OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/memory/scoped_ptr.h" | |
5 #include "base/strings/stringprintf.h" | 6 #include "base/strings/stringprintf.h" |
6 #include "base/win/scoped_handle.h" | 7 #include "base/win/scoped_handle.h" |
7 | |
8 #include "base/win/windows_version.h" | 8 #include "base/win/windows_version.h" |
9 #include "sandbox/win/src/nt_internals.h" | 9 #include "sandbox/win/src/nt_internals.h" |
10 #include "sandbox/win/src/process_mitigations.h" | 10 #include "sandbox/win/src/process_mitigations.h" |
11 #include "sandbox/win/src/sandbox.h" | 11 #include "sandbox/win/src/sandbox.h" |
12 #include "sandbox/win/src/sandbox_factory.h" | 12 #include "sandbox/win/src/sandbox_factory.h" |
13 #include "sandbox/win/src/target_services.h" | 13 #include "sandbox/win/src/target_services.h" |
14 #include "sandbox/win/src/win_utils.h" | 14 #include "sandbox/win/src/win_utils.h" |
15 #include "sandbox/win/tests/common/controller.h" | 15 #include "sandbox/win/tests/common/controller.h" |
16 #include "testing/gtest/include/gtest/gtest.h" | 16 #include "testing/gtest/include/gtest/gtest.h" |
17 | 17 |
18 namespace { | 18 namespace { |
19 | 19 |
20 typedef BOOL (WINAPI *GetProcessDEPPolicyFunction)( | 20 typedef BOOL (WINAPI *GetProcessDEPPolicyFunction)( |
21 HANDLE process, | 21 HANDLE process, |
22 LPDWORD flags, | 22 LPDWORD flags, |
23 PBOOL permanent); | 23 PBOOL permanent); |
24 | 24 |
25 typedef BOOL (WINAPI *GetProcessMitigationPolicyFunction)( | 25 typedef BOOL (WINAPI *GetProcessMitigationPolicyFunction)( |
26 HANDLE process, | 26 HANDLE process, |
27 PROCESS_MITIGATION_POLICY mitigation_policy, | 27 PROCESS_MITIGATION_POLICY mitigation_policy, |
28 PVOID buffer, | 28 PVOID buffer, |
29 SIZE_T length); | 29 SIZE_T length); |
30 | 30 |
31 typedef HANDLE(WINAPI* AddFontMemResourceExFunction)( | |
32 PVOID font_resource, | |
33 DWORD font_resource_size, | |
34 PVOID reserved, | |
35 DWORD* num_fonts_installed); | |
36 | |
37 typedef BOOL(WINAPI* RemoveFontMemResourceExFunction)(HANDLE resource_handle); | |
Will Harris
2016/01/27 02:04:27
no real need for these here with c++11 syntactic m
penny
2016/01/28 19:25:15
Done.
| |
38 | |
31 GetProcessMitigationPolicyFunction get_process_mitigation_policy; | 39 GetProcessMitigationPolicyFunction get_process_mitigation_policy; |
32 | 40 |
33 #if !defined(_WIN64) | 41 #if !defined(_WIN64) |
34 bool CheckWin8DepPolicy() { | 42 bool CheckWin8DepPolicy() { |
35 PROCESS_MITIGATION_DEP_POLICY policy = {}; | 43 PROCESS_MITIGATION_DEP_POLICY policy = {}; |
36 if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy, | 44 if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy, |
37 &policy, sizeof(policy))) { | 45 &policy, sizeof(policy))) { |
38 return false; | 46 return false; |
39 } | 47 } |
40 return policy.Enable && policy.Permanent; | 48 return policy.Enable && policy.Permanent; |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
76 bool CheckWin8DllExtensionPolicy() { | 84 bool CheckWin8DllExtensionPolicy() { |
77 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; | 85 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; |
78 if (!get_process_mitigation_policy(::GetCurrentProcess(), | 86 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
79 ProcessExtensionPointDisablePolicy, | 87 ProcessExtensionPointDisablePolicy, |
80 &policy, sizeof(policy))) { | 88 &policy, sizeof(policy))) { |
81 return false; | 89 return false; |
82 } | 90 } |
83 return policy.DisableExtensionPoints; | 91 return policy.DisableExtensionPoints; |
84 } | 92 } |
85 | 93 |
94 bool CheckWin10FontPolicy() { | |
95 PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {}; | |
96 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
97 ProcessFontDisablePolicy, &policy, | |
98 sizeof(policy))) { | |
99 return false; | |
100 } | |
101 return policy.DisableNonSystemFonts; | |
102 } | |
103 | |
104 bool LoadFileToMemory(const std::wstring& file_name, std::vector<char>& data) { | |
Will Harris
2016/01/27 02:04:27
it seems base::File::Read() does a lot of what thi
penny
2016/01/28 19:25:15
Done. I'm using base::File now.
