OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/files/file_util.h" | |
6 #include "base/files/scoped_temp_dir.h" | |
7 #include "base/memory/scoped_ptr.h" | |
8 #include "base/path_service.h" | |
9 #include "base/process/launch.h" | |
5 #include "base/strings/stringprintf.h" | 10 #include "base/strings/stringprintf.h" |
6 #include "base/win/scoped_handle.h" | 11 #include "base/win/scoped_handle.h" |
7 | |
8 #include "base/win/windows_version.h" | 12 #include "base/win/windows_version.h" |
9 #include "sandbox/win/src/nt_internals.h" | 13 #include "sandbox/win/src/nt_internals.h" |
10 #include "sandbox/win/src/process_mitigations.h" | 14 #include "sandbox/win/src/process_mitigations.h" |
11 #include "sandbox/win/src/sandbox.h" | 15 #include "sandbox/win/src/sandbox.h" |
12 #include "sandbox/win/src/sandbox_factory.h" | 16 #include "sandbox/win/src/sandbox_factory.h" |
13 #include "sandbox/win/src/target_services.h" | 17 #include "sandbox/win/src/target_services.h" |
14 #include "sandbox/win/src/win_utils.h" | 18 #include "sandbox/win/src/win_utils.h" |
15 #include "sandbox/win/tests/common/controller.h" | 19 #include "sandbox/win/tests/common/controller.h" |
16 #include "testing/gtest/include/gtest/gtest.h" | 20 #include "testing/gtest/include/gtest/gtest.h" |
17 | 21 |
18 namespace { | 22 namespace { |
19 | 23 |
20 typedef BOOL (WINAPI *GetProcessDEPPolicyFunction)( | 24 // API defined in winbase.h. |
21 HANDLE process, | 25 typedef decltype(GetProcessDEPPolicy)* GetProcessDEPPolicyFunction; |
22 LPDWORD flags, | |
23 PBOOL permanent); | |
24 | 26 |
25 typedef BOOL (WINAPI *GetProcessMitigationPolicyFunction)( | 27 // API defined in processthreadsapi.h. |
26 HANDLE process, | 28 typedef decltype( |
27 PROCESS_MITIGATION_POLICY mitigation_policy, | 29 GetProcessMitigationPolicy)* GetProcessMitigationPolicyFunction; |
28 PVOID buffer, | 30 GetProcessMitigationPolicyFunction get_process_mitigation_policy; |
29 SIZE_T length); | |
30 | 31 |
31 GetProcessMitigationPolicyFunction get_process_mitigation_policy; | 32 // APIs defined in wingdi.h. |
33 typedef decltype(AddFontMemResourceEx)* AddFontMemResourceExFunction; | |
34 typedef decltype(RemoveFontMemResourceEx)* RemoveFontMemResourceExFunction; | |
32 | 35 |
33 #if !defined(_WIN64) | 36 #if !defined(_WIN64) |
34 bool CheckWin8DepPolicy() { | 37 bool CheckWin8DepPolicy() { |
35 PROCESS_MITIGATION_DEP_POLICY policy = {}; | 38 PROCESS_MITIGATION_DEP_POLICY policy = {}; |
36 if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy, | 39 if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy, |
37 &policy, sizeof(policy))) { | 40 &policy, sizeof(policy))) { |
38 return false; | 41 return false; |
39 } | 42 } |
40 return policy.Enable && policy.Permanent; | 43 return policy.Enable && policy.Permanent; |
41 } | 44 } |
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
76 bool CheckWin8DllExtensionPolicy() { | 79 bool CheckWin8DllExtensionPolicy() { |
77 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; | 80 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; |
