Chromium Code Reviews Chromium Code Reviews
Issue 1656453002:
[Chrome ELF] Early browser security support. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome_elf/chrome_elf_util.h" | 5 #include "chrome_elf/chrome_elf_util.h" |
| 6 | 6 |
| 7 #include <assert.h> | 7 #include <assert.h> |
| 8 #include <stddef.h> | |
| 8 #include <windows.h> | 9 #include <windows.h> |
| 9 #include <stddef.h> | 10 #include <versionhelpers.h> // windows.h must be before |
| 10 | 11 |
| 11 #include "base/macros.h" | 12 #include "base/macros.h" |
| 12 #include "base/strings/string16.h" | 13 #include "base/strings/string16.h" |
| 13 | 14 |
| 14 ProcessType g_process_type = ProcessType::UNINITIALIZED; | 15 ProcessType g_process_type = ProcessType::UNINITIALIZED; |
| 15 | 16 |
| 16 namespace { | 17 namespace { |
| 17 | 18 |
| 18 const wchar_t kRegPathClientState[] = L"Software\\Google\\Update\\ClientState"; | 19 const wchar_t kRegPathClientState[] = L"Software\\Google\\Update\\ClientState"; |
| 19 const wchar_t kRegPathClientStateMedium[] = | 20 const wchar_t kRegPathClientStateMedium[] = |
| (...skipping 195 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 215 return; | 216 return; |
| 216 } | 217 } |
| 217 | 218 |
| 218 g_process_type = ProcessType::BROWSER_PROCESS; | 219 g_process_type = ProcessType::BROWSER_PROCESS; |
| 219 } | 220 } |
| 220 | 221 |
| 221 bool IsNonBrowserProcess() { | 222 bool IsNonBrowserProcess() { |
| 222 assert(g_process_type != ProcessType::UNINITIALIZED); | 223 assert(g_process_type != ProcessType::UNINITIALIZED); |
| 223 return g_process_type == ProcessType::NON_BROWSER_PROCESS; | 224 return g_process_type == ProcessType::NON_BROWSER_PROCESS; |
| 224 } | 225 } |
| 226 | |
| 227 typedef decltype(SetProcessMitigationPolicy)* SetProcessMitigationPolicyFunc; | |
|
robertshield
2016/04/12 20:53:12
Any reason not to keep this typedef inside the sco
penny
2016/04/15 18:03:51
Done.
| |
| 228 | |
| 229 void EarlyBrowserSecurity() { | |
| 230 // This function is called from within DllMain. | |
| 231 // Don't do anything naughty while we have the loader lock. | |
| 232 NTSTATUS ret_val; | |
|
robertshield
2016/04/12 20:53:12
initialize to STATUS_SUCCESS
penny
2016/04/15 18:03:51
Done.
| |
| 233 HANDLE handle; | |
|
robertshield
2016/04/12 20:53:12
initialize this to NULL
penny
2016/04/15 18:03:51
Done.
| |
| 234 | |
| 235 // Check for kRegistrySecurityFinchPath. If it exists, | |
| 236 // we do NOT disable extension points. (Emergency off flag.) | |
| 237 if (nt::OpenRegKey(nt::HKCU, elf_sec::kRegSecurityFinchPath, KEY_QUERY_VALUE, | |
| 238 &handle, &ret_val)) { | |
| 239 nt::CloseRegKey(handle); | |
| 240 return; | |
| 241 } | |
| 242 #ifdef _DEBUG | |
| 243 // The only failure expected is for the path not existing. | |
| 244 if (ret_val != STATUS_OBJECT_NAME_NOT_FOUND) | |
| 245 assert(false); | |
| 246 #endif | |
| 247 | |
| 248 if (::IsWindows8OrGreater()) { | |
| 249 SetProcessMitigationPolicyFunc set_process_mitigation_policy = | |
| 250 reinterpret_cast<SetProcessMitigationPolicyFunc>(::GetProcAddress( | |
| 251 ::GetModuleHandleW(L"kernel32.dll"), "SetProcessMitigationPolicy")); | |
| 252 if (set_process_mitigation_policy) { | |
| 253 // Disable extension points in this process. | |
| 254 // (Legacy hooking.) | |
| 255 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; | |
| 256 policy.DisableExtensionPoints = true; | |
| 257 | |
| 258 set_process_mitigation_policy(ProcessExtensionPointDisablePolicy, &policy, | |
| 259 sizeof(policy)); | |
| 260 } | |
| 261 } | |
| 262 | |
| 263 return; | |
| 264 } | |
| OLD | NEW |