| |
105 base::win::ScopedHandle file(::CreateFile(file_name.c_str(), GENERIC_READ, | |
106 FILE_SHARE_READ, NULL, | |
107 OPEN_EXISTING, 0, NULL)); | |
108 if (!file.IsValid()) | |
109 return false; | |
110 | |
111 DWORD total_length = ::GetFileSize(file.Get(), NULL); | |
112 | |
113 if (total_length == INVALID_FILE_SIZE) | |
114 return false; | |
115 | |
116 data.resize(total_length); | |
117 | |
118 DWORD current_pos = 0; | |
119 while (current_pos < total_length) { | |
120 DWORD bytes_read; | |
121 | |
122 if (!ReadFile(file.Get(), &data[current_pos], total_length - current_pos, | |
123 &bytes_read, NULL) || | |
124 bytes_read == 0) | |
125 return false; | |
126 current_pos += bytes_read; | |
127 } | |
128 | |
129 return true; | |
130 } | |
131 | |
132 bool CheckWin10ImageLoadNoRemotePolicy() { | |
133 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; | |
134 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
135 ProcessImageLoadPolicy, &policy, | |
136 sizeof(policy))) { | |
137 return false; | |
138 } | |
139 return policy.NoRemoteImages; | |
140 } | |
141 | |
142 void TestWin10ImageLoadRemote(bool is_success_test) { | |
143 // ***Insert your manual testing share UNC path here! | |
144 // E.g.: \\\\hostname\\sharename\\calc.exe | |
145 std::wstring unc = L"\\\\hostname\\sharename\\calc.exe"; | |
146 | |
147 sandbox::TestRunner runner; | |
148 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
149 | |
150 // Set a policy that would normally allow for process creation. | |
151 policy->SetJobLevel(sandbox::JOB_NONE, 0); | |
152 policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); | |
153 runner.SetDisableCsrss(false); | |
154 | |
155 if (!is_success_test) { | |
156 // Enable the NoRemote mitigation. | |
157 EXPECT_EQ(policy->SetDelayedProcessMitigations( | |
158 sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE), | |
159 sandbox::SBOX_ALL_OK); | |
160 } | |
161 | |
162 std::wstring test = L"TestChildProcess "; | |
163 test += unc.c_str(); | |
164 test += ((is_success_test) ? L" success" : L" failure"); | |
165 EXPECT_EQ(sandbox::SBOX_TEST_SUCCEEDED, runner.RunTest(test.c_str())); | |
166 } | |
167 | |
168 bool CheckWin10ImageLoadNoLowLabelPolicy() { | |
169 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; | |
170 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
171 ProcessImageLoadPolicy, &policy, | |
172 sizeof(policy))) { | |
173 return false; | |
174 } | |
175 return policy.NoLowMandatoryLabelImages; | |
176 } | |
177 | |
178 void TestWin10ImageLoadLowLabel(bool is_success_test) { | |
Will Harris
2016/01/27 02:04:26
this is a cool test.
| |
179 // Setup a mandatory low executable for this test (calc.exe). | |
180 WCHAR dir_buffer[MAX_PATH]; | |
181 EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH)); | |
Will Harris
2016/01/27 02:04:27
you could use base::PathService::Get(base::DIR_WIN
penny
2016/01/28 19:25:15
Done.
| |
182 | |
183 std::wstring orig_path = dir_buffer; | |
184 orig_path = orig_path + L"\\System32\\calc.exe"; | |
185 std::wstring new_path = dir_buffer; | |
186 new_path = new_path + L"\\temp\\lowIL_calc.exe"; | |
Will Harris
2016/01/27 02:04:27
can't use temp, as multiple tests might be running
penny
2016/01/28 19:25:15
Nice. ScopedTempDir is handy.
| |
187 | |
188 EXPECT_TRUE(::CopyFileW(orig_path.c_str(), new_path.c_str(), false)); | |
Will Harris
2016/01/27 02:04:27
base::CopyFile and using base::FilePath instead of
penny
2016/01/28 19:25:16
Done.
