Coverage for main.py : 64%

Hot-keys on this page
r m x p toggle line displays
j k next/prev highlighted chunk
0 (zero) top of page
1 (one) first highlighted chunk
############################################################################# # # Surrogate Manager. # # Copyright (C) 2015-2017 Menlo Security, Inc. # #############################################################################
string = "FATAL: " + ' '.join([str(arg) for arg in pargs]) print >> sys.stderr, ( string ) sys.exit(-1)
super(SMRequestHandler, self).__init__(*args, **kwargs) self.custom_error = False
if not app.producer.freeze(): raise tornado.web.HTTPError(httplib.BAD_REQUEST, 'Cannot freeze')
self.write(json.dumps(app.producer.get_status()))
# pylint: disable=arguments-differ try: surrogate = app.producer._local_pool[safe_rid] except KeyError: self.set_status(404) self.finish('<html><body>Unknown surrogate</body></html>') return try: surrogate.kill('rest-api') except Exception as e: raise tornado.web.HTTPError(httplib.INTERNAL_SERVER_ERROR, str(e))
# pylint: disable=arguments-differ def post(self, safe_rid, tab_id): try: surrogate = app.producer._local_pool[safe_rid] except KeyError: self.set_status(404) self.finish('<html><body>Unknown surrogate</body></html>') return try: yield surrogate.detach_tab(tab_id) except KeyError: self.set_status(404) self.finish('<html><body>Unknown tab</body></html>') return except Exception as e: raise tornado.web.HTTPError(httplib.INTERNAL_SERVER_ERROR, str(e))
# pylint: disable=arguments-differ def get(self, safe_rid): try: surrogate = app.producer._local_pool[safe_rid] except KeyError: self.set_status(404) self.finish('<html><body>Unknown surrogate</body></html>') return try: details = yield surrogate.get_details() except IOError: self.set_status(500) self.finish( '<html><body>Communication with surrogate failed</body></html>') return self.write(json.dumps(details))
if not app.producer.unfreeze(): raise tornado.web.HTTPError(httplib.BAD_REQUEST, 'Cannot unfreeze')
(r'/detach/([^/]+)/(.+)', TabDetachRequest), (r'/freeze', FreezeRequest), (r'/kill/(.+)', SurrogateKillRequest), (r'/status', StatusRequest), (r'/status/(.+)', SurrogateStatusRequest), (r'/unfreeze', UnfreezeRequest), ]
"""Initialize NSS certificate db for use by surrogates.
These are user-installed CAs (presumably configured by an MSIP admin) as well as built-in CAs that are in addition to the CAs that ship with NSS (libnssckbi.so). """
return
event='cas-load')
# Always rebuild the db. except Exception as e: self.log.error({'error': e, 'details': 'ca-delete-failed'}, event='unexpected-error') exit(1)
'sql:%s' % db_path]) except Exception as e: self.log.error({'error': e, 'details': 'ca-db-create-failed'}, event='unexpected-error') exit(1)
# Add magic prefix to the name for built-in CAs. The surrogate checks # for this when deciding whether this is a known root. ['/usr/bin/certutil', '-A', '-n', ca_name, '-t', 'TC', '-i', ca_cert, '-d', 'sql:%s' % db_path]) except Exception as e: self.log.error({'error': e}, event='ca-import-failed')
'sandboxed_namespaces').split(',')) # We maintain pools of pre-initialized resources to speed up container # launch.
'max_ram_per_surrogate_soft_limit_kb')) 'max_ram_per_surrogate_kb')) 'max_ram_plus_swap_per_surrogate_kb')) # Lack of swap is not necessarily an error, since it may be created # concurrently with service startup. self.log.warning({'stats': psutil.swap_memory(), 'cause': 'swap created concurrently?'}, event='insufficient-swap-space')
'ns_init_pool_size')
# If calculating the initial size of the namespace pool, # estimate the max number of surrogates based on RAM and # upsize by 1.2 times 1.2 * psutil.virtual_memory().total / (config.getint('surrogate_manager', 'avg_ram_per_surrogate_kb') * 1024)) sandboxed_namespaces, mem_soft_limit_in_bytes=mem_soft_limit, mem_limit_in_bytes=mem_limit, memsw_limit_in_bytes=memsw_limit, swappiness=config.getint('surrogate_manager', 'swappiness'), enable_cgroups=config.getboolean('surrogate_manager', 'enable_cgroups'), init_pool_size=ns_init_pool_size) except Exception: self.log.exception('pool start failed') self._clean_exit(1)
# FIXME: we really should wait until all Surrogates have entered DEAD # state before exiting. Or else we may leave behind stale entries in # the global pool (in Redis).
"""Die if the Chrome sandbox is not present and usable.""" return die('missing chrome sandbox at %s' % sv_cr_sandbox_path) die('chrome-sandbox binary is missing the setuid bit: %s' % sv_cr_sandbox_path)
# Only root can create/destroy containers. # TODO: Relax this to those with CAP_SYS_ADMIN. die("must be run as root.") # Check acceptable limits. 'file size': (resource.RLIMIT_FSIZE, 1024*1024*1024), 'core file size': (resource.RLIMIT_CORE, 0), } die('%s limit is too high (max is %d, current is %d)---did you ' 'set the right ulimits?' % (name, max_limit, soft_limit))
|