| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <tuple> | 5 #include <tuple> |
| 6 #include <windows.h> | 6 #include <windows.h> |
| 7 #include <versionhelpers.h> // windows.h must be before. | 7 #include <versionhelpers.h> // windows.h must be before. |
| 8 | 8 |
| 9 #include "base/test/test_reg_util_win.h" | 9 #include "base/test/test_reg_util_win.h" |
| 10 #include "base/win/registry.h" | 10 #include "base/win/registry.h" |
| 11 #include "chrome/install_static/install_util.h" | 11 #include "chrome/install_static/install_util.h" |
| 12 #include "chrome_elf/chrome_elf_constants.h" | 12 #include "chrome_elf/chrome_elf_constants.h" |
| 13 #include "chrome_elf/chrome_elf_security.h" |
| 13 #include "chrome_elf/nt_registry/nt_registry.h" | 14 #include "chrome_elf/nt_registry/nt_registry.h" |
| 14 #include "testing/gtest/include/gtest/gtest.h" | 15 #include "testing/gtest/include/gtest/gtest.h" |
| 15 #include "testing/platform_test.h" | 16 #include "testing/platform_test.h" |
| 16 | 17 |
| 17 using namespace install_static; | 18 using namespace install_static; |
| 18 | 19 |
| 19 namespace { | 20 namespace { |
| 20 | 21 |
| 21 const wchar_t kCanaryExePath[] = | 22 const wchar_t kCanaryExePath[] = |
| 22 L"C:\\Users\\user\\AppData\\Local\\Google\\Chrome SxS\\Application" | 23 L"C:\\Users\\user\\AppData\\Local\\Google\\Chrome SxS\\Application" |
| 23 L"\\chrome.exe"; | 24 L"\\chrome.exe"; |
| 24 const wchar_t kChromeSystemExePath[] = | 25 const wchar_t kChromeSystemExePath[] = |
| 25 L"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"; | 26 L"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"; |
| 26 const wchar_t kChromeUserExePath[] = | 27 const wchar_t kChromeUserExePath[] = |
| 27 L"C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe"; | 28 L"C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe"; |
| 28 const wchar_t kChromiumExePath[] = | 29 const wchar_t kChromiumExePath[] = |
| 29 L"C:\\Users\\user\\AppData\\Local\\Chromium\\Application\\chrome.exe"; | 30 L"C:\\Users\\user\\AppData\\Local\\Chromium\\Application\\chrome.exe"; |
| 30 | 31 |
| 32 bool SetSecurityFinchFlag(bool creation) { |
| 33 bool success = true; |
| 34 base::win::RegKey security_key(HKEY_CURRENT_USER, L"", KEY_ALL_ACCESS); |
| 35 |
| 36 if (creation) { |
| 37 if (ERROR_SUCCESS != |
| 38 security_key.CreateKey(elf_sec::kRegSecurityFinchPath, KEY_QUERY_VALUE)) |
| 39 success = false; |
| 40 } else { |
| 41 if (ERROR_SUCCESS != security_key.DeleteKey(elf_sec::kRegSecurityFinchPath)) |
| 42 success = false; |
| 43 } |
| 44 |
| 45 security_key.Close(); |
| 46 return success; |
| 47 } |
| 48 |
| 49 bool IsSecuritySet() { |
| 50 typedef decltype(GetProcessMitigationPolicy)* GetProcessMitigationPolicyFunc; |
| 51 |
| 52 // Check the settings from EarlyBrowserSecurity(). |
| 53 if (::IsWindows8OrGreater()) { |
| 54 GetProcessMitigationPolicyFunc get_process_mitigation_policy = |
| 55 reinterpret_cast<GetProcessMitigationPolicyFunc>(::GetProcAddress( |
| 56 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); |
| 57 if (!get_process_mitigation_policy) |
| 58 return false; |
| 59 |
