OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/files/file_util.h" | |
6 #include "base/files/scoped_temp_dir.h" | |
7 #include "base/memory/scoped_ptr.h" | |
8 #include "base/path_service.h" | |
9 #include "base/process/launch.h" | |
5 #include "base/strings/stringprintf.h" | 10 #include "base/strings/stringprintf.h" |
6 #include "base/win/scoped_handle.h" | 11 #include "base/win/scoped_handle.h" |
7 | |
8 #include "base/win/windows_version.h" | 12 #include "base/win/windows_version.h" |
9 #include "sandbox/win/src/nt_internals.h" | 13 #include "sandbox/win/src/nt_internals.h" |
10 #include "sandbox/win/src/process_mitigations.h" | 14 #include "sandbox/win/src/process_mitigations.h" |
11 #include "sandbox/win/src/sandbox.h" | 15 #include "sandbox/win/src/sandbox.h" |
12 #include "sandbox/win/src/sandbox_factory.h" | 16 #include "sandbox/win/src/sandbox_factory.h" |
13 #include "sandbox/win/src/target_services.h" | 17 #include "sandbox/win/src/target_services.h" |
14 #include "sandbox/win/src/win_utils.h" | 18 #include "sandbox/win/src/win_utils.h" |
15 #include "sandbox/win/tests/common/controller.h" | 19 #include "sandbox/win/tests/common/controller.h" |
16 #include "testing/gtest/include/gtest/gtest.h" | 20 #include "testing/gtest/include/gtest/gtest.h" |
17 | 21 |
18 namespace { | 22 namespace { |
19 | 23 |
20 typedef BOOL (WINAPI *GetProcessDEPPolicyFunction)( | 24 // API defined in winbase.h. |
21 HANDLE process, | 25 typedef decltype(GetProcessDEPPolicy)* GetProcessDEPPolicyFunction; |
22 LPDWORD flags, | |
23 PBOOL permanent); | |
24 | 26 |
25 typedef BOOL (WINAPI *GetProcessMitigationPolicyFunction)( | 27 // API defined in processthreadsapi.h. |
26 HANDLE process, | 28 typedef decltype( |
27 PROCESS_MITIGATION_POLICY mitigation_policy, | 29 GetProcessMitigationPolicy)* GetProcessMitigationPolicyFunction; |
28 PVOID buffer, | 30 GetProcessMitigationPolicyFunction get_process_mitigation_policy; |
29 SIZE_T length); | |
30 | 31 |
31 GetProcessMitigationPolicyFunction get_process_mitigation_policy; | 32 // APIs defined in wingdi.h. |
33 typedef decltype(AddFontMemResourceEx)* AddFontMemResourceExFunction; | |
34 typedef decltype(RemoveFontMemResourceEx)* RemoveFontMemResourceExFunction; | |
32 | 35 |
33 #if !defined(_WIN64) | 36 #if !defined(_WIN64) |
34 bool CheckWin8DepPolicy() { | 37 bool CheckWin8DepPolicy() { |
35 PROCESS_MITIGATION_DEP_POLICY policy = {}; | 38 PROCESS_MITIGATION_DEP_POLICY policy = {}; |
36 if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy, | 39 if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy, |
37 &policy, sizeof(policy))) { | 40 &policy, sizeof(policy))) { |
38 return false; | 41 return false; |
39 } | 42 } |
40 return policy.Enable && policy.Permanent; | 43 return policy.Enable && policy.Permanent; |
41 } | 44 } |
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
76 bool CheckWin8DllExtensionPolicy() { | 79 bool CheckWin8DllExtensionPolicy() { |
77 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; | 80 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; |
78 if (!get_process_mitigation_policy(::GetCurrentProcess(), | 81 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
79 ProcessExtensionPointDisablePolicy, | 82 ProcessExtensionPointDisablePolicy, |
80 &policy, sizeof(policy))) { | 83 &policy, sizeof(policy))) { |
81 return false; | 84 return false; |
82 } | 85 } |
83 return policy.DisableExtensionPoints; | 86 return policy.DisableExtensionPoints; |
84 } | 87 } |
85 | 88 |
89 bool CheckWin10FontPolicy() { | |
90 PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {}; | |
91 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
92 ProcessFontDisablePolicy, &policy, | |