78 if (!get_process_mitigation_policy(::GetCurrentProcess(), | 81 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
79 ProcessExtensionPointDisablePolicy, | 82 ProcessExtensionPointDisablePolicy, |
80 &policy, sizeof(policy))) { | 83 &policy, sizeof(policy))) { |
81 return false; | 84 return false; |
82 } | 85 } |
83 return policy.DisableExtensionPoints; | 86 return policy.DisableExtensionPoints; |
84 } | 87 } |
85 | 88 |
89 bool CheckWin10FontPolicy() { | |
90 PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {}; | |
91 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
92 ProcessFontDisablePolicy, &policy, | |
93 sizeof(policy))) { | |
94 return false; | |
95 } | |
96 return policy.DisableNonSystemFonts; | |
97 } | |
98 | |
99 bool CheckWin10ImageLoadNoRemotePolicy() { | |
100 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; | |
101 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
102 ProcessImageLoadPolicy, &policy, | |
103 sizeof(policy))) { | |
104 return false; | |
105 } | |
106 return policy.NoRemoteImages; | |
107 } | |
108 | |
109 void TestWin10ImageLoadRemote(bool is_success_test) { | |
110 // ***Insert your manual testing share UNC path here! | |
111 // E.g.: \\\\hostname\\sharename\\calc.exe | |
112 std::wstring unc = L"\"\\\\hostname\\sharename\\calc.exe\""; | |
113 | |
114 sandbox::TestRunner runner; | |
115 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
116 | |
117 // Set a policy that would normally allow for process creation. | |
118 policy->SetJobLevel(sandbox::JOB_NONE, 0); | |
119 policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); | |
120 runner.SetDisableCsrss(false); | |
121 | |
122 if (!is_success_test) { | |
123 // Enable the NoRemote mitigation. | |
124 EXPECT_EQ(policy->SetDelayedProcessMitigations( | |
125 sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE), | |
126 sandbox::SBOX_ALL_OK); | |
127 } | |
128 | |
129 std::wstring test = L"TestChildProcess "; | |
130 test += unc.c_str(); | |
131 EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED | |
132 : sandbox::SBOX_TEST_FAILED), | |
133 runner.RunTest(test.c_str())); | |
134 } | |
135 | |
136 bool CheckWin10ImageLoadNoLowLabelPolicy() { | |
137 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; | |
138 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
139 ProcessImageLoadPolicy, &policy, | |
140 sizeof(policy))) { | |
141 return false; | |
142 } | |
143 return policy.NoLowMandatoryLabelImages; | |
144 } | |
145 | |
146 void TestWin10ImageLoadLowLabel(bool is_success_test) { | |
147 // Setup a mandatory low executable for this test (calc.exe). | |
148 // If anything fails during setup, ASSERT to end test. | |
149 base::FilePath orig_path; | |
150 ASSERT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &orig_path)); | |
151 orig_path = orig_path.Append(L"calc.exe"); | |
152 | |
153 base::ScopedTempDir temp_dir; | |
154 ASSERT_TRUE(temp_dir.CreateUniqueTempDir()); | |
155 base::FilePath new_path = temp_dir.path(); | |
156 new_path = new_path.Append(L"lowIL_calc.exe"); | |
157 | |
158 // Test file will be cleaned up by the ScopedTempDir. | |
159 ASSERT_TRUE(base::CopyFileW(orig_path, new_path)); | |
