Chrome Frame: Add explicit object security attributes to the Chrome Frame ver...

chrome_frame/test/module_utils_test.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome_frame/module_utils.h"
 
 #include "base/scoped_handle.h"
 #include "base/shared_memory.h"
+#include "base/sys_info.h"
 #include "base/utf_string_conversions.h"
 #include "base/version.h"
+#include "chrome_frame/test/chrome_frame_test_utils.h"
 #include "gtest/gtest.h"
 
 extern "C" IMAGE_DOS_HEADER __ImageBase;
 
 const char kMockVersionString[] = "42.42.42.42";
 const char kMockVersionString2[] = "133.33.33.7";
 
 const HMODULE kMockModuleHandle = reinterpret_cast<HMODULE>(42);
 const HMODULE kMockModuleHandle2 = reinterpret_cast<HMODULE>(43);
 
@@ skipping 40 matching lines @@
 
   virtual HMODULE LoadVersionedModule() {
     return kMockModuleHandle2;
   }
 
   virtual Version* GetCurrentModuleVersion() {
     return Version::GetVersionFromString(kMockVersionString2);
   }
 };
 
+class MockDllRedirectorNoPermissions : public MockDllRedirector {
+ public:
+  explicit MockDllRedirectorNoPermissions(const char* beacon_name)
+    : MockDllRedirector(beacon_name) {}
+
+  virtual bool BuildSecurityAttributesForLock(
+      ATL::CSecurityAttributes* sec_attr) {
+    return false;
+  }
+
+  virtual bool SetFileMappingToReadOnly(base::SharedMemoryHandle mapping) {
+    return true;
+  }
+};
+
 class DllRedirectorTest : public testing::Test {
  public:
   virtual void SetUp() {
     shared_memory_.reset(new base::SharedMemory);
     mock_version_.reset(Version::GetVersionFromString(kMockVersionString));
     mock_version2_.reset(Version::GetVersionFromString(kMockVersionString2));
   }
 
   virtual void TearDown() {
     CloseBeacon();
@@ skipping 202 matching lines @@
   // The redirector should fail to read the version number and defer to
   // its own version.
   scoped_ptr<MockDllRedirector> first_redirector(
       new MockDllRedirector(kTestVersionBeaconName));
   EXPECT_TRUE(first_redirector->RegisterAsFirstCFModule());
 
   HMODULE first_module = first_redirector->GetFirstModule();
   EXPECT_EQ(reinterpret_cast<HMODULE>(&__ImageBase), first_module);
 }
 
+// TODO(robertshield): These tests rely on simulating access checks from a low
+// integrity process using impersonation. This may not be exactly identical to
+// actually having a separate low integrity process.
+TEST_F(DllRedirectorTest, LowIntegrityAccess) {
+  scoped_ptr<MockDllRedirector> first_redirector(
+      new MockDllRedirector(kTestVersionBeaconName));
+  EXPECT_TRUE(first_redirector->RegisterAsFirstCFModule());
+
+  // Ensure that we can acquire the mutex from medium integrity:
+  {
+    base::SharedMemory shared_memory(ASCIIToWide(kTestVersionBeaconName));
+    bool mutex_locked = shared_memory.Lock(kWaitTestTimeout, NULL);
+    EXPECT_TRUE(mutex_locked);
+
+    // Ensure that the shared memory is read-only:
+    EXPECT_FALSE(shared_memory.Open(kTestVersionBeaconName, false));
+    shared_memory.Close();
+    EXPECT_TRUE(shared_memory.Open(kTestVersionBeaconName, true));
+    shared_memory.Close();
+
+    if (mutex_locked)
+      shared_memory.Unlock();
+  }
+
+  int32 major_version, minor_version, fix_version;
+  base::SysInfo::OperatingSystemVersionNumbers(&major_version,
+                                               &minor_version,
+                                               &fix_version);
+  if (major_version >= 6) {
+    // Now move to low integrity
+    chrome_frame_test::LowIntegrityToken low_integrity_token;
+    ASSERT_TRUE(low_integrity_token.Impersonate());
+
+    // Ensure that we can also acquire the mutex from low integrity.
+    base::SharedMemory shared_memory(ASCIIToWide(kTestVersionBeaconName));
+    bool mutex_locked = shared_memory.Lock(kWaitTestTimeout, NULL);
+    EXPECT_TRUE(mutex_locked);
+
+    // Ensure that the shared memory is read-only:
+    EXPECT_FALSE(shared_memory.Open(kTestVersionBeaconName, false));
+    shared_memory.Close();
+    EXPECT_TRUE(shared_memory.Open(kTestVersionBeaconName, true));
+    shared_memory.Close();
+
+    if (mutex_locked)
+      shared_memory.Unlock();
+  }
+}
+
+TEST_F(DllRedirectorTest, LowIntegrityAccessDenied) {
+  // Run this test with a mock DllRedirector that doesn't set permissions
+  // on the shared memory.
+  scoped_ptr<MockDllRedirectorNoPermissions> first_redirector(
+      new MockDllRedirectorNoPermissions(kTestVersionBeaconName));
+  EXPECT_TRUE(first_redirector->RegisterAsFirstCFModule());
+
+  // Ensure that we can acquire the mutex from medium integrity:
+  {
+    base::SharedMemory shared_memory(ASCIIToWide(kTestVersionBeaconName));
+    bool mutex_locked = shared_memory.Lock(kWaitTestTimeout, NULL);
+    EXPECT_TRUE(mutex_locked);
+
+    // We should be able to open the memory as read/write.
+    EXPECT_TRUE(shared_memory.Open(kTestVersionBeaconName, false));
+    shared_memory.Close();
+
+    if (mutex_locked)
+      shared_memory.Unlock();
+  }
+
+  int32 major_version, minor_version, fix_version;
+  base::SysInfo::OperatingSystemVersionNumbers(&major_version,
+                                               &minor_version,
+                                               &fix_version);
+  if (major_version >= 6) {
+    // Now move to low integrity
+    chrome_frame_test::LowIntegrityToken low_integrity_token;
+    low_integrity_token.Impersonate();
+
+    // Ensure that we can't acquire the mutex without having set the
+    // Low Integrity ACE in the SACL.
+    base::SharedMemory shared_memory(ASCIIToWide(kTestVersionBeaconName));
+    bool mutex_locked = shared_memory.Lock(kWaitTestTimeout, NULL);
+    EXPECT_FALSE(mutex_locked);
+
+    // We shouldn't be able to open the memory.
+    EXPECT_FALSE(shared_memory.Open(kTestVersionBeaconName, false));
+    shared_memory.Close();
+
+    if (mutex_locked)
+      shared_memory.Unlock();
+  }
+}
+