OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/memory/scoped_ptr.h" | |
5 #include "base/strings/stringprintf.h" | 6 #include "base/strings/stringprintf.h" |
6 #include "base/win/scoped_handle.h" | 7 #include "base/win/scoped_handle.h" |
7 | |
8 #include "base/win/windows_version.h" | 8 #include "base/win/windows_version.h" |
9 #include "sandbox/win/src/nt_internals.h" | 9 #include "sandbox/win/src/nt_internals.h" |
10 #include "sandbox/win/src/process_mitigations.h" | 10 #include "sandbox/win/src/process_mitigations.h" |
11 #include "sandbox/win/src/sandbox.h" | 11 #include "sandbox/win/src/sandbox.h" |
12 #include "sandbox/win/src/sandbox_factory.h" | 12 #include "sandbox/win/src/sandbox_factory.h" |
13 #include "sandbox/win/src/target_services.h" | 13 #include "sandbox/win/src/target_services.h" |
14 #include "sandbox/win/src/win_utils.h" | 14 #include "sandbox/win/src/win_utils.h" |
15 #include "sandbox/win/tests/common/controller.h" | 15 #include "sandbox/win/tests/common/controller.h" |
16 #include "testing/gtest/include/gtest/gtest.h" | 16 #include "testing/gtest/include/gtest/gtest.h" |
17 | 17 |
18 namespace { | 18 namespace { |
19 | 19 |
20 typedef BOOL (WINAPI *GetProcessDEPPolicyFunction)( | 20 typedef BOOL (WINAPI *GetProcessDEPPolicyFunction)( |
21 HANDLE process, | 21 HANDLE process, |
22 LPDWORD flags, | 22 LPDWORD flags, |
23 PBOOL permanent); | 23 PBOOL permanent); |
24 | 24 |
25 typedef BOOL (WINAPI *GetProcessMitigationPolicyFunction)( | 25 typedef BOOL (WINAPI *GetProcessMitigationPolicyFunction)( |
26 HANDLE process, | 26 HANDLE process, |
27 PROCESS_MITIGATION_POLICY mitigation_policy, | 27 PROCESS_MITIGATION_POLICY mitigation_policy, |
28 PVOID buffer, | 28 PVOID buffer, |
29 SIZE_T length); | 29 SIZE_T length); |
30 | 30 |
31 typedef HANDLE(WINAPI* AddFontMemResourceExFunction)( | |
32 PVOID font_resource, | |
33 DWORD font_resource_size, | |
34 PVOID reserved, | |
35 DWORD* num_fonts_installed); | |
36 | |
37 typedef BOOL(WINAPI* RemoveFontMemResourceExFunction)(HANDLE resource_handle); | |
38 | |
31 GetProcessMitigationPolicyFunction get_process_mitigation_policy; | 39 GetProcessMitigationPolicyFunction get_process_mitigation_policy; |
32 | 40 |
33 #if !defined(_WIN64) | 41 #if !defined(_WIN64) |
34 bool CheckWin8DepPolicy() { | 42 bool CheckWin8DepPolicy() { |
35 PROCESS_MITIGATION_DEP_POLICY policy = {}; | 43 PROCESS_MITIGATION_DEP_POLICY policy = {}; |
36 if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy, | 44 if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy, |
37 &policy, sizeof(policy))) { | 45 &policy, sizeof(policy))) { |
38 return false; | 46 return false; |
39 } | 47 } |
40 return policy.Enable && policy.Permanent; | 48 return policy.Enable && policy.Permanent; |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
76 bool CheckWin8DllExtensionPolicy() { | 84 bool CheckWin8DllExtensionPolicy() { |
77 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; | 85 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; |
78 if (!get_process_mitigation_policy(::GetCurrentProcess(), | 86 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
79 ProcessExtensionPointDisablePolicy, | 87 ProcessExtensionPointDisablePolicy, |
80 &policy, sizeof(policy))) { | 88 &policy, sizeof(policy))) { |
81 return false; | 89 return false; |
82 } | 90 } |
83 return policy.DisableExtensionPoints; | 91 return policy.DisableExtensionPoints; |
84 } | 92 } |
85 | 93 |
94 bool CheckWin10FontPolicy() { | |
95 PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {}; | |
96 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
97 ProcessFontDisablePolicy, &policy, | |
98 sizeof(policy))) { | |
99 return false; | |
100 } | |
101 return policy.DisableNonSystemFonts; | |
102 } | |
103 | |
104 bool LoadFileToMemory(const std::wstring& file_name, std::vector<char>& data) { | |
105 base::win::ScopedHandle file(::CreateFile(file_name.c_str(), GENERIC_READ, | |