160 | |
161 std::wstring cmd_line = L"icacls \""; | |
162 cmd_line += new_path.value().c_str(); | |
163 cmd_line += L"\" /setintegritylevel Low"; | |
164 | |
165 base::LaunchOptions options = base::LaunchOptionsForTest(); | |
166 base::Process setup_proc = base::LaunchProcess(cmd_line.c_str(), options); | |
167 ASSERT_TRUE(setup_proc.IsValid()); | |
168 | |
169 int exit_code = 1; | |
170 if (!setup_proc.WaitForExitWithTimeout(base::TimeDelta::FromSeconds(10), | |
171 &exit_code)) { | |
172 // Might have timed out, or might have failed. | |
173 // Terminate to make sure we clean up any mess. | |
174 setup_proc.Terminate(0, false); | |
175 ASSERT_TRUE(false); | |
176 } | |
177 // Make sure icacls was successful. | |
178 ASSERT_TRUE(exit_code == 0); | |
Will Harris
2016/02/01 21:33:57
ASSERT_EQ so you get the print out of the exit_cod
penny
2016/02/02 00:10:01
Done. My gTest mind is blown once again. Didn't
Will Harris
2016/02/02 01:19:18
Sorry! One more nit: this should be
ASSERT_EQ(0,
| |
179 | |
180 sandbox::TestRunner runner; | |
181 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
182 | |
183 // Set a policy that would normally allow for process creation. | |
184 policy->SetJobLevel(sandbox::JOB_NONE, 0); | |
185 policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); | |
186 runner.SetDisableCsrss(false); | |
187 | |
188 if (!is_success_test) { | |
189 // Enable the NoLowLabel mitigation. | |
190 EXPECT_EQ(policy->SetDelayedProcessMitigations( | |
191 sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), | |
192 sandbox::SBOX_ALL_OK); | |
193 } | |
194 | |
195 std::wstring test = L"TestChildProcess "; | |
196 test += new_path.value().c_str(); | |
197 | |
198 EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED | |
199 : sandbox::SBOX_TEST_FAILED), | |
200 runner.RunTest(test.c_str())); | |
201 } | |
202 | |
86 } // namespace | 203 } // namespace |
87 | 204 |
88 namespace sandbox { | 205 namespace sandbox { |
89 | 206 |
207 // A shared helper test command that will attempt to CreateProcess | |
208 // with a given command line. | |
209 // | |
210 // ***Make sure you've enabled basic process creation in the | |
211 // test sandbox settings via: | |
212 // sandbox::TargetPolicy::SetJobLevel(), | |
213 // sandbox::TargetPolicy::SetTokenLevel(), | |
214 // and TestRunner::SetDisableCsrss(). | |
215 SBOX_TESTS_COMMAND int TestChildProcess(int argc, wchar_t** argv) { | |
216 if (argc < 1) | |
217 return SBOX_TEST_INVALID_PARAMETER; | |
218 | |
219 std::wstring cmd = argv[0]; | |
220 base::LaunchOptions options = base::LaunchOptionsForTest(); | |
221 base::Process setup_proc = base::LaunchProcess(cmd.c_str(), options); | |
222 | |
223 if (setup_proc.IsValid()) { | |
224 setup_proc.Terminate(0, false); | |
225 return SBOX_TEST_SUCCEEDED; | |
226 } | |
227 // Note: GetLastError from CreateProcess returns 5, "ERROR_ACCESS_DENIED". | |
228 return SBOX_TEST_FAILED; | |
229 } | |
230 | |
231 //------------------------------------------------------------------------------ | |
Will Harris
2016/02/01 21:33:57
like++ the extra -
penny
2016/02/02 00:10:01
Acknowledged.
