Add sandbox support for Windows process mitigations

sandbox/win/src/process_mitigations_test.cc

Index: sandbox/win/src/process_mitigations_test.cc
===================================================================
--- sandbox/win/src/process_mitigations_test.cc	(revision 0)
+++ sandbox/win/src/process_mitigations_test.cc	(revision 0)
@@ -0,0 +1,203 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/stringprintf.h"
+#include "base/win/scoped_handle.h"
+
+#include "base/win/windows_version.h"
+#include "sandbox/win/src/nt_internals.h"
+#include "sandbox/win/src/process_mitigations.h"
+#include "sandbox/win/src/sandbox.h"
+#include "sandbox/win/src/sandbox_factory.h"
+#include "sandbox/win/src/sandbox_utils.h"
+#include "sandbox/win/src/target_services.h"
+#include "sandbox/win/src/win_utils.h"
+#include "sandbox/win/tests/common/controller.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace {
+
+typedef BOOL (WINAPI *GetProcessDEPPolicyFunction)(
+    HANDLE process,
+    LPDWORD flags,
+    PBOOL permanent);
+
+typedef BOOL (WINAPI *GetProcessMitigationPolicyFunction)(
+    HANDLE process,
+    PROCESS_MITIGATION_POLICY mitigation_policy,
+    PVOID buffer,
+    SIZE_T length);
+
+GetProcessMitigationPolicyFunction get_process_mitigation_policy;
+
+bool CheckWin8DepPolicy() {
+  PROCESS_MITIGATION_DEP_POLICY policy;
+  if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy,
+                                     &policy, sizeof(policy))) {
+    return false;
+  }
+  return policy.Enable && policy.Permanent;
+}
+
+bool CheckWin8AslrPolicy() {
+  PROCESS_MITIGATION_ASLR_POLICY policy;
+  if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessASLRPolicy,
+                                     &policy, sizeof(policy))) {
+     return false;
+  }
+  return policy.EnableForceRelocateImages && policy.DisallowStrippedImages;
+}
+
+bool CheckWin8StrictHandlePolicy() {
+  PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy;
+  if (!get_process_mitigation_policy(::GetCurrentProcess(),
+                                     ProcessStrictHandleCheckPolicy,
+                                     &policy, sizeof(policy))) {
+     return false;
+  }
+  return policy.RaiseExceptionOnInvalidHandleReference &&
+         policy.HandleExceptionsPermanentlyEnabled;
+}
+
+bool CheckWin8Win32CallPolicy() {
+  PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy;
+  if (!get_process_mitigation_policy(::GetCurrentProcess(),
+                                     ProcessSystemCallDisablePolicy,
+                                     &policy, sizeof(policy))) {
+     return false;
+  }
+  return policy.DisallowWin32kSystemCalls;
+}
+
+bool CheckWin8DllExtensionPolicy() {
+  PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy;
+  if (!get_process_mitigation_policy(::GetCurrentProcess(),
+                                     ProcessExtensionPointDisablePolicy,
+                                     &policy, sizeof(policy))) {
+     return false;
+  }
+  return policy.DisableExtensionPoints;
+}
+
+}  // namespace
+
+namespace sandbox {
+
+SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) {
+  get_process_mitigation_policy =
+      reinterpret_cast<GetProcessMitigationPolicyFunction>(
+          ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
+                           "GetProcessMitigationPolicy"));
+
+  if (!get_process_mitigation_policy)
+    return SBOX_TEST_NOT_FOUND;
+
+  if (!CheckWin8DepPolicy())
+    return SBOX_TEST_FIRST_ERROR;
+
+  if (!CheckWin8AslrPolicy())

[rvargas (doing something else), 2012/09/08 02:23:32]

Did you considered just writing independent tests? As an added bonus, failures
will be clear on the bots.

[jschuh, 2012/09/10 23:58:48]

Yeah, but given the ever-increasing flakiness of the bots I feel better about
spawning fewer processes if they're not needed.

[rvargas (doing something else), 2012/09/13 19:15:26]

That's the wrong way to look at it. The cause of flakiness should be addressed
by itself... and a single flake on this test will disable all test at the same
time :(

As a general rule, test should be as small and specific as reasonable.

