chrome/browser/safe_browsing/signature_evaluator_mac.mm - Issue 1363613004: Implement anonymous, opt-in, collection of OS X binary integrity incidents.

Side by Side Diff: chrome/browser/safe_browsing/signature_evaluator_mac.mm

Issue 1363613004: Implement anonymous, opt-in, collection of OS X binary integrity incidents. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 5 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer_mac.cc ('K') | « chrome/browser/safe_browsing/signature_evaluator_mac.h ('k') | chrome/browser/safe_browsing/signature_evaluator_mac_unittest.cc » ('j') | chrome/common/safe_browsing/csd.proto » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 // Copyright (c) 2015 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "chrome/browser/safe_browsing/signature_evaluator_mac.h"

	6

	7 #include <CoreFoundation/CoreFoundation.h>

	8 #include <Foundation/Foundation.h>

	9 #include <Security/Security.h>

	10 #include <sys/xattr.h>

	11

	12 #include "base/mac/foundation_util.h"

	13 #include "base/mac/mac_util.h"

	14 #include "base/mac/scoped_cftyperef.h"

	15 #include "base/mac/scoped_nsobject.h"

	16 #include "base/strings/sys_string_conversions.h"

	17 #include "chrome/common/safe_browsing/binary_feature_extractor.h"

	18 #include "chrome/common/safe_browsing/csd.pb.h"

	19 #include "chrome/common/safe_browsing/mach_o_image_reader_mac.h"

	20

	21 namespace safe_browsing {

	22

	23 namespace {

	24

	25 // OS X code signing data can be stored in extended attributes as well. This is

	26 // a list of the extended attributes slots currently used in Security.framework,

	27 // from codesign.h (see the kSecCS_* constants).

	28 const char* const xattrs[] = {

	29 "com.apple.cs.CodeDirectory",

	30 "com.apple.cs.CodeSignature",

	31 "com.apple.cs.CodeRequirements",

	32 "com.apple.cs.CodeResources",

	33 "com.apple.cs.CodeApplication",

	34 "com.apple.cs.CodeEntitlements",

	35 };

	36

	37 // Convenience function to get the appropriate path from a variety of NSObject

	38 // types.

	39 bool GetPathFromNSObject(id obj, std::string* output) {

	40 if (NSString* str = base::mac::ObjCCast<NSString>(obj)) {

	41 output->assign([str UTF8String]);
	Mark Mentovai 2015/10/16 23:04:22 To get paths from NSStrings, use -fileSystemRepre To get paths from NSStrings, use -fileSystemRepresentation instead of -UTF8String. Same in the other branches. Greg K 2015/10/19 20:42:58 Done. Show quoted text On 2015/10/16 23:04:22, Mark Mentovai wrote: > To get paths from NSString*s, use -fileSystemRepresentation instead of > -UTF8String. Same in the other branches. Done.
	42 return true;

	43 } else if (NSURL* url = base::mac::ObjCCast<NSURL>(obj)) {

	44 output->assign([[url path] UTF8String]);

	45 return true;

	46 } else if (NSBundle* bundle = base::mac::ObjCCast<NSBundle>(obj)) {

	47 output->assign([[bundle bundlePath] UTF8String]);

	48 return true;

	49 }

	50 return false;

	51 }

	52

	53 } // namespace

	54

	55 MacSignatureEvaluator::MacSignatureEvaluator(

	56 const base::FilePath& signed_object_path)

	57 : path_(signed_object_path),

	58 has_requirement_(false),
	Mark Mentovai 2015/10/16 23:04:22 requirement_str_() to be explicit about it (since requirement_str_() to be explicit about it (since that’s how it’s going to be initialized anyway). Greg K 2015/10/19 20:42:58 Done. Show quoted text On 2015/10/16 23:04:22, Mark Mentovai wrote: > requirement_str_() to be explicit about it (since that’s how it’s going to be > initialized anyway). Done.
	59 code_(nullptr),

	60 requirement_(nullptr) {}

	61

	62 MacSignatureEvaluator::MacSignatureEvaluator(

	63 const base::FilePath& signed_object_path,

	64 const std::string& requirement)