106 FILE_SHARE_READ, NULL, | |
107 OPEN_EXISTING, 0, NULL)); | |
108 if (!file.IsValid()) | |
109 return false; | |
110 | |
111 DWORD total_length = ::GetFileSize(file.Get(), NULL); | |
112 | |
113 if (total_length == INVALID_FILE_SIZE) | |
114 return false; | |
115 | |
116 data.resize(total_length); | |
117 | |
118 DWORD current_pos = 0; | |
119 while (current_pos < total_length) { | |
120 DWORD bytes_read; | |
121 | |
122 if (!ReadFile(file.Get(), &data[current_pos], total_length - current_pos, | |
123 &bytes_read, NULL) || | |
124 bytes_read == 0) | |
125 return false; | |
126 current_pos += bytes_read; | |
127 } | |
128 | |
129 return true; | |
130 } | |
131 | |
132 bool CheckWin10ImageLoadNoRemotePolicy() { | |
133 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; | |
134 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
135 ProcessImageLoadPolicy, &policy, | |
136 sizeof(policy))) { | |
137 return false; | |
138 } | |
139 return policy.NoRemoteImages; | |
140 } | |
141 | |
142 void TestWin10ImageLoadRemote(bool is_success_test) { | |
143 // ***Insert your manual testing share UNC path here! | |
144 // E.g.: \\\\hostname\\sharename\\calc.exe | |
145 std::wstring unc = L"\\\\hostname\\sharename\\calc.exe"; | |
146 | |
147 sandbox::TestRunner runner(true); | |
148 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
149 | |
150 // Set a policy that would normally allow for process creation. | |
151 policy->SetJobLevel(sandbox::JOB_NONE, 0); | |
152 policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); | |
153 | |
154 if (!is_success_test) { | |
155 // Enable the NoRemote mitigation. | |
156 EXPECT_EQ( | |
157 policy->SetDelayedProcessMitigations( | |
158 sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE), | |
159 sandbox::SBOX_ALL_OK); | |
160 } | |
161 | |
162 std::wstring test = L"TestChildProcess "; | |
163 test += unc.c_str(); | |
164 test += ((is_success_test) ? L" success" : L" failure"); | |
165 EXPECT_EQ(sandbox::SBOX_TEST_SUCCEEDED, | |
166 runner.RunTest(test.c_str())); | |
167 } | |
168 | |
169 bool CheckWin10ImageLoadNoLowLabelPolicy() { | |
170 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; | |
171 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
172 ProcessImageLoadPolicy, &policy, | |
173 sizeof(policy))) { | |
174 return false; | |
175 } | |
176 return policy.NoLowMandatoryLabelImages; | |
177 } | |
178 | |
179 void TestWin10ImageLoadLowLabel(bool is_success_test) { | |
180 // Setup a mandatory low executable for this test (calc.exe). | |
181 WCHAR dir_buffer[MAX_PATH]; | |
182 EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH)); | |
183 | |
184 std::wstring orig_path = dir_buffer; | |
185 orig_path = orig_path + L"\\System32\\calc.exe"; | |
186 std::wstring new_path = dir_buffer; | |
187 new_path = new_path + L"\\temp\\lowIL_calc.exe"; | |
188 | |
189 EXPECT_TRUE(::CopyFileW(orig_path.c_str(), new_path.c_str(), false)); | |
190 | |
191 std::wstring cmd = L"icacls \""; | |
192 cmd += new_path.c_str(); | |
193 cmd += L"\" /setintegritylevel Low"; | |
194 scoped_ptr<wchar_t, base::FreeDeleter> cmd_line(_wcsdup(cmd.c_str())); | |
195 | |
196 STARTUPINFOW startup_info = {}; | |
197 startup_info.cb = sizeof(startup_info); | |
198 PROCESS_INFORMATION proc_info = {}; | |
199 bool setup_success = false; | |
200 | |
201 if (::CreateProcessW(NULL, cmd_line.get(), NULL, NULL, false, 0, NULL, NULL, | |
202 &startup_info, &proc_info)) { | |
203 if (WAIT_OBJECT_0 == ::WaitForSingleObject(proc_info.hProcess, 10 * 1000)) { | |
204 DWORD exit_code; | |
205 if (::GetExitCodeProcess(proc_info.hProcess, &exit_code) && | |
206 exit_code == 0) { | |
207 // icacls was successful. | |
208 setup_success = true; | |
209 } | |
210 } | |
211 else { | |
Will Harris
2016/01/25 19:32:35
please run git cl format to format these. should b
penny
2016/01/26 22:37:10
Done.