| |
189 | |
190 std::wstring cmd = L"icacls \""; | |
191 cmd += new_path.c_str(); | |
192 cmd += L"\" /setintegritylevel Low"; | |
193 scoped_ptr<wchar_t, base::FreeDeleter> cmd_line(_wcsdup(cmd.c_str())); | |
194 | |
195 STARTUPINFOW startup_info = {}; | |
196 startup_info.cb = sizeof(startup_info); | |
197 PROCESS_INFORMATION proc_info = {}; | |
198 bool setup_success = false; | |
199 | |
200 if (::CreateProcessW(NULL, cmd_line.get(), NULL, NULL, false, 0, NULL, NULL, | |
Will Harris
2016/01/27 02:04:27
base::LaunchProcess() here might be easier.
penny
2016/01/28 19:25:16
Done. Took me quite a while to figure out how to
| |
201 &startup_info, &proc_info)) { | |
202 if (WAIT_OBJECT_0 == ::WaitForSingleObject(proc_info.hProcess, 10 * 1000)) { | |
203 DWORD exit_code; | |
204 if (::GetExitCodeProcess(proc_info.hProcess, &exit_code) && | |
205 exit_code == 0) { | |
206 // icacls was successful. | |
207 setup_success = true; | |
208 } | |
209 } else { | |
210 ::TerminateProcess(proc_info.hProcess, 0); | |
211 } | |
212 ::CloseHandle(proc_info.hProcess); | |
213 ::CloseHandle(proc_info.hThread); | |
214 } | |
215 | |
216 if (setup_success) { | |
217 sandbox::TestRunner runner; | |
218 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
219 | |
220 // Set a policy that would normally allow for process creation. | |
221 policy->SetJobLevel(sandbox::JOB_NONE, 0); | |
222 policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); | |
223 runner.SetDisableCsrss(false); | |
224 | |
225 if (!is_success_test) { | |
226 // Enable the NoLowLabel mitigation. | |
227 EXPECT_EQ(policy->SetDelayedProcessMitigations( | |
228 sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), | |
229 sandbox::SBOX_ALL_OK); | |
230 } | |
231 | |
232 std::wstring test = L"TestChildProcess "; | |
233 test += new_path.c_str(); | |
234 test += ((is_success_test) ? L" success" : L" failure"); | |
Will Harris
2016/01/27 02:04:26
nit: for all these success | failure tests can't y
penny
2016/01/28 19:25:15
Done.
| |
235 EXPECT_EQ(sandbox::SBOX_TEST_SUCCEEDED, runner.RunTest(test.c_str())); | |
236 } else { | |
237 // If setup failed, make sure to fail the test. | |
238 EXPECT_TRUE(setup_success); | |
239 } | |
240 | |
241 // Clean up. | |
242 EXPECT_TRUE(::DeleteFileW(new_path.c_str())); | |
243 } | |
244 | |
86 } // namespace | 245 } // namespace |
87 | 246 |
88 namespace sandbox { | 247 namespace sandbox { |
89 | 248 |
249 // A shared helper test command that will attempt to CreateProcess | |
250 // with a given command line and an expected result. | |
251 // | |
252 // ***Make sure you've enabled basic process creation in the | |
253 // test sandbox settings via: | |
254 // sandbox::TargetPolicy::SetJobLevel(), | |
255 // sandbox::TargetPolicy::SetTokenLevel(), | |
256 // and TestRunner::SetDisableCsrss(). | |
257 SBOX_TESTS_COMMAND int TestChildProcess(int argc, wchar_t** argv) { | |
258 if (argc < 2) | |
259 return SBOX_TEST_INVALID_PARAMETER; | |
260 | |
261 // Initialize the startup information from the policy. | |
262 STARTUPINFOW startup_info = {}; | |
263 startup_info.cb = sizeof(startup_info); | |
264 PROCESS_INFORMATION proc_info = {}; | |
265 std::wstring path = argv[0]; | |
266 std::wstring outcome = argv[1]; | |
267 bool success_expected = (0 == outcome.compare(L"success")) ? true : false; | |
268 | |
269 scoped_ptr<wchar_t, base::FreeDeleter> cmd_line(_wcsdup(path.c_str())); | |
270 if (::CreateProcessW(NULL, cmd_line.get(), NULL, NULL, false, 0, NULL, NULL, | |
Will Harris
2016/01/27 02:04:27
base::LaunchProcess maybe?
