Chromium Code Reviews Chromium Code Reviews
Issue 27265002:
Implement SharedMemory::NewAnonymousReadOnly(contents). (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/basictypes.h" | 5 #include "base/basictypes.h" |
| 6 #include "base/memory/scoped_ptr.h" | 6 #include "base/memory/scoped_ptr.h" |
| 7 #include "base/memory/shared_memory.h" | 7 #include "base/memory/shared_memory.h" |
| 8 #include "base/process/kill.h" | 8 #include "base/process/kill.h" |
| 9 #include "base/rand_util.h" | 9 #include "base/rand_util.h" |
| 10 #include "base/safe_numerics.h" | |
| 10 #include "base/strings/string_number_conversions.h" | 11 #include "base/strings/string_number_conversions.h" |
| 12 #include "base/strings/stringprintf.h" | |
| 11 #include "base/sys_info.h" | 13 #include "base/sys_info.h" |
| 12 #include "base/test/multiprocess_test.h" | 14 #include "base/test/multiprocess_test.h" |
| 13 #include "base/threading/platform_thread.h" | 15 #include "base/threading/platform_thread.h" |
| 14 #include "base/time/time.h" | 16 #include "base/time/time.h" |
| 15 #include "testing/gtest/include/gtest/gtest.h" | 17 #include "testing/gtest/include/gtest/gtest.h" |
| 16 #include "testing/multiprocess_func_list.h" | 18 #include "testing/multiprocess_func_list.h" |
| 17 | 19 |
| 18 #if defined(OS_MACOSX) | 20 #if defined(OS_MACOSX) |
| 19 #include "base/mac/scoped_nsautorelease_pool.h" | 21 #include "base/mac/scoped_nsautorelease_pool.h" |
| 20 #endif | 22 #endif |
| 21 | 23 |
| 22 #if defined(OS_POSIX) | 24 #if defined(OS_POSIX) |
| 25 #include <errno.h> | |
| 26 #include <fcntl.h> | |
| 23 #include <sys/mman.h> | 27 #include <sys/mman.h> |
| 24 #include <sys/stat.h> | 28 #include <sys/stat.h> |
| 25 #include <sys/types.h> | 29 #include <sys/types.h> |
| 26 #include <unistd.h> | 30 #include <unistd.h> |
| 27 #endif | 31 #endif |
| 28 | 32 |
| 29 static const int kNumThreads = 5; | 33 static const int kNumThreads = 5; |
| 30 static const int kNumTasks = 5; | 34 static const int kNumTasks = 5; |
| 31 | 35 |
| 32 namespace base { | 36 namespace base { |
| (...skipping 321 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 354 else | 358 else |
| 355 EXPECT_EQ(0, pointers[j][0]); | 359 EXPECT_EQ(0, pointers[j][0]); |
| 356 } | 360 } |
| 357 } | 361 } |
| 358 | 362 |
| 359 for (int i = 0; i < count; i++) { | 363 for (int i = 0; i < count; i++) { |
| 360 memories[i].Close(); | 364 memories[i].Close(); |
| 361 } | 365 } |
| 362 } | 366 } |
| 363 | 367 |
| 368 TEST(SharedMemoryTest, AnonymousReadOnly) { | |
| 369 StringPiece contents = "Hello World"; | |
| 370 scoped_ptr<SharedMemory> shmem( | |
| 371 SharedMemory::NewAnonymousReadOnly("Hello World")); | |
| 372 | |
| 373 ASSERT_TRUE(shmem->Map(contents.size())); | |
| 374 EXPECT_EQ( | |
| 375 contents, | |
| 376 StringPiece(static_cast<const char*>(shmem->memory()), contents.size())); | |
| 377 | |
| 378 // We'd like to check that if we send the read-only segment to another | |
| 379 // process, then that other process can't reopen it read/write. (Since that | |
| 380 // would be a security hole.) Setting up multiple processes is hard in a | |
| 381 // unittest, so this test checks that the *current* process can't reopen the | |
| 382 // segment read/write. I think the test here is stronger than we actually | |
| 383 // care about, but there's a remote possibility that sending a file over a | |
| 384 // pipe would transform it into read/write. | |
| 385 SharedMemoryHandle handle = shmem->handle(); | |
| 386 #if defined(OS_POSIX) | |
| 387 | |
| 388 EXPECT_EQ(O_RDONLY, fcntl(handle.fd, F_GETFL) & O_ACCMODE) | |
| 389 << "The descriptor itself should be read-only."; | |
| 390 | |
| 391 errno = 0; | |
| 392 void* writable = mmap(NULL, | |
| 393 shmem->mapped_size(), | |
| 394 PROT_READ | PROT_WRITE, | |
| 395 MAP_SHARED, | |
| 396 handle.fd, | |
| 397 0); | |
| 398 int mmap_errno = errno; | |
| 399 EXPECT_EQ(MAP_FAILED, writable) | |
| 400 << "It shouldn't be possible to re-mmap the descriptor writable."; | |
| 401 EXPECT_EQ(EACCES, mmap_errno); | |
| 402 | |
| 403 struct stat fd_stat; | |
| 404 errno = 0; | |
| 405 EXPECT_EQ(0, fstat(handle.fd, &fd_stat)) << strerror(errno); | |
| 406 EXPECT_EQ(0400, checked_numeric_cast<int>(fd_stat.st_mode & 0777)) | |
| 407 << "inode should be read-only"; | |
| 408 EXPECT_EQ(0U, fd_stat.st_nlink) << "inode should be unlinked"; | |