| |
212 ::TerminateProcess(proc_info.hProcess, 0); | |
213 } | |
214 ::CloseHandle(proc_info.hProcess); | |
215 ::CloseHandle(proc_info.hThread); | |
216 } | |
217 | |
218 if (setup_success) { | |
219 // Initialize a TestRunner that can CreateProcess. | |
220 // I.e.: do NOT disable ALPCs/CSRSS for this test. | |
221 sandbox::TestRunner runner(true); | |
222 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
223 | |
224 // Set a policy that would normally allow for process creation. | |
225 policy->SetJobLevel(sandbox::JOB_NONE, 0); | |
226 policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); | |
227 | |
228 if (!is_success_test) { | |
229 // Enable the NoLowLabel mitigation. | |
230 EXPECT_EQ( | |
231 policy->SetDelayedProcessMitigations( | |
232 sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), | |
233 sandbox::SBOX_ALL_OK); | |
234 } | |
235 | |
236 std::wstring test = L"TestChildProcess "; | |
237 test += new_path.c_str(); | |
238 test += ((is_success_test) ? L" success" : L" failure"); | |
239 EXPECT_EQ(sandbox::SBOX_TEST_SUCCEEDED, | |
240 runner.RunTest(test.c_str())); | |
241 } | |
242 else { | |
243 // If setup failed, make sure to fail the test. | |
244 EXPECT_TRUE(setup_success); | |
245 } | |
246 | |
247 // Clean up. | |
248 EXPECT_TRUE(::DeleteFileW(new_path.c_str())); | |
249 } | |
250 | |
86 } // namespace | 251 } // namespace |
87 | 252 |
88 namespace sandbox { | 253 namespace sandbox { |
89 | 254 |
255 // A shared helper test command that will attempt to CreateProcess | |
256 // with a given command line and an expected result. | |
257 // | |
258 // ***Make sure you've enabled basic process creation in the sandbox | |
259 // settings via sandbox::JobLevel, sandbox::TokenLevel, | |
260 // and initialize the TestRunner with "true" | |
261 // argument to enable interaction with CSRSS in the kernel. | |
262 SBOX_TESTS_COMMAND int TestChildProcess(int argc, wchar_t** argv) { | |
263 if (argc < 2) | |
264 return SBOX_TEST_INVALID_PARAMETER; | |
265 | |
266 // Initialize the startup information from the policy. | |
267 STARTUPINFOW startup_info = {}; | |
268 startup_info.cb = sizeof(startup_info); | |
269 PROCESS_INFORMATION proc_info = {}; | |
270 std::wstring path = argv[0]; | |
271 std::wstring outcome = argv[1]; | |
272 bool success_expected = (0 == outcome.compare(L"success")) ? true : false; | |
273 | |
274 scoped_ptr<wchar_t, base::FreeDeleter> cmd_line(_wcsdup(path.c_str())); | |
275 if (::CreateProcessW(NULL, cmd_line.get(), NULL, NULL, false, 0, NULL, NULL, | |
276 &startup_info, &proc_info)) { | |
277 ::TerminateProcess(proc_info.hProcess, 0); | |
278 ::CloseHandle(proc_info.hProcess); | |
279 ::CloseHandle(proc_info.hThread); | |
280 | |
281 return (success_expected) ? SBOX_TEST_SUCCEEDED : SBOX_TEST_FIRST_ERROR; | |
282 } | |
283 else { | |
284 // Note: GetLastError returns 5, "ERROR_ACCESS_DENIED". | |
285 return (success_expected) ? SBOX_TEST_FIRST_ERROR : SBOX_TEST_SUCCEEDED; | |
286 } | |
287 } | |
288 | |
289 /*****************************************************************************/ | |
290 // Win8 Checks | |
291 // MITIGATION_DEP(_NO_ATL_THUNK) | |
292 // MITIGATION_EXTENSION_DLL_DISABLE | |
293 // MITIGATION_RELOCATE_IMAGE(_REQUIRED) - ASLR, release only | |
294 // MITIGATION_STRICT_HANDLE_CHECKS | |
295 // >= Win8 | |
296 /*****************************************************************************/ | |
297 | |
90 SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) { | 298 SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) { |
91 get_process_mitigation_policy = | 299 get_process_mitigation_policy = |
92 reinterpret_cast<GetProcessMitigationPolicyFunction>( | 300 reinterpret_cast<GetProcessMitigationPolicyFunction>( |
93 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | 301 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), |
94 "GetProcessMitigationPolicy")); | 302 "GetProcessMitigationPolicy")); |
95 if (!get_process_mitigation_policy) | 303 if (!get_process_mitigation_policy) |
96 return SBOX_TEST_NOT_FOUND; | 304 return SBOX_TEST_NOT_FOUND; |
97 | 305 |