unless you want to lau
penny
2016/01/28 19:25:15
Done. Popping calc is the most thrilling part of
| |
271 &startup_info, &proc_info)) { | |
272 ::TerminateProcess(proc_info.hProcess, 0); | |
273 ::CloseHandle(proc_info.hProcess); | |
274 ::CloseHandle(proc_info.hThread); | |
275 | |
276 return (success_expected) ? SBOX_TEST_SUCCEEDED : SBOX_TEST_FIRST_ERROR; | |
277 } else { | |
278 // Note: GetLastError returns 5, "ERROR_ACCESS_DENIED". | |
279 return (success_expected) ? SBOX_TEST_FIRST_ERROR : SBOX_TEST_SUCCEEDED; | |
280 } | |
281 } | |
282 | |
283 /*****************************************************************************/ | |
Will Harris
2016/01/27 02:04:26
This comment style is not chromium, and also below
penny
2016/01/28 19:25:15
Soooo, how does one create a visual horizontal sep
Will Harris
2016/01/30 00:28:43
okay - //-- seems to have precedent with other fil
penny
2016/02/01 20:43:21
Done! I appreciate you noticing that I'm missing
| |
284 // Win8 Checks | |
285 // MITIGATION_DEP(_NO_ATL_THUNK) | |
286 // MITIGATION_EXTENSION_DLL_DISABLE | |
287 // MITIGATION_RELOCATE_IMAGE(_REQUIRED) - ASLR, release only | |
288 // MITIGATION_STRICT_HANDLE_CHECKS | |
289 // >= Win8 | |
290 /*****************************************************************************/ | |
291 | |
90 SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) { | 292 SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) { |
91 get_process_mitigation_policy = | 293 get_process_mitigation_policy = |
92 reinterpret_cast<GetProcessMitigationPolicyFunction>( | 294 reinterpret_cast<GetProcessMitigationPolicyFunction>( |
93 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | 295 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), |
94 "GetProcessMitigationPolicy")); | 296 "GetProcessMitigationPolicy")); |
95 if (!get_process_mitigation_policy) | 297 if (!get_process_mitigation_policy) |
96 return SBOX_TEST_NOT_FOUND; | 298 return SBOX_TEST_NOT_FOUND; |
97 | 299 |
98 #if !defined(_WIN64) // DEP is always enabled on 64-bit. | 300 #if !defined(_WIN64) // DEP is always enabled on 64-bit. |
99 if (!CheckWin8DepPolicy()) | 301 if (!CheckWin8DepPolicy()) |
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
131 | 333 |
132 EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK); | 334 EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK); |
133 | 335 |
134 mitigations |= MITIGATION_STRICT_HANDLE_CHECKS; | 336 mitigations |= MITIGATION_STRICT_HANDLE_CHECKS; |
135 | 337 |
136 EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK); | 338 EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK); |
137 | 339 |
138 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8")); | 340 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8")); |
139 } | 341 } |
140 | 342 |
343 /*****************************************************************************/ | |
344 // DEP (MITIGATION_DEP) | |
345 // < Win8 x86 | |
346 /*****************************************************************************/ | |
141 | 347 |
142 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) { | 348 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) { |
143 GetProcessDEPPolicyFunction get_process_dep_policy = | 349 GetProcessDEPPolicyFunction get_process_dep_policy = |
144 reinterpret_cast<GetProcessDEPPolicyFunction>( | 350 reinterpret_cast<GetProcessDEPPolicyFunction>( |
145 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | 351 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), |
146 "GetProcessDEPPolicy")); | 352 "GetProcessDEPPolicy")); |
147 if (get_process_dep_policy) { | 353 if (get_process_dep_policy) { |
148 BOOL is_permanent = FALSE; | 354 BOOL is_permanent = FALSE; |
149 DWORD dep_flags = 0; | 355 DWORD dep_flags = 0; |
150 | 356 |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
194 | 400 |
195 EXPECT_EQ(policy->SetProcessMitigations( | 401 EXPECT_EQ(policy->SetProcessMitigations( |
196 MITIGATION_DEP | | 402 MITIGATION_DEP | |
197 MITIGATION_DEP_NO_ATL_THUNK | | 403 MITIGATION_DEP_NO_ATL_THUNK | |
198 MITIGATION_SEHOP), | 404 MITIGATION_SEHOP), |
199 SBOX_ALL_OK); | 405 SBOX_ALL_OK); |
200 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep")); | 406 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep")); |
201 } | 407 } |
202 #endif | 408 #endif |
203 | 409 |
410 /*****************************************************************************/ | |
411 // Win32k Lockdown (MITIGATION_WIN32K_DISABLE) | |
412 // >= Win8 | |
413 /*****************************************************************************/ | |