| 409 EXPECT_EQ(geteuid(), fd_stat.st_uid) | |
| 410 << "inode should be owned by current user"; | |
| 411 | |
| 412 if (0 == access("/dev/fd", X_OK)) { | |
| 413 // Try to re-open through /dev/fd. This is an end-run around the notion of | |
| 414 // an FD as a capability. | |
| 415 const std::string shmem_path = StringPrintf("/dev/fd/%d", handle.fd); | |
| 416 errno = 0; | |
| 417 int readable_fd = open(shmem_path.c_str(), O_RDONLY); | |
| 418 EXPECT_NE(-1, readable_fd) << strerror(errno); | |
| 419 close(readable_fd); | |
| 420 | |
| 421 errno = 0; | |
| 422 int writable_fd = open(shmem_path.c_str(), O_WRONLY); | |
| 423 int open_writable_errno = errno; | |
| 424 EXPECT_EQ(-1, writable_fd); | |
| 425 EXPECT_EQ(EACCES, open_writable_errno) << strerror(open_writable_errno); | |
| 426 close(writable_fd); | |
| 427 | |
| 428 // However, if we explicitly make the entry in /dev/fd writable first, the | |
| 429 // open() call successfully creates a writable file on Linux. The sandbox | |
| 430 // has to prevent opening this path. TODO(jln): Write a test that attacks | |
| 431 // this from inside the sandbox. | |
| 432 errno = 0; | |
| 433 EXPECT_EQ(0, fchmod(handle.fd, S_IRUSR | S_IWUSR)) << strerror(errno); | |
| 434 | |
| 435 errno = 0; | |
| 436 writable_fd = open(shmem_path.c_str(), O_WRONLY); | |
| 437 open_writable_errno = errno; | |
| 438 // On Linux, opening the file /dev/fd/N where 'N' is a read-only file | |
| 439 // descriptor, can produce a writable file descriptor if the inode is | |
| 440 // writable (see the fchmod above). Mac appears to restrict the open() call | |
| 441 // appropriately. Other systems might let the open() succeed but still | |
| 442 // produce a read-only descriptor. | |
| 443 #if !defined(OS_LINUX) | |
| 444 EXPECT_EQ(-1, writable_fd); | |
| 445 EXPECT_EQ(EACCES, open_writable_errno) << strerror(open_writable_errno); | |
| 446 #endif | |
| 447 close(writable_fd); | |
| 448 } | |
| 449 | |
| 450 #elif defined(OS_WIN) | |
| 451 EXPECT_EQ(NULL, MapViewOfFile(handle, FILE_MAP_WRITE, 0, 0, 0)) | |
| 452 << "Shouldn't be able to map memory writable."; | |
| 453 | |
| 454 SharedMemoryHandle writable_handle = INVALID_HANDLE_VALUE; | |
| 455 EXPECT_EQ(0, | |
| 456 ::DuplicateHandle(GetCurrentProcess(), | |
|
Will Harris
2013/10/16 17:01:03
should probably CloseHandle after this succeeds, o
Jeffrey Yasskin
2013/10/16 22:27:53
Thanks, done with ScopedHandle.
| |
| 457 handle, | |
| 458 GetCurrentProcess, | |
| 459 &writable_handle, | |
| 460 FILE_MAP_ALL_ACCESS, | |
| 461 false, | |
| 462 0)) | |
| 463 << "Shouldn't be able to duplicate the handle into a writable one."; | |
| 464 #else | |
| 465 #error Unexpected platform; write a test that tries to make 'handle' writable. | |
| 466 #endif | |
| 467 } | |
| 468 | |
| 364 TEST(SharedMemoryTest, MapAt) { | 469 TEST(SharedMemoryTest, MapAt) { |
| 365 ASSERT_TRUE(SysInfo::VMAllocationGranularity() >= sizeof(uint32)); | 470 ASSERT_TRUE(SysInfo::VMAllocationGranularity() >= sizeof(uint32)); |
| 366 const size_t kCount = SysInfo::VMAllocationGranularity(); | 471 const size_t kCount = SysInfo::VMAllocationGranularity(); |
| 367 const size_t kDataSize = kCount * sizeof(uint32); | 472 const size_t kDataSize = kCount * sizeof(uint32); |
| 368 | 473 |
| 369 SharedMemory memory; | 474 SharedMemory memory; |
| 370 ASSERT_TRUE(memory.CreateAndMapAnonymous(kDataSize)); | 475 ASSERT_TRUE(memory.CreateAndMapAnonymous(kDataSize)); |
| 371 ASSERT_TRUE(memory.Map(kDataSize)); | 476 ASSERT_TRUE(memory.Map(kDataSize)); |
| 372 uint32* ptr = static_cast<uint32*>(memory.memory()); | 477 uint32* ptr = static_cast<uint32*>(memory.memory()); |
| 373 ASSERT_NE(ptr, static_cast<void*>(NULL)); | 478 ASSERT_NE(ptr, static_cast<void*>(NULL)); |
| (...skipping 178 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 552 SharedMemoryProcessTest::CleanUp(); | 657 SharedMemoryProcessTest::CleanUp(); |
| 553 } | 658 } |
| 554 | 659 |
| 555 MULTIPROCESS_TEST_MAIN(SharedMemoryTestMain) { | 660 MULTIPROCESS_TEST_MAIN(SharedMemoryTestMain) { |
| 556 return SharedMemoryProcessTest::TaskTestMain(); | 661 return SharedMemoryProcessTest::TaskTestMain(); |
| 557 } | 662 } |
| 558 | 663 |
| 559 #endif // !OS_IOS | 664 #endif // !OS_IOS |
| 560 | 665 |
| 561 } // namespace base | 666 } // namespace base |
| OLD | NEW |
