author | robertshield@chromium.org <robertshield@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-16 14:25:03 +0000 |
---|---|---|
committer | robertshield@chromium.org <robertshield@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-16 14:25:03 +0000 |
commit | 421551607bdee875b9502d8fd74bdcf69e009fe2 (patch) | |
tree | 238f862d09341e578cf701ac418898ccd482f83c /chrome_frame/test/module_utils_test.cc | |
parent | ce0afe43c8cfaef0d642f77a625ec63eca5b6a3d (diff) | |
Chrome Frame: Add explicit object security attributes to the Chrome Frame version beacon. This allows low integrity processes to access the shared memory segment and the lock, and makes the shared memory segment read-only after creation.
Also use lock names that include the hosting process.
BUG=61609
TEST=Start medium integrity Chrome Frame host running CF version X. Update CF to version Y > X. Start low integrity Chrome Frame host, observe that version X is loaded.
Review URL: http://codereview.chromium.org/5012001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@66270 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome_frame/test/module_utils_test.cc')
-rw-r--r-- | chrome_frame/test/module_utils_test.cc | 111 |
1 files changed, 111 insertions, 0 deletions
diff --git a/chrome_frame/test/module_utils_test.cc b/chrome_frame/test/module_utils_test.cc
index 4bb16ce..26a0ac7 100644
--- a/chrome_frame/test/module_utils_test.cc
+++ b/chrome_frame/test/module_utils_test.cc
@@ -6,8 +6,10 @@
 #include "base/scoped_handle.h"
 #include "base/shared_memory.h"
+#include "base/sys_info.h"
 #include "base/utf_string_conversions.h"
 #include "base/version.h"
+#include "chrome_frame/test/chrome_frame_test_utils.h"
 #include "gtest/gtest.h"
 extern "C" IMAGE_DOS_HEADER __ImageBase;
@@ -68,6 +70,21 @@ class MockDllRedirector2 : public MockDllRedirector {
 }
 };
+class MockDllRedirectorNoPermissions : public MockDllRedirector {
+ public:
+ explicit MockDllRedirectorNoPermissions(const char* beacon_name)
+ : MockDllRedirector(beacon_name) {}
+
+ virtual bool BuildSecurityAttributesForLock(
+ ATL::CSecurityAttributes* sec_attr) {
+ return false;
+ }
+
+ virtual bool SetFileMappingToReadOnly(base::SharedMemoryHandle mapping) {
+ return true;
+ }
+};
+
 class DllRedirectorTest : public testing::Test {
 public:
 virtual void SetUp() {
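Review bot: MockDllRedirectorNoPermissions has no comment saying which production step each override disables, and the two return values read as contradictory (`false` for the lock attributes, `true` for the read-only step). A class comment would settle it, for example `// Simulates a redirector that builds no security attributes for the lock and leaves the beacon mapping writable.` Returning `true` from SetFileMappingToReadOnly without touching `mapping` appears meant to report success while skipping the hardening step; a one-line comment on that override would stop a later reader from treating it as a bug. LowIntegrityAccessDenied expects RegisterAsFirstCFModule() to succeed with this mock, so production code presumably falls back to default security attributes when BuildSecurityAttributesForLock fails; that fallback is not visible in this hunk and is worth naming in the comment.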
@@ -290,3 +307,97 @@ TEST_F(DllRedirectorTest, BadVersionNumber) {
 EXPECT_EQ(reinterpret_cast<HMODULE>(&__ImageBase), first_module);
 }
+// TODO(robertshield): These tests rely on simulating access checks from a low
+// integrity process using impersonation. This may not be exactly identical to
+// actually having a separate low integrity process.
+TEST_F(DllRedirectorTest, LowIntegrityAccess) {
+ scoped_ptr<MockDllRedirector> first_redirector(
+ new MockDllRedirector(kTestVersionBeaconName));
+ EXPECT_TRUE(first_redirector->RegisterAsFirstCFModule());
+
+ // Ensure that we can acquire the mutex from medium integrity:
+ {
+ base::SharedMemory shared_memory(ASCIIToWide(kTestVersionBeaconName));
+ bool mutex_locked = shared_memory.Lock(kWaitTestTimeout, NULL);
+ EXPECT_TRUE(mutex_locked);
+
+ // Ensure that the shared memory is read-only:
+ EXPECT_FALSE(shared_memory.Open(kTestVersionBeaconName, false));
+ shared_memory.Close();
+ EXPECT_TRUE(shared_memory.Open(kTestVersionBeaconName, true));
+ shared_memory.Close();
+
+ if (mutex_locked)
+ shared_memory.Unlock();
+ }
+
+ int32 major_version, minor_version, fix_version;
+ base::SysInfo::OperatingSystemVersionNumbers(&major_version,
+ &minor_version,
+ &fix_version);
+ if (major_version >= 6) {
+ // Now move to low integrity
+ chrome_frame_test::LowIntegrityToken low_integrity_token;
+ ASSERT_TRUE(low_integrity_token.Impersonate());
+
+ // Ensure that we can also acquire the mutex from low integrity.
+ base::SharedMemory shared_memory(ASCIIToWide(kTestVersionBeaconName));
+ bool mutex_locked = shared_memory.Lock(kWaitTestTimeout, NULL);
+ EXPECT_TRUE(mutex_locked);
+
+ // Ensure that the shared memory is read-only:
+ EXPECT_FALSE(shared_memory.Open(kTestVersionBeaconName, false));
+ shared_memory.Close();
+ EXPECT_TRUE(shared_memory.Open(kTestVersionBeaconName, true));
+ shared_memory.Close();
+
+ if (mutex_locked)
+ shared_memory.Unlock();
+ }
+}
+
+TEST_F(DllRedirectorTest, LowIntegrityAccessDenied) {
+ // Run this test with a mock DllRedirector that doesn't set permissions
+ // on the shared memory.
+ scoped_ptr<MockDllRedirectorNoPermissions> first_redirector(
+ new MockDllRedirectorNoPermissions(kTestVersionBeaconName));
+ EXPECT_TRUE(first_redirector->RegisterAsFirstCFModule());
+
+ // Ensure that we can acquire the mutex from medium integrity:
+ {
+ base::SharedMemory shared_memory(ASCIIToWide(kTestVersionBeaconName));
+ bool mutex_locked = shared_memory.Lock(kWaitTestTimeout, NULL);
+ EXPECT_TRUE(mutex_locked);
+
+ // We should be able to open the memory as read/write.
+ EXPECT_TRUE(shared_memory.Open(kTestVersionBeaconName, false));
+ shared_memory.Close();
+
+ if (mutex_locked)
+ shared_memory.Unlock();
+ }
+
+ int32 major_version, minor_version, fix_version;
+ base::SysInfo::OperatingSystemVersionNumbers(&major_version,
+ &minor_version,
+ &fix_version);
+ if (major_version >= 6) {
+ // Now move to low integrity
+ chrome_frame_test::LowIntegrityToken low_integrity_token;
+ low_integrity_token.Impersonate();
+
+ // Ensure that we can't acquire the mutex without having set the
+ // Low Integrity ACE in the SACL.
+ base::SharedMemory shared_memory(ASCIIToWide(kTestVersionBeaconName));
+ bool mutex_locked = shared_memory.Lock(kWaitTestTimeout, NULL);
+ EXPECT_FALSE(mutex_locked);
+
+ // We shouldn't be able to open the memory.
+ EXPECT_FALSE(shared_memory.Open(kTestVersionBeaconName, false));
+ shared_memory.Close();
+
+ if (mutex_locked)
+ shared_memory.Unlock();
+ }
+}
+ |
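Review bot: In LowIntegrityAccessDenied the result of `low_integrity_token.Impersonate();` is discarded, while LowIntegrityAccess wraps the same call in ASSERT_TRUE. If impersonation fails, the EXPECT_FALSE checks that follow run at the caller's own integrity level and fail for a reason unrelated to the beacon's security descriptor, so the line should read `ASSERT_TRUE(low_integrity_token.Impersonate());` here too. The closing comment `// We shouldn't be able to open the memory.` is broader than the assertion under it, which only attempts a read/write open (`Open(kTestVersionBeaconName, false)`); either narrow the comment to "for writing" or add a read-only open with its expected result stated. Both tests skip the low-integrity block when `major_version < 6`, so on those systems they pass without exercising the access check at all, which deserves a comment next to the version test.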