OLD | NEW |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
| 5 #include "base/files/file_util.h" |
| 6 #include "base/files/scoped_temp_dir.h" |
| 7 #include "base/memory/scoped_ptr.h" |
| 8 #include "base/path_service.h" |
| 9 #include "base/process/launch.h" |
5 #include "base/strings/stringprintf.h" | 10 #include "base/strings/stringprintf.h" |
6 #include "base/win/scoped_handle.h" | 11 #include "base/win/scoped_handle.h" |
7 | |
8 #include "base/win/windows_version.h" | 12 #include "base/win/windows_version.h" |
9 #include "sandbox/win/src/nt_internals.h" | 13 #include "sandbox/win/src/nt_internals.h" |
10 #include "sandbox/win/src/process_mitigations.h" | 14 #include "sandbox/win/src/process_mitigations.h" |
11 #include "sandbox/win/src/sandbox.h" | 15 #include "sandbox/win/src/sandbox.h" |
12 #include "sandbox/win/src/sandbox_factory.h" | 16 #include "sandbox/win/src/sandbox_factory.h" |
13 #include "sandbox/win/src/target_services.h" | 17 #include "sandbox/win/src/target_services.h" |
14 #include "sandbox/win/src/win_utils.h" | 18 #include "sandbox/win/src/win_utils.h" |
15 #include "sandbox/win/tests/common/controller.h" | 19 #include "sandbox/win/tests/common/controller.h" |
16 #include "testing/gtest/include/gtest/gtest.h" | 20 #include "testing/gtest/include/gtest/gtest.h" |
17 | 21 |
18 namespace { | 22 namespace { |
19 | 23 |
20 typedef BOOL (WINAPI *GetProcessDEPPolicyFunction)( | 24 // API defined in winbase.h. |
21 HANDLE process, | 25 typedef decltype(GetProcessDEPPolicy)* GetProcessDEPPolicyFunction; |
22 LPDWORD flags, | |
23 PBOOL permanent); | |
24 | 26 |
25 typedef BOOL (WINAPI *GetProcessMitigationPolicyFunction)( | 27 // API defined in processthreadsapi.h. |
26 HANDLE process, | 28 typedef decltype( |
27 PROCESS_MITIGATION_POLICY mitigation_policy, | 29 GetProcessMitigationPolicy)* GetProcessMitigationPolicyFunction; |
28 PVOID buffer, | 30 GetProcessMitigationPolicyFunction get_process_mitigation_policy; |
29 SIZE_T length); | |
30 | 31 |
31 GetProcessMitigationPolicyFunction get_process_mitigation_policy; | 32 // APIs defined in wingdi.h. |
| 33 typedef decltype(AddFontMemResourceEx)* AddFontMemResourceExFunction; |
| 34 typedef decltype(RemoveFontMemResourceEx)* RemoveFontMemResourceExFunction; |
32 | 35 |
33 #if !defined(_WIN64) | 36 #if !defined(_WIN64) |
34 bool CheckWin8DepPolicy() { | 37 bool CheckWin8DepPolicy() { |
35 PROCESS_MITIGATION_DEP_POLICY policy = {}; | 38 PROCESS_MITIGATION_DEP_POLICY policy = {}; |
36 if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy, | 39 if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy, |
37 &policy, sizeof(policy))) { | 40 &policy, sizeof(policy))) { |
38 return false; | 41 return false; |
39 } | 42 } |
40 return policy.Enable && policy.Permanent; | 43 return policy.Enable && policy.Permanent; |
41 } | 44 } |
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
76 bool CheckWin8DllExtensionPolicy() { | 79 bool CheckWin8DllExtensionPolicy() { |
77 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; | 80 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; |
78 if (!get_process_mitigation_policy(::GetCurrentProcess(), | 81 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
79 ProcessExtensionPointDisablePolicy, | 82 ProcessExtensionPointDisablePolicy, |
80 &policy, sizeof(policy))) { | 83 &policy, sizeof(policy))) { |
81 return false; | 84 return false; |
82 } | 85 } |
83 return policy.DisableExtensionPoints; | 86 return policy.DisableExtensionPoints; |
84 } | 87 } |
85 | 88 |
| 89 bool CheckWin10FontPolicy() { |
| 90 PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {}; |
| 91 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 92 ProcessFontDisablePolicy, &policy, |
| 93 sizeof(policy))) { |
| 94 return false; |
