Chromium Code Reviews Chromium Code Reviews
Issue 1363613004:
Implement anonymous, opt-in, collection of OS X binary integrity incidents. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "chrome/browser/safe_browsing/incident_reporting/binary_integrity_analy zer_mac.h" | |
| 6 | |
| 7 #include "base/files/file_util.h" | |
| 8 #include "base/mac/bundle_locations.h" | |
| 9 #include "chrome/browser/safe_browsing/incident_reporting/binary_integrity_incid ent.h" | |
| 10 #include "chrome/browser/safe_browsing/incident_reporting/incident_receiver.h" | |
| 11 #include "chrome/browser/safe_browsing/signature_evaluator_mac.h" | |
| 12 #include "chrome/common/safe_browsing/csd.pb.h" | |
| 13 | |
| 14 #define DEVELOPER_ID_APPLICATION_OID "field.1.2.840.113635.100.6.1.13" | |
| 15 #define DEVELOPER_ID_INTERMEDIATE_OID "field.1.2.840.113635.100.6.2.6" | |
| 16 | |
| 17 namespace safe_browsing { | |
| 18 | |
| 19 namespace { | |
| 20 | |
| 21 void VerifyBinaryIntegrityHelper(IncidentReceiver* incident_receiver, | |
| 22 const base::FilePath& path, | |
| 23 const std::string& requirement) { | |
| 24 MacSignatureEvaluator evaluator(path, requirement); | |
| 25 if (!evaluator.Initialize()) { | |
| 26 LOG(ERROR) << "Could not initialize mac signature evaluator"; | |
| 27 return; | |
| 28 } | |
| 29 | |
| 30 scoped_ptr<ClientIncidentReport_IncidentData_BinaryIntegrityIncident> | |
| 31 incident(new ClientIncidentReport_IncidentData_BinaryIntegrityIncident()); | |
|
Robert Sesek
2015/11/02 19:42:12
nit: +2
| |
| 32 if (!evaluator.PerformEvaluation(incident.get())) { | |
| 33 incident_receiver->AddIncidentForProcess( | |
| 34 make_scoped_ptr(new BinaryIntegrityIncident(incident.Pass()))); | |
| 35 } else { | |
| 36 // Clear past incidents involving this bundle if the signature is | |
| 37 // now valid. | |
| 38 ClearBinaryIntegrityForFile(incident_receiver, path.BaseName().value()); | |
| 39 } | |
| 40 } | |
| 41 | |
| 42 } // namespace | |
| 43 | |
| 44 std::vector<PathAndRequirement> GetCriticalPathsAndRequirements() { | |
| 45 // Get the path to the main executable. | |
| 46 std::vector<PathAndRequirement> critical_binaries; | |
| 47 // This requirement describes a developer ID signed application, | |
| 48 // with Google's team identifier, and the com.Google.Chrome[.canary] | |
| 49 // identifier. | |
| 50 std::string requirement = | |
| 51 "anchor apple generic and certificate 1[" DEVELOPER_ID_INTERMEDIATE_OID | |
| 52 "] exists and certificate leaf[" DEVELOPER_ID_APPLICATION_OID | |
| 53 "] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and " | |
| 54 "(identifier=\"com.google.Chrome\" or " | |
| 55 "identifier=\"com.google.Chrome.canary\")"; | |
| 56 critical_binaries.push_back(PathAndRequirement(base::mac::OuterBundlePath(), | |
| 57 requirement)); | |
| 58 // TODO(kerrnel): eventually add Adobe Flash Player to this list. | |
| 59 return critical_binaries; | |
| 60 } | |
| 61 | |
| 62 void VerifyBinaryIntegrityForTesting(IncidentReceiver* incident_receiver, | |
| 63 const base::FilePath& path, | |
| 64 const std::string& requirement) { | |
| 65 VerifyBinaryIntegrityHelper(incident_receiver, path, requirement); | |
| 66 } | |
| 67 | |
| 68 void VerifyBinaryIntegrity(scoped_ptr<IncidentReceiver> incident_receiver) { | |
| 69 size_t i = 0; | |
| 70 for (const auto& p : GetCriticalPathsAndRequirements()) { | |
| 71 base::TimeTicks time_before = base::TimeTicks::Now(); | |
| 72 VerifyBinaryIntegrityHelper(incident_receiver.get(), p.path, p.requirement); | |
| 73 RecordSignatureVerificationTime(i++, base::TimeTicks::Now() - time_before); | |
| 74 } | |
| 75 } | |
| 76 | |
| 77 } // namespace | |
| OLD | NEW |