| |
232 // Win8 Checks: | |
233 // MITIGATION_DEP(_NO_ATL_THUNK) | |
234 // MITIGATION_EXTENSION_DLL_DISABLE | |
235 // MITIGATION_RELOCATE_IMAGE(_REQUIRED) - ASLR, release only | |
236 // MITIGATION_STRICT_HANDLE_CHECKS | |
237 // >= Win8 | |
238 //------------------------------------------------------------------------------ | |
239 | |
90 SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) { | 240 SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) { |
91 get_process_mitigation_policy = | 241 get_process_mitigation_policy = |
92 reinterpret_cast<GetProcessMitigationPolicyFunction>( | 242 reinterpret_cast<GetProcessMitigationPolicyFunction>( |
93 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | 243 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), |
94 "GetProcessMitigationPolicy")); | 244 "GetProcessMitigationPolicy")); |
95 if (!get_process_mitigation_policy) | 245 if (!get_process_mitigation_policy) |
96 return SBOX_TEST_NOT_FOUND; | 246 return SBOX_TEST_NOT_FOUND; |
97 | 247 |
98 #if !defined(_WIN64) // DEP is always enabled on 64-bit. | 248 #if !defined(_WIN64) // DEP is always enabled on 64-bit. |
99 if (!CheckWin8DepPolicy()) | 249 if (!CheckWin8DepPolicy()) |
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
131 | 281 |
132 EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK); | 282 EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK); |
133 | 283 |
134 mitigations |= MITIGATION_STRICT_HANDLE_CHECKS; | 284 mitigations |= MITIGATION_STRICT_HANDLE_CHECKS; |
135 | 285 |
136 EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK); | 286 EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK); |
137 | 287 |
138 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8")); | 288 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8")); |
139 } | 289 } |
140 | 290 |
291 //------------------------------------------------------------------------------ | |
292 // DEP (MITIGATION_DEP) | |
293 // < Win8 x86 | |
294 //------------------------------------------------------------------------------ | |
141 | 295 |
142 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) { | 296 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) { |
143 GetProcessDEPPolicyFunction get_process_dep_policy = | 297 GetProcessDEPPolicyFunction get_process_dep_policy = |
144 reinterpret_cast<GetProcessDEPPolicyFunction>( | 298 reinterpret_cast<GetProcessDEPPolicyFunction>( |
145 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | 299 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), |
146 "GetProcessDEPPolicy")); | 300 "GetProcessDEPPolicy")); |
147 if (get_process_dep_policy) { | 301 if (get_process_dep_policy) { |
148 BOOL is_permanent = FALSE; | 302 BOOL is_permanent = FALSE; |
149 DWORD dep_flags = 0; | 303 DWORD dep_flags = 0; |
150 | 304 |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
194 | 348 |
195 EXPECT_EQ(policy->SetProcessMitigations( | 349 EXPECT_EQ(policy->SetProcessMitigations( |
196 MITIGATION_DEP | | 350 MITIGATION_DEP | |
197 MITIGATION_DEP_NO_ATL_THUNK | | 351 MITIGATION_DEP_NO_ATL_THUNK | |
198 MITIGATION_SEHOP), | 352 MITIGATION_SEHOP), |
199 SBOX_ALL_OK); | 353 SBOX_ALL_OK); |
200 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep")); | 354 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep")); |
201 } | 355 } |
202 #endif | 356 #endif |
203 | 357 |
358 //------------------------------------------------------------------------------ | |
359 // Win32k Lockdown (MITIGATION_WIN32K_DISABLE) | |
360 // >= Win8 | |
361 //------------------------------------------------------------------------------ | |
362 | |
204 SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) { | 363 SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) { |
205 get_process_mitigation_policy = | 364 get_process_mitigation_policy = |
206 reinterpret_cast<GetProcessMitigationPolicyFunction>( | 365 reinterpret_cast<GetProcessMitigationPolicyFunction>( |
207 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | 366 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), |
208 "GetProcessMitigationPolicy")); | 367 "GetProcessMitigationPolicy")); |
209 if (!get_process_mitigation_policy) | 368 if (!get_process_mitigation_policy) |
210 return SBOX_TEST_NOT_FOUND; | 369 return SBOX_TEST_NOT_FOUND; |
211 | 370 |