| 95 } |
| 96 return policy.DisableNonSystemFonts; |
| 97 } |
| 98 |
| 99 bool CheckWin10ImageLoadNoRemotePolicy() { |
| 100 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; |
| 101 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 102 ProcessImageLoadPolicy, &policy, |
| 103 sizeof(policy))) { |
| 104 return false; |
| 105 } |
| 106 return policy.NoRemoteImages; |
| 107 } |
| 108 |
| 109 void TestWin10ImageLoadRemote(bool is_success_test) { |
| 110 // ***Insert your manual testing share UNC path here! |
| 111 // E.g.: \\\\hostname\\sharename\\calc.exe |
| 112 std::wstring unc = L"\"\\\\hostname\\sharename\\calc.exe\""; |
| 113 |
| 114 sandbox::TestRunner runner; |
| 115 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 116 |
| 117 // Set a policy that would normally allow for process creation. |
| 118 policy->SetJobLevel(sandbox::JOB_NONE, 0); |
| 119 policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); |
| 120 runner.SetDisableCsrss(false); |
| 121 |
| 122 if (!is_success_test) { |
| 123 // Enable the NoRemote mitigation. |
| 124 EXPECT_EQ(policy->SetDelayedProcessMitigations( |
| 125 sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE), |
| 126 sandbox::SBOX_ALL_OK); |
| 127 } |
| 128 |
| 129 std::wstring test = L"TestChildProcess "; |
| 130 test += unc.c_str(); |
| 131 EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED |
| 132 : sandbox::SBOX_TEST_FAILED), |
| 133 runner.RunTest(test.c_str())); |
| 134 } |
| 135 |
| 136 bool CheckWin10ImageLoadNoLowLabelPolicy() { |
| 137 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; |
| 138 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 139 ProcessImageLoadPolicy, &policy, |
| 140 sizeof(policy))) { |
| 141 return false; |
| 142 } |
| 143 return policy.NoLowMandatoryLabelImages; |
| 144 } |
| 145 |
| 146 void TestWin10ImageLoadLowLabel(bool is_success_test) { |
| 147 // Setup a mandatory low executable for this test (calc.exe). |
| 148 // If anything fails during setup, ASSERT to end test. |
| 149 base::FilePath orig_path; |
| 150 ASSERT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &orig_path)); |
| 151 orig_path = orig_path.Append(L"calc.exe"); |
| 152 |
| 153 base::ScopedTempDir temp_dir; |
| 154 ASSERT_TRUE(temp_dir.CreateUniqueTempDir()); |
| 155 base::FilePath new_path = temp_dir.path(); |
| 156 new_path = new_path.Append(L"lowIL_calc.exe"); |
| 157 |
| 158 // Test file will be cleaned up by the ScopedTempDir. |
| 159 ASSERT_TRUE(base::CopyFileW(orig_path, new_path)); |
| 160 |
| 161 std::wstring cmd_line = L"icacls \""; |
| 162 cmd_line += new_path.value().c_str(); |
| 163 cmd_line += L"\" /setintegritylevel Low"; |
| 164 |
| 165 base::LaunchOptions options = base::LaunchOptionsForTest(); |
| 166 base::Process setup_proc = base::LaunchProcess(cmd_line.c_str(), options); |
| 167 ASSERT_TRUE(setup_proc.IsValid()); |
| 168 |
| 169 int exit_code = 1; |
| 170 if (!setup_proc.WaitForExitWithTimeout(base::TimeDelta::FromSeconds(10), |
| 171 &exit_code)) { |
| 172 // Might have timed out, or might have failed. |
| 173 // Terminate to make sure we clean up any mess. |
| 174 setup_proc.Terminate(0, false); |
| 175 ASSERT_TRUE(false); |
| 176 } |
| 177 // Make sure icacls was successful. |
| 178 ASSERT_EQ(0, exit_code); |
| 179 |
| 180 sandbox::TestRunner runner; |
| 181 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 182 |
| 183 // Set a policy that would normally allow for process creation. |
| 184 policy->SetJobLevel(sandbox::JOB_NONE, 0); |
| 185 policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); |
| 186 runner.SetDisableCsrss(false); |
| 187 |
| 188 if (!is_success_test) { |
| 189 // Enable the NoLowLabel mitigation. |
| 190 EXPECT_EQ(policy->SetDelayedProcessMitigations( |