93 sizeof(policy))) { | |
94 return false; | |
95 } | |
96 return policy.DisableNonSystemFonts; | |
97 } | |
98 | |
99 bool CheckWin10ImageLoadNoRemotePolicy() { | |
100 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; | |
101 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
102 ProcessImageLoadPolicy, &policy, | |
103 sizeof(policy))) { | |
104 return false; | |
105 } | |
106 return policy.NoRemoteImages; | |
107 } | |
108 | |
109 void TestWin10ImageLoadRemote(bool is_success_test) { | |
110 // ***Insert your manual testing share UNC path here! | |
111 // E.g.: \\\\hostname\\sharename\\calc.exe | |
112 std::wstring unc = L"\"\\\\hostname\\sharename\\calc.exe\""; | |
113 | |
114 sandbox::TestRunner runner; | |
115 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
116 | |
117 // Set a policy that would normally allow for process creation. | |
118 policy->SetJobLevel(sandbox::JOB_NONE, 0); | |
119 policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); | |
120 runner.SetDisableCsrss(false); | |
121 | |
122 if (!is_success_test) { | |
123 // Enable the NoRemote mitigation. | |
124 EXPECT_EQ(policy->SetDelayedProcessMitigations( | |
125 sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE), | |
126 sandbox::SBOX_ALL_OK); | |
127 } | |
128 | |
129 std::wstring test = L"TestChildProcess "; | |
130 test += unc.c_str(); | |
131 EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED | |
132 : sandbox::SBOX_TEST_FAILED), | |
133 runner.RunTest(test.c_str())); | |
134 } | |
135 | |
136 bool CheckWin10ImageLoadNoLowLabelPolicy() { | |
137 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; | |
138 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
139 ProcessImageLoadPolicy, &policy, | |
140 sizeof(policy))) { | |
141 return false; | |
142 } | |
143 return policy.NoLowMandatoryLabelImages; | |
144 } | |
145 | |
146 void TestWin10ImageLoadLowLabel(bool is_success_test) { | |
147 // Setup a mandatory low executable for this test (calc.exe). | |
148 bool setup_success = false; | |
149 | |
150 base::FilePath orig_path; | |
151 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &orig_path)); | |
152 orig_path = orig_path.Append(L"calc.exe"); | |
153 | |
154 base::ScopedTempDir temp_dir; | |
155 EXPECT_TRUE(temp_dir.CreateUniqueTempDir()); | |
156 base::FilePath new_path = temp_dir.path(); | |
157 new_path = new_path.Append(L"lowIL_calc.exe"); | |
158 | |
159 // Test file will be cleaned up by the ScopedTempDir. | |
160 EXPECT_TRUE(base::CopyFileW(orig_path, new_path)); | |
161 | |
162 std::wstring cmd_line = L"icacls \""; | |
163 cmd_line += new_path.value().c_str(); | |
164 cmd_line += L"\" /setintegritylevel Low"; | |
165 | |
166 base::LaunchOptions options = base::LaunchOptionsForTest(); | |
167 base::Process setup_proc = base::LaunchProcess(cmd_line.c_str(), options); | |
168 if (setup_proc.IsValid()) { | |
Will Harris
2016/01/30 00:28:43
avoid the indent by just doing ASSERT_TRUE, test w
penny
2016/02/01 20:43:21
Done. You just expanded my gTest universe. I did
| |
169 int exit_code = 1; | |
170 if (setup_proc.WaitForExitWithTimeout(base::TimeDelta::FromSeconds(10), | |
171 &exit_code)) { | |
172 if (exit_code == 0) | |
Will Harris
2016/01/30 00:28:43
again, mountain coding is usually avoided in chrom
penny
2016/02/01 20:43:21
Done.
| |
173 // icacls was successful. | |
174 setup_success = true; | |
175 } else { | |
176 // Might have timed out, or might have failed. Terminate just to be sure. | |
177 setup_proc.Terminate(0, false); | |
178 } | |
179 setup_proc.Close(); | |
Will Harris
2016/01/30 00:28:43
this should happen automatically at setup_proc des
penny
2016/02/01 20:43:21
Done.
