| OLD | NEW |
| 1 // Copyright (c) 2006-2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "testing/gtest/include/gtest/gtest.h" | 5 #include "base/win/windows_version.h" |
| 6 #include "sandbox/win/src/handle_closer.h" |
| 6 #include "sandbox/win/src/sandbox.h" | 7 #include "sandbox/win/src/sandbox.h" |
| 7 #include "sandbox/win/src/sandbox_policy.h" | 8 #include "sandbox/win/src/sandbox_policy.h" |
| 8 #include "sandbox/win/src/sandbox_factory.h" | 9 #include "sandbox/win/src/sandbox_factory.h" |
| 9 #include "sandbox/win/tests/common/controller.h" | 10 #include "sandbox/win/tests/common/controller.h" |
| 11 #include "testing/gtest/include/gtest/gtest.h" |
| 10 | 12 |
| 11 namespace sandbox { | 13 namespace sandbox { |
| 12 | 14 |
| 13 | 15 |
| 14 SBOX_TESTS_COMMAND int NamedPipe_Create(int argc, wchar_t **argv) { | 16 SBOX_TESTS_COMMAND int NamedPipe_Create(int argc, wchar_t **argv) { |
| 15 if (argc != 1) { | 17 if (argc < 1 || argc > 2) { |
| 16 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | 18 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; |
| 17 } | 19 } |
| 18 if ((NULL == argv) || (NULL == argv[0])) { | 20 if ((NULL == argv) || (NULL == argv[0])) { |
| 19 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | 21 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; |
| 20 } | 22 } |
| 21 | 23 |
| 22 HANDLE pipe = ::CreateNamedPipeW(argv[0], | 24 HANDLE pipe = ::CreateNamedPipeW(argv[0], |
| 23 PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED, | 25 PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED, |
| 24 PIPE_TYPE_BYTE | PIPE_READMODE_BYTE, 1, 4096, | 26 PIPE_TYPE_BYTE | PIPE_READMODE_BYTE, 1, 4096, |
| 25 4096, 2000, NULL); | 27 4096, 2000, NULL); |
| 26 if (INVALID_HANDLE_VALUE == pipe) | 28 if (INVALID_HANDLE_VALUE == pipe) |
| 27 return SBOX_TEST_DENIED; | 29 return SBOX_TEST_DENIED; |
| 28 | 30 |
| 31 // The second parameter allows us to enforce a whitelist for where the |
| 32 // pipe should be in the object namespace after creation. |
| 33 if (argc == 2) { |
| 34 base::string16 handle_name; |
| 35 if (GetHandleName(pipe, &handle_name)) { |
| 36 if (handle_name.compare(0, wcslen(argv[1]), argv[1]) != 0) |
| 37 return SBOX_TEST_FAILED; |
| 38 } else { |
| 39 return SBOX_TEST_FAILED; |
| 40 } |
| 41 } |
| 42 |
| 29 OVERLAPPED overlapped = {0}; | 43 OVERLAPPED overlapped = {0}; |
| 30 overlapped.hEvent = ::CreateEvent(NULL, TRUE, TRUE, NULL); | 44 overlapped.hEvent = ::CreateEvent(NULL, TRUE, TRUE, NULL); |
| 31 BOOL result = ::ConnectNamedPipe(pipe, &overlapped); | 45 BOOL result = ::ConnectNamedPipe(pipe, &overlapped); |
| 32 | 46 |
| 33 if (!result) { | 47 if (!result) { |
| 34 DWORD error = ::GetLastError(); | 48 DWORD error = ::GetLastError(); |
| 35 if (ERROR_PIPE_CONNECTED != error && | 49 if (ERROR_PIPE_CONNECTED != error && |
| 36 ERROR_IO_PENDING != error) { | 50 ERROR_IO_PENDING != error) { |
| 37 return SBOX_TEST_FAILED; | 51 return SBOX_TEST_FAILED; |
| 38 } | 52 } |
| 39 } | 53 } |
| 40 | 54 |
| 41 if (!::CloseHandle(pipe)) | 55 if (!::CloseHandle(pipe)) |
| 42 return SBOX_TEST_FAILED; | 56 return SBOX_TEST_FAILED; |
| 43 | 57 |
| 44 ::CloseHandle(overlapped.hEvent); | 58 ::CloseHandle(overlapped.hEvent); |
| 45 return SBOX_TEST_SUCCEEDED; | 59 return SBOX_TEST_SUCCEEDED; |
| 46 } | 60 } |
| 47 | 61 |
| 48 // Tests if we can create a pipe in the sandbox. On XP, the sandbox can create | 62 // Tests if we can create a pipe in the sandbox. |
| 49 // a pipe without any help but it fails on Vista, this is why we do not test | |
| 50 // the "denied" case. | |
| 51 TEST(NamedPipePolicyTest, CreatePipe) { | 63 TEST(NamedPipePolicyTest, CreatePipe) { |
| 52 TestRunner runner; | 64 TestRunner runner; |
| 53 // TODO(nsylvain): This policy is wrong because "*" is a valid char in a | 65 // TODO(nsylvain): This policy is wrong because "*" is a valid char in a |
| 54 // namedpipe name. Here we apply it like a wildcard. http://b/893603 | 66 // namedpipe name. Here we apply it like a wildcard. http://b/893603 |
| 55 EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES, | 67 EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES, |
| 56 TargetPolicy::NAMEDPIPES_ALLOW_ANY, | 68 TargetPolicy::NAMEDPIPES_ALLOW_ANY, |
| 57 L"\\\\.\\pipe\\test*")); | 69 L"\\\\.\\pipe\\test*")); |
| 58 | 70 |
| 59 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | 71 EXPECT_EQ(SBOX_TEST_SUCCEEDED, |
| 60 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\testbleh")); | 72 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\testbleh")); |
| 73 |
| 74 // On XP, the sandbox can create a pipe without any help but it fails on |
| 75 // Vista+, this is why we do not test the "denied" case. |
| 76 if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) { |
| 77 EXPECT_EQ(SBOX_TEST_DENIED, |
| 78 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\bleh")); |
| 79 } |
| 80 } |
| 81 |
| 82 // Tests if we can create a pipe with a path traversal in the sandbox. |
| 83 TEST(NamedPipePolicyTest, CreatePipeTraversal) { |
| 84 TestRunner runner; |
| 85 // TODO(nsylvain): This policy is wrong because "*" is a valid char in a |
| 86 // namedpipe name. Here we apply it like a wildcard. http://b/893603 |
| 87 EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES, |
| 88 TargetPolicy::NAMEDPIPES_ALLOW_ANY, |
| 89 L"\\\\.\\pipe\\test*")); |
| 90 |
| 91 // On XP, the sandbox can create a pipe without any help. |
| 92 if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) { |
| 93 // This test verifies that the pipe name does not get canonicalized before |
| 94 // being passed to the OS. A failure here would mean we have sucessfully |
| 95 // created a pipe called \\.\pipe\bleh and escaped the sandbox policy. |
| 96 EXPECT_EQ(SBOX_TEST_SUCCEEDED, |
| 97 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test\\..\\bleh" |
| 98 L" \\Device\\NamedPipe\\test")); |
| 99 } |
| 61 } | 100 } |
| 62 | 101 |
| 63 // The same test as CreatePipe but this time using strict interceptions. | 102 // The same test as CreatePipe but this time using strict interceptions. |
| 64 TEST(NamedPipePolicyTest, CreatePipeStrictInterceptions) { | 103 TEST(NamedPipePolicyTest, CreatePipeStrictInterceptions) { |
| 65 TestRunner runner; | 104 TestRunner runner; |
| 66 runner.GetPolicy()->SetStrictInterceptions(); | 105 runner.GetPolicy()->SetStrictInterceptions(); |
| 67 | 106 |
| 68 // TODO(nsylvain): This policy is wrong because "*" is a valid char in a | 107 // TODO(nsylvain): This policy is wrong because "*" is a valid char in a |
| 69 // namedpipe name. Here we apply it like a wildcard. http://b/893603 | 108 // namedpipe name. Here we apply it like a wildcard. http://b/893603 |
| 70 EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES, | 109 EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES, |
| 71 TargetPolicy::NAMEDPIPES_ALLOW_ANY, | 110 TargetPolicy::NAMEDPIPES_ALLOW_ANY, |
| 72 L"\\\\.\\pipe\\test*")); | 111 L"\\\\.\\pipe\\test*")); |
| 73 | 112 |
| 74 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | 113 EXPECT_EQ(SBOX_TEST_SUCCEEDED, |
| 75 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\testbleh")); | 114 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\testbleh")); |
| 115 |
| 116 // On XP, the sandbox can create a pipe without any help but it fails on |
| 117 // Vista+, this is why we do not test the "denied" case. |
| 118 if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) { |
| 119 EXPECT_EQ(SBOX_TEST_DENIED, |
| 120 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\bleh")); |
| 121 } |
| 76 } | 122 } |
| 77 | 123 |
| 78 } // namespace sandbox | 124 } // namespace sandbox |
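Review bot: In NamedPipe_Create, both `return SBOX_TEST_FAILED;` paths inside the new `argc == 2` block exit with `pipe` still open, unlike the success path, which closes it; adding `::CloseHandle(pipe);` before each of those returns keeps the command from leaking the single allowed instance (nMaxInstances is 1) if the target process outlives the call. The comment above that block should state that the second argument is matched as a prefix of the NT object name returned by GetHandleName, for example `// argv[1], if present, must be a prefix of the pipe's NT object name.`, because CreatePipeTraversal relies on exactly that to tell a name kept under `\Device\NamedPipe\test` from one that resolved to `\Device\NamedPipe\bleh`. The relocated comment in CreatePipe and CreatePipeStrictInterceptions still says "this is why we do not test the denied case" directly above the new Vista+ `SBOX_TEST_DENIED` expectation; `// On XP the sandbox can create a pipe without any help, so the "denied" case is only checked on Vista+.` would match what the code now does. CreatePipeTraversal makes no assertion at all on XP, which is worth a sentence in its header comment so a green run there is not read as coverage.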