| 191 sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), |
| 192 sandbox::SBOX_ALL_OK); |
| 193 } |
| 194 |
| 195 std::wstring test = L"TestChildProcess "; |
| 196 test += new_path.value().c_str(); |
| 197 |
| 198 EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED |
| 199 : sandbox::SBOX_TEST_FAILED), |
| 200 runner.RunTest(test.c_str())); |
| 201 } |
| 202 |
86 } // namespace | 203 } // namespace |
87 | 204 |
88 namespace sandbox { | 205 namespace sandbox { |
89 | 206 |
| 207 // A shared helper test command that will attempt to CreateProcess |
| 208 // with a given command line. |
| 209 // |
| 210 // ***Make sure you've enabled basic process creation in the |
| 211 // test sandbox settings via: |
| 212 // sandbox::TargetPolicy::SetJobLevel(), |
| 213 // sandbox::TargetPolicy::SetTokenLevel(), |
| 214 // and TestRunner::SetDisableCsrss(). |
| 215 SBOX_TESTS_COMMAND int TestChildProcess(int argc, wchar_t** argv) { |
| 216 if (argc < 1) |
| 217 return SBOX_TEST_INVALID_PARAMETER; |
| 218 |
| 219 std::wstring cmd = argv[0]; |
| 220 base::LaunchOptions options = base::LaunchOptionsForTest(); |
| 221 base::Process setup_proc = base::LaunchProcess(cmd.c_str(), options); |
| 222 |
| 223 if (setup_proc.IsValid()) { |
| 224 setup_proc.Terminate(0, false); |
| 225 return SBOX_TEST_SUCCEEDED; |
| 226 } |
| 227 // Note: GetLastError from CreateProcess returns 5, "ERROR_ACCESS_DENIED". |
| 228 return SBOX_TEST_FAILED; |
| 229 } |
| 230 |
| 231 //------------------------------------------------------------------------------ |
| 232 // Win8 Checks: |
| 233 // MITIGATION_DEP(_NO_ATL_THUNK) |
| 234 // MITIGATION_EXTENSION_DLL_DISABLE |
| 235 // MITIGATION_RELOCATE_IMAGE(_REQUIRED) - ASLR, release only |
| 236 // MITIGATION_STRICT_HANDLE_CHECKS |
| 237 // >= Win8 |
| 238 //------------------------------------------------------------------------------ |
| 239 |
90 SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) { | 240 SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) { |
91 get_process_mitigation_policy = | 241 get_process_mitigation_policy = |
92 reinterpret_cast<GetProcessMitigationPolicyFunction>( | 242 reinterpret_cast<GetProcessMitigationPolicyFunction>( |
93 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | 243 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), |
94 "GetProcessMitigationPolicy")); | 244 "GetProcessMitigationPolicy")); |
95 if (!get_process_mitigation_policy) | 245 if (!get_process_mitigation_policy) |
96 return SBOX_TEST_NOT_FOUND; | 246 return SBOX_TEST_NOT_FOUND; |
97 | 247 |
98 #if !defined(_WIN64) // DEP is always enabled on 64-bit. | 248 #if !defined(_WIN64) // DEP is always enabled on 64-bit. |
99 if (!CheckWin8DepPolicy()) | 249 if (!CheckWin8DepPolicy()) |
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
131 | 281 |
132 EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK); | 282 EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK); |
133 | 283 |
134 mitigations |= MITIGATION_STRICT_HANDLE_CHECKS; | 284 mitigations |= MITIGATION_STRICT_HANDLE_CHECKS; |
135 | 285 |
136 EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK); | 286 EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK); |
137 | 287 |
138 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8")); | 288 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8")); |
139 } | 289 } |
140 | 290 |
| 291 //------------------------------------------------------------------------------ |
| 292 // DEP (MITIGATION_DEP) |
| 293 // < Win8 x86 |
| 294 //------------------------------------------------------------------------------ |
141 | 295 |
142 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) { | 296 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) { |