| 60 // Check that extension points are disabled. |
| 61 // (Legacy hooking.) |
| 62 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; |
| 63 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 64 ProcessExtensionPointDisablePolicy, |
| 65 &policy, sizeof(policy))) |
| 66 return false; |
| 67 |
| 68 return policy.DisableExtensionPoints; |
| 69 } |
| 70 |
| 71 return true; |
| 72 } |
| 73 |
| 74 void RegRedirect(nt::ROOT_KEY key, |
| 75 registry_util::RegistryOverrideManager& rom) { |
| 76 base::string16 temp; |
| 77 |
| 78 if (key == nt::HKCU) { |
| 79 rom.OverrideRegistry(HKEY_CURRENT_USER, &temp); |
| 80 ::wcsncpy(nt::HKCU_override, temp.c_str(), nt::g_kRegMaxPathLen - 1); |
| 81 } else if (key == nt::HKLM) { |
| 82 rom.OverrideRegistry(HKEY_LOCAL_MACHINE, &temp); |
| 83 ::wcsncpy(nt::HKLM_override, temp.c_str(), nt::g_kRegMaxPathLen - 1); |
| 84 } |
| 85 // nt::AUTO should not be passed into this function. |
| 86 } |
| 87 |
| 31 TEST(ChromeElfUtilTest, CanaryTest) { | 88 TEST(ChromeElfUtilTest, CanaryTest) { |
| 32 EXPECT_TRUE(IsSxSChrome(kCanaryExePath)); | 89 EXPECT_TRUE(IsSxSChrome(kCanaryExePath)); |
| 33 EXPECT_FALSE(IsSxSChrome(kChromeUserExePath)); | 90 EXPECT_FALSE(IsSxSChrome(kChromeUserExePath)); |
| 34 EXPECT_FALSE(IsSxSChrome(kChromiumExePath)); | 91 EXPECT_FALSE(IsSxSChrome(kChromiumExePath)); |
| 35 } | 92 } |
| 36 | 93 |
| 37 TEST(ChromeElfUtilTest, SystemInstallTest) { | 94 TEST(ChromeElfUtilTest, SystemInstallTest) { |
| 38 EXPECT_TRUE(IsSystemInstall(kChromeSystemExePath)); | 95 EXPECT_TRUE(IsSystemInstall(kChromeSystemExePath)); |
| 39 EXPECT_FALSE(IsSystemInstall(kChromeUserExePath)); | 96 EXPECT_FALSE(IsSystemInstall(kChromeUserExePath)); |
| 40 } | 97 } |
| 41 | 98 |
| 42 TEST(ChromeElfUtilTest, BrowserProcessTest) { | 99 TEST(ChromeElfUtilTest, BrowserProcessTest) { |
| 43 EXPECT_EQ(ProcessType::UNINITIALIZED, g_process_type); | 100 EXPECT_EQ(ProcessType::UNINITIALIZED, g_process_type); |
| 44 InitializeProcessType(); | 101 InitializeProcessType(); |
| 45 EXPECT_FALSE(IsNonBrowserProcess()); | 102 EXPECT_FALSE(IsNonBrowserProcess()); |
| 46 } | 103 } |
| 47 | 104 |
| 105 TEST(ChromeElfUtilTest, BrowserProcessSecurityTest) { |
| 106 if (!::IsWindows8OrGreater()) |
| 107 return; |
| 108 |
| 109 // Set up registry override for this test. |
| 110 registry_util::RegistryOverrideManager override_manager; |
| 111 RegRedirect(nt::HKCU, override_manager); |
| 112 |
| 113 // First, ensure that the emergency-off finch signal works. |
| 114 EXPECT_TRUE(SetSecurityFinchFlag(true)); |
| 115 EarlyBrowserSecurity(); |
| 116 EXPECT_FALSE(IsSecuritySet()); |
| 117 EXPECT_TRUE(SetSecurityFinchFlag(false)); |
| 118 |
| 119 // Second, test that the process mitigation is set when no finch signal. |
| 120 EarlyBrowserSecurity(); |
| 121 EXPECT_TRUE(IsSecuritySet()); |
| 122 } |
| 123 |
| 48 //------------------------------------------------------------------------------ | 124 //------------------------------------------------------------------------------ |
| 49 // NT registry API tests (chrome_elf_reg) | 125 // NT registry API tests (chrome_elf_reg) |