414 | |
204 SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) { | 415 SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) { |
205 get_process_mitigation_policy = | 416 get_process_mitigation_policy = |
206 reinterpret_cast<GetProcessMitigationPolicyFunction>( | 417 reinterpret_cast<GetProcessMitigationPolicyFunction>( |
207 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | 418 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), |
208 "GetProcessMitigationPolicy")); | 419 "GetProcessMitigationPolicy")); |
209 if (!get_process_mitigation_policy) | 420 if (!get_process_mitigation_policy) |
210 return SBOX_TEST_NOT_FOUND; | 421 return SBOX_TEST_NOT_FOUND; |
211 | 422 |
212 if (!CheckWin8Win32CallPolicy()) | 423 if (!CheckWin8Win32CallPolicy()) |
213 return SBOX_TEST_FIRST_ERROR; | 424 return SBOX_TEST_FIRST_ERROR; |
(...skipping 27 matching lines...) Expand all Loading... | |
241 sandbox::TargetPolicy* policy = runner.GetPolicy(); | 452 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
242 | 453 |
243 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE), | 454 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE), |
244 SBOX_ALL_OK); | 455 SBOX_ALL_OK); |
245 EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN, | 456 EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN, |
246 sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL), | 457 sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL), |
247 sandbox::SBOX_ALL_OK); | 458 sandbox::SBOX_ALL_OK); |
248 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown")); | 459 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown")); |
249 } | 460 } |
250 | 461 |
462 /*****************************************************************************/ | |
463 // Disable non-system font loads (MITIGATION_NONSYSTEM_FONT_DISABLE) | |
464 // >= Win10 | |
465 /*****************************************************************************/ | |
466 | |
467 SBOX_TESTS_COMMAND int CheckWin10FontLockDown(int argc, wchar_t** argv) { | |
468 get_process_mitigation_policy = | |
469 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( | |
470 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
471 if (!get_process_mitigation_policy) | |
472 return SBOX_TEST_NOT_FOUND; | |
473 | |
474 if (!CheckWin10FontPolicy()) | |
475 return SBOX_TEST_FIRST_ERROR; | |
476 return SBOX_TEST_SUCCEEDED; | |
477 } | |
478 | |
479 SBOX_TESTS_COMMAND int CheckWin10FontLoad(int argc, wchar_t** argv) { | |
480 if (argc < 2) | |
481 return SBOX_TEST_INVALID_PARAMETER; | |
482 | |
483 std::wstring outcome = argv[1]; | |
484 bool success_expected = (0 == outcome.compare(L"success")) ? true : false; | |
485 | |
486 HMODULE gdi_module = ::LoadLibraryW(L"gdi32.dll"); | |
487 if (!gdi_module) | |
488 return SBOX_TEST_NOT_FOUND; | |
489 | |
490 AddFontMemResourceExFunction add_font_mem_resource = | |
491 reinterpret_cast<AddFontMemResourceExFunction>( | |
492 ::GetProcAddress(gdi_module, "AddFontMemResourceEx")); | |
493 | |
494 RemoveFontMemResourceExFunction rem_font_mem_resource = | |
495 reinterpret_cast<RemoveFontMemResourceExFunction>( | |
496 ::GetProcAddress(gdi_module, "RemoveFontMemResourceEx")); | |
497 | |
498 if (!add_font_mem_resource || !rem_font_mem_resource) | |
499 return SBOX_TEST_NOT_FOUND; | |
500 | |
501 // Load font file passed in as an argument. | |
502 std::vector<char> font_data; | |
503 if (!LoadFileToMemory(argv[0], font_data)) | |
504 return SBOX_TEST_NOT_FOUND; | |
505 | |
506 DWORD font_count = 0; | |
507 HANDLE font_handle = add_font_mem_resource( | |
508 &font_data[0], static_cast<DWORD>(font_data.size()), NULL, &font_count); | |
509 | |
510 if (font_handle) { | |
511 rem_font_mem_resource(font_handle); | |
512 return (success_expected) ? SBOX_TEST_SUCCEEDED : SBOX_TEST_FIRST_ERROR; | |
513 } else { | |
514 // Note: GetLastError returns 5, "ERROR_ACCESS_DENIED". | |
515 return (success_expected) ? SBOX_TEST_FIRST_ERROR : SBOX_TEST_SUCCEEDED; | |
516 } | |
517 | |
518 return SBOX_TEST_SUCCEEDED; | |
519 } | |
520 | |
521 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE | |
522 // mitigation enables the setting on a process. | |
523 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownPolicySuccess) { | |
524 if (base::win::GetVersion() < base::win::VERSION_WIN10) | |
525 return; | |
526 | |
527 TestRunner runner; | |
528 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
529 | |
530 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), | |
531 SBOX_ALL_OK); | |
