
Updater: Fix tagged metainstaller not elevating/deelevating correctly

This CL fixes issues where a tagged metainstaller does not:
* elevate when run with needsadmin=true|prefers from medium integrity.
* deelevate when run with needsadmin=false from high integrity.

This CL also adds detailed steps to create a tagged metainstaller in
the design document.

Bug: 1370538
Change-Id: I1f00846a080158e21805ef88e15e133feb35f095
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3936957
Commit-Queue: S Ganesh <ganesh@chromium.org>
Reviewed-by: Xiaoling Bao <xiaolingbao@chromium.org>
Commit-Queue: Xiaoling Bao <xiaolingbao@chromium.org>
Auto-Submit: S Ganesh <ganesh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1055593}
S. Ganesh
2022-10-06 03:54:22 +00:00
committed by Chromium LUCI CQ
parent 2790f315f1
commit 53ff3a716e
2 changed files with 46 additions and 5 deletions
chrome/updater/win/installer
docs/updater

@ -26,6 +26,7 @@
#include "base/files/scoped_temp_dir.h"
#include "base/logging.h"
#include "base/path_service.h"
#include "base/strings/strcat.h"
#include "base/strings/sys_string_conversions.h"
#include "base/threading/platform_thread.h"
#include "base/time/time.h"
@ -325,14 +326,13 @@ ProcessExitResult WMain(HMODULE module) {
return args_result;
// Both `RunElevated` and `RunDeElevated` use shell APIs to run the process,
// which can have issues with relative paths. So we get the full exe path and
// substitute it for the program in the command line.
// which can have issues with relative paths. So we use the full exe path for
// the program in the command line.
base::FilePath exe_path;
if (!base::PathService::Get(base::FILE_EXE, &exe_path))
return ProcessExitResult(UNABLE_TO_GET_EXE_PATH);
base::CommandLine command_line =
base::CommandLine::FromString(::GetCommandLineW());
command_line.SetProgram(exe_path);
const base::CommandLine command_line = base::CommandLine::FromString(
base::StrCat({L"\"", exe_path.value(), L"\" ", cmd_line_args.get()}));
const UpdaterScope scope = GetUpdaterScopeForCommandLine(command_line);
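Review bot: the rebuilt command line in `base::StrCat({L"\"", exe_path.value(), L"\" ", cmd_line_args.get()})` passes `cmd_line_args.get()` straight into `StrCat`, and nothing in the visible lines shows that it is non-null or what it contains and how it is already quoted. This string is re-parsed by `FromString`, feeds `GetUpdaterScopeForCommandLine`, and per the comment is what `RunElevated`/`RunDeElevated` relaunch with, so please check it before use or state the invariant next to this line. The comment above still only explains the relative-path problem; it should also say why `::GetCommandLineW()` is no longer the source of the arguments, since that is the behavioural change in this hunk. A regression test that runs a tagged metainstaller in both directions (needsadmin=true|prefers from medium integrity, needsadmin=false from high integrity) would pin the fix described in the commit message.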

@ -416,6 +416,47 @@ installer. See [installdataindex](#installdataindex) below for details.
#### Dynamic Install Parameters
##### Steps to create a tagged metainstaller
A tagged metainstaller can be created using the signing tool
[sign.py](https://source.chromium.org/chromium/chromium/src/+/main:chrome/updater/win/signing/sign.py)
and the metainstaller tagging tool
[tag.py](https://source.chromium.org/chromium/chromium/src/+/main:chrome/updater/tools/tag.py).
Here are the steps to create a tagged metainstaller for the following tag:
`--tag="appguid=FOO_BAR_APP_ID&appname=SomeName&needsadmin=prefers"`
The source file is the untagged metainstaller `out\Default\UpdaterSetup.exe`,
and the final tagged file will be `out\Default\Tagged_UpdaterSetup.signed.exe`.
* One-time step: from an elevated powershell prompt:
```
New-SelfSignedCertificate -DnsName id@domain.tld -Type CodeSigning
-CertStoreLocation cert:\CurrentUser\My
```
* Note: all the steps below are run from a medium cmd prompt.
* One-time step: `python3 -m pip install pypiwin32`
* One-time step:
`set PYTHONPATH=C:\src\chromium\src\chrome\tools\build\win`
*
```
python3 C:\src\chromium\src\chrome\updater\win\signing\sign.py --in_file
C:\src\chromium\src\out\Default\UpdaterSetup.exe
--out_file C:\src\chromium\src\out\Default\UpdaterSetup.signed.exe
--lzma_7z "C:\Program Files\7-Zip\7z.exe"
--signtool c:\windows_sdk_10\files\bin\10.0.22000.0\x64\signtool.exe
--identity id@domain.tld
--certificate_tag C:\src\chromium\src\out\Default\certificate_tag.exe
```
*
```
python3 C:\src\chromium\src\chrome\updater\tools\tag.py
--certificate_tag=C:\src\chromium\src\out\Default\certificate_tag.exe
--in_file=C:\src\chromium\src\out\Default\UpdaterSetup.signed.exe
--out_file=out\Default\Tagged_UpdaterSetup.signed.exe
--tag="appguid=FOO_BAR_APP_ID&appname=SomeName&needsadmin=prefers"
```
##### `needsadmin`
`needsadmin` is one of the install parameters that can be specified for
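Review bot: the three fenced commands in the new "Steps to create a tagged metainstaller" section are wrapped across lines with no continuation character, so pasting them as written into PowerShell (`New-SelfSignedCertificate ...` followed by `-CertStoreLocation ...` on its own line) or into cmd (the `sign.py` and `tag.py` invocations) runs only the first line and fails on the rest. Put each command on one line, or add the shell's continuation character (a backtick in PowerShell, `^` in cmd). Two smaller points: the `sign.py` and `tag.py` bullets are bare `*` markers with no text saying what the step does, and `--out_file=out\Default\Tagged_UpdaterSetup.signed.exe` is a relative path while every other path in the steps is absolute, so the result depends on the current directory; either make it absolute or state the directory the commands are run from.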