Diffstat (limited to 'chrome')
-rw-r--r-- | chrome/browser_tests.isolate | 1 | ||||
-rw-r--r-- | chrome/chrome_tests.gypi | 46 | ||||
-rw-r--r-- | chrome/test/security_tests/ipc_security_tests.cc | 192 | ||||
-rw-r--r-- | chrome/test/security_tests/ipc_security_tests.h | 14 | ||||
-rw-r--r-- | chrome/test/security_tests/renderer_sandbox_tests_mac.mm | 85 | ||||
-rw-r--r-- | chrome/test/security_tests/sandbox_browsertest_linux.cc | 34 | ||||
-rw-r--r-- | chrome/test/security_tests/sandbox_browsertest_win.cc | 25 | ||||
-rw-r--r-- | chrome/test/security_tests/sandbox_tests_mac-Info.plist | 22 | ||||
-rw-r--r-- | chrome/test/security_tests/security_tests.cc | 64 | ||||
-rw-r--r-- | chrome/test/security_tests/security_tests.gyp | 22 |
10 files changed, 0 insertions, 505 deletions
diff --git a/chrome/browser_tests.isolate b/chrome/browser_tests.isolate
index 237d48e..61b46f6 100644
--- a/chrome/browser_tests.isolate
+++ b/chrome/browser_tests.isolate
@@ -139,7 +139,6 @@
 '<(PRODUCT_DIR)/clearkeycdm.dll',
 '<(PRODUCT_DIR)/clearkeycdmadapter.dll',
 '<(PRODUCT_DIR)/ppapi_tests.dll',
- '<(PRODUCT_DIR)/security_tests.dll',
 'tools/build/repack_locales.py',
 ],
 'isolate_dependency_untracked': [
diff --git a/chrome/chrome_tests.gypi b/chrome/chrome_tests.gypi
index 58fd42c..d62b459 100644
--- a/chrome/chrome_tests.gypi
+++ b/chrome/chrome_tests.gypi
@@ -1598,8 +1598,6 @@
 'test/remoting/remote_desktop_browsertest.h',
 'test/remoting/waiter.cc',
 'test/remoting/waiter.h',
- 'test/security_tests/sandbox_browsertest_linux.cc',
- 'test/security_tests/sandbox_browsertest_win.cc',
 # TODO(craig): Rename this and run from base_unittests when the test
 # is safe to run there. See http://crbug.com/78722 for details.
 '../base/files/file_path_watcher_browsertest.cc',
@@ -1828,7 +1826,6 @@
 ],
 'dependencies': [
 'chrome_version_resources',
- 'security_tests', # run time dependency
 ],
 'conditions': [
 ['win_use_allocator_shim==1', {
@@ -2612,31 +2609,6 @@
 ['OS=="mac"', {
 'targets': [
 {
- # This is the mac equivalent of the security_tests target below. It
- # generates a framework bundle which bundles tests to be run in a
- # renderer process. The test code is built as a framework so it can be
- # run in the context of a renderer without shipping the code to end
- # users.
