
Unified Diff: sandbox/win/src/process_policy_test.cc

Issue 1225183003: CreateThread interception, to use CreateRemoteThread (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: fix missing variable from cleanup Created 5 years, 4 months ago
Index: sandbox/win/src/process_policy_test.cc
diff --git a/sandbox/win/src/process_policy_test.cc b/sandbox/win/src/process_policy_test.cc
index 44effa36354b247bd84a339343c5aa8131a927f3..fc0669d2540d136c256fdca8a140be6e886daaf4 100644
--- a/sandbox/win/src/process_policy_test.cc
+++ b/sandbox/win/src/process_policy_test.cc
@@ -10,6 +10,7 @@
#include "base/win/scoped_handle.h"
#include "base/win/scoped_process_information.h"
#include "base/win/windows_version.h"
+#include "sandbox/win/src/process_thread_interception.h"
#include "sandbox/win/src/sandbox.h"
#include "sandbox/win/src/sandbox_factory.h"
#include "sandbox/win/src/sandbox_policy.h"
@@ -258,6 +259,36 @@ SBOX_TESTS_COMMAND int Process_OpenToken(int argc, wchar_t **argv) {
return SBOX_TEST_FAILED;
}
+DWORD TestThreadFunc(LPVOID lpdwThreadParam) {
+ // This is the function that is called when testing thread creation.
+ return 0;
Will Harris 2015/09/04 02:41:01 I wonder if this should signal an event or somethi
liamjm (20p) 2015/09/04 21:30:39 Yeah, good idea. Added an event, that the caller c
+}
+
+SBOX_TESTS_COMMAND int Process_CreateThread(int argc, wchar_t **argv) {
+ DWORD thread_id = 0;
+ HANDLE hThread = NULL;
+ hThread = ::CreateThread(
+ NULL,
+ 0,
+ (LPTHREAD_START_ROUTINE)&TestThreadFunc,
+ NULL,
+ 0,
+ &thread_id);
+
+ if (!hThread) {
+ return SBOX_TEST_FAILED;
+ }
+ if (!thread_id) {
+ return SBOX_TEST_FAILED;
+ }
+
+ if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) {
+ return SBOX_TEST_FAILED;
+ }
+ return SBOX_TEST_SUCCEEDED;
+}
+
+
TEST(ProcessPolicyTest, TestAllAccess) {
// Check if the "all access" rule fails to be added when the token is too
// powerful.
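Review bot: `TestThreadFunc` is declared without `WINAPI`, and the C-style cast `(LPTHREAD_START_ROUTINE)&TestThreadFunc` in `Process_CreateThread` hides the resulting signature mismatch; on 32-bit builds a thread entry point is expected to be `__stdcall`. Declaring it as `DWORD WINAPI TestThreadFunc(LPVOID param)` lets the address be passed without a cast, so the compiler checks the signature. The thread handle is also never released on any return path; holding it in a `base::win::ScopedHandle` (the header is already included at the top of the file) or calling `::CloseHandle(hThread);` before each return would fix that. Separately, the `INFINITE` wait turns a thread that never starts inside the sandbox into a hung test rather than a reported failure, so a bounded timeout is safer here.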
@@ -382,4 +413,46 @@ TEST(ProcessPolicyTest, TestGetProcessTokenMaxAccessNoJob) {
runner.RunTest(L"Process_GetChildProcessToken findstr.exe"));
}
+TEST(ProcessPolicyTest, TestCreateThread) {
+ TestRunner runner(JOB_NONE, USER_INTERACTIVE, USER_INTERACTIVE);
+
+ EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
+ TargetPolicy::PROCESS_MIN_EXEC,
+ L"this is not important"));
+
+ EXPECT_EQ(SBOX_TEST_SUCCEEDED,
+ runner.RunTest(L"Process_CreateThread"));
+}
+
+TEST(ProcessPolicyTest, TestCreateThreadWithoutCsrss) {
+ TestRunner runner(JOB_NONE, USER_INTERACTIVE, USER_INTERACTIVE);
+
+ EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
+ TargetPolicy::PROCESS_MIN_EXEC,
+ L"this is not important"));
+
+ sandbox::TargetPolicy* policy = runner.GetPolicy();
+ // Sever the CSRSS connection by closing ALPC ports inside the sandbox.
+ ASSERT_EQ(SBOX_ALL_OK, policy->AddKernelObjectToClose(L"ALPC Port", NULL));
+
+ EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_CreateThread"));
+}
+
+TEST(ProcessPolicyTest, TestCreateThreadOutsideSandbox) {
+ DWORD thread_id = 0;
+ HANDLE hThread = NULL;
+ hThread = TargetCreateThread(
+ ::CreateThread,
+ NULL,
+ 0,
+ (LPTHREAD_START_ROUTINE)&TestThreadFunc,
+ NULL,
+ 0,
+ &thread_id);
+
+ EXPECT_NE(int(hThread), NULL);
+ EXPECT_EQ(WAIT_OBJECT_0, WaitForSingleObject(hThread, INFINITE));
+}
+
+
} // namespace sandbox
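Review bot: `EXPECT_NE(int(hThread), NULL)` in `TestCreateThreadOutsideSandbox` converts a `HANDLE` to `int`, which truncates the pointer on 64-bit builds and then compares an integer with `NULL`. `ASSERT_TRUE(hThread != NULL);` checks the handle directly and stops the test before `WaitForSingleObject` is called on an invalid handle. The handle is not closed afterwards, so add `::CloseHandle(hThread);` or wrap it in `base::win::ScopedHandle`. In `TestCreateThreadWithoutCsrss`, the only observable result is that the thread ran, so as far as this hunk shows nothing confirms the ALPC ports were actually closed in the target. If `AddKernelObjectToClose` had no effect, the test would still pass without covering the CSRSS-less path, which is worth a comment or an explicit check in the child command.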