	65 : path_(signed_object_path),

	66 requirement_str_(requirement),

	67 has_requirement_(true),

	68 code_(nullptr),

	69 requirement_(nullptr) {}

	70

	71 MacSignatureEvaluator::~MacSignatureEvaluator() {}

	72

	73 void MacSignatureEvaluator::ReportAlteredFiles(
	Mark Mentovai 2015/10/16 23:04:22 This method doesn’t access any member variables or This method doesn’t access any member variables or call any member functions. You can make it static. private + static = often a good candidate for taking out of the class altogether and making it into a helper function in an unnamed namespace right in the implementation file. I think you can do that here. The real advantage in this case is that you take any mention of “id” out of the header, so that the non-Objective-C void* trick isn’t necessary. Greg K 2015/10/19 20:42:58 Done. Show quoted text On 2015/10/16 23:04:22, Mark Mentovai wrote: > This method doesn’t access any member variables or call any member functions. > You can make it static. > > private + static = often a good candidate for taking out of the class altogether > and making it into a helper function in an unnamed namespace right in the > implementation file. I think you can do that here. > > The real advantage in this case is that you take any mention of “id” out of the > header, so that the non-Objective-C void* trick isn’t necessary. Done.
	74 id detail,

	75 int32_t err_code,

	76 std::vector<ClientIncidentReport_IncidentData_BinaryIntegrityIncident>*

	77 results) {

	78 if (NSArray* arr = base::mac::ObjCCast<NSArray>(detail)) {

	79 for (id obj in arr)

	80 ReportAlteredFiles(obj, err_code, results);

	81 } else {

	82 std::string path_str;

	83 if (!GetPathFromNSObject(detail, &path_str))

	84 return;

	85

	86 base::FilePath path(path_str);

	87 ClientIncidentReport_IncidentData_BinaryIntegrityIncident incident;

	88 incident.set_file_basename(path.BaseName().AsUTF8Unsafe());
	Robert Sesek 2015/10/15 00:11:20 .value() instead of .AsUTF8Unsafe() .value() instead of .AsUTF8Unsafe() Greg K 2015/10/16 19:17:58 Done. Show quoted text On 2015/10/15 00:11:20, Robert Sesek wrote: > .value() instead of .AsUTF8Unsafe() Done.
	89 incident.set_sec_error(err_code);

	90 scoped_refptr<BinaryFeatureExtractor> bfe = new BinaryFeatureExtractor();

	91 // TODO(kerrnel): if Chrome ever opts into the OS X "kill" semantics, this
	Mark Mentovai 2015/10/16 23:04:22 Blank line before this, otherwise the comment gets Blank line before this, otherwise the comment gets lost when you’re reading a wall of mixed code and comments. Greg K 2015/10/19 20:42:58 Done. Show quoted text On 2015/10/16 23:04:22, Mark Mentovai wrote: > Blank line before this, otherwise the comment gets lost when you’re reading a > wall of mixed code and comments. Done.
	92 // call has to change. `ExtractImageFeatures` maps the file, which will

	93 // cause Chrome to be killed before it can report on the invalid file.

	94 // This call will need to read(2) the binary into a buffer.

	95 if (!bfe->ExtractImageFeatures(

	96 path, BinaryFeatureExtractor::kDefaultOptions,
	Mark Mentovai 2015/10/16 23:04:22 I’d put kDefaultOptions on its own line, because a I’d put kDefaultOptions on its own line, because all of the other arguments have their own lines, and that makes this more obviously look like the 4-argument call that it is. Greg K 2015/10/19 20:42:58 Done. Show quoted text On 2015/10/16 23:04:22, Mark Mentovai wrote: > I’d put kDefaultOptions on its own line, because all of the other arguments have > their own lines, and that makes this more obviously look like the 4-argument > call that it is. Done.
	97 incident.mutable_image_headers(),

	98 incident.mutable_signature()->mutable_signed_data())) {

	99 // If this is not a mach-o file, search inside the extended attributes.

