| #!/bin/bash |
| |
| # Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| # This utility finds the different processes in a running instance of Chrome. |
| # It then attempts to identify their types (e.g. browser, extension, plugin, |
| # zygote, renderer). It also prints out information on whether a sandbox is |
| # active and what type of sandbox has been identified. |
| |
| # This script is likely to only work on Linux or systems that closely mimick |
| # Linux's /proc filesystem. |
| [ -x /proc/self/exe ] || { |
| echo "This script cannot be run on your system" >&2 |
| exit 1 |
| } |
| |
| # Find the browser's process id. If there are multiple active instances of |
| # Chrome, the caller can provide a pid on the command line. The provided pid |
| # must match a process in the browser's process hierarchy. When using the |
| # zygote inside of the setuid sandbox, renderers are in a process tree separate |
| # from the browser process. You cannot use any of their pids. |
| # If no pid is provided on the command line, the script will randomly pick |
| # one of the running instances. |
| if [ $# -eq 0 ]; then |
| pid=$(ls -l /proc/*/exe 2>/dev/null | |
| sed '/\/chrome\( .deleted.\)\?$/s,.*/proc/\([^/]*\)/exe.*,\1,;t;d' | |
| while read p; do |
| xargs -0 </proc/$p/cmdline 2>/dev/null|grep -q -- --type= && continue |
| echo "$p" |
| break |
| done) |
| else |
| pid="$1" |
| fi |
| ls -l "/proc/$pid/exe" 2>/dev/null|egrep -q '/chrome( .deleted.)?$' || { |
| echo "Cannot find any running instance of Chrome" >&2; exit 1; } |
| while :; do |
| ppid="$(ps h --format ppid --pid "$pid" 2>/dev/null)" |
| [ -n "$ppid" ] || { |
| echo "Cannot find any running instance of Chrome" >&2; exit 1; } |
| ls -l "/proc/$ppid/exe" 2>/dev/null|egrep -q '/chrome( .deleted.)?$' && |
| pid="$ppid" || break |
| done |
| xargs -0 </proc/$p/cmdline 2>/dev/null|grep -q -- --type= && { |
| echo "Cannot find any running instance of Chrome" >&2; exit 1; } |
| |
| # Iterate over child processes and try to identify them |
| identify() { |
| local child cmd foundzygote plugin seccomp type |
| foundzygote=0 |
| for child in $(ps h --format pid --ppid $1); do |
| cmd="$(xargs -0 </proc/$child/cmdline|sed 's/ -/\n-/g')" 2>/dev/null |
| type="$(echo "$cmd" | sed 's/--type=//;t1;d;:1;q')" |
| case $type in |
| '') |
| echo "Process $child is part of the browser" |
| identify "$child" |
| ;; |
| extension) |
| echo "Process $child is an extension" |
| ;; |
| plugin) |
| plugin="$(echo "$cmd" | |
| sed 's/--plugin-path=//;t1;d;:1 |
| s,.*/lib,,;s,.*/npwrapper[.]lib,,;s,^np,,;s,[.]so$,,;q')" |
| echo "Process $child is a \"$plugin\" plugin" |
| identify "$child" |
| ;; |
| renderer|worker|gpu-process) |
| # The seccomp sandbox has exactly one child process that has no other |
| # threads. This is the trusted helper process. |
| seccomp="$(ps h --format pid --ppid $child|xargs)" |
| if [ -d /proc/$child/cwd/. ]; then |
| if [ $(echo "$seccomp" | wc -w) -eq 1 ] && |
| [ $(ls /proc/$seccomp/task 2>/dev/null | wc -w) -eq 1 ] && |
| ls -l /proc/$seccomp/exe 2>/dev/null | |
| egrep -q '/chrome( .deleted.)?$'; then |
| echo "Process $child is a sandboxed $type (seccomp helper:" \ |
| "$seccomp)" |
| else |
| echo "Process $child is a $type" |
| identify "$child" |
| fi |
| else |
| if [ $(echo "$seccomp" | wc -w) -eq 1 ]; then |
| echo "Process $child is a setuid sandboxed $type (seccomp" \ |
| "helper: $seccomp)" |
| else |
| echo "Process $child is a $type; setuid sandbox is active" |
| identify "$child" |
| fi |
| fi |
| ;; |
| zygote) |
| foundzygote=1 |
| echo "Process $child is the zygote" |
| identify "$child" |
| ;; |
| *) |
| echo "Process $child is of unknown type \"$type\"" |
| identify "$child" |
| ;; |
| esac |
| done |
| return $foundzygote |
| } |
| |
| cmpcmdline() { |
| # Checks that the command line arguments for pid $1 are a superset of the |
| # commandline arguments for pid $2. |
| # Any additional function arguments $3, $4, ... list options that should |
| # be ignored for the purpose of this comparison. |
| local pida="$1" |
| local pidb="$2" |
| shift; shift |
| local super=("$@" $(xargs -0 </proc/"$pida"/cmdline)) 2>/dev/null |
| local sub=($(xargs -0 </proc/"$pidb"/cmdline)) 2>/dev/null |
| local i j |
| [ ${#sub[*]} -eq 0 -o ${#super[*]} -eq 0 ] && return 1 |
| for i in $(seq 0 $((${#sub[*]}-1))); do |
| for j in $(seq 0 $((${#super[*]}-1))); do |
| [ "x${sub[$i]}" = "x${super[$j]}" ] && continue 2 |
| done |
| return 1 |
| done |
| return 0 |
| } |
| |
| |
| echo "The browser's main pid is: $pid" |
| if identify "$pid"; then |
| # The zygote can make it difficult to locate renderers, as the setuid |
| # sandbox causes it to be reparented to "init". When this happens, we can |
| # no longer associate it with the browser with 100% certainty. We make a |
| # best effort by comparing command line strings. |
| for i in $(ps h --format pid --ppid 1); do |
| if cmpcmdline "$pid" "$i" "--type=zygote"; then |
| echo -n "Process $i is the zygote" |
| [ -d /proc/$i/cwd/. ] || echo -n "; setuid sandbox is active" |
| echo |
| identify "$i" |
| fi |
| done |
| fi |