Chromium Code Reviews Chromium Code Reviews
Issue 1656453002:
[Chrome ELF] Early browser security support. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome_elf/chrome_elf_util.h" | 5 #include "chrome_elf/chrome_elf_util.h" |
| 6 | 6 |
| 7 #include <tuple> | 7 #include <tuple> |
| 8 #include <windows.h> | |
| 9 #include <versionhelpers.h> // windows.h must be before. | |
| 8 | 10 |
| 9 #include "base/test/test_reg_util_win.h" | 11 #include "base/test/test_reg_util_win.h" |
| 10 #include "base/win/registry.h" | 12 #include "base/win/registry.h" |
| 13 #include "chrome_elf/chrome_elf_constants.h" | |
| 11 #include "testing/gtest/include/gtest/gtest.h" | 14 #include "testing/gtest/include/gtest/gtest.h" |
| 12 #include "testing/platform_test.h" | 15 #include "testing/platform_test.h" |
| 13 | 16 |
| 14 namespace { | 17 namespace { |
| 15 | 18 |
| 16 const wchar_t kRegPathClientState[] = L"Software\\Google\\Update\\ClientState"; | 19 const wchar_t kRegPathClientState[] = L"Software\\Google\\Update\\ClientState"; |
| 17 const wchar_t kRegPathClientStateMedium[] = | 20 const wchar_t kRegPathClientStateMedium[] = |
| 18 L"Software\\Google\\Update\\ClientStateMedium"; | 21 L"Software\\Google\\Update\\ClientStateMedium"; |
| 19 const wchar_t kRegValueUsageStats[] = L"usagestats"; | 22 const wchar_t kRegValueUsageStats[] = L"usagestats"; |
| 20 const wchar_t kUninstallArgumentsField[] = L"UninstallArguments"; | 23 const wchar_t kUninstallArgumentsField[] = L"UninstallArguments"; |
| 21 | 24 |
| 22 const wchar_t kAppGuidCanary[] = | 25 const wchar_t kAppGuidCanary[] = |
| 23 L"{4ea16ac7-fd5a-47c3-875b-dbf4a2008c20}"; | 26 L"{4ea16ac7-fd5a-47c3-875b-dbf4a2008c20}"; |
| 24 const wchar_t kAppGuidGoogleChrome[] = | 27 const wchar_t kAppGuidGoogleChrome[] = |
| 25 L"{8A69D345-D564-463c-AFF1-A69D9E530F96}"; | 28 L"{8A69D345-D564-463c-AFF1-A69D9E530F96}"; |
| 26 const wchar_t kAppGuidGoogleBinaries[] = | 29 const wchar_t kAppGuidGoogleBinaries[] = |
| 27 L"{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}"; | 30 L"{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}"; |
| 28 | 31 |
| 29 const wchar_t kCanaryExePath[] = | 32 const wchar_t kCanaryExePath[] = |
| 30 L"C:\\Users\\user\\AppData\\Local\\Google\\Chrome SxS\\Application" | 33 L"C:\\Users\\user\\AppData\\Local\\Google\\Chrome SxS\\Application" |
| 31 L"\\chrome.exe"; | 34 L"\\chrome.exe"; |
| 32 const wchar_t kChromeSystemExePath[] = | 35 const wchar_t kChromeSystemExePath[] = |
| 33 L"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"; | 36 L"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"; |
| 34 const wchar_t kChromeUserExePath[] = | 37 const wchar_t kChromeUserExePath[] = |
| 35 L"C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe"; | 38 L"C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe"; |
| 36 const wchar_t kChromiumExePath[] = | 39 const wchar_t kChromiumExePath[] = |
| 37 L"C:\\Users\\user\\AppData\\Local\\Chromium\\Application\\chrome.exe"; | 40 L"C:\\Users\\user\\AppData\\Local\\Chromium\\Application\\chrome.exe"; |
| 38 | 41 |
| 42 bool SetSecurityFinchFlag(bool creation) { | |
| 43 bool success = true; | |
| 44 base::win::RegKey security_key(HKEY_CURRENT_USER, L"", KEY_ALL_ACCESS); | |
| 45 | |
| 46 if (creation) { | |
| 47 if (ERROR_SUCCESS != | |
| 48 security_key.CreateKey(elf_sec::kRegSecurityFinchPath, KEY_QUERY_VALUE)) | |
| 49 success = false; | |
| 50 } else { | |
| 51 if (ERROR_SUCCESS != security_key.DeleteKey(elf_sec::kRegSecurityFinchPath)) | |
| 52 success = false; | |
| 53 } | |
| 54 | |
| 55 security_key.Close(); | |
| 56 return success; | |
| 57 } | |
| 58 | |
| 59 typedef decltype(GetProcessMitigationPolicy)* GetProcessMitigationPolicyFunc; | |
|
robertshield
2016/04/12 20:53:12
same question about moving this into the function
penny
2016/04/15 18:03:51
Done.