| |
180 } | |
181 | |
182 if (setup_success) { | |
183 sandbox::TestRunner runner; | |
184 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
185 | |
186 // Set a policy that would normally allow for process creation. | |
187 policy->SetJobLevel(sandbox::JOB_NONE, 0); | |
188 policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); | |
189 runner.SetDisableCsrss(false); | |
190 | |
191 if (!is_success_test) { | |
192 // Enable the NoLowLabel mitigation. | |
193 EXPECT_EQ(policy->SetDelayedProcessMitigations( | |
194 sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), | |
195 sandbox::SBOX_ALL_OK); | |
196 } | |
197 | |
198 std::wstring test = L"TestChildProcess "; | |
199 test += new_path.value().c_str(); | |
200 | |
201 EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED | |
202 : sandbox::SBOX_TEST_FAILED), | |
203 runner.RunTest(test.c_str())); | |
204 } else { | |
205 // If setup failed, make sure to fail the test. | |
206 EXPECT_TRUE(setup_success); | |
207 } | |
208 } | |
209 | |
86 } // namespace | 210 } // namespace |
87 | 211 |
88 namespace sandbox { | 212 namespace sandbox { |
89 | 213 |
214 // A shared helper test command that will attempt to CreateProcess | |
215 // with a given command line. | |
216 // | |
217 // ***Make sure you've enabled basic process creation in the | |
218 // test sandbox settings via: | |
219 // sandbox::TargetPolicy::SetJobLevel(), | |
220 // sandbox::TargetPolicy::SetTokenLevel(), | |
221 // and TestRunner::SetDisableCsrss(). | |
222 SBOX_TESTS_COMMAND int TestChildProcess(int argc, wchar_t** argv) { | |
223 if (argc < 1) | |
224 return SBOX_TEST_INVALID_PARAMETER; | |
225 | |
226 std::wstring cmd = argv[0]; | |
227 base::LaunchOptions options = base::LaunchOptionsForTest(); | |
228 base::Process setup_proc = base::LaunchProcess(cmd.c_str(), options); | |
229 | |
230 if (setup_proc.IsValid()) { | |
231 setup_proc.Terminate(0, false); | |
232 setup_proc.Close(); | |
233 return SBOX_TEST_SUCCEEDED; | |
234 } else { | |
Will Harris
2016/01/30 00:28:43
style: no need for the else, as you return.
penny
2016/02/01 20:43:21
Done.
| |
235 // Note: GetLastError from CreateProcess returns 5, "ERROR_ACCESS_DENIED". | |
236 return SBOX_TEST_FAILED; | |
237 } | |
238 } | |
239 | |
240 //----------------------------------------------------------------------------- | |
241 // Win8 Checks: | |
242 // MITIGATION_DEP(_NO_ATL_THUNK) | |
243 // MITIGATION_EXTENSION_DLL_DISABLE | |
244 // MITIGATION_RELOCATE_IMAGE(_REQUIRED) - ASLR, release only | |
245 // MITIGATION_STRICT_HANDLE_CHECKS | |
246 // >= Win8 | |
247 //----------------------------------------------------------------------------- | |
248 | |
90 SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) { | 249 SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) { |
91 get_process_mitigation_policy = | 250 get_process_mitigation_policy = |
92 reinterpret_cast<GetProcessMitigationPolicyFunction>( | 251 reinterpret_cast<GetProcessMitigationPolicyFunction>( |
93 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | 252 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), |
94 "GetProcessMitigationPolicy")); | 253 "GetProcessMitigationPolicy")); |
95 if (!get_process_mitigation_policy) | 254 if (!get_process_mitigation_policy) |
96 return SBOX_TEST_NOT_FOUND; | 255 return SBOX_TEST_NOT_FOUND; |
97 | 256 |
98 #if !defined(_WIN64) // DEP is always enabled on 64-bit. | 257 #if !defined(_WIN64) // DEP is always enabled on 64-bit. |
99 if (!CheckWin8DepPolicy()) | 258 if (!CheckWin8DepPolicy()) |
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
131 | 290 |
132 EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK); | 291 EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK); |
133 | 292 |
134 mitigations |= MITIGATION_STRICT_HANDLE_CHECKS; | 293 mitigations |= MITIGATION_STRICT_HANDLE_CHECKS; |
135 | 294 |
136 EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK); | 295 EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK); |
137 | 296 |
138 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8")); | 297 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8")); |
139 } | 298 } |
140 | 299 |
300 //----------------------------------------------------------------------------- | |
301 // DEP (MITIGATION_DEP) | |
302 // < Win8 x86 | |
303 //----------------------------------------------------------------------------- | |
141 | 304 |
142 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) { | 305 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) { |
143 GetProcessDEPPolicyFunction get_process_dep_policy = | 306 GetProcessDEPPolicyFunction get_process_dep_policy = |
