[Win10 sandbox mitigations] Four new Win10 mitigations added.

sandbox/win/src/process_mitigations_test.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "base/memory/scoped_ptr.h"
 #include "base/strings/stringprintf.h"
 #include "base/win/scoped_handle.h"
-
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/nt_internals.h"
 #include "sandbox/win/src/process_mitigations.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/target_services.h"
 #include "sandbox/win/src/win_utils.h"
 #include "sandbox/win/tests/common/controller.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace {
 
 typedef BOOL (WINAPI *GetProcessDEPPolicyFunction)(
     HANDLE process,
     LPDWORD flags,
     PBOOL permanent);
 
 typedef BOOL (WINAPI *GetProcessMitigationPolicyFunction)(
     HANDLE process,
     PROCESS_MITIGATION_POLICY mitigation_policy,
     PVOID buffer,
     SIZE_T length);
 
+typedef HANDLE(WINAPI* AddFontMemResourceExFunction)(
+    PVOID font_resource,
+    DWORD font_resource_size,
+    PVOID reserved,
+    DWORD* num_fonts_installed);
+
+typedef BOOL(WINAPI* RemoveFontMemResourceExFunction)(HANDLE resource_handle);
+
 GetProcessMitigationPolicyFunction get_process_mitigation_policy;
 
 #if !defined(_WIN64)
 bool CheckWin8DepPolicy() {
   PROCESS_MITIGATION_DEP_POLICY policy = {};
   if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy,
                                      &policy, sizeof(policy))) {
     return false;
   }
   return policy.Enable && policy.Permanent;
@@ skipping 35 matching lines @@
 bool CheckWin8DllExtensionPolicy() {
   PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {};
   if (!get_process_mitigation_policy(::GetCurrentProcess(),
                                      ProcessExtensionPointDisablePolicy,
                                      &policy, sizeof(policy))) {
      return false;
   }
   return policy.DisableExtensionPoints;
 }
 
+bool CheckWin10FontPolicy() {
+  PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {};
+  if (!get_process_mitigation_policy(::GetCurrentProcess(),
+                                     ProcessFontDisablePolicy, &policy,
+                                     sizeof(policy))) {
+    return false;
+  }
+  return policy.DisableNonSystemFonts;
+}
+
+bool LoadFileToMemory(const std::wstring& file_name, std::vector<char>& data) {
+  base::win::ScopedHandle file(::CreateFile(file_name.c_str(), GENERIC_READ,
+                                            FILE_SHARE_READ, NULL,
+                                            OPEN_EXISTING, 0, NULL));
+  if (!file.IsValid())
+    return false;
+
+  DWORD total_length = ::GetFileSize(file.Get(), NULL);
+
+  if (total_length == INVALID_FILE_SIZE)
+    return false;
+
+  data.resize(total_length);
+
+  DWORD current_pos = 0;
+  while (current_pos < total_length) {
+    DWORD bytes_read;
+
+    if (!ReadFile(file.Get(), &data[current_pos], total_length - current_pos,
+                  &bytes_read, NULL) ||
+        bytes_read == 0)
+      return false;
+    current_pos += bytes_read;
+  }
+
+  return true;
+}
+
+bool CheckWin10ImageLoadNoRemotePolicy() {
+  PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {};
+  if (!get_process_mitigation_policy(::GetCurrentProcess(),
+                                     ProcessImageLoadPolicy, &policy,
+                                     sizeof(policy))) {
+    return false;
+  }
+  return policy.NoRemoteImages;
+}
+
+void TestWin10ImageLoadRemote(bool is_success_test) {
+  // ***Insert your manual testing share UNC path here!
+  // E.g.: \\\\hostname\\sharename\\calc.exe
+  std::wstring unc = L"\\\\hostname\\sharename\\calc.exe";
+
+  sandbox::TestRunner runner(true);
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  // Set a policy that would normally allow for process creation.
+  policy->SetJobLevel(sandbox::JOB_NONE, 0);
+  policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED);
+
+  if (!is_success_test) {
+    // Enable the NoRemote mitigation.
+    EXPECT_EQ(
+      policy->SetDelayedProcessMitigations(
+        sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE),
+      sandbox::SBOX_ALL_OK);
+  }
+
+  std::wstring test = L"TestChildProcess ";
+  test += unc.c_str();
+  test += ((is_success_test) ? L" success" : L" failure");
+  EXPECT_EQ(sandbox::SBOX_TEST_SUCCEEDED,
+    runner.RunTest(test.c_str()));
+}
+
+bool CheckWin10ImageLoadNoLowLabelPolicy() {
+  PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {};
+  if (!get_process_mitigation_policy(::GetCurrentProcess(),
+                                     ProcessImageLoadPolicy, &policy,
+                                     sizeof(policy))) {
+    return false;
+  }
+  return policy.NoLowMandatoryLabelImages;
+}
+
+void TestWin10ImageLoadLowLabel(bool is_success_test) {
+  // Setup a mandatory low executable for this test (calc.exe).
+  WCHAR dir_buffer[MAX_PATH];
+  EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH));
+
+  std::wstring orig_path = dir_buffer;
+  orig_path = orig_path + L"\\System32\\calc.exe";
+  std::wstring new_path = dir_buffer;
+  new_path = new_path + L"\\temp\\lowIL_calc.exe";
+
+  EXPECT_TRUE(::CopyFileW(orig_path.c_str(), new_path.c_str(), false));
+
+  std::wstring cmd = L"icacls \"";
+  cmd += new_path.c_str();
+  cmd += L"\" /setintegritylevel Low";
+  scoped_ptr<wchar_t, base::FreeDeleter> cmd_line(_wcsdup(cmd.c_str()));
+
+  STARTUPINFOW startup_info = {};
+  startup_info.cb = sizeof(startup_info);
+  PROCESS_INFORMATION proc_info = {};
+  bool setup_success = false;
+
+  if (::CreateProcessW(NULL, cmd_line.get(), NULL, NULL, false, 0, NULL, NULL,
+    &startup_info, &proc_info)) {
+    if (WAIT_OBJECT_0 == ::WaitForSingleObject(proc_info.hProcess, 10 * 1000)) {
+      DWORD exit_code;
+      if (::GetExitCodeProcess(proc_info.hProcess, &exit_code) &&
+        exit_code == 0) {
+        // icacls was successful.
+        setup_success = true;
+      }
+    }
+    else {