98 #if !defined(_WIN64) // DEP is always enabled on 64-bit. | 306 #if !defined(_WIN64) // DEP is always enabled on 64-bit. |
99 if (!CheckWin8DepPolicy()) | 307 if (!CheckWin8DepPolicy()) |
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
131 | 339 |
132 EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK); | 340 EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK); |
133 | 341 |
134 mitigations |= MITIGATION_STRICT_HANDLE_CHECKS; | 342 mitigations |= MITIGATION_STRICT_HANDLE_CHECKS; |
135 | 343 |
136 EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK); | 344 EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK); |
137 | 345 |
138 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8")); | 346 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8")); |
139 } | 347 } |
140 | 348 |
349 /*****************************************************************************/ | |
350 // DEP (MITIGATION_DEP) | |
351 // < Win8 x86 | |
352 /*****************************************************************************/ | |
141 | 353 |
142 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) { | 354 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) { |
143 GetProcessDEPPolicyFunction get_process_dep_policy = | 355 GetProcessDEPPolicyFunction get_process_dep_policy = |
144 reinterpret_cast<GetProcessDEPPolicyFunction>( | 356 reinterpret_cast<GetProcessDEPPolicyFunction>( |
145 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | 357 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), |
146 "GetProcessDEPPolicy")); | 358 "GetProcessDEPPolicy")); |
147 if (get_process_dep_policy) { | 359 if (get_process_dep_policy) { |
148 BOOL is_permanent = FALSE; | 360 BOOL is_permanent = FALSE; |
149 DWORD dep_flags = 0; | 361 DWORD dep_flags = 0; |
150 | 362 |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
194 | 406 |
195 EXPECT_EQ(policy->SetProcessMitigations( | 407 EXPECT_EQ(policy->SetProcessMitigations( |
196 MITIGATION_DEP | | 408 MITIGATION_DEP | |
197 MITIGATION_DEP_NO_ATL_THUNK | | 409 MITIGATION_DEP_NO_ATL_THUNK | |
198 MITIGATION_SEHOP), | 410 MITIGATION_SEHOP), |
199 SBOX_ALL_OK); | 411 SBOX_ALL_OK); |
200 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep")); | 412 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep")); |
201 } | 413 } |
202 #endif | 414 #endif |
203 | 415 |
416 /*****************************************************************************/ | |
417 // Win32k Lockdown (MITIGATION_WIN32K_DISABLE) | |
418 // >= Win8 | |
419 /*****************************************************************************/ | |
420 | |
204 SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) { | 421 SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) { |
205 get_process_mitigation_policy = | 422 get_process_mitigation_policy = |
206 reinterpret_cast<GetProcessMitigationPolicyFunction>( | 423 reinterpret_cast<GetProcessMitigationPolicyFunction>( |
207 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | 424 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), |
208 "GetProcessMitigationPolicy")); | 425 "GetProcessMitigationPolicy")); |
209 if (!get_process_mitigation_policy) | 426 if (!get_process_mitigation_policy) |
210 return SBOX_TEST_NOT_FOUND; | 427 return SBOX_TEST_NOT_FOUND; |
211 | 428 |
212 if (!CheckWin8Win32CallPolicy()) | 429 if (!CheckWin8Win32CallPolicy()) |
213 return SBOX_TEST_FIRST_ERROR; | 430 return SBOX_TEST_FIRST_ERROR; |
(...skipping 27 matching lines...) Expand all Loading... | |
241 sandbox::TargetPolicy* policy = runner.GetPolicy(); | 458 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
242 | 459 |
243 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE), | 460 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE), |
244 SBOX_ALL_OK); | 461 SBOX_ALL_OK); |
245 EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN, | 462 EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN, |
246 sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL), | 463 sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL), |
247 sandbox::SBOX_ALL_OK); | 464 sandbox::SBOX_ALL_OK); |