143 GetProcessDEPPolicyFunction get_process_dep_policy = | 297 GetProcessDEPPolicyFunction get_process_dep_policy = |
144 reinterpret_cast<GetProcessDEPPolicyFunction>( | 298 reinterpret_cast<GetProcessDEPPolicyFunction>( |
145 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | 299 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), |
146 "GetProcessDEPPolicy")); | 300 "GetProcessDEPPolicy")); |
147 if (get_process_dep_policy) { | 301 if (get_process_dep_policy) { |
148 BOOL is_permanent = FALSE; | 302 BOOL is_permanent = FALSE; |
149 DWORD dep_flags = 0; | 303 DWORD dep_flags = 0; |
150 | 304 |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
194 | 348 |
195 EXPECT_EQ(policy->SetProcessMitigations( | 349 EXPECT_EQ(policy->SetProcessMitigations( |
196 MITIGATION_DEP | | 350 MITIGATION_DEP | |
197 MITIGATION_DEP_NO_ATL_THUNK | | 351 MITIGATION_DEP_NO_ATL_THUNK | |
198 MITIGATION_SEHOP), | 352 MITIGATION_SEHOP), |
199 SBOX_ALL_OK); | 353 SBOX_ALL_OK); |
200 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep")); | 354 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep")); |
201 } | 355 } |
202 #endif | 356 #endif |
203 | 357 |
| 358 //------------------------------------------------------------------------------ |
| 359 // Win32k Lockdown (MITIGATION_WIN32K_DISABLE) |
| 360 // >= Win8 |
| 361 //------------------------------------------------------------------------------ |
| 362 |
204 SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) { | 363 SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) { |
205 get_process_mitigation_policy = | 364 get_process_mitigation_policy = |
206 reinterpret_cast<GetProcessMitigationPolicyFunction>( | 365 reinterpret_cast<GetProcessMitigationPolicyFunction>( |
207 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | 366 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), |
208 "GetProcessMitigationPolicy")); | 367 "GetProcessMitigationPolicy")); |
209 if (!get_process_mitigation_policy) | 368 if (!get_process_mitigation_policy) |
210 return SBOX_TEST_NOT_FOUND; | 369 return SBOX_TEST_NOT_FOUND; |
211 | 370 |
212 if (!CheckWin8Win32CallPolicy()) | 371 if (!CheckWin8Win32CallPolicy()) |
213 return SBOX_TEST_FIRST_ERROR; | 372 return SBOX_TEST_FIRST_ERROR; |
(...skipping 27 matching lines...) Expand all Loading... |
241 sandbox::TargetPolicy* policy = runner.GetPolicy(); | 400 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
242 | 401 |
243 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE), | 402 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE), |
244 SBOX_ALL_OK); | 403 SBOX_ALL_OK); |
245 EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN, | 404 EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN, |
246 sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL), | 405 sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL), |
247 sandbox::SBOX_ALL_OK); | 406 sandbox::SBOX_ALL_OK); |
248 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown")); | 407 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown")); |
249 } | 408 } |
250 | 409 |
| 410 //------------------------------------------------------------------------------ |
| 411 // Disable non-system font loads (MITIGATION_NONSYSTEM_FONT_DISABLE) |
| 412 // >= Win10 |
| 413 //------------------------------------------------------------------------------ |
| 414 |
| 415 SBOX_TESTS_COMMAND int CheckWin10FontLockDown(int argc, wchar_t** argv) { |
| 416 get_process_mitigation_policy = |
| 417 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( |
| 418 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); |
| 419 if (!get_process_mitigation_policy) |
| 420 return SBOX_TEST_NOT_FOUND; |
| 421 |
| 422 if (!CheckWin10FontPolicy()) |
| 423 return SBOX_TEST_FIRST_ERROR; |
| 424 return SBOX_TEST_SUCCEEDED; |