[Will Harris, 2016/01/25 19:32:35]

please run git cl format to format these. should be

} else {

[penny, 2016/01/26 22:37:10]

Done.

+      ::TerminateProcess(proc_info.hProcess, 0);
+    }
+    ::CloseHandle(proc_info.hProcess);
+    ::CloseHandle(proc_info.hThread);
+  }
+
+  if (setup_success) {
+    // Initialize a TestRunner that can CreateProcess.
+    // I.e.: do NOT disable ALPCs/CSRSS for this test.
+    sandbox::TestRunner runner(true);
+    sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+    // Set a policy that would normally allow for process creation.
+    policy->SetJobLevel(sandbox::JOB_NONE, 0);
+    policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED);
+
+    if (!is_success_test) {
+      // Enable the NoLowLabel mitigation.
+      EXPECT_EQ(
+        policy->SetDelayedProcessMitigations(
+          sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL),
+        sandbox::SBOX_ALL_OK);
+    }
+
+    std::wstring test = L"TestChildProcess ";
+    test += new_path.c_str();
+    test += ((is_success_test) ? L" success" : L" failure");
+    EXPECT_EQ(sandbox::SBOX_TEST_SUCCEEDED,
+      runner.RunTest(test.c_str()));
+  }
+  else {
+    // If setup failed, make sure to fail the test.
+    EXPECT_TRUE(setup_success);
+  }
+
+  // Clean up.
+  EXPECT_TRUE(::DeleteFileW(new_path.c_str()));
+}
+
 }  // namespace
 