144 reinterpret_cast<GetProcessDEPPolicyFunction>( | 307 reinterpret_cast<GetProcessDEPPolicyFunction>( |
145 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | 308 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), |
146 "GetProcessDEPPolicy")); | 309 "GetProcessDEPPolicy")); |
147 if (get_process_dep_policy) { | 310 if (get_process_dep_policy) { |
148 BOOL is_permanent = FALSE; | 311 BOOL is_permanent = FALSE; |
149 DWORD dep_flags = 0; | 312 DWORD dep_flags = 0; |
150 | 313 |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
194 | 357 |
195 EXPECT_EQ(policy->SetProcessMitigations( | 358 EXPECT_EQ(policy->SetProcessMitigations( |
196 MITIGATION_DEP | | 359 MITIGATION_DEP | |
197 MITIGATION_DEP_NO_ATL_THUNK | | 360 MITIGATION_DEP_NO_ATL_THUNK | |
198 MITIGATION_SEHOP), | 361 MITIGATION_SEHOP), |
199 SBOX_ALL_OK); | 362 SBOX_ALL_OK); |
200 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep")); | 363 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep")); |
201 } | 364 } |
202 #endif | 365 #endif |
203 | 366 |
367 //----------------------------------------------------------------------------- | |
368 // Win32k Lockdown (MITIGATION_WIN32K_DISABLE) | |
369 // >= Win8 | |
370 //----------------------------------------------------------------------------- | |
371 | |
204 SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) { | 372 SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) { |
205 get_process_mitigation_policy = | 373 get_process_mitigation_policy = |
206 reinterpret_cast<GetProcessMitigationPolicyFunction>( | 374 reinterpret_cast<GetProcessMitigationPolicyFunction>( |
207 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | 375 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), |
208 "GetProcessMitigationPolicy")); | 376 "GetProcessMitigationPolicy")); |
209 if (!get_process_mitigation_policy) | 377 if (!get_process_mitigation_policy) |
210 return SBOX_TEST_NOT_FOUND; | 378 return SBOX_TEST_NOT_FOUND; |
211 | 379 |
212 if (!CheckWin8Win32CallPolicy()) | 380 if (!CheckWin8Win32CallPolicy()) |
213 return SBOX_TEST_FIRST_ERROR; | 381 return SBOX_TEST_FIRST_ERROR; |
(...skipping 27 matching lines...) Expand all Loading... | |
241 sandbox::TargetPolicy* policy = runner.GetPolicy(); | 409 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
242 | 410 |
243 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE), | 411 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE), |
244 SBOX_ALL_OK); | 412 SBOX_ALL_OK); |
245 EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN, | 413 EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN, |
246 sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL), | 414 sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL), |
247 sandbox::SBOX_ALL_OK); | 415 sandbox::SBOX_ALL_OK); |
248 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown")); | 416 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown")); |
249 } | 417 } |
250 | 418 |
419 //----------------------------------------------------------------------------- | |
420 // Disable non-system font loads (MITIGATION_NONSYSTEM_FONT_DISABLE) | |
421 // >= Win10 | |
422 //----------------------------------------------------------------------------- | |
423 | |
424 SBOX_TESTS_COMMAND int CheckWin10FontLockDown(int argc, wchar_t** argv) { | |
425 get_process_mitigation_policy = | |
426 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( | |
427 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
428 if (!get_process_mitigation_policy) | |
429 return SBOX_TEST_NOT_FOUND; | |
430 | |
431 if (!CheckWin10FontPolicy()) | |
432 return SBOX_TEST_FIRST_ERROR; | |
433 return SBOX_TEST_SUCCEEDED; | |
434 } | |
435 | |
436 SBOX_TESTS_COMMAND int CheckWin10FontLoad(int argc, wchar_t** argv) { | |
437 if (argc < 1) | |
438 return SBOX_TEST_INVALID_PARAMETER; | |
439 | |
440 HMODULE gdi_module = ::LoadLibraryW(L"gdi32.dll"); | |
441 if (!gdi_module) | |
442 return SBOX_TEST_NOT_FOUND; | |
443 | |
444 AddFontMemResourceExFunction add_font_mem_resource = | |
445 reinterpret_cast<AddFontMemResourceExFunction>( | |
446 ::GetProcAddress(gdi_module, "AddFontMemResourceEx")); | |
447 | |
448 RemoveFontMemResourceExFunction rem_font_mem_resource = | |
449 reinterpret_cast<RemoveFontMemResourceExFunction>( | |
450 ::GetProcAddress(gdi_module, "RemoveFontMemResourceEx")); | |
451 | |
452 if (!add_font_mem_resource || !rem_font_mem_resource) | |
453 return SBOX_TEST_NOT_FOUND; | |
454 | |
455 // Open font file passed in as an argument. | |
456 base::File file(base::FilePath(static_cast<std::wstring>(argv[0])), | |
Will Harris
2016/01/30 00:28:43
shouldn't need a static_cast here, try:
base::Fil
penny
2016/02/01 20:43:21
Done.