212 if (!CheckWin8Win32CallPolicy()) | 371 if (!CheckWin8Win32CallPolicy()) |
213 return SBOX_TEST_FIRST_ERROR; | 372 return SBOX_TEST_FIRST_ERROR; |
(...skipping 27 matching lines...) Expand all Loading... | |
241 sandbox::TargetPolicy* policy = runner.GetPolicy(); | 400 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
242 | 401 |
243 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE), | 402 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE), |
244 SBOX_ALL_OK); | 403 SBOX_ALL_OK); |
245 EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN, | 404 EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN, |
246 sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL), | 405 sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL), |
247 sandbox::SBOX_ALL_OK); | 406 sandbox::SBOX_ALL_OK); |
248 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown")); | 407 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown")); |
249 } | 408 } |
250 | 409 |
410 //------------------------------------------------------------------------------ | |
411 // Disable non-system font loads (MITIGATION_NONSYSTEM_FONT_DISABLE) | |
412 // >= Win10 | |
413 //------------------------------------------------------------------------------ | |
414 | |
415 SBOX_TESTS_COMMAND int CheckWin10FontLockDown(int argc, wchar_t** argv) { | |
416 get_process_mitigation_policy = | |
417 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( | |
418 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
419 if (!get_process_mitigation_policy) | |
420 return SBOX_TEST_NOT_FOUND; | |
421 | |
422 if (!CheckWin10FontPolicy()) | |
423 return SBOX_TEST_FIRST_ERROR; | |
424 return SBOX_TEST_SUCCEEDED; | |
425 } | |
426 | |
427 SBOX_TESTS_COMMAND int CheckWin10FontLoad(int argc, wchar_t** argv) { | |
428 if (argc < 1) | |
429 return SBOX_TEST_INVALID_PARAMETER; | |
430 | |
431 HMODULE gdi_module = ::LoadLibraryW(L"gdi32.dll"); | |
432 if (!gdi_module) | |
433 return SBOX_TEST_NOT_FOUND; | |
434 | |
435 AddFontMemResourceExFunction add_font_mem_resource = | |
436 reinterpret_cast<AddFontMemResourceExFunction>( | |
437 ::GetProcAddress(gdi_module, "AddFontMemResourceEx")); | |
438 | |
439 RemoveFontMemResourceExFunction rem_font_mem_resource = | |
440 reinterpret_cast<RemoveFontMemResourceExFunction>( | |
441 ::GetProcAddress(gdi_module, "RemoveFontMemResourceEx")); | |
442 | |
443 if (!add_font_mem_resource || !rem_font_mem_resource) | |
444 return SBOX_TEST_NOT_FOUND; | |
445 | |
446 // Open font file passed in as an argument. | |
447 base::File file(base::FilePath(argv[0]), | |
448 base::File::FLAG_OPEN | base::File::FLAG_READ); | |
449 if (!file.IsValid()) | |
450 // Failed to open the font file passed in. | |
451 return SBOX_TEST_NOT_FOUND; | |
452 | |
453 std::vector<char> font_data; | |
454 int64_t len = file.GetLength(); | |
455 font_data.resize(len); | |
456 | |
457 int read = file.Read(0, &font_data[0], len); | |
458 file.Close(); | |
459 | |
460 if (read != len) | |
461 return SBOX_TEST_NOT_FOUND; | |
462 | |
463 DWORD font_count = 0; | |
464 HANDLE font_handle = add_font_mem_resource( | |
465 &font_data[0], static_cast<DWORD>(font_data.size()), NULL, &font_count); | |
466 | |
467 if (font_handle) { | |
468 rem_font_mem_resource(font_handle); | |
469 return SBOX_TEST_SUCCEEDED; | |
470 } | |
471 | |
472 return SBOX_TEST_FAILED; | |
473 } | |
474 | |
475 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE | |
476 // mitigation enables the setting on a process. | |
477 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownPolicySuccess) { | |
478 if (base::win::GetVersion() < base::win::VERSION_WIN10) | |
479 return; | |
480 | |
481 TestRunner runner; | |
482 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
483 | |
484 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), | |
485 SBOX_ALL_OK); | |
486 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin10FontLockDown")); | |
487 } | |
488 | |
489 // This test validates that we can load a non-system font | |
490 // if the MITIGATION_NON_SYSTEM_FONTS_DISABLE | |
491 // mitigation is NOT set. | |
492 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadSuccess) { | |
493 if (base::win::GetVersion() < base::win::VERSION_WIN10) | |
494 return; | |
495 | |
496 base::FilePath font_path; | |
497 EXPECT_TRUE(base::PathService::Get(base::DIR_WINDOWS_FONTS, &font_path)); | |