 namespace sandbox {
 
+// A shared helper test command that will attempt to CreateProcess
+// with a given command line and an expected result.
+//
+// ***Make sure you've enabled basic process creation in the sandbox
+// settings via sandbox::JobLevel, sandbox::TokenLevel,
+// and initialize the TestRunner with "true"
+// argument to enable interaction with CSRSS in the kernel.
+SBOX_TESTS_COMMAND int TestChildProcess(int argc, wchar_t** argv) {
+  if (argc < 2)
+    return SBOX_TEST_INVALID_PARAMETER;
+
+  // Initialize the startup information from the policy.
+  STARTUPINFOW startup_info = {};
+  startup_info.cb = sizeof(startup_info);
+  PROCESS_INFORMATION proc_info = {};
+  std::wstring path = argv[0];
+  std::wstring outcome = argv[1];
+  bool success_expected = (0 == outcome.compare(L"success")) ? true : false;
+
+  scoped_ptr<wchar_t, base::FreeDeleter> cmd_line(_wcsdup(path.c_str()));
+  if (::CreateProcessW(NULL, cmd_line.get(), NULL, NULL, false, 0, NULL, NULL,
+    &startup_info, &proc_info)) {
+    ::TerminateProcess(proc_info.hProcess, 0);
+    ::CloseHandle(proc_info.hProcess);
+    ::CloseHandle(proc_info.hThread);
+
+    return (success_expected) ? SBOX_TEST_SUCCEEDED : SBOX_TEST_FIRST_ERROR;
+  }
+  else {
+    // Note: GetLastError returns 5, "ERROR_ACCESS_DENIED".
+    return (success_expected) ? SBOX_TEST_FIRST_ERROR : SBOX_TEST_SUCCEEDED;
+  }
+}
+
+/*****************************************************************************/
+// Win8 Checks
+// MITIGATION_DEP(_NO_ATL_THUNK)
+// MITIGATION_EXTENSION_DLL_DISABLE
+// MITIGATION_RELOCATE_IMAGE(_REQUIRED) - ASLR, release only
+// MITIGATION_STRICT_HANDLE_CHECKS
+// >= Win8
+/*****************************************************************************/
+
 SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) {
   get_process_mitigation_policy =
       reinterpret_cast<GetProcessMitigationPolicyFunction>(
           ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
                            "GetProcessMitigationPolicy"));
   if (!get_process_mitigation_policy)
     return SBOX_TEST_NOT_FOUND;
 
 #if !defined(_WIN64)  // DEP is always enabled on 64-bit.
   if (!CheckWin8DepPolicy())
@@ skipping 31 matching lines @@
 
   EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK);
 
   mitigations |= MITIGATION_STRICT_HANDLE_CHECKS;
 
   EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK);
 
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8"));
 }
 
+/*****************************************************************************/
+// DEP (MITIGATION_DEP)
+// < Win8 x86
+/*****************************************************************************/
 
 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) {
   GetProcessDEPPolicyFunction get_process_dep_policy =
       reinterpret_cast<GetProcessDEPPolicyFunction>(
           ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
                            "GetProcessDEPPolicy"));
   if (get_process_dep_policy) {
     BOOL is_permanent = FALSE;
     DWORD dep_flags = 0;
 
@@ skipping 43 matching lines @@
 
   EXPECT_EQ(policy->SetProcessMitigations(
                 MITIGATION_DEP |
                 MITIGATION_DEP_NO_ATL_THUNK |
                 MITIGATION_SEHOP),
             SBOX_ALL_OK);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep"));
 }
 #endif
 
+/*****************************************************************************/
+// Win32k Lockdown (MITIGATION_WIN32K_DISABLE)
+// >= Win8
+/*****************************************************************************/
+
 SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) {
   get_process_mitigation_policy =
       reinterpret_cast<GetProcessMitigationPolicyFunction>(
           ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
                            "GetProcessMitigationPolicy"));
   if (!get_process_mitigation_policy)
     return SBOX_TEST_NOT_FOUND;
 
   if (!CheckWin8Win32CallPolicy())
     return SBOX_TEST_FIRST_ERROR;
@@ skipping 27 matching lines @@
   sandbox::TargetPolicy* policy = runner.GetPolicy();
 
   EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE),
             SBOX_ALL_OK);
   EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,
                             sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL),
             sandbox::SBOX_ALL_OK);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown"));
 }
 