- 'target_name': 'renderer_sandbox_tests',
- 'type': 'shared_library',
- 'product_name': 'Renderer Sandbox Tests',
- 'mac_bundle': 1,
- 'xcode_settings': {
- 'INFOPLIST_FILE': 'test/security_tests/sandbox_tests_mac-Info.plist',
- },
- 'sources': [
- 'test/security_tests/renderer_sandbox_tests_mac.mm',
- ],
- 'include_dirs': [
- '..',
- ],
- 'link_settings': {
- 'libraries': [
- '$(SDKROOT)/System/Library/Frameworks/Cocoa.framework',
- ],
- },
- }, # target renderer_sandbox_tests
- {
 # Tests for Mac app launcher.
 'target_name': 'app_mode_app_tests',
 'type': 'executable',
@@ -2735,24 +2707,6 @@
 },
 ],
 },], # OS!="mac"
- ['OS=="win"', {
- 'targets': [
- {
- 'target_name': 'security_tests',
- 'type': 'shared_library',
- 'include_dirs': [
- '..',
- ],
- 'sources': [
- 'test/security_tests/ipc_security_tests.cc',
- 'test/security_tests/ipc_security_tests.h',
- 'test/security_tests/security_tests.cc',
- '../sandbox/win/tests/validation_tests/commands.cc',
- '../sandbox/win/tests/validation_tests/commands.h',
- ],
- },
- ]}, # 'targets'
- ], # OS=="win"
 ['OS == "android"', {
 'targets': [
 {
diff --git a/chrome/test/security_tests/ipc_security_tests.cc b/chrome/test/security_tests/ipc_security_tests.cc
deleted file mode 100644
index 3b026b3..0000000
--- a/chrome/test/security_tests/ipc_security_tests.cc
+++ /dev/null
@@ -1,192 +0,0 @@ -// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include <windows.h> -#include <string> -#include <sstream> - -#include "chrome/test/security_tests/ipc_security_tests.h" - -namespace { - -// Debug output messages prefix. -const char kODSMgPrefix[] = "[security] "; -// Format of the Chrome browser pipe for plugins. -const wchar_t kChromePluginPipeFmt[] = L"\\\\.\\pipe\\chrome.%ls.p%d"; -// Size for the in/out pipe buffers. -const int kBufferSize = 1024; - -// Define the next symbol if you want to have tracing of errors. -#ifdef PIPE_SECURITY_DBG -// Generic debug output function. -void ODSMessageGLE(const char* txt) { - DWORD gle = ::GetLastError(); - std::ostringstream oss; - oss << kODSMgPrefix << txt << " 0x" << std::hex << gle; - ::OutputDebugStringA(oss.str().c_str()); -} -#else -void ODSMessageGLE(const char* txt) { -} -#endif - -// Retrieves the renderer pipe name from the command line. Returns true if the -// name was found. -bool PipeNameFromCommandLine(std::wstring* pipe_name) { - std::wstring cl(::GetCommandLineW()); - const wchar_t key_name[] = L"--channel"; - std::wstring::size_type pos = cl.find(key_name, 0); - if (std::wstring::npos == pos) { - return false; - } - pos = cl.find(L"=", pos); - if (std::wstring::npos == pos) { - return false; - } - ++pos; - size_t dst = cl.length() - pos; - if (dst <4) { - return false; - } - for (; dst != 0; --dst) { - if (!isspace(cl[pos])) { - break; - } - ++pos; - } - if (0 == dst) { - return false; - } - std::wstring::size_type pos2 = pos; - for (; dst != 0; --dst) { - if (isspace(cl[pos2])) { - break; - } - ++pos2; - } - *pipe_name = cl.substr(pos, pos2); - return true; -} - -// Extracts the browser process id and the channel id given the renderer -// pipe name. 
-bool InfoFromPipeName(const std::wstring& pipe_name, std::wstring* parent_id, - std::wstring* channel_id) { - std::wstring::size_type pos = pipe_name.find(L".", 0); - if (std::wstring::npos == pos) { - return false; - } - *parent_id = pipe_name.substr(0, pos); - *channel_id = pipe_name.substr(pos + 1); - return true; -} - -// Creates a server pipe, in byte mode. -HANDLE MakeServerPipeBase(const wchar_t* pipe_name) { - HANDLE pipe = ::CreateNamedPipeW(pipe_name, PIPE_ACCESS_DUPLEX, - PIPE_TYPE_BYTE | PIPE_READMODE_BYTE, 3, - kBufferSize, kBufferSize, 5000, NULL); - if (INVALID_HANDLE_VALUE == pipe) { - ODSMessageGLE("pipe creation failed"); - } - return pipe; -} - -// Creates a chrome plugin server pipe. -HANDLE MakeServerPluginPipe(const std::wstring& prefix, int channel) { - wchar_t pipe_name[MAX_PATH]; - swprintf_s(pipe_name, kChromePluginPipeFmt, prefix.c_str(), channel); - return MakeServerPipeBase(pipe_name); -} - -struct Context { - HANDLE pipe; - explicit Context(HANDLE arg_pipe) : pipe(arg_pipe) { - } -}; - -// This function is called from a thread that has a security context that is -// higher than the renderer security context. This can be the plugin security -// context or the browser security context. -void DoEvilThings(Context* context) { - // To make the test fail we simply trigger a breakpoint in the renderer. - ::DisconnectNamedPipe(context->pipe); - __debugbreak(); -} - -// This is a pipe server thread routine. -DWORD WINAPI PipeServerProc(void* thread_param) { - if (NULL == thread_param) { - return 0; - } - Context* context = static_cast<Context*>(thread_param); - HANDLE server_pipe = context->pipe; - - char buffer[4]; - DWORD bytes_read = 0; - - for (;;) { - // The next call blocks until a connection is made. - if (!::ConnectNamedPipe(server_pipe, NULL)) { - if (GetLastError() != ERROR_PIPE_CONNECTED) { - ODSMessageGLE("== connect named pipe failed =="); - continue; - } - } - // return value of ReadFile is unimportant. 
