[Security] Brave's usage of elevation service should check it was called from a trusted source

[bsclifton]

Test plan

See plan in brave/brave-core#24900

Description

When Brave (or any Chromium browser) is installed with admin privileges (ex: it's a system install), the elevation service is registered (ex: with services.msc). Introduced in brave/brave-core#20754, there is a Brave-specific method InstallVPNServices
https://github.com/brave/brave-core/blob/1bc3b9e011c17e16a7aba895cac7e845b87ba5dc/chromium_src/chrome/elevation_service/elevator.cc#L30-L51

This is only used on Windows and it'll install the services required to either connect securely connect to IKEv2 or WireGuard.

This method should implement a check to see where it was called from and only allow trusted sources. For example, we can ensure that it was called from %programfiles%\BraveSoftware\Brave-Browser\Application\brave.exe.

[bridiver]

This can be done with app commands instead so we don't have to modify the elevation service at all

[bsclifton]

Thanks to wfh on Chromium Slack for helping suggest this

I believe it would involve this code:
https://source.chromium.org/chromium/chromium/src/+/main:chrome/installer/util/app_command.h

[bsclifton]

Created #39953 to track doing App Commands.

Will check out the trusted paths as-is

[LaurenWags]

Requires 1.69.137 or higher to test 👍🏻

[stephendonner]

Verification PASSED using

Brave | 1.69.137 Chromium: 127.0.6533.100 (Official Build) beta (64-bit)
-- | --
Revision | 40b6ccbd1eb76c8f575e83de8ad81c4349d3f32a
OS | Windows 10 Version 22H2 (Build 19045.4717)

Case 1: Before fix - PASSED

Steps:

1. installed 1.69.128 with Admin privs
2. launched Brave
3. verified no Vpn service is installed
4. ran the proof-of-concept executable from cmd
5. confirmed (services) are installed: pElevator->InstallVPNServices(): Successfully installed VPNServices. \n Invoking Vpn Installation is successful.
6. opened account.bravesoftware.com in a new tab
7. logged into Brave VPN using [email protected]
8. clicked Refresh button
9. did NOT connect to VPN
10. confirmed (services) still shown
11. connected and disconnected VPN successfully

step 1	step 3	steps 4 - 5	step 10	step 11

Case 2: After fix - PASSED

Steps:

1. installed 1.69.136 with Admin privs
2. launched Brave
3. verified no Vpn service is installed
4. ran the proof-of-concept executable from cmd
5. confirmed services are installed: pElevator->InstallVPNServices(): Successfully installed VPNServices. \n Invoking Vpn Installation is successful.
6. opened account.bravesoftware.com in a new tab
7. logged into Brave VPN using [email protected]
8. clicked Refresh VPN button
9. did NOT connect to VPN
10. confirmed {BraveVpn, BraveElevationService, etc...} services are NOT shown
11. connected and disconnected VPN successfully

step 1	step 3	steps 4-5	step 8	step 10	step 11

[stephendonner]

Verified on Win10-x64; if we have time this cycle, we'll do another Win11-x64 check and can mark it as QA Pass - Win64 then. If we run out of time, we'll use this verification and mark it.

cc @MadhaviSeelam

[MadhaviSeelam]

Verification PASSED using

Brave | 1.69.137 Chromium: 127.0.6533.100 (Official Build) beta (64-bit)
-- | --
Revision | 40b6ccbd1eb76c8f575e83de8ad81c4349d3f32a
OS | Windows 11 Version 23H2 (Build 22631.3958)

Before fix:

1. Installed 1.69.128 with admin privileges
2. launched Brave
3. verified BraveBetaElevationService service is installed in the services.msc
4. run the proof of concept executable from cmd.exe for Beta
5. confirmed proof of concept reported back
   - pElevator->InstallVPNServices(): Successfully installed VPNServices.
   - Invoking Vpn Installation is successful.
6. opened services.msc and confirmed BraveBetaVpnService and Brave Beta Vpn Wireguard Service (BraveBetaVpnWireguardService) are installed
7. opened account.bravesoftware.com in a new tab
8. logged into Brave VPN using [email protected]
9. clicked Refresh button
10. did not connect to VPN
11. opened services.msc and verified BraveNightlyVpnService and Brave Nightly Vpn Wireguard Service (BraveNightlyVpnWireguardService) still shown
12. connected and disconnected VPN successfully

step 1	step 3	step 4-5	step 6	step 10	step 11

After fix:

1. Installed 1.69.137 with admin privileges
2. launched Brave
3. verified BraveBetaElevationService service is installed
4. ran the proof-of-concept executable from cmd.exe for Beta
5. confirmed proof of concept reported back
   pElevator->InstallVPNServices(): Failed
   failed PROTECTION_PATH_VALIDATION
   Invoking Vpn Installation has failed.
6. opened services.msc and confirmed no BraveBetaVpnServices are installed
7. opened account.bravesoftware.com in a new tab
8. logged into Brave VPN using [email protected]
9. clicked Refresh button
10. did not connect to VPN
11. confirmed below services are not installed
    -BraveNightlyVpnService and Brave Nightly Vpn Wireguard Service (BraveNightlyVpnWireguardService)
12. clicked VPN button
13. confirmed below services are installed
    -BraveNightlyVpnService and Brave Nightly Vpn Wireguard Service (BraveNightlyVpnWireguardService)
14. Connected/disconnected VPN successfully

step 1	step 3	step 4-5	step 6	step 9-10	step 13	step 14