+/*****************************************************************************/
+// Disable non-system font loads (MITIGATION_NONSYSTEM_FONT_DISABLE)
+// >= Win10
+/*****************************************************************************/
+
+SBOX_TESTS_COMMAND int CheckWin10FontLockDown(int argc, wchar_t** argv) {
+  get_process_mitigation_policy =
+      reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress(
+          ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy"));
+  if (!get_process_mitigation_policy)
+    return SBOX_TEST_NOT_FOUND;
+
+  if (!CheckWin10FontPolicy())
+    return SBOX_TEST_FIRST_ERROR;
+  return SBOX_TEST_SUCCEEDED;
+}
+
+SBOX_TESTS_COMMAND int CheckWin10FontLoad(int argc, wchar_t** argv) {
+  if (argc < 2)
+    return SBOX_TEST_INVALID_PARAMETER;
+
+  std::wstring outcome = argv[1];
+  bool success_expected = (0 == outcome.compare(L"success")) ? true : false;
+
+  HMODULE gdi_module = ::LoadLibraryW(L"gdi32.dll");
+  if (!gdi_module)
+    return SBOX_TEST_NOT_FOUND;
+
+  AddFontMemResourceExFunction add_font_mem_resource =
+      reinterpret_cast<AddFontMemResourceExFunction>(
+          ::GetProcAddress(gdi_module, "AddFontMemResourceEx"));
+
+  RemoveFontMemResourceExFunction rem_font_mem_resource =
+      reinterpret_cast<RemoveFontMemResourceExFunction>(
+          ::GetProcAddress(gdi_module, "RemoveFontMemResourceEx"));
+
+  if (!add_font_mem_resource || !rem_font_mem_resource)
+    return SBOX_TEST_NOT_FOUND;
+
+  // Load font file passed in as an argument.
+  std::vector<char> font_data;
+  if (!LoadFileToMemory(argv[0], font_data))
+    return SBOX_TEST_NOT_FOUND;
+
+  DWORD font_count = 0;
+  HANDLE font_handle = add_font_mem_resource(
+      &font_data[0], static_cast<DWORD>(font_data.size()), NULL, &font_count);
+
+  if (font_handle) {
+    rem_font_mem_resource(font_handle);
+    return (success_expected) ? SBOX_TEST_SUCCEEDED : SBOX_TEST_FIRST_ERROR;
+  }
+  else {
+    // Note: GetLastError returns 5, "ERROR_ACCESS_DENIED".
+    return (success_expected) ? SBOX_TEST_FIRST_ERROR : SBOX_TEST_SUCCEEDED;
+  }
+
+  return SBOX_TEST_SUCCEEDED;
+}
+
+// This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE
+// mitigation enables the setting on a process.
+TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownPolicySuccess) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10)
+    return;
+
+  TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE),
+            SBOX_ALL_OK);
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin10FontLockDown"));
+}
+
+// This test validates that we can load a non-system font
+// if the MITIGATION_NON_SYSTEM_FONTS_DISABLE
+// mitigation is NOT set.
+TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadSuccess) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10)
+    return;
+
+  TestRunner runner;
+
+  WCHAR dir_buffer[MAX_PATH];
+  EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH));
+  std::wstring font_name = dir_buffer;
+  // Arial font should always be available
+  font_name = font_name + L"\\fonts\\arial.ttf";
+
+  EXPECT_TRUE(
+    runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, font_name.c_str()));
+
+  std::wstring test_command =
+    L"CheckWin10FontLoad \"" + font_name + L"\" success";
+
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
+}
+
+// This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE
+// mitigation prevents the loading of a non-system font.
+TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadFailure) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10)
+    return;
+
+  TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  WCHAR dir_buffer[MAX_PATH];
+  EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH));
+  std::wstring font_name = dir_buffer;
+  // Arial font should always be available
+  font_name = font_name + L"\\fonts\\arial.ttf";
+
+  // Turn on the non-system font disable mitigation.
+  EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE),
+    SBOX_ALL_OK);
+  EXPECT_TRUE(
+    runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, font_name.c_str()));
+
+  std::wstring test_command =
+    L"CheckWin10FontLoad \"" + font_name + L"\" failure";
+
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
+}
+
+/*****************************************************************************/
+// Disable image load from remote devices (MITIGATION_IMAGE_LOAD_NO_REMOTE).
+// >= Win10_10586
+/*****************************************************************************/
+
+SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoRemote(int argc, wchar_t** argv) {
+  get_process_mitigation_policy =
+      reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress(
+          ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy"));
+  if (!get_process_mitigation_policy)
+    return SBOX_TEST_NOT_FOUND;
+
+  if (!CheckWin10ImageLoadNoRemotePolicy())
+    return SBOX_TEST_FIRST_ERROR;
+  return SBOX_TEST_SUCCEEDED;
+}
+
+// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE
+// mitigation enables the setting on a process.
+TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoRemotePolicySuccess) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10_10586)
+    return;
+
+  TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  EXPECT_EQ(