498 // Arial font should always be available | |
499 font_path = font_path.Append(L"arial.ttf"); | |
500 | |
501 TestRunner runner; | |
502 EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, | |
503 font_path.value().c_str())); | |
504 | |
505 std::wstring test_command = L"CheckWin10FontLoad \""; | |
506 test_command += font_path.value().c_str(); | |
507 test_command += L"\""; | |
508 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); | |
509 } | |
510 | |
511 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE | |
512 // mitigation prevents the loading of a non-system font. | |
513 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadFailure) { | |
514 if (base::win::GetVersion() < base::win::VERSION_WIN10) | |
515 return; | |
516 | |
517 base::FilePath font_path; | |
518 EXPECT_TRUE(base::PathService::Get(base::DIR_WINDOWS_FONTS, &font_path)); | |
519 // Arial font should always be available | |
520 font_path = font_path.Append(L"arial.ttf"); | |
521 | |
522 TestRunner runner; | |
523 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
524 EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, | |
525 font_path.value().c_str())); | |
526 | |
527 // Turn on the non-system font disable mitigation. | |
528 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), | |
529 SBOX_ALL_OK); | |
530 | |
531 std::wstring test_command = L"CheckWin10FontLoad \""; | |
532 test_command += font_path.value().c_str(); | |
533 test_command += L"\""; | |
534 | |
535 EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(test_command.c_str())); | |
536 } | |
537 | |
538 //------------------------------------------------------------------------------ | |
539 // Disable image load from remote devices (MITIGATION_IMAGE_LOAD_NO_REMOTE). | |
540 // >= Win10_TH2 | |
541 //------------------------------------------------------------------------------ | |
542 | |
543 SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoRemote(int argc, wchar_t** argv) { | |
544 get_process_mitigation_policy = | |
545 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( | |
546 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
547 if (!get_process_mitigation_policy) | |
548 return SBOX_TEST_NOT_FOUND; | |
549 | |
550 if (!CheckWin10ImageLoadNoRemotePolicy()) | |
551 return SBOX_TEST_FIRST_ERROR; | |
552 return SBOX_TEST_SUCCEEDED; | |
553 } | |
554 | |
555 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE | |
556 // mitigation enables the setting on a process. | |
557 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoRemotePolicySuccess) { | |
558 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
559 return; | |
560 | |
561 TestRunner runner; | |
562 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
563 | |
564 EXPECT_EQ( | |
565 policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_REMOTE), | |
566 SBOX_ALL_OK); | |
567 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
568 runner.RunTest(L"CheckWin10ImageLoadNoRemote")); | |
569 } | |
570 | |
571 // This test validates that we CAN create a new process from | |
572 // a remote UNC device, if the MITIGATION_IMAGE_LOAD_NO_REMOTE | |
573 // mitigation is NOT set. | |
574 // | |
575 // DISABLED for automated testing bots. Enable for manual testing. | |
576 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteSuccess) { | |
577 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
578 return; | |
579 | |
580 TestWin10ImageLoadRemote(true); | |
581 } | |
582 | |
583 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE | |
584 // mitigation prevents creating a new process from a remote | |
585 // UNC device. | |
586 // | |
587 // DISABLED for automated testing bots. Enable for manual testing. | |
588 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteFailure) { | |
589 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
590 return; | |
591 | |
592 TestWin10ImageLoadRemote(false); | |
593 } | |
594 | |
595 //------------------------------------------------------------------------------ | |
596 // Disable image load when "mandatory low label" (integrity level). | |
597 // (MITIGATION_IMAGE_LOAD_NO_LOW_LABEL) | |
598 // >= Win10_TH2 | |
599 //------------------------------------------------------------------------------ | |
600 | |