| |
| 60 | |
| 61 bool IsSecuritySet() { | |
| 62 // Check the settings from EarlyBrowserSecurity(). | |
| 63 if (::IsWindows8OrGreater()) { | |
| 64 GetProcessMitigationPolicyFunc get_process_mitigation_policy = | |
| 65 reinterpret_cast<GetProcessMitigationPolicyFunc>(::GetProcAddress( | |
| 66 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
| 67 if (!get_process_mitigation_policy) | |
| 68 return false; | |
| 69 | |
| 70 // Check that extension points are disabled. | |
| 71 // (Legacy hooking.) | |
| 72 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; | |
| 73 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
| 74 ProcessExtensionPointDisablePolicy, | |
| 75 &policy, sizeof(policy))) | |
| 76 return false; | |
| 77 | |
| 78 return policy.DisableExtensionPoints; | |
| 79 } | |
| 80 | |
| 81 return true; | |
| 82 } | |
| 39 | 83 |
| 40 TEST(ChromeElfUtilTest, CanaryTest) { | 84 TEST(ChromeElfUtilTest, CanaryTest) { |
| 41 EXPECT_TRUE(IsCanary(kCanaryExePath)); | 85 EXPECT_TRUE(IsCanary(kCanaryExePath)); |
| 42 EXPECT_FALSE(IsCanary(kChromeUserExePath)); | 86 EXPECT_FALSE(IsCanary(kChromeUserExePath)); |
| 43 EXPECT_FALSE(IsCanary(kChromiumExePath)); | 87 EXPECT_FALSE(IsCanary(kChromiumExePath)); |
| 44 } | 88 } |
| 45 | 89 |
| 46 TEST(ChromeElfUtilTest, SystemInstallTest) { | 90 TEST(ChromeElfUtilTest, SystemInstallTest) { |
| 47 EXPECT_TRUE(IsSystemInstall(kChromeSystemExePath)); | 91 EXPECT_TRUE(IsSystemInstall(kChromeSystemExePath)); |
| 48 EXPECT_FALSE(IsSystemInstall(kChromeUserExePath)); | 92 EXPECT_FALSE(IsSystemInstall(kChromeUserExePath)); |
| 49 } | 93 } |
| 50 | 94 |
| 51 TEST(ChromeElfUtilTest, BrowserProcessTest) { | 95 TEST(ChromeElfUtilTest, BrowserProcessTest) { |
| 52 EXPECT_EQ(ProcessType::UNINITIALIZED, g_process_type); | 96 EXPECT_EQ(ProcessType::UNINITIALIZED, g_process_type); |
| 53 InitializeProcessType(); | 97 InitializeProcessType(); |
| 54 EXPECT_FALSE(IsNonBrowserProcess()); | 98 EXPECT_FALSE(IsNonBrowserProcess()); |
| 55 } | 99 } |
| 56 | 100 |
| 101 TEST(ChromeElfUtilTest, BrowserProcessSecurityTest) { | |
| 102 EarlyBrowserSecurity(); | |
| 103 EXPECT_TRUE(IsSecuritySet()); | |
| 104 } | |
| 105 | |
| 106 TEST(ChromeElfUtilTest, BrowserProcessSecurityTest_FinchOff) { | |
| 107 EXPECT_TRUE(SetSecurityFinchFlag(true)); | |
| 108 EarlyBrowserSecurity(); | |
| 109 EXPECT_FALSE(IsSecuritySet()); | |
| 110 EXPECT_TRUE(SetSecurityFinchFlag(false)); | |
| 111 } | |
| 112 | |
| 113 } // namespace | |
| 114 | |
| 57 // Parameterized test with paramters: | 115 // Parameterized test with paramters: |
| 58 // 1: product: "canary" or "google" | 116 // 1: product: "canary" or "google" |
| 59 // 2: install level: "user" or "system" | 117 // 2: install level: "user" or "system" |
| 60 // 3: install mode: "single" or "multi" | 118 // 3: install mode: "single" or "multi" |
| 61 class ChromeElfUtilTest : | 119 class ChromeElfUtilTest : |
| 62 public testing::TestWithParam<std::tuple<const char*, | 120 public testing::TestWithParam<std::tuple<const char*, |
| 63 const char*, | 121 const char*, |
| 64 const char*> > { | 122 const char*> > { |
| 65 protected: | 123 protected: |
| 66 void SetUp() override { | 124 void SetUp() override { |
| (...skipping 114 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 181 INSTANTIATE_TEST_CASE_P(Canary, ChromeElfUtilTest, | 239 INSTANTIATE_TEST_CASE_P(Canary, ChromeElfUtilTest, |
| 182 testing::Combine(testing::Values("canary"), | 240 testing::Combine(testing::Values("canary"), |
| 183 testing::Values("user"), | 241 testing::Values("user"), |
| 184 testing::Values("single"))); | 242 testing::Values("single"))); |
| 185 INSTANTIATE_TEST_CASE_P(GoogleChrome, ChromeElfUtilTest, | 243 INSTANTIATE_TEST_CASE_P(GoogleChrome, ChromeElfUtilTest, |
| 186 testing::Combine(testing::Values("google"), | 244 testing::Combine(testing::Values("google"), |
| 187 testing::Values("user", "system"), | 245 testing::Values("user", "system"), |
| 188 testing::Values("single", "multi"))); | 246 testing::Values("single", "multi"))); |
| 189 | 247 |
| 190 } // namespace | 248 } // namespace |
| OLD | NEW |
