author | nick <nick@chromium.org> | 2014-11-13 20:11:49 -0800 |
committer | Commit bot <commit-bot@chromium.org> | 2014-11-14 04:13:06 +0000 |
commit | 4c8dfd482ad484f2402a5d9bea921870f3ea5d89 (patch) | |
tree | 539588cc49bc86d99d61391c3ac468c41eb55bda /ipc | |
parent | f0ba8deca9141fc42e0a9746395f6843541bcde0 (diff) | |
IPC: a way for security exploit browsertests to simulate the appearance of a malicious IPC.
Use this to add a SecurityExploitBrowserTest for http://crbug.com/429922
Fix SecurityExploitBrowserTests on Android. Re-enable SecurityExploitBrowserTests on Android, except for two issues: (1) the new test, which is actually disabled because of http://crbug.com/432737, discovered while developing this CL, and (2) SetWebUIProperty, which is disabled because of http://crbug.com/433068, also discovered while developing this CL. Moral of the story being: never try.
BUG=429922,432737,338023,433068
TEST=content_browsertests
Review URL: https://codereview.chromium.org/712713002
Cr-Commit-Position: refs/heads/master@{#304170}
Diffstat (limited to 'ipc')
-rw-r--r-- | ipc/ipc.gyp | 2 | ||||
-rw-r--r-- | ipc/ipc_channel_proxy.h | 4 | ||||
-rw-r--r-- | ipc/ipc_security_test_util.cc | 25 | ||||
-rw-r--r-- | ipc/ipc_security_test_util.h | 40 |
4 files changed, 69 insertions, 2 deletions
diff --git a/ipc/ipc.gyp b/ipc/ipc.gyp
index 28c112b..cd63b54 100644
--- a/ipc/ipc.gyp
+++ b/ipc/ipc.gyp
@@ -132,6 +132,8 @@
 'ipc_multiprocess_test.h',
 'ipc_perftest_support.cc',
 'ipc_perftest_support.h',
+ 'ipc_security_test_util.cc',
+ 'ipc_security_test_util.h',
 'ipc_test_base.cc',
 'ipc_test_base.h',
 'ipc_test_channel_listener.cc',
diff --git a/ipc/ipc_channel_proxy.h b/ipc/ipc_channel_proxy.h
index dda5fa5..9ef8bf3 100644
--- a/ipc/ipc_channel_proxy.h
+++ b/ipc/ipc_channel_proxy.h
@@ -177,7 +177,7 @@ class IPC_EXPORT ChannelProxy : public Sender, public base::NonThreadSafe {
 private:
 friend class ChannelProxy;
- friend class SendCallbackHelper;
+ friend class IpcSecurityTestUtil;
 // Create the Channel
 void CreateChannel(scoped_ptr<ChannelFactory> factory);
@@ -225,7 +225,7 @@ class IPC_EXPORT ChannelProxy : public Sender, public base::NonThreadSafe {
 Context* context() { return context_.get(); }
 private:
- friend class SendCallbackHelper;
+ friend class IpcSecurityTestUtil;
 // By maintaining this indirection (ref-counted) to our internal state, we
 // can safely be destroyed while the background thread continues to do stuff
diff --git a/ipc/ipc_security_test_util.cc b/ipc/ipc_security_test_util.cc
new file mode 100644
index 0000000..4ae5a06
--- /dev/null
+++ b/ipc/ipc_security_test_util.cc
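Review bot: The new `friend class IpcSecurityTestUtil;` in both ipc_channel_proxy.h hunks (ChannelProxy::Context at line 177 and ChannelProxy at line 225) grants a test-only helper access to private state from a production header, and neither site says so. A one-line comment at each, `// Test-only: lets IpcSecurityTestUtil inject messages via context()/OnMessageReceived.`, would make clear to later readers that this is not a production entry point and should not acquire new callers. The removed SendCallbackHelper friendship is history and is not re-raised here. Both enclosing class bodies extend beyond their hunks.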
@@ -0,0 +1,25 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "ipc/ipc_security_test_util.h"
+
+#include "base/bind.h"
+#include "base/bind_helpers.h"
+#include "base/run_loop.h"
+#include "ipc/ipc_channel_proxy.h"
+
+namespace IPC {
+
+void IpcSecurityTestUtil::PwnMessageReceived(ChannelProxy* channel,
+ const IPC::Message& message) {
+ base::RunLoop run_loop;
+ base::Closure inject_message = base::Bind(
+ base::IgnoreResult(&IPC::ChannelProxy::Context::OnMessageReceived),
+ channel->context(), message);
+ channel->context()->ipc_task_runner()->PostTaskAndReply(
+ FROM_HERE, inject_message, run_loop.QuitClosure());
+ run_loop.Run();
+}
+
+} // namespace IPC
diff --git a/ipc/ipc_security_test_util.h b/ipc/ipc_security_test_util.h
new file mode 100644
index 0000000..1ec2555
--- /dev/null
+++ b/ipc/ipc_security_test_util.h
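Review bot: `base::IgnoreResult(&IPC::ChannelProxy::Context::OnMessageReceived)` discards whatever OnMessageReceived returns, so a test calling PwnMessageReceived cannot learn from it whether the injected message was dispatched or dropped as unhandled and must observe the effect through the listener under test; since the signature is `static void`, that should at least be stated at the call site, e.g. `// OnMessageReceived's result (presumably the handled flag) is discarded; tests observe the effect via the listener.` The nested `run_loop.Run()` also presumes the calling thread has a MessageLoop and that any task the Context forwards back to this thread is queued ahead of the PostTaskAndReply reply, which holds for a FIFO task runner but deserves a one-line comment next to the Run() call. Passing `channel->context()` raw into base::Bind relies on Bind taking a reference on the Context (the ipc_channel_proxy.h comment calls it ref-counted), which appears intended but is worth confirming rather than leaving implicit.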
@@ -0,0 +1,40 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef IPC_IPC_SECURITY_TEST_UTIL_H_
+#define IPC_IPC_SECURITY_TEST_UTIL_H_
+
+#include "base/basictypes.h"
+
+namespace IPC {
+
+class ChannelProxy;
+class Message;
+
+class IpcSecurityTestUtil {
+ public:
+ // Enables testing of security exploit scenarios where a compromised child
+ // process can send a malicious message of an arbitrary type.
+ //
+ // This function will post the message to the IPC channel's thread, where it
+ // is offered to the channel's listeners. Afterwards, a reply task is posted
+ // back to the current thread. This function blocks until the reply task is
+ // received. For messages forwarded back to the current thread, we won't
+ // return until after the message has been handled here.
+ //
+ // Use this only for testing security bugs in a browsertest; other uses are
+ // likely perilous. Unit tests should be using IPC::TestSink which has an
+ // OnMessageReceived method you can call directly. Non-security browsertests
+ // should just exercise the child process's normal codepaths to send messages.
+ static void PwnMessageReceived(ChannelProxy* channel, const Message& message);
+
+ private:
+ IpcSecurityTestUtil(); // Not instantiable.
+
+ DISALLOW_COPY_AND_ASSIGN(IpcSecurityTestUtil);
+};
+
+} // namespace IPC
+
+#endif // IPC_IPC_SECURITY_TEST_UTIL_H_
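Review bot: The comment on PwnMessageReceived describes what happens on the IPC thread but not the caller's precondition: the implementation spins a nested base::RunLoop, so the caller must be on a thread that has a MessageLoop, presumably the thread that owns |channel|. Add to the comment: `// Must be called on the thread that owns |channel| and has a MessageLoop; it spins a nested RunLoop until the injected message has been processed.` It would also help to state explicitly that |message| is dispatched as if it had arrived from the channel's peer, so the routing and validation paths it reaches are exactly those a compromised child could reach, and that the handled/unhandled outcome is not reported back to the caller.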