601 SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoLowLabel(int argc, wchar_t** argv) { | |
602 get_process_mitigation_policy = | |
603 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( | |
604 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
605 if (!get_process_mitigation_policy) | |
606 return SBOX_TEST_NOT_FOUND; | |
607 | |
608 if (!CheckWin10ImageLoadNoLowLabelPolicy()) | |
609 return SBOX_TEST_FIRST_ERROR; | |
610 return SBOX_TEST_SUCCEEDED; | |
611 } | |
612 | |
613 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | |
614 // mitigation enables the setting on a process. | |
615 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelPolicySuccess) { | |
616 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
617 return; | |
618 | |
619 TestRunner runner; | |
620 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
621 | |
622 EXPECT_EQ( | |
623 policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), | |
624 SBOX_ALL_OK); | |
625 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
626 runner.RunTest(L"CheckWin10ImageLoadNoLowLabel")); | |
627 } | |
628 | |
629 // This test validates that we CAN create a new process with | |
630 // low mandatory label (IL), if the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | |
631 // mitigation is NOT set. | |
632 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelSuccess) { | |
633 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
634 return; | |
635 | |
636 TestWin10ImageLoadLowLabel(true); | |
637 } | |
638 | |
639 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | |
640 // mitigation prevents creating a new process with low mandatory label (IL). | |
641 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelFailure) { | |
642 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
643 return; | |
644 | |
645 TestWin10ImageLoadLowLabel(false); | |
646 } | |
647 | |
648 //------------------------------------------------------------------------------ | |
649 // Disable child process creation. | |
650 // - JobLevel <= JOB_LIMITED_USER (on < WIN10_TH2). | |
651 // - JobLevel <= JOB_LIMITED_USER which also triggers setting | |
652 // PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY to | |
653 // PROCESS_CREATION_CHILD_PROCESS_RESTRICTED in | |
654 // BrokerServicesBase::SpawnTarget (on >= WIN10_TH2). | |
655 //------------------------------------------------------------------------------ | |
656 | |
657 // This test validates that we can spawn a child process if | |
658 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation is | |
659 // not set. | |
660 TEST(ProcessMitigationsTest, CheckChildProcessSuccess) { | |
661 TestRunner runner; | |
662 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
663 | |
664 // Set a policy that would normally allow for process creation. | |
665 policy->SetJobLevel(JOB_INTERACTIVE, 0); | |
666 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); | |
667 runner.SetDisableCsrss(false); | |
668 | |
669 base::FilePath cmd; | |
670 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd)); | |
671 cmd = cmd.Append(L"calc.exe"); | |
672 | |
673 std::wstring test_command = L"TestChildProcess "; | |
674 test_command += cmd.value().c_str(); | |
675 | |
676 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); | |
677 } | |
678 | |
679 // This test validates that setting the | |
680 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation prevents | |
681 // the spawning of child processes. | |
682 TEST(ProcessMitigationsTest, CheckChildProcessFailure) { | |
683 TestRunner runner; | |
684 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
685 | |
686 // Now set the job level to be <= JOB_LIMITED_USER | |
687 // and ensure we can no longer create a child process. | |
688 policy->SetJobLevel(JOB_LIMITED_USER, 0); | |
689 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); | |
690 runner.SetDisableCsrss(false); | |
691 | |
692 base::FilePath cmd; | |
693 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd)); | |
694 cmd = cmd.Append(L"calc.exe"); | |
695 | |
696 std::wstring test_command = L"TestChildProcess "; | |
697 test_command += cmd.value().c_str(); | |
698 | |
699 EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(test_command.c_str())); | |
700 } | |
701 | |
251 } // namespace sandbox | 702 } // namespace sandbox |
252 | 703 |
OLD | NEW |