248 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown")); | 465 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown")); |
249 } | 466 } |
250 | 467 |
468 /*****************************************************************************/ | |
469 // Disable non-system font loads (MITIGATION_NONSYSTEM_FONT_DISABLE) | |
470 // >= Win10 | |
471 /*****************************************************************************/ | |
472 | |
473 SBOX_TESTS_COMMAND int CheckWin10FontLockDown(int argc, wchar_t** argv) { | |
474 get_process_mitigation_policy = | |
475 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( | |
476 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
477 if (!get_process_mitigation_policy) | |
478 return SBOX_TEST_NOT_FOUND; | |
479 | |
480 if (!CheckWin10FontPolicy()) | |
481 return SBOX_TEST_FIRST_ERROR; | |
482 return SBOX_TEST_SUCCEEDED; | |
483 } | |
484 | |
485 SBOX_TESTS_COMMAND int CheckWin10FontLoad(int argc, wchar_t** argv) { | |
486 if (argc < 2) | |
487 return SBOX_TEST_INVALID_PARAMETER; | |
488 | |
489 std::wstring outcome = argv[1]; | |
490 bool success_expected = (0 == outcome.compare(L"success")) ? true : false; | |
491 | |
492 HMODULE gdi_module = ::LoadLibraryW(L"gdi32.dll"); | |
493 if (!gdi_module) | |
494 return SBOX_TEST_NOT_FOUND; | |
495 | |
496 AddFontMemResourceExFunction add_font_mem_resource = | |
497 reinterpret_cast<AddFontMemResourceExFunction>( | |
498 ::GetProcAddress(gdi_module, "AddFontMemResourceEx")); | |
499 | |
500 RemoveFontMemResourceExFunction rem_font_mem_resource = | |
501 reinterpret_cast<RemoveFontMemResourceExFunction>( | |
502 ::GetProcAddress(gdi_module, "RemoveFontMemResourceEx")); | |
503 | |
504 if (!add_font_mem_resource || !rem_font_mem_resource) | |
505 return SBOX_TEST_NOT_FOUND; | |
506 | |
507 // Load font file passed in as an argument. | |
508 std::vector<char> font_data; | |
509 if (!LoadFileToMemory(argv[0], font_data)) | |
510 return SBOX_TEST_NOT_FOUND; | |
511 | |
512 DWORD font_count = 0; | |
513 HANDLE font_handle = add_font_mem_resource( | |
514 &font_data[0], static_cast<DWORD>(font_data.size()), NULL, &font_count); | |
515 | |
516 if (font_handle) { | |
517 rem_font_mem_resource(font_handle); | |
518 return (success_expected) ? SBOX_TEST_SUCCEEDED : SBOX_TEST_FIRST_ERROR; | |
519 } | |
520 else { | |
521 // Note: GetLastError returns 5, "ERROR_ACCESS_DENIED". | |
522 return (success_expected) ? SBOX_TEST_FIRST_ERROR : SBOX_TEST_SUCCEEDED; | |
523 } | |
524 | |
525 return SBOX_TEST_SUCCEEDED; | |
526 } | |
527 | |
528 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE | |
529 // mitigation enables the setting on a process. | |
530 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownPolicySuccess) { | |
531 if (base::win::GetVersion() < base::win::VERSION_WIN10) | |
532 return; | |
533 | |
534 TestRunner runner; | |
535 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
536 | |
537 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), | |
538 SBOX_ALL_OK); | |
539 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin10FontLockDown")); | |
540 } | |
541 | |
542 // This test validates that we can load a non-system font | |
543 // if the MITIGATION_NON_SYSTEM_FONTS_DISABLE | |
544 // mitigation is NOT set. | |
545 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadSuccess) { | |
546 if (base::win::GetVersion() < base::win::VERSION_WIN10) | |
547 return; | |
548 | |
549 TestRunner runner; | |
550 | |
551 WCHAR dir_buffer[MAX_PATH]; | |
552 EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH)); | |
553 std::wstring font_name = dir_buffer; | |
554 // Arial font should always be available | |
555 font_name = font_name + L"\\fonts\\arial.ttf"; | |
556 | |
557 EXPECT_TRUE( | |
558 runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, font_name.c_str())); | |
559 | |
560 std::wstring test_command = | |
561 L"CheckWin10FontLoad \"" + font_name + L"\" success"; | |
562 | |
563 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); | |
564 } | |
565 | |
566 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE | |
567 // mitigation prevents the loading of a non-system font. | |
568 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadFailure) { | |