| 425 } |
| 426 |
| 427 SBOX_TESTS_COMMAND int CheckWin10FontLoad(int argc, wchar_t** argv) { |
| 428 if (argc < 1) |
| 429 return SBOX_TEST_INVALID_PARAMETER; |
| 430 |
| 431 HMODULE gdi_module = ::LoadLibraryW(L"gdi32.dll"); |
| 432 if (!gdi_module) |
| 433 return SBOX_TEST_NOT_FOUND; |
| 434 |
| 435 AddFontMemResourceExFunction add_font_mem_resource = |
| 436 reinterpret_cast<AddFontMemResourceExFunction>( |
| 437 ::GetProcAddress(gdi_module, "AddFontMemResourceEx")); |
| 438 |
| 439 RemoveFontMemResourceExFunction rem_font_mem_resource = |
| 440 reinterpret_cast<RemoveFontMemResourceExFunction>( |
| 441 ::GetProcAddress(gdi_module, "RemoveFontMemResourceEx")); |
| 442 |
| 443 if (!add_font_mem_resource || !rem_font_mem_resource) |
| 444 return SBOX_TEST_NOT_FOUND; |
| 445 |
| 446 // Open font file passed in as an argument. |
| 447 base::File file(base::FilePath(argv[0]), |
| 448 base::File::FLAG_OPEN | base::File::FLAG_READ); |
| 449 if (!file.IsValid()) |
| 450 // Failed to open the font file passed in. |
| 451 return SBOX_TEST_NOT_FOUND; |
| 452 |
| 453 std::vector<char> font_data; |
| 454 int64_t len = file.GetLength(); |
| 455 font_data.resize(len); |
| 456 |
| 457 int read = file.Read(0, &font_data[0], len); |
| 458 file.Close(); |
| 459 |
| 460 if (read != len) |
| 461 return SBOX_TEST_NOT_FOUND; |
| 462 |
| 463 DWORD font_count = 0; |
| 464 HANDLE font_handle = add_font_mem_resource( |
| 465 &font_data[0], static_cast<DWORD>(font_data.size()), NULL, &font_count); |
| 466 |
| 467 if (font_handle) { |
| 468 rem_font_mem_resource(font_handle); |
| 469 return SBOX_TEST_SUCCEEDED; |
| 470 } |
| 471 |
| 472 return SBOX_TEST_FAILED; |
| 473 } |
| 474 |
| 475 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE |
| 476 // mitigation enables the setting on a process. |
| 477 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownPolicySuccess) { |
| 478 if (base::win::GetVersion() < base::win::VERSION_WIN10) |
| 479 return; |
| 480 |
| 481 TestRunner runner; |
| 482 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 483 |
| 484 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), |
| 485 SBOX_ALL_OK); |
| 486 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin10FontLockDown")); |
| 487 } |
| 488 |
| 489 // This test validates that we can load a non-system font |
| 490 // if the MITIGATION_NON_SYSTEM_FONTS_DISABLE |
| 491 // mitigation is NOT set. |
| 492 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadSuccess) { |
| 493 if (base::win::GetVersion() < base::win::VERSION_WIN10) |
| 494 return; |
| 495 |
| 496 base::FilePath font_path; |
| 497 EXPECT_TRUE(base::PathService::Get(base::DIR_WINDOWS_FONTS, &font_path)); |
| 498 // Arial font should always be available |
| 499 font_path = font_path.Append(L"arial.ttf"); |
| 500 |
| 501 TestRunner runner; |
| 502 EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, |
| 503 font_path.value().c_str())); |
| 504 |
| 505 std::wstring test_command = L"CheckWin10FontLoad \""; |
| 506 test_command += font_path.value().c_str(); |
| 507 test_command += L"\""; |
| 508 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 509 } |
| 510 |
| 511 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE |
| 512 // mitigation prevents the loading of a non-system font. |
| 513 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadFailure) { |
| 514 if (base::win::GetVersion() < base::win::VERSION_WIN10) |
| 515 return; |
| 516 |
| 517 base::FilePath font_path; |
| 518 EXPECT_TRUE(base::PathService::Get(base::DIR_WINDOWS_FONTS, &font_path)); |
| 519 // Arial font should always be available |
| 520 font_path = font_path.Append(L"arial.ttf"); |
| 521 |
| 522 TestRunner runner; |
| 523 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 524 EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, |
