[Chrome ELF] Early browser security support.

chrome_elf/chrome_elf_util_unittest.cc

Index: chrome_elf/chrome_elf_util_unittest.cc
diff --git a/chrome_elf/chrome_elf_util_unittest.cc b/chrome_elf/chrome_elf_util_unittest.cc
index 565785f95d6cd9020a5379d625118cdf0d15cbe1..73114a2d169cfd08dff48d7cc2603eb7f9b5ae3e 100644
--- a/chrome_elf/chrome_elf_util_unittest.cc
+++ b/chrome_elf/chrome_elf_util_unittest.cc
@@ -5,9 +5,12 @@
 #include "chrome_elf/chrome_elf_util.h"
 
 #include <tuple>
+#include <windows.h>
+#include <versionhelpers.h>  // windows.h must be before.
 
 #include "base/test/test_reg_util_win.h"
 #include "base/win/registry.h"
+#include "chrome_elf/chrome_elf_constants.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "testing/platform_test.h"
 
@@ -36,6 +39,47 @@ const wchar_t kChromeUserExePath[] =
 const wchar_t kChromiumExePath[] =
     L"C:\\Users\\user\\AppData\\Local\\Chromium\\Application\\chrome.exe";
 
+bool SetSecurityFinchFlag(bool creation) {
+  bool success = true;
+  base::win::RegKey security_key(HKEY_CURRENT_USER, L"", KEY_ALL_ACCESS);
+
+  if (creation) {
+    if (ERROR_SUCCESS !=
+        security_key.CreateKey(elf_sec::kRegSecurityFinchPath, KEY_QUERY_VALUE))
+      success = false;
+  } else {
+    if (ERROR_SUCCESS != security_key.DeleteKey(elf_sec::kRegSecurityFinchPath))
+      success = false;
+  }
+
+  security_key.Close();
+  return success;
+}
+
+typedef decltype(GetProcessMitigationPolicy)* GetProcessMitigationPolicyFunc;

[robertshield, 2016/04/12 20:53:12]

same question about moving this into the function scope below

[penny, 2016/04/15 18:03:51]

Done.

+
+bool IsSecuritySet() {
+  // Check the settings from EarlyBrowserSecurity().
+  if (::IsWindows8OrGreater()) {
+    GetProcessMitigationPolicyFunc get_process_mitigation_policy =
+        reinterpret_cast<GetProcessMitigationPolicyFunc>(::GetProcAddress(
+            ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy"));
+    if (!get_process_mitigation_policy)
+      return false;
+
+    // Check that extension points are disabled.
+    // (Legacy hooking.)
+    PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {};
+    if (!get_process_mitigation_policy(::GetCurrentProcess(),
+                                       ProcessExtensionPointDisablePolicy,
+                                       &policy, sizeof(policy)))
+      return false;
+
+    return policy.DisableExtensionPoints;
+  }
+
+  return true;
+}
 
 TEST(ChromeElfUtilTest, CanaryTest) {
   EXPECT_TRUE(IsCanary(kCanaryExePath));
@@ -54,6 +98,20 @@ TEST(ChromeElfUtilTest, BrowserProcessTest) {
   EXPECT_FALSE(IsNonBrowserProcess());
 }
 
+TEST(ChromeElfUtilTest, BrowserProcessSecurityTest) {
+  EarlyBrowserSecurity();
+  EXPECT_TRUE(IsSecuritySet());
+}
+
+TEST(ChromeElfUtilTest, BrowserProcessSecurityTest_FinchOff) {
+  EXPECT_TRUE(SetSecurityFinchFlag(true));
+  EarlyBrowserSecurity();
+  EXPECT_FALSE(IsSecuritySet());
+  EXPECT_TRUE(SetSecurityFinchFlag(false));
+}
+
+}  // namespace
+
 // Parameterized test with paramters:
 // 1: product: "canary" or "google"
 // 2: install level: "user" or "system"