- ::ReadFile(server_pipe, buffer, 1, &bytes_read, NULL); - if (::ImpersonateNamedPipeClient(server_pipe)) { - ODSMessageGLE("impersonation obtained"); - DoEvilThings(context); - break; - } else { - ODSMessageGLE("impersonation failed"); - } - ::DisconnectNamedPipe(server_pipe); - } - delete context; - return 0; -} -} // namespace - -// Implements a pipe impersonation attack resulting on a privilege elevation on -// the chrome pipe-based IPC. -// When a web-page that has a plug-in is loaded, chrome will do the following -// steps: -// 1) Creates a server pipe with name 'chrome.<pid>.p<n>'. Initially n = 1. -// 2) Launches chrome with command line --type=plugin --channel=<pid>.p<n> -// 3) The new (plugin) process connects to the pipe and sends a 'hello' -// message. -// The attack creates another server pipe with the same name before step one -// so when the plugin connects it connects to the renderer instead. Once the -// connection is acepted and at least a byte is read from the pipe, the -// renderer can impersonate the plugin process which has a more relaxed -// security context (privilege elevation). -// -// Note that the attack can also be peformed after step 1. In this case we need -// another thread which used to connect to the existing server pipe so the -// plugin does not connect to chrome but to our pipe. -bool PipeImpersonationAttack() { - std::wstring pipe_name; - if (!PipeNameFromCommandLine(&pipe_name)) { - return false; - } - std::wstring parent_id; - std::wstring channel_id; - if (!InfoFromPipeName(pipe_name, &parent_id, &channel_id)) { - return false; - } - HANDLE plugin_pipe = MakeServerPluginPipe(parent_id, 1); - if (INVALID_HANDLE_VALUE == plugin_pipe) { - return true; - } - - HANDLE thread = ::CreateThread(NULL, 0, PipeServerProc, - new Context(plugin_pipe), 0, NULL); - if (NULL == thread) { - return false; - } - ::CloseHandle(thread); - return true; -} 
diff --git a/chrome/test/security_tests/ipc_security_tests.h b/chrome/test/security_tests/ipc_security_tests.h
deleted file mode 100644
index c036dc2..0000000
--- a/chrome/test/security_tests/ipc_security_tests.h
+++ /dev/null
@@ -1,14 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef CHROME_TEST_SECURITY_TESTS_IPC_SECURITY_TESTS_H__
-#define CHROME_TEST_SECURITY_TESTS_IPC_SECURITY_TESTS_H__
-
-// Impersonates a chrome server pipe. See the implementation for details.
-// Returns false if the attack could not be set. If it returns true then
-// it spawns a thread that will terminate the renderer if the attack is
-// successful.
-bool PipeImpersonationAttack();
-
-#endif // CHROME_TEST_SECURITY_TESTS_IPC_SECURITY_TESTS_H__
diff --git a/chrome/test/security_tests/renderer_sandbox_tests_mac.mm b/chrome/test/security_tests/renderer_sandbox_tests_mac.mm
deleted file mode 100644
index ea90a535..0000000
--- a/chrome/test/security_tests/renderer_sandbox_tests_mac.mm
+++ /dev/null
@@ -1,85 +0,0 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#import "content/public/common/injection_test_mac.h" - -#import <Cocoa/Cocoa.h> - - -//--------------------- Sandbox Tests --------------------- -// Below is a list of test functions that check the renderer sandbox. -// In order for a test function to be executed, it must be added to the -// |sandbox_test_cases| array in +[RendererSandboxTestsRunner runTests] below. -// TODO(ofri): Consider moving these to another file once there are enough tests -// to justify. - -// Test case for checking sandboxing of clipboard access. -bool SandboxTestClipboardTestCase(void) { - return [NSPasteboard generalPasteboard] == nil; -} - -// Test case for checking sandboxing of filesystem apis. -bool SandboxTestFileAccessTestCase(void) { - int fdes = open("/etc/passwd", O_RDONLY); - if (fdes == -1) { - return true; - } else { - close(fdes); - return false; - } -} - -//--------------------- Test Execution --------------------- - -static LogRendererSandboxTestMessage log_function = NULL; - -static inline void LogInfoMessage(std::string message) { - log_function(message, false); -} - -static inline void LogErrorMessage(std::string message) { - log_function(message, true); -} - -@implementation RendererSandboxTestsRunner - -+ (void)setLogFunction:(LogRendererSandboxTestMessage)logFunction { - log_function = logFunction; -} - -+ (BOOL)runTests { - // A test case entry. One must exist for each test. 