| 525 font_path.value().c_str())); |
| 526 |
| 527 // Turn on the non-system font disable mitigation. |
| 528 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), |
| 529 SBOX_ALL_OK); |
| 530 |
| 531 std::wstring test_command = L"CheckWin10FontLoad \""; |
| 532 test_command += font_path.value().c_str(); |
| 533 test_command += L"\""; |
| 534 |
| 535 EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(test_command.c_str())); |
| 536 } |
| 537 |
| 538 //------------------------------------------------------------------------------ |
| 539 // Disable image load from remote devices (MITIGATION_IMAGE_LOAD_NO_REMOTE). |
| 540 // >= Win10_TH2 |
| 541 //------------------------------------------------------------------------------ |
| 542 |
| 543 SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoRemote(int argc, wchar_t** argv) { |
| 544 get_process_mitigation_policy = |
| 545 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( |
| 546 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); |
| 547 if (!get_process_mitigation_policy) |
| 548 return SBOX_TEST_NOT_FOUND; |
| 549 |
| 550 if (!CheckWin10ImageLoadNoRemotePolicy()) |
| 551 return SBOX_TEST_FIRST_ERROR; |
| 552 return SBOX_TEST_SUCCEEDED; |
| 553 } |
| 554 |
| 555 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE |
| 556 // mitigation enables the setting on a process. |
| 557 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoRemotePolicySuccess) { |
| 558 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) |
| 559 return; |
| 560 |
| 561 TestRunner runner; |
| 562 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 563 |
| 564 EXPECT_EQ( |
| 565 policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_REMOTE), |
| 566 SBOX_ALL_OK); |
| 567 EXPECT_EQ(SBOX_TEST_SUCCEEDED, |
| 568 runner.RunTest(L"CheckWin10ImageLoadNoRemote")); |
| 569 } |
| 570 |
| 571 // This test validates that we CAN create a new process from |
| 572 // a remote UNC device, if the MITIGATION_IMAGE_LOAD_NO_REMOTE |
| 573 // mitigation is NOT set. |
| 574 // |
| 575 // DISABLED for automated testing bots. Enable for manual testing. |
| 576 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteSuccess) { |
| 577 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) |
| 578 return; |
| 579 |
| 580 TestWin10ImageLoadRemote(true); |
| 581 } |
| 582 |
| 583 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE |
| 584 // mitigation prevents creating a new process from a remote |
| 585 // UNC device. |
| 586 // |
| 587 // DISABLED for automated testing bots. Enable for manual testing. |
| 588 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteFailure) { |
| 589 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) |
| 590 return; |
| 591 |
| 592 TestWin10ImageLoadRemote(false); |
| 593 } |
| 594 |
| 595 //------------------------------------------------------------------------------ |
| 596 // Disable image load when "mandatory low label" (integrity level). |
| 597 // (MITIGATION_IMAGE_LOAD_NO_LOW_LABEL) |
| 598 // >= Win10_TH2 |
| 599 //------------------------------------------------------------------------------ |
| 600 |
| 601 SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoLowLabel(int argc, wchar_t** argv) { |
| 602 get_process_mitigation_policy = |
| 603 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( |
| 604 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); |
| 605 if (!get_process_mitigation_policy) |
| 606 return SBOX_TEST_NOT_FOUND; |
| 607 |
| 608 if (!CheckWin10ImageLoadNoLowLabelPolicy()) |
| 609 return SBOX_TEST_FIRST_ERROR; |
| 610 return SBOX_TEST_SUCCEEDED; |
| 611 } |
| 612 |
| 613 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