532 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin10FontLockDown")); | |
533 } | |
534 | |
535 // This test validates that we can load a non-system font | |
536 // if the MITIGATION_NON_SYSTEM_FONTS_DISABLE | |
537 // mitigation is NOT set. | |
538 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadSuccess) { | |
539 if (base::win::GetVersion() < base::win::VERSION_WIN10) | |
540 return; | |
541 | |
542 TestRunner runner; | |
543 | |
544 WCHAR dir_buffer[MAX_PATH]; | |
545 EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH)); | |
546 std::wstring font_name = dir_buffer; | |
547 // Arial font should always be available | |
548 font_name = font_name + L"\\fonts\\arial.ttf"; | |
549 | |
550 EXPECT_TRUE( | |
551 runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, font_name.c_str())); | |
552 | |
553 std::wstring test_command = | |
554 L"CheckWin10FontLoad \"" + font_name + L"\" success"; | |
555 | |
556 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); | |
557 } | |
558 | |
559 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE | |
560 // mitigation prevents the loading of a non-system font. | |
561 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadFailure) { | |
562 if (base::win::GetVersion() < base::win::VERSION_WIN10) | |
563 return; | |
564 | |
565 TestRunner runner; | |
566 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
567 | |
568 WCHAR dir_buffer[MAX_PATH]; | |
569 EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH)); | |
570 std::wstring font_name = dir_buffer; | |
571 // Arial font should always be available | |
572 font_name = font_name + L"\\fonts\\arial.ttf"; | |
573 | |
574 // Turn on the non-system font disable mitigation. | |
575 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), | |
576 SBOX_ALL_OK); | |
577 EXPECT_TRUE( | |
578 runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, font_name.c_str())); | |
579 | |
580 std::wstring test_command = | |
581 L"CheckWin10FontLoad \"" + font_name + L"\" failure"; | |
582 | |
583 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); | |
584 } | |
585 | |
586 /*****************************************************************************/ | |
587 // Disable image load from remote devices (MITIGATION_IMAGE_LOAD_NO_REMOTE). | |
588 // >= Win10_TH2 | |
589 /*****************************************************************************/ | |
590 | |
591 SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoRemote(int argc, wchar_t** argv) { | |
592 get_process_mitigation_policy = | |
593 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( | |
594 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
595 if (!get_process_mitigation_policy) | |
596 return SBOX_TEST_NOT_FOUND; | |
597 | |
598 if (!CheckWin10ImageLoadNoRemotePolicy()) | |
599 return SBOX_TEST_FIRST_ERROR; | |
600 return SBOX_TEST_SUCCEEDED; | |
601 } | |
602 | |
603 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE | |
604 // mitigation enables the setting on a process. | |
605 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoRemotePolicySuccess) { | |
606 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
607 return; | |
608 | |
609 TestRunner runner; | |
610 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
611 | |
612 EXPECT_EQ( | |
613 policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_REMOTE), | |
614 SBOX_ALL_OK); | |
615 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
616 runner.RunTest(L"CheckWin10ImageLoadNoRemote")); | |
617 } | |
618 | |
619 // This test validates that we CAN create a new process from | |
620 // a remote UNC device, if the MITIGATION_IMAGE_LOAD_NO_REMOTE | |
621 // mitigation is NOT set. | |
622 // | |
623 // DISABLED for automated testing bots. Enable for manual testing. | |
624 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteSuccess) { | |
625 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
626 return; | |
627 | |
628 TestWin10ImageLoadRemote(true); | |
629 } | |
630 | |
631 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE | |
632 // mitigation prevents creating a new process from a remote | |
633 // UNC device. | |
634 // | |
635 // DISABLED for automated testing bots. Enable for manual testing. | |
636 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteFailure) { | |
637 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
638 return; | |
639 | |
640 TestWin10ImageLoadRemote(false); | |
641 } | |
642 | |
643 /*****************************************************************************/ | |
644 // Disable image load when "mandatory low label" (integrity level). | |