| 50 //------------------------------------------------------------------------------ | 126 //------------------------------------------------------------------------------ |
| 51 | 127 |
| 52 TEST(ChromeElfUtilTest, NTRegistry) { | 128 TEST(ChromeElfUtilTest, NTRegistry) { |
| 53 HANDLE key_handle; | 129 HANDLE key_handle; |
| 54 const wchar_t* dword_val_name = L"DwordTestValue"; | 130 const wchar_t* dword_val_name = L"DwordTestValue"; |
| 55 DWORD dword_val = 1234; | 131 DWORD dword_val = 1234; |
| 56 const wchar_t* sz_val_name = L"SzTestValue"; | 132 const wchar_t* sz_val_name = L"SzTestValue"; |
| 57 base::string16 sz_val = L"blah de blah de blahhhhh."; | 133 base::string16 sz_val = L"blah de blah de blahhhhh."; |
| 58 const wchar_t* sz_val_name2 = L"SzTestValueEmpty"; | 134 const wchar_t* sz_val_name2 = L"SzTestValueEmpty"; |
| 59 base::string16 sz_val2 = L""; | 135 base::string16 sz_val2 = L""; |
| 60 const wchar_t* multisz_val_name = L"SzmultiTestValue"; | 136 const wchar_t* multisz_val_name = L"SzmultiTestValue"; |
| 61 std::vector<base::string16> multisz_val; | 137 std::vector<base::string16> multisz_val; |
| 62 base::string16 multi1 = L"one"; | 138 base::string16 multi1 = L"one"; |
| 63 base::string16 multi2 = L"two"; | 139 base::string16 multi2 = L"two"; |
| 64 base::string16 multi3 = L"three"; | 140 base::string16 multi3 = L"three"; |
| 65 const wchar_t* multisz_val_name2 = L"SzmultiTestValueBad"; | 141 const wchar_t* multisz_val_name2 = L"SzmultiTestValueBad"; |
| 66 base::string16 multi_empty = L""; | 142 base::string16 multi_empty = L""; |
| 67 const wchar_t* sz_new_key_1 = L"test\\new\\subkey"; | 143 const wchar_t* sz_new_key_1 = L"test\\new\\subkey"; |
| 68 const wchar_t* sz_new_key_2 = L"test\\new\\subkey\\blah\\"; | 144 const wchar_t* sz_new_key_2 = L"test\\new\\subkey\\blah\\"; |
| 69 const wchar_t* sz_new_key_3 = L"\\test\\new\\subkey\\\\blah2"; | 145 const wchar_t* sz_new_key_3 = L"\\test\\new\\subkey\\\\blah2"; |
| 70 | 146 |
| 71 // Set up registry override for this test. | 147 // Set up registry override for this test. |
| 72 base::string16 temp; | |
| 73 registry_util::RegistryOverrideManager override_manager; | 148 registry_util::RegistryOverrideManager override_manager; |
| 74 override_manager.OverrideRegistry(HKEY_CURRENT_USER, &temp); | 149 RegRedirect(nt::HKCU, override_manager); |
| 75 ::wcsncpy(nt::HKCU_override, temp.c_str(), nt::g_kRegMaxPathLen - 1); | |
| 76 | 150 |
| 77 // Create a temp key to play under. | 151 // Create a temp key to play under. |
| 78 ASSERT_TRUE(nt::CreateRegKey(nt::HKCU, elf_sec::kRegSecurityPath, | 152 ASSERT_TRUE(nt::CreateRegKey(nt::HKCU, elf_sec::kRegSecurityPath, |
| 79 KEY_ALL_ACCESS, &key_handle)); | 153 KEY_ALL_ACCESS, &key_handle)); |
| 80 | 154 |
| 81 // Exercise the supported getter & setter functions. | 155 // Exercise the supported getter & setter functions. |
| 82 EXPECT_TRUE(nt::SetRegValueDWORD(key_handle, dword_val_name, dword_val)); | 156 EXPECT_TRUE(nt::SetRegValueDWORD(key_handle, dword_val_name, dword_val)); |
| 83 EXPECT_TRUE(nt::SetRegValueSZ(key_handle, sz_val_name, sz_val)); | 157 EXPECT_TRUE(nt::SetRegValueSZ(key_handle, sz_val_name, sz_val)); |