569 if (base::win::GetVersion() < base::win::VERSION_WIN10) | |
570 return; | |
571 | |
572 TestRunner runner; | |
573 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
574 | |
575 WCHAR dir_buffer[MAX_PATH]; | |
576 EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH)); | |
577 std::wstring font_name = dir_buffer; | |
578 // Arial font should always be available | |
579 font_name = font_name + L"\\fonts\\arial.ttf"; | |
580 | |
581 // Turn on the non-system font disable mitigation. | |
582 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), | |
583 SBOX_ALL_OK); | |
584 EXPECT_TRUE( | |
585 runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, font_name.c_str())); | |
586 | |
587 std::wstring test_command = | |
588 L"CheckWin10FontLoad \"" + font_name + L"\" failure"; | |
589 | |
590 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); | |
591 } | |
592 | |
593 /*****************************************************************************/ | |
594 // Disable image load from remote devices (MITIGATION_IMAGE_LOAD_NO_REMOTE). | |
595 // >= Win10_10586 | |
596 /*****************************************************************************/ | |
597 | |
598 SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoRemote(int argc, wchar_t** argv) { | |
599 get_process_mitigation_policy = | |
600 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( | |
601 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
602 if (!get_process_mitigation_policy) | |
603 return SBOX_TEST_NOT_FOUND; | |
604 | |
605 if (!CheckWin10ImageLoadNoRemotePolicy()) | |
606 return SBOX_TEST_FIRST_ERROR; | |
607 return SBOX_TEST_SUCCEEDED; | |
608 } | |
609 | |
610 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE | |
611 // mitigation enables the setting on a process. | |
612 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoRemotePolicySuccess) { | |
613 if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) | |
614 return; | |
615 | |
616 TestRunner runner; | |
617 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
618 | |
619 EXPECT_EQ( | |
620 policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_REMOTE), | |
621 SBOX_ALL_OK); | |
622 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
623 runner.RunTest(L"CheckWin10ImageLoadNoRemote")); | |
624 } | |
625 | |
626 // This test validates that we CAN create a new process from | |
627 // a remote UNC device, if the MITIGATION_IMAGE_LOAD_NO_REMOTE | |
628 // mitigation is NOT set. | |
629 // | |
630 // DISABLED for automated testing bots. Enable for manual testing. | |
631 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteSuccess) { | |
632 if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) | |
633 return; | |
634 | |
635 TestWin10ImageLoadRemote(true); | |
636 } | |
637 | |
638 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE | |
639 // mitigation prevents creating a new process from a remote | |
640 // UNC device. | |
641 // | |
642 // DISABLED for automated testing bots. Enable for manual testing. | |
643 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteFailure) { | |
644 if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) | |
645 return; | |
646 | |
647 TestWin10ImageLoadRemote(false); | |
648 } | |
649 | |
650 /*****************************************************************************/ | |
651 // Disable image load when "mandatory low label" (integrity level). | |
652 // (MITIGATION_IMAGE_LOAD_NO_LOW_LABEL) | |
653 // >= Win10_10586 | |
654 /*****************************************************************************/ | |
655 | |
656 SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoLowLabel(int argc, wchar_t** argv) { | |
657 get_process_mitigation_policy = | |
658 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( | |
659 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
660 if (!get_process_mitigation_policy) | |
661 return SBOX_TEST_NOT_FOUND; | |
662 | |
663 if (!CheckWin10ImageLoadNoLowLabelPolicy()) | |
664 return SBOX_TEST_FIRST_ERROR; | |
665 return SBOX_TEST_SUCCEEDED; | |
666 } | |
667 | |