- struct SandboxTestCase { - std::string name; - bool (*test_function)(void); - }; - const struct SandboxTestCase sandbox_test_cases[] = { -#define DEFINE_TEST_CASE(testFunction) { #testFunction, testFunction } - - // The list of registered tests - DEFINE_TEST_CASE(SandboxTestClipboardTestCase), - DEFINE_TEST_CASE(SandboxTestFileAccessTestCase), - -#undef DEFINE_TEST_CASE - // Termination entry - { "", NULL } - }; - - // Execute the tests - BOOL tests_passed = YES; - for (const struct SandboxTestCase* test_case = sandbox_test_cases; - test_case->test_function != NULL; - ++test_case) { - LogInfoMessage("Running sandbox test: " + test_case->name); - if (test_case->test_function()) { - LogInfoMessage("Test: " + test_case->name + " - PASSED"); - } else { - LogErrorMessage("Test: " + test_case->name + " - FAILED"); - tests_passed = NO; - } - } - return tests_passed; -} - -@end diff --git a/chrome/test/security_tests/sandbox_browsertest_linux.cc b/chrome/test/security_tests/sandbox_browsertest_linux.cc deleted file mode 100644 index f51db55..0000000 --- a/chrome/test/security_tests/sandbox_browsertest_linux.cc +++ /dev/null 
@@ -1,34 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/test/base/in_process_browser_test.h"
-#include "content/public/browser/zygote_host_linux.h"
-#include "content/public/common/sandbox_linux.h"
-
-typedef InProcessBrowserTest SandboxLinuxTest;
-
-// Both the SUID sandbox (http://crbug.com/137653) and the Seccomp-BPF sandbox
-// are currently incompatible with ASan.
-#if defined(OS_LINUX) && !defined(ADDRESS_SANITIZER)
-#define MAYBE_SandboxStatus \
- SandboxStatus
-#else
-#define MAYBE_SandboxStatus \
- DISABLED_SandboxStatus
-#endif
-
-IN_PROC_BROWSER_TEST_F(SandboxLinuxTest, MAYBE_SandboxStatus) {
- // Get expected sandboxing status of renderers.
- const int status = content::ZygoteHost::GetInstance()->GetSandboxStatus();
-
- // The setuid sandbox is required as our first-layer sandbox.
- bool good_layer1 = status & content::kSandboxLinuxSUID &&
- status & content::kSandboxLinuxPIDNS &&
- status & content::kSandboxLinuxNetNS;
- // A second-layer sandbox is also required to be adequately sandboxed.
- bool good_layer2 = status & content::kSandboxLinuxSeccompBPF;
-
- EXPECT_TRUE(good_layer1);
- EXPECT_TRUE(good_layer2);
-}
diff --git a/chrome/test/security_tests/sandbox_browsertest_win.cc b/chrome/test/security_tests/sandbox_browsertest_win.cc
deleted file mode 100644
index 05c10bb..0000000
--- a/chrome/test/security_tests/sandbox_browsertest_win.cc
+++ /dev/null
@@ -1,25 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/command_line.h"
-#include "chrome/browser/ui/browser.h"
-#include "chrome/browser/ui/tabs/tab_strip_model.h"
-#include "chrome/common/chrome_switches.h"
-#include "chrome/test/base/in_process_browser_test.h"
-
-class SandboxWinTest : public InProcessBrowserTest {
- protected:
- SandboxWinTest() : InProcessBrowserTest() {}
-
- virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
- command_line->AppendSwitchASCII(switches::kTestSandbox,
- "security_tests.dll");
- }
-};
-
-// Need a cross-platform test library: http://crbug.com/45771
-// Verifies that chrome is running properly.