+    return SBOX_TEST_SECOND_ERROR;
+
+  if (!CheckWin8StrictHandlePolicy())
+    return SBOX_TEST_THIRD_ERROR;
+
+  if (!CheckWin8Win32CallPolicy())
+    return SBOX_TEST_FOURTH_ERROR;
+
+  if (!CheckWin8DllExtensionPolicy())
+    return SBOX_TEST_FIFTH_ERROR;
+
+  return SBOX_TEST_SUCCEEDED;
+}
+
+TEST(ProcessMitigationsTest, CheckWin8) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN8)
+    return;
+
+  TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  EXPECT_EQ(policy->SetProcessMitigations(
+                TargetPolicy::MITIGATION_DEP |
+                TargetPolicy::MITIGATION_DEP_NO_ATL_THUNK |
+                TargetPolicy::MITIGATION_RELOCATE_IMAGE |
+                TargetPolicy::MITIGATION_RELOCATE_IMAGE_REQUIRED |
+                TargetPolicy::MITIGATION_EXTENSION_DLL_DISABLE),
+            SBOX_ALL_OK);
+
+  EXPECT_EQ(policy->SetDelayedProcessMitigations(
+                TargetPolicy::MITIGATION_STRICT_HANDLE_CHECKS |
+                TargetPolicy::MITIGATION_WIN32K_DISABLE),
+            SBOX_ALL_OK);
+
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8"));
+}
+
+
+SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) {
+#ifndef _WIN64  // DEP is always enabled on 64-bit.

[rvargas (doing something else), 2012/09/08 02:23:32]

ditto

[jschuh, 2012/09/10 23:58:48]

Done.

+  GetProcessDEPPolicyFunction get_process_dep_policy =
+      reinterpret_cast<GetProcessDEPPolicyFunction>(
+          ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
+                           "GetProcessDEPPolicy"));
+  if (get_process_dep_policy) {
+    BOOL is_permanent = FALSE;
+    DWORD dep_flags = 0;
+
+    if (!get_process_dep_policy(::GetCurrentProcess(), &dep_flags,
+        &is_permanent)) {
+      return SBOX_TEST_FIRST_ERROR;
+    }
+
+    if (!(dep_flags & PROCESS_DEP_ENABLE) || !is_permanent)
+      return SBOX_TEST_SECOND_ERROR;
+
+  } else {
+    NtQueryInformationProcessFunction query_information_process = NULL;
+    ResolveNTFunctionPtr("NtQueryInformationProcess",
+                          &query_information_process);
+    if (!query_information_process)
+      return SBOX_TEST_NOT_FOUND;
+
+    ULONG size = 0;
+    ULONG dep_flags = 0;
+    if (!SUCCEEDED(query_information_process(::GetCurrentProcess(),
+                                             ProcessExecuteFlags, &dep_flags,
+                                             sizeof(dep_flags), &size))) {
+      return SBOX_TEST_THIRD_ERROR;
+    }
+
+    const int MEM_EXECUTE_OPTION_ENABLE = 1;
+    const int MEM_EXECUTE_OPTION_DISABLE = 2;
+    const int MEM_EXECUTE_OPTION_ATL7_THUNK_EMULATION = 4;
+    const int MEM_EXECUTE_OPTION_PERMANENT = 8;
+    dep_flags &= 0xff;
+
+    if (dep_flags != (MEM_EXECUTE_OPTION_DISABLE |
+                      MEM_EXECUTE_OPTION_PERMANENT)) {
+      return SBOX_TEST_FOURTH_ERROR;
+    }
+  }
+#endif
+
+  return SBOX_TEST_SUCCEEDED;
+}
+
+TEST(ProcessMitigationsTest, CheckDep) {
+  if (!IsXPSP2OrLater() || base::win::GetVersion() > base::win::VERSION_WIN7)
+    return;
+
+  TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  EXPECT_EQ(policy->SetProcessMitigations(
+                TargetPolicy::MITIGATION_DEP |
+                TargetPolicy::MITIGATION_DEP_NO_ATL_THUNK |
+                TargetPolicy::MITIGATION_SEHOP),
+            SBOX_ALL_OK);
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep"));
+}
+
+}  // namespace sandbox
+