668 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | |
669 // mitigation enables the setting on a process. | |
670 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelPolicySuccess) { | |
671 if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) | |
672 return; | |
673 | |
674 TestRunner runner; | |
675 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
676 | |
677 EXPECT_EQ( | |
678 policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), | |
679 SBOX_ALL_OK); | |
680 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
681 runner.RunTest(L"CheckWin10ImageLoadNoLowLabel")); | |
682 } | |
683 | |
684 // This test validates that we CAN create a new process with | |
685 // low mandatory label (IL), if the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | |
686 // mitigation is NOT set. | |
687 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelSuccess) { | |
688 if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) | |
689 return; | |
690 | |
691 TestWin10ImageLoadLowLabel(true); | |
692 } | |
693 | |
694 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | |
695 // mitigation prevents creating a new process with low mandatory label (IL). | |
696 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelFailure) { | |
697 if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) | |
698 return; | |
699 | |
700 TestWin10ImageLoadLowLabel(false); | |
701 } | |
702 | |
703 /*****************************************************************************/ | |
704 // Disable child process creation. | |
705 // (MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED) | |
706 // >= Win10_10586 | |
707 /*****************************************************************************/ | |
708 | |
709 // This test validates that we can spawn a child process if | |
710 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation is | |
711 // not set. | |
712 TEST(ProcessMitigationsTest, CheckWin10ChildProcessSuccess) { | |
713 if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) | |
714 return; | |
715 | |
716 // Initialize a TestRunner that can CreateProcess. | |
717 // I.e.: do NOT disable ALPCs/CSRSS for this test. | |
718 TestRunner runner(true); | |
719 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
720 | |
721 // Set a policy that would normally allow for process creation. | |
722 policy->SetJobLevel(JOB_NONE, 0); | |
723 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); | |
724 | |
725 std::wstring test_command = L"TestChildProcess "; | |
726 WCHAR dir_buffer[MAX_PATH]; | |
727 EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH)); | |
728 test_command += dir_buffer; | |
729 test_command += L"\\System32\\calc.exe success"; | |
730 | |
731 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); | |
732 } | |
733 | |
734 // This test validates that setting the | |
735 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation prevents | |
736 // the spawning of child processes. | |
737 TEST(ProcessMitigationsTest, CheckWin10ChildProcessFailure) { | |
738 if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) | |
739 return; | |
740 | |
741 // Initialize a TestRunner that can CreateProcess. | |
742 // I.e.: do NOT disable ALPCs/CSRSS for this test. | |
743 TestRunner runner(true); | |
744 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
745 | |
746 // Set a policy that would normally allow for process creation. | |
747 policy->SetJobLevel(JOB_NONE, 0); | |
748 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); | |
749 | |
750 // Turn on the child process restriction mitigation. | |
751 EXPECT_EQ(policy->SetProcessMitigations( | |
752 MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED), | |
753 SBOX_ALL_OK); | |
754 | |
755 std::wstring test_command = L"TestChildProcess "; | |
756 WCHAR dir_buffer[MAX_PATH]; | |
757 EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH)); | |
758 test_command += dir_buffer; | |
759 test_command += L"\\System32\\calc.exe failure"; | |
760 | |
761 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); | |
762 } | |
763 | |
251 } // namespace sandbox | 764 } // namespace sandbox |
252 | 765 |
OLD | NEW |