645 // (MITIGATION_IMAGE_LOAD_NO_LOW_LABEL) | |
646 // >= Win10_TH2 | |
647 /*****************************************************************************/ | |
648 | |
649 SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoLowLabel(int argc, wchar_t** argv) { | |
650 get_process_mitigation_policy = | |
651 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( | |
652 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
653 if (!get_process_mitigation_policy) | |
654 return SBOX_TEST_NOT_FOUND; | |
655 | |
656 if (!CheckWin10ImageLoadNoLowLabelPolicy()) | |
657 return SBOX_TEST_FIRST_ERROR; | |
658 return SBOX_TEST_SUCCEEDED; | |
659 } | |
660 | |
661 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | |
662 // mitigation enables the setting on a process. | |
663 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelPolicySuccess) { | |
664 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
665 return; | |
666 | |
667 TestRunner runner; | |
668 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
669 | |
670 EXPECT_EQ( | |
671 policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), | |
672 SBOX_ALL_OK); | |
673 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
674 runner.RunTest(L"CheckWin10ImageLoadNoLowLabel")); | |
675 } | |
676 | |
677 // This test validates that we CAN create a new process with | |
678 // low mandatory label (IL), if the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | |
679 // mitigation is NOT set. | |
680 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelSuccess) { | |
681 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
682 return; | |
683 | |
684 TestWin10ImageLoadLowLabel(true); | |
685 } | |
686 | |
687 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | |
688 // mitigation prevents creating a new process with low mandatory label (IL). | |
689 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelFailure) { | |
690 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
691 return; | |
692 | |
693 TestWin10ImageLoadLowLabel(false); | |
694 } | |
695 | |
696 /*****************************************************************************/ | |
697 // Disable child process creation. | |
698 // - JobLevel <= JOB_LIMITED_USER (on < WIN10_TH2). | |
699 // - JobLevel <= JOB_LIMITED_USER which also triggers setting | |
700 // PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY to | |
701 // PROCESS_CREATION_CHILD_PROCESS_RESTRICTED in | |
702 // BrokerServicesBase::SpawnTarget (on >= WIN10_TH2). | |
703 /*****************************************************************************/ | |
704 | |
705 // This test validates that we can spawn a child process if | |
706 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation is | |
707 // not set. | |
708 TEST(ProcessMitigationsTest, CheckChildProcessSuccess) { | |
709 TestRunner runner; | |
710 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
711 | |
712 // Set a policy that would normally allow for process creation. | |
713 policy->SetJobLevel(JOB_INTERACTIVE, 0); | |
714 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); | |
715 runner.SetDisableCsrss(false); | |
716 | |
717 std::wstring test_command = L"TestChildProcess "; | |
718 WCHAR dir_buffer[MAX_PATH]; | |
719 EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH)); | |
720 test_command += dir_buffer; | |
721 test_command += L"\\System32\\calc.exe success"; | |
722 | |
723 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); | |
724 } | |
725 | |
726 // This test validates that setting the | |
727 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation prevents | |
728 // the spawning of child processes. | |
729 TEST(ProcessMitigationsTest, CheckChildProcessFailure) { | |
730 TestRunner runner; | |
731 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
732 | |
733 // Now set the job level to be <= JOB_LIMITED_USER | |
734 // and ensure we can no longer create a child process. | |
735 policy->SetJobLevel(JOB_LIMITED_USER, 0); | |
736 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); | |
737 runner.SetDisableCsrss(false); | |
738 | |
739 std::wstring test_command = L"TestChildProcess "; | |
740 WCHAR dir_buffer[MAX_PATH]; | |
741 EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH)); | |
742 test_command += dir_buffer; | |
743 test_command += L"\\System32\\calc.exe failure"; | |
744 | |
745 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); | |
746 } | |
747 | |
251 } // namespace sandbox | 748 } // namespace sandbox |
252 | 749 |
OLD | NEW |