| 84 EXPECT_TRUE(nt::SetRegValueSZ(key_handle, sz_val_name2, sz_val2)); | 158 EXPECT_TRUE(nt::SetRegValueSZ(key_handle, sz_val_name2, sz_val2)); |
| 85 | 159 |
| (...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 155 | 229 |
| 156 // Parameterized test with paramters: | 230 // Parameterized test with paramters: |
| 157 // 1: product: "canary" or "google" | 231 // 1: product: "canary" or "google" |
| 158 // 2: install level: "user" or "system" | 232 // 2: install level: "user" or "system" |
| 159 // 3: install mode: "single" or "multi" | 233 // 3: install mode: "single" or "multi" |
| 160 class ChromeElfUtilTest | 234 class ChromeElfUtilTest |
| 161 : public testing::TestWithParam< | 235 : public testing::TestWithParam< |
| 162 std::tuple<const char*, const char*, const char*>> { | 236 std::tuple<const char*, const char*, const char*>> { |
| 163 protected: | 237 protected: |
| 164 void SetUp() override { | 238 void SetUp() override { |
| 165 base::string16 temp; | 239 // Set up registry override for these tests. |
| 166 override_manager_.OverrideRegistry(HKEY_LOCAL_MACHINE, &temp); | 240 RegRedirect(nt::HKLM, override_manager_); |
| 167 ::wcsncpy(nt::HKLM_override, temp.c_str(), nt::g_kRegMaxPathLen - 1); | 241 RegRedirect(nt::HKCU, override_manager_); |
| 168 temp.clear(); | |
| 169 override_manager_.OverrideRegistry(HKEY_CURRENT_USER, &temp); | |
| 170 ::wcsncpy(nt::HKCU_override, temp.c_str(), nt::g_kRegMaxPathLen - 1); | |
| 171 | 242 |
| 172 const char* app; | 243 const char* app; |
| 173 const char* level; | 244 const char* level; |
| 174 const char* mode; | 245 const char* mode; |
| 175 std::tie(app, level, mode) = GetParam(); | 246 std::tie(app, level, mode) = GetParam(); |
| 176 is_canary_ = (std::string(app) == "canary"); | 247 is_canary_ = (std::string(app) == "canary"); |
| 177 system_level_ = (std::string(level) != "user"); | 248 system_level_ = (std::string(level) != "user"); |
| 178 multi_install_ = (std::string(mode) != "single"); | 249 multi_install_ = (std::string(mode) != "single"); |
| 179 if (is_canary_) { | 250 if (is_canary_) { |
| 180 ASSERT_FALSE(system_level_); | 251 ASSERT_FALSE(system_level_); |
| (...skipping 334 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 515 testing::Combine(testing::Values("canary"), | 586 testing::Combine(testing::Values("canary"), |
| 516 testing::Values("user"), | 587 testing::Values("user"), |
| 517 testing::Values("single"))); | 588 testing::Values("single"))); |
| 518 INSTANTIATE_TEST_CASE_P(GoogleChrome, | 589 INSTANTIATE_TEST_CASE_P(GoogleChrome, |
| 519 ChromeElfUtilTest, | 590 ChromeElfUtilTest, |
| 520 testing::Combine(testing::Values("google"), | 591 testing::Combine(testing::Values("google"), |
| 521 testing::Values("user", "system"), | 592 testing::Values("user", "system"), |
| 522 testing::Values("single", "multi"))); | 593 testing::Values("single", "multi"))); |
| 523 | 594 |
| 524 } // namespace | 595 } // namespace |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1656453002:
[Chrome ELF] Early browser security support. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master