-IN_PROC_BROWSER_TEST_F(SandboxWinTest, ExecuteDll) {
- EXPECT_EQ(1, browser()->tab_strip_model()->count());
-}
diff --git a/chrome/test/security_tests/sandbox_tests_mac-Info.plist b/chrome/test/security_tests/sandbox_tests_mac-Info.plist
deleted file mode 100644
index 20567ab..0000000
--- a/chrome/test/security_tests/sandbox_tests_mac-Info.plist
+++ /dev/null
@@ -1,22 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>CFBundleDevelopmentRegion</key>
- <string>English</string>
- <key>CFBundleExecutable</key>
- <string>${EXECUTABLE_NAME}</string>
- <key>CFBundleIdentifier</key>
- <string>org.chromium.renderer_sandbox_tests</string>
- <key>CFBundleInfoDictionaryVersion</key>
- <string>6.0</string>
- <key>CFBundlePackageType</key>
- <string>BNDL</string>
- <key>CFBundleShortVersionString</key>
- <string>1.0</string>
- <key>CFBundleSignature</key>
- <string>????</string>
- <key>CFBundleVersion</key>
- <string>1</string>
-</dict>
-</plist>
diff --git a/chrome/test/security_tests/security_tests.cc b/chrome/test/security_tests/security_tests.cc
deleted file mode 100644
index b124f76..0000000
--- a/chrome/test/security_tests/security_tests.cc
+++ /dev/null
@@ -1,64 +0,0 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include <windows.h> -#include <string> - -#define TEST_INJECTION_DLL -#include "chrome/test/security_tests/ipc_security_tests.h" -#include "content/public/common/injection_test_win.h" -#include "sandbox/win/tests/common/controller.h" -#include "sandbox/win/tests/validation_tests/commands.h" - -using sandbox::TestOpenKey; -using sandbox::TestOpenReadFile; -using sandbox::TestOpenWriteFile; - -#define SECURITY_CHECK(x) (*test_count)++; \ - if (sandbox::SBOX_TEST_DENIED != x) { \ - return FALSE; \ - }; - -BOOL APIENTRY DllMain(HMODULE module, DWORD ul_reason_for_call, - LPVOID lpReserved) { - return TRUE; -} - -// Runs the security tests of sandbox for the renderer process. -// If a test fails, the return value is FALSE and test_count contains the -// number of tests executed, including the failing test. -BOOL __declspec(dllexport) __cdecl RunRendererTests(int *test_count) { - *test_count = 0; - SECURITY_CHECK(TestOpenReadFile(L"%SystemDrive%")); - SECURITY_CHECK(TestOpenReadFile(L"%SystemRoot%")); - SECURITY_CHECK(TestOpenReadFile(L"%ProgramFiles%")); - SECURITY_CHECK(TestOpenReadFile(L"%SystemRoot%\\System32")); - SECURITY_CHECK(TestOpenReadFile(L"%SystemRoot%\\explorer.exe")); - SECURITY_CHECK(TestOpenReadFile(L"%SystemRoot%\\Cursors\\arrow_i.cur")); - SECURITY_CHECK(TestOpenReadFile(L"%AllUsersProfile%")); - SECURITY_CHECK(TestOpenReadFile(L"%Temp%")); - SECURITY_CHECK(TestOpenReadFile(L"%AppData%")); - SECURITY_CHECK(TestOpenKey(HKEY_LOCAL_MACHINE, L"")); - SECURITY_CHECK(TestOpenKey(HKEY_CURRENT_USER, L"")); - SECURITY_CHECK(TestOpenKey(HKEY_USERS, L"")); - SECURITY_CHECK(TestOpenKey(HKEY_LOCAL_MACHINE, - L"Software\\Microsoft\\Windows NT\\CurrentVersion\\WinLogon")); - // Test below run on a separate thread because they cannot block the - // renderer process. 
Therefore they do not return a meaningful value. - PipeImpersonationAttack(); - return TRUE; -} - -// Runs the security tests of sandbox for the plugin process. -// If a test fails, the return value is FALSE and test_count contains the -// number of tests executed, including the failing test. -BOOL __declspec(dllexport) __cdecl RunPluginTests(int *test_count) { - *test_count = 0; - SECURITY_CHECK(TestOpenWriteFile(L"%SystemRoot%")); - SECURITY_CHECK(TestOpenWriteFile(L"%ProgramFiles%")); - SECURITY_CHECK(TestOpenWriteFile(L"%SystemRoot%\\System32")); - SECURITY_CHECK(TestOpenWriteFile(L"%SystemRoot%\\explorer.exe")); - SECURITY_CHECK(TestOpenWriteFile(L"%SystemRoot%\\Cursors\\arrow_i.cur")); - return TRUE; -} diff --git a/chrome/test/security_tests/security_tests.gyp b/chrome/test/security_tests/security_tests.gyp deleted file mode 100644 index 8362877..0000000 --- a/chrome/test/security_tests/security_tests.gyp +++ /dev/null @@ -1,22 +0,0 @@ -# Copyright (c) 2009 The Chromium Authors. All rights reserved. -# Use of this source code is governed by a BSD-style license that can be -# found in the LICENSE file. - -{ - 'variables': { - 'chromium_code': 1, - }, - 'targets': [ - { - 'target_name': 'security_tests', - 'type': 'shared_library', - 'sources': [ - '../../../sandbox/win/tests/validation_tests/commands.cc', - '../../../sandbox/win/tests/validation_tests/commands.h', - 'ipc_security_tests.cc', - 'ipc_security_tests.h', - 'security_tests.cc', - ], - }, - ], -} |