"recover_duts",
"sleep",
"sshd",
"sudo",
"tail",
"timeout",
"x11vnc",
"bash",
"dash",
"python",
"python2",
"python3",
"python3.4",
"python3.5",
"python3.6",
"python3.7",
"run_oci",
"sh",
"minijail0",
"minijail-init",
"(agetty)",
"adb",
"postinst",
}
Exclusions contains names (from the "Name:" field in /proc/<pid>/status) of processes to ignore in sandboxing-related tests. These processes are either transient, not present on production images, or not sandboxing-relevant.
var IgnoredAncestors = []string{
"kthreadd",
"local_test_runner",
"periodic_scheduler",
"arc-setup",
"cros_installer",
"python2.7",
"dev_debug_vboot",
}
IgnoredAncestors contains names of processes whose children we should ignore in sandboxing-related tests. These processes are either not relevant (like kernel processes), transient, or test-related.
var IgnoredMoblabAncestors = []string{
"apache2",
"dockerd",
"containerd-shim",
"containerd",
}
IgnoredMoblabAncestors contains names of processes whose children we should ignore in sandboxing-related tests. They are used to implement the Moblab test harness.
Functions
func ProcHasAncestor
func ProcHasAncestor(pid int32, ancestorPIDs map[int32]struct{}, infos map[int32]*ProcSandboxInfo) (bool, error)
ProcHasAncestor returns true if pid has any of ancestorPIDs as an ancestor process. infos should contain the full set of processes and is used to look up data.
func ReadProcMountpoints
func ReadProcMountpoints(pid int32) ([]string, error)
ReadProcMountpoints returns all mountpoints listed in /proc/<pid>/mounts. This may return os.ErrNotExist or syscall.EINVAL for zombie processes: https://crbug.com/936703
func ReadProcNamespace
func ReadProcNamespace(pid int32, name string) (int64, error)
ReadProcNamespace returns pid's namespace ID for name (e.g. "pid" or "mnt"), per /proc/<pid>/ns/<name>. This may return os.ErrNotExist: https://crbug.com/936703
func ReadProcStatus
func ReadProcStatus(pid int32) (map[string]string, error)
ReadProcStatus parses /proc/<pid>/status and returns its key/value pairs.
func TruncateProcName
func TruncateProcName(s string) string
TruncateProcName returns a shortened version of the process' name, matching what the kernel does.
Per TASK_COMM_LEN, the kernel only uses 16 null-terminated bytes to hold process names (which we later read from /proc/<pid>/status), so we shorten names in all sandboxing-related tests. See https://stackoverflow.com/questions/23534263 for more discussion.
Using "Name:" from /status matches what the Autotest code was doing, but it can lead to unexpected collisions. /exe is undesirable since executables like /usr/bin/coreutils implement many commands. /cmdline may be modified by the process.
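Putting ProcHasAncestor and TruncateProcName together, as an added example that is not the package's own code: a sandboxing test resolves a name list such as IgnoredAncestors to PIDs (after kernel-style truncation, without which "local_test_runner" never matches what /proc reports) and then walks the parent chain. procInfo, the snapshot table and the lower-case function names are constructed stand-ins for ProcSandboxInfo and the documented functions.

```go
package main

import "fmt"

// procInfo is a constructed stand-in for ProcSandboxInfo with only the fields the walk needs.
type procInfo struct {
	Name string // "Name:" from /proc/<pid>/status, already truncated by the kernel
	Ppid int32
}

// truncateName mirrors the documented TruncateProcName: TASK_COMM_LEN is 16 bytes
// including the trailing NUL, so /proc/<pid>/status holds at most 15 bytes of the name.
func truncateName(s string) string {
	if len(s) > 15 {
		return s[:15]
	}
	return s
}

// pidsNamed maps a name list such as IgnoredAncestors to the PIDs carrying those names;
// "local_test_runner" only matches /proc once it is truncated to "local_test_runn".
func pidsNamed(names []string, infos map[int32]*procInfo) map[int32]struct{} {
	pids := map[int32]struct{}{}
	for pid, info := range infos {
		for _, n := range names {
			if truncateName(n) == info.Name {
				pids[pid] = struct{}{}
			}
		}
	}
	return pids
}

// hasAncestor walks pid's parent chain until Ppid 0 (init or a kernel thread). The visited
// set stops a loop caused by PID reuse in a non-atomic snapshot; a missing PID is an error.
func hasAncestor(pid int32, ancestorPIDs map[int32]struct{}, infos map[int32]*procInfo) (bool, error) {
	visited := map[int32]bool{pid: true}
	for {
		info, ok := infos[pid]
		if !ok {
			return false, fmt.Errorf("pid %d missing from process snapshot", pid)
		}
		if _, ok := ancestorPIDs[info.Ppid]; ok {
			return true, nil
		}
		if info.Ppid == 0 || visited[info.Ppid] {
			return false, nil
		}
		visited[info.Ppid] = true
		pid = info.Ppid
	}
}

// snapshot is a constructed process table: a test runner that spawned a shell, a kernel worker under kthreadd, and a daemon started by init.
var snapshot = map[int32]*procInfo{1: {"init", 0}, 2: {"kthreadd", 0}, 100: {"local_test_runn", 1},
	200: {"sh", 100}, 300: {"dbus-daemon", 1}, 400: {"kworker/0:1", 2}}
```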
Types
type ProcMountinfo
type ProcMountinfo struct {
	MountID uint32
	ParentID uint32
	Major uint32
	Minor uint32
	Root string
	MountPoint string
	MountOptions string
	OptFields []string
	FsType string
	MountSource string
	SuperBlockOptions string
}
ProcMountinfo holds information about /proc/<pid>/mountinfo entries.
func ReadProcMountinfo
func ReadProcMountinfo(pid int32) ([]ProcMountinfo, error)
ReadProcMountinfo returns all mountpoints listed in /proc/<pid>/mountinfo. This may return os.ErrNotExist or syscall.EINVAL for zombie processes: https://crbug.com/936703
Example line:
347 254 8:1 /home /home rw,nosuid,nodev,noexec,noatime shared:96 - ext4 /dev/sda1 rw,seclabel,resgid=20119,commit=600,data=ordered
(1) mount ID: unique identifier of the mount (may be reused after umount)
(2) parent ID: ID of parent (or of self for the top of the mount tree)
(3) major:minor: value of st_dev for files on filesystem
(4) root: root of the mount within the filesystem
(5) mount point: mount point relative to the process's root
(6) mount options: per mount options
(7) optional fields: zero or more fields of the form "tag[:value]"
(8) separator: marks the end of the optional fields
(9) filesystem type: name of filesystem of the form "type[.subtype]"
(10) mount source: filesystem specific information or "none"
(11) super options: per super block options
Parsers should ignore all unrecognised optional fields. Currently the possible optional fields are:
shared:X  mount is shared in peer group X
master:X  mount is slave to peer group X
propagate_from:X  mount is slave and receives propagation from peer group X (*)
unbindable  mount is unbindable
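As an added example (not the package's ReadProcMountinfo), a parser for the line format above that locates the "-" separator instead of assuming a fixed number of optional fields, plus a helper that picks out the propagation tag while skipping unrecognised ones as proc(5) requires. mountInfo is a constructed stand-in for ProcMountinfo, and sampleLine is the example line from the documentation.

```go
package main

import (
	"fmt"
	"strings"
)

// mountInfo mirrors the documented ProcMountinfo fields (constructed here, not the package's type).
type mountInfo struct {
	MountID, ParentID, Major, Minor        uint32
	Root, MountPoint, MountOptions         string
	OptFields                              []string
	FsType, MountSource, SuperBlockOptions string
}

// parseMountinfoLine parses one /proc/<pid>/mountinfo line. Field (7) is variable-length,
// so the separator (8) is searched for; octal escapes such as \040 in paths are left as-is.
func parseMountinfoLine(line string) (*mountInfo, error) {
	f := strings.Fields(line)
	sep := -1
	for i := 6; i < len(f) && sep < 0; i++ {
		if f[i] == "-" {
			sep = i
		}
	}
	if sep < 0 || len(f) < sep+4 {
		return nil, fmt.Errorf("malformed mountinfo line: %q", line)
	}
	m := &mountInfo{Root: f[3], MountPoint: f[4], MountOptions: f[5], OptFields: f[6:sep],
		FsType: f[sep+1], MountSource: f[sep+2], SuperBlockOptions: f[sep+3]}
	// Fields (1)-(3) are numeric; Sscanf stops after the format, ignoring the rest of the line.
	if _, err := fmt.Sscanf(line, "%d %d %d:%d", &m.MountID, &m.ParentID, &m.Major, &m.Minor); err != nil {
		return nil, fmt.Errorf("numeric fields of %q: %v", line, err)
	}
	return m, nil
}

// propagation returns the first recognised propagation tag in OptFields and its value,
// skipping unknown tags as proc(5) instructs; both are "" when none is present.
func propagation(m *mountInfo) (tag, value string) {
	for _, of := range m.OptFields {
		t, v, _ := strings.Cut(of, ":")
		switch t {
		case "shared", "master", "propagate_from", "unbindable":
			return t, v
		}
	}
	return "", ""
}

// sampleLine is the example line from the documentation above.
const sampleLine = "347 254 8:1 /home /home rw,nosuid,nodev,noexec,noatime shared:96 - ext4 /dev/sda1 rw,seclabel,resgid=20119,commit=600,data=ordered"
```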
type ProcSandboxInfo
type ProcSandboxInfo struct {
	Name string // "Name:" value from /proc/<pid>/status
	Exe string // full executable path
	Cmdline string // space-separated command line
	Ppid int32 // parent PID
	Euid, Egid uint32 // effective UID and GID
	PidNS, MntNS int64 // PID and mount namespace IDs (-1 if unknown)
	Ecaps uint64 // effective capabilities
	NoNewPrivs bool // no_new_privs is set (see "minijail -N")
	Seccomp bool // seccomp filter is active
	HasTestImageMounts bool // has test-image-only mounts
	MountInfos []ProcMountinfo // entries from /proc/<pid>/mountinfo
}
ProcSandboxInfo holds sandboxing-related information about a running process.
func GetProcSandboxInfo
func GetProcSandboxInfo(proc *process.Process) (*ProcSandboxInfo, error)
GetProcSandboxInfo returns sandboxing-related information about proc. An error is returned if any files cannot be read or if malformed data is encountered, but the partially-filled info is still returned.