Index: sandbox/win/src/process_policy_test.cc |
diff --git a/sandbox/win/src/process_policy_test.cc b/sandbox/win/src/process_policy_test.cc |
index 44effa36354b247bd84a339343c5aa8131a927f3..fc0669d2540d136c256fdca8a140be6e886daaf4 100644 |
--- a/sandbox/win/src/process_policy_test.cc |
+++ b/sandbox/win/src/process_policy_test.cc |
@@ -10,6 +10,7 @@ |
#include "base/win/scoped_handle.h" |
#include "base/win/scoped_process_information.h" |
#include "base/win/windows_version.h" |
+#include "sandbox/win/src/process_thread_interception.h" |
#include "sandbox/win/src/sandbox.h" |
#include "sandbox/win/src/sandbox_factory.h" |
#include "sandbox/win/src/sandbox_policy.h" |
@@ -258,6 +259,36 @@ SBOX_TESTS_COMMAND int Process_OpenToken(int argc, wchar_t **argv) { |
return SBOX_TEST_FAILED; |
} |
+DWORD TestThreadFunc(LPVOID lpdwThreadParam) { |
+ // This is the function that is called when testing thread creation. |
+ return 0; |
Will Harris
2015/09/04 02:41:01
I wonder if this should signal an event or somethi
liamjm (20p)
2015/09/04 21:30:39
Yeah, good idea.
Added an event, that the caller c
|
+} |
+ |
+SBOX_TESTS_COMMAND int Process_CreateThread(int argc, wchar_t **argv) { |
+ DWORD thread_id = 0; |
+ HANDLE hThread = NULL; |
+ hThread = ::CreateThread( |
+ NULL, |
+ 0, |
+ (LPTHREAD_START_ROUTINE)&TestThreadFunc, |
+ NULL, |
+ 0, |
+ &thread_id); |
+ |
+ if (!hThread) { |
+ return SBOX_TEST_FAILED; |
+ } |
+ if (!thread_id) { |
+ return SBOX_TEST_FAILED; |
+ } |
+ |
+ if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) { |
+ return SBOX_TEST_FAILED; |
+ } |
+ return SBOX_TEST_SUCCEEDED; |
+} |
+ |
+ |
TEST(ProcessPolicyTest, TestAllAccess) { |
// Check if the "all access" rule fails to be added when the token is too |
// powerful. |
@@ -382,4 +413,46 @@ TEST(ProcessPolicyTest, TestGetProcessTokenMaxAccessNoJob) { |
runner.RunTest(L"Process_GetChildProcessToken findstr.exe")); |
} |
+TEST(ProcessPolicyTest, TestCreateThread) { |
+ TestRunner runner(JOB_NONE, USER_INTERACTIVE, USER_INTERACTIVE); |
+ |
+ EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS, |
+ TargetPolicy::PROCESS_MIN_EXEC, |
+ L"this is not important")); |
+ |
+ EXPECT_EQ(SBOX_TEST_SUCCEEDED, |
+ runner.RunTest(L"Process_CreateThread")); |
+} |
+ |
+TEST(ProcessPolicyTest, TestCreateThreadWithoutCsrss) { |
+ TestRunner runner(JOB_NONE, USER_INTERACTIVE, USER_INTERACTIVE); |
+ |
+ EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS, |
+ TargetPolicy::PROCESS_MIN_EXEC, |
+ L"this is not important")); |
+ |
+ sandbox::TargetPolicy* policy = runner.GetPolicy(); |
+ // Sever the CSRSS connection by closing ALPC ports inside the sandbox. |
+ ASSERT_EQ(SBOX_ALL_OK, policy->AddKernelObjectToClose(L"ALPC Port", NULL)); |
+ |
+ EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_CreateThread")); |
+} |
+ |
+TEST(ProcessPolicyTest, TestCreateThreadOutsideSandbox) { |
+ DWORD thread_id = 0; |
+ HANDLE hThread = NULL; |
+ hThread = TargetCreateThread( |
+ ::CreateThread, |
+ NULL, |
+ 0, |
+ (LPTHREAD_START_ROUTINE)&TestThreadFunc, |
+ NULL, |
+ 0, |
+ &thread_id); |
+ |
+ EXPECT_NE(int(hThread), NULL); |
+ EXPECT_EQ(WAIT_OBJECT_0, WaitForSingleObject(hThread, INFINITE)); |
+} |
+ |
+ |
} // namespace sandbox |