+      policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_REMOTE),
+      SBOX_ALL_OK);
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
+            runner.RunTest(L"CheckWin10ImageLoadNoRemote"));
+}
+
+// This test validates that we CAN create a new process from
+// a remote UNC device, if the MITIGATION_IMAGE_LOAD_NO_REMOTE
+// mitigation is NOT set.
+//
+// DISABLED for automated testing bots.  Enable for manual testing.
+TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteSuccess) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10_10586)
+    return;
+
+  TestWin10ImageLoadRemote(true);
+}
+
+// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE
+// mitigation prevents creating a new process from a remote
+// UNC device.
+//
+// DISABLED for automated testing bots.  Enable for manual testing.
+TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteFailure) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10_10586)
+    return;
+
+  TestWin10ImageLoadRemote(false);
+}
+
+/*****************************************************************************/
+// Disable image load when "mandatory low label" (integrity level).
+// (MITIGATION_IMAGE_LOAD_NO_LOW_LABEL)
+// >= Win10_10586
+/*****************************************************************************/
+
+SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoLowLabel(int argc, wchar_t** argv) {
+  get_process_mitigation_policy =
+      reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress(
+          ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy"));
+  if (!get_process_mitigation_policy)
+    return SBOX_TEST_NOT_FOUND;
+
+  if (!CheckWin10ImageLoadNoLowLabelPolicy())
+    return SBOX_TEST_FIRST_ERROR;
+  return SBOX_TEST_SUCCEEDED;
+}
+
+// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL
+// mitigation enables the setting on a process.
+TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelPolicySuccess) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10_10586)
+    return;
+
+  TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  EXPECT_EQ(
+      policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_LOW_LABEL),
+      SBOX_ALL_OK);
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
+            runner.RunTest(L"CheckWin10ImageLoadNoLowLabel"));
+}
+
+// This test validates that we CAN create a new process with
+// low mandatory label (IL), if the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL
+// mitigation is NOT set.
+TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelSuccess) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10_10586)
+    return;
+
+  TestWin10ImageLoadLowLabel(true);
+}
+
+// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL
+// mitigation prevents creating a new process with low mandatory label (IL).
+TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelFailure) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10_10586)
+    return;
+
+  TestWin10ImageLoadLowLabel(false);
+}
+
+/*****************************************************************************/
+// Disable child process creation.
+// (MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED)
+// >= Win10_10586
+/*****************************************************************************/
+
+// This test validates that we can spawn a child process if
+// MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation is
+// not set.
+TEST(ProcessMitigationsTest, CheckWin10ChildProcessSuccess) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10_10586)
+    return;
+
+  // Initialize a TestRunner that can CreateProcess.
+  // I.e.: do NOT disable ALPCs/CSRSS for this test.
+  TestRunner runner(true);
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  // Set a policy that would normally allow for process creation.
+  policy->SetJobLevel(JOB_NONE, 0);
+  policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
+
+  std::wstring test_command = L"TestChildProcess ";
+  WCHAR dir_buffer[MAX_PATH];
+  EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH));
+  test_command += dir_buffer;
+  test_command += L"\\System32\\calc.exe success";
+
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
+}
+
+// This test validates that setting the
+// MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation prevents
+// the spawning of child processes.
+TEST(ProcessMitigationsTest, CheckWin10ChildProcessFailure) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10_10586)
+    return;
+
+  // Initialize a TestRunner that can CreateProcess.
+  // I.e.: do NOT disable ALPCs/CSRSS for this test.
+  TestRunner runner(true);
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  // Set a policy that would normally allow for process creation.
+  policy->SetJobLevel(JOB_NONE, 0);
+  policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
+
+  // Turn on the child process restriction mitigation.
+  EXPECT_EQ(policy->SetProcessMitigations(
+                MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED),
+            SBOX_ALL_OK);
+
+  std::wstring test_command = L"TestChildProcess ";
+  WCHAR dir_buffer[MAX_PATH];
+  EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH));
+  test_command += dir_buffer;
+  test_command += L"\\System32\\calc.exe failure";
+
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
+}
+
 }  // namespace sandbox