	100 for (const char* attr : xattrs) {

	101 ssize_t rc = getxattr(path.value().c_str(), attr, nullptr, 0, 0, 0);

	102 if (rc >= 0) {

	103 std::vector<uint8_t> xattr_data(rc);

	104 if (getxattr(path.value().c_str(), attr, &xattr_data[0],

	105 xattr_data.size(), 0, 0) >= 0) {

	106 ClientDownloadRequest_ExtendedAttr* xattr_msg =

	107 incident.mutable_signature()->add_xattr();

	108 xattr_msg->set_key(attr);

	109 xattr_msg->set_value(xattr_data.data(), xattr_data.size());
	Mark Mentovai 2015/10/16 23:04:22 The xattr length may have changed in between the t The xattr length may have changed in between the two getxattr() call. You should save the return value from the second getxattr() and .resize() the vector with that number. That deals with it shrinking. You probably don’t care about dealing with it growing. Greg K 2015/10/19 20:42:58 Done. Show quoted text On 2015/10/16 23:04:22, Mark Mentovai wrote: > The xattr length may have changed in between the two getxattr() call. You should > save the return value from the second getxattr() and .resize() the vector with > that number. That deals with it shrinking. You probably don’t care about dealing > with it growing. Done.
	110 }

	111 }

	112 }

	113 }

	114 results->push_back(incident);

	115 }

	116 }

	117

	118 bool MacSignatureEvaluator::Initialize() {

	119 base::scoped_nsobject<NSURL> code_url([[NSURL alloc]

	120 initFileURLWithPath:base::SysUTF8ToNSString(path_.value())]);

	121 if (!code_url)

	122 return false;

	123

	124 if (SecStaticCodeCreateWithPath(base::mac::NSToCFCast(code_url.get()),

	125 kSecCSDefaultFlags,

	126 code_.InitializeInto()) != errSecSuccess) {

	127 return false;

	128 }

	129

	130 if (has_requirement_) {

	131 if (SecRequirementCreateWithString(

	132 base::mac::NSToCFCast(base::SysUTF8ToNSString(requirement_str_)),

	133 kSecCSDefaultFlags, requirement_.InitializeInto()) !=

	134 errSecSuccess) {

	135 return false;

	136 }

	137 }

	138

	139 return true;

	140 }

	141

	142 bool MacSignatureEvaluator::PerformEvaluation(

	143 std::vector<ClientIncidentReport_IncidentData_BinaryIntegrityIncident>*
	Mark Mentovai 2015/10/16 23:04:22 DCHECK vector emptiness on entry. DCHECK vector emptiness on entry. Greg K 2015/10/19 20:42:58 Done. Show quoted text On 2015/10/16 23:04:22, Mark Mentovai wrote: > DCHECK vector emptiness on entry. Done.
	144 results) {

	145 base::ScopedCFTypeRef<CFErrorRef> errors(nullptr);
	Robert Sesek 2015/10/15 00:11:20 You don't need to say \|nullptr\| here. You don't need to say \|nullptr\| here. Greg K 2015/10/16 19:17:58 Done. Show quoted text On 2015/10/15 00:11:20, Robert Sesek wrote: > You don't need to say \|nullptr\| here. Done.
	146 OSStatus err = SecStaticCodeCheckValidityWithErrors(

	147 code_, kSecCSCheckAllArchitectures, requirement_,

	148 errors.InitializeInto());

	149 if (err == errSecSuccess)

	150 return true;

	151 // This adds the signature of the main binary to the incident reports.

	152 ReportAlteredFiles(base::SysUTF8ToNSString(path_.value()), err, results);

	153 if (errors) {

	154 NSDictionary* info = [base::mac::CFToNSCast(errors.get()) userInfo];

	155 CFStringRef keys[] = {
	Mark Mentovai 2015/10/16 23:04:22 const? const? Greg K 2015/10/19 20:42:58 Done. Show quoted text On 2015/10/16 23:04:22, Mark Mentovai wrote: > const? Done.
	156 kSecCFErrorResourceAltered, kSecCFErrorResourceMissing,

	157 };

	158 for (CFStringRef key : keys) {

	159 if (id detail = [info objectForKey:base::mac::CFToNSCast(key)])

	160 ReportAlteredFiles(detail, err, results);

	161 }

	162 }

	163 return false;

	164 }

	165

	166 } // namespace safe_browsing

OLD	NEW