| 614 // mitigation enables the setting on a process. |
| 615 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelPolicySuccess) { |
| 616 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) |
| 617 return; |
| 618 |
| 619 TestRunner runner; |
| 620 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 621 |
| 622 EXPECT_EQ( |
| 623 policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), |
| 624 SBOX_ALL_OK); |
| 625 EXPECT_EQ(SBOX_TEST_SUCCEEDED, |
| 626 runner.RunTest(L"CheckWin10ImageLoadNoLowLabel")); |
| 627 } |
| 628 |
| 629 // This test validates that we CAN create a new process with |
| 630 // low mandatory label (IL), if the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
| 631 // mitigation is NOT set. |
| 632 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelSuccess) { |
| 633 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) |
| 634 return; |
| 635 |
| 636 TestWin10ImageLoadLowLabel(true); |
| 637 } |
| 638 |
| 639 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
| 640 // mitigation prevents creating a new process with low mandatory label (IL). |
| 641 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelFailure) { |
| 642 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) |
| 643 return; |
| 644 |
| 645 TestWin10ImageLoadLowLabel(false); |
| 646 } |
| 647 |
| 648 //------------------------------------------------------------------------------ |
| 649 // Disable child process creation. |
| 650 // - JobLevel <= JOB_LIMITED_USER (on < WIN10_TH2). |
| 651 // - JobLevel <= JOB_LIMITED_USER which also triggers setting |
| 652 // PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY to |
| 653 // PROCESS_CREATION_CHILD_PROCESS_RESTRICTED in |
| 654 // BrokerServicesBase::SpawnTarget (on >= WIN10_TH2). |
| 655 //------------------------------------------------------------------------------ |
| 656 |
| 657 // This test validates that we can spawn a child process if |
| 658 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation is |
| 659 // not set. |
| 660 TEST(ProcessMitigationsTest, CheckChildProcessSuccess) { |
| 661 TestRunner runner; |
| 662 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 663 |
| 664 // Set a policy that would normally allow for process creation. |
| 665 policy->SetJobLevel(JOB_INTERACTIVE, 0); |
| 666 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); |
| 667 runner.SetDisableCsrss(false); |
| 668 |
| 669 base::FilePath cmd; |
| 670 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd)); |
| 671 cmd = cmd.Append(L"calc.exe"); |
| 672 |
| 673 std::wstring test_command = L"TestChildProcess "; |
| 674 test_command += cmd.value().c_str(); |
| 675 |
| 676 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 677 } |
| 678 |
| 679 // This test validates that setting the |
| 680 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation prevents |
| 681 // the spawning of child processes. |
| 682 TEST(ProcessMitigationsTest, CheckChildProcessFailure) { |
| 683 TestRunner runner; |
| 684 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 685 |
| 686 // Now set the job level to be <= JOB_LIMITED_USER |
| 687 // and ensure we can no longer create a child process. |
| 688 policy->SetJobLevel(JOB_LIMITED_USER, 0); |
| 689 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); |
| 690 runner.SetDisableCsrss(false); |
| 691 |
| 692 base::FilePath cmd; |
| 693 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd)); |
| 694 cmd = cmd.Append(L"calc.exe"); |
| 695 |
| 696 std::wstring test_command = L"TestChildProcess "; |
| 697 test_command += cmd.value().c_str(); |
| 698 |
| 699 EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(test_command.c_str())); |
| 700 } |
| 701 |
251 } // namespace sandbox | 702 } // namespace sandbox |
252 | 703 |
OLD | NEW |