| |
457 base::File::FLAG_OPEN | base::File::FLAG_READ); | |
458 if (!file.IsValid()) | |
459 // Failed to open the font file passed in. | |
460 return SBOX_TEST_NOT_FOUND; | |
461 | |
462 std::vector<char> font_data; | |
463 int64_t len = file.GetLength(); | |
464 font_data.resize(len); | |
465 | |
466 int read = file.Read(0, &font_data[0], len); | |
Will Harris
2016/01/30 00:28:43
strange base::File::Read returns an int and not a
penny
2016/02/01 20:43:21
Acknowledged. I thought the exact same thing when
| |
467 file.Close(); | |
468 | |
469 if (read != len) | |
470 return SBOX_TEST_NOT_FOUND; | |
471 | |
472 DWORD font_count = 0; | |
473 HANDLE font_handle = add_font_mem_resource( | |
474 &font_data[0], static_cast<DWORD>(font_data.size()), NULL, &font_count); | |
475 | |
476 if (font_handle) { | |
477 rem_font_mem_resource(font_handle); | |
478 return SBOX_TEST_SUCCEEDED; | |
479 } else { | |
Will Harris
2016/01/30 00:28:43
no need for else
penny
2016/02/01 20:43:21
Done.
| |
480 return SBOX_TEST_FAILED; | |
481 } | |
482 } | |
483 | |
484 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE | |
485 // mitigation enables the setting on a process. | |
486 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownPolicySuccess) { | |
487 if (base::win::GetVersion() < base::win::VERSION_WIN10) | |
488 return; | |
489 | |
490 TestRunner runner; | |
491 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
492 | |
493 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), | |
494 SBOX_ALL_OK); | |
495 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin10FontLockDown")); | |
496 } | |
497 | |
498 // This test validates that we can load a non-system font | |
499 // if the MITIGATION_NON_SYSTEM_FONTS_DISABLE | |
500 // mitigation is NOT set. | |
501 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadSuccess) { | |
502 if (base::win::GetVersion() < base::win::VERSION_WIN10) | |
503 return; | |
504 | |
505 base::FilePath font_path; | |
506 EXPECT_TRUE(base::PathService::Get(base::DIR_WINDOWS_FONTS, &font_path)); | |
507 // Arial font should always be available | |
508 font_path = font_path.Append(L"arial.ttf"); | |
509 | |
510 TestRunner runner; | |
511 EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, | |
512 font_path.value().c_str())); | |
513 | |
514 std::wstring test_command = L"CheckWin10FontLoad \""; | |
515 test_command += font_path.value().c_str(); | |
516 test_command += L"\""; | |
517 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); | |
518 } | |
519 | |
520 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE | |
521 // mitigation prevents the loading of a non-system font. | |
522 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadFailure) { | |
523 if (base::win::GetVersion() < base::win::VERSION_WIN10) | |
524 return; | |
525 | |
526 base::FilePath font_path; | |
527 EXPECT_TRUE(base::PathService::Get(base::DIR_WINDOWS_FONTS, &font_path)); | |
528 // Arial font should always be available | |
529 font_path = font_path.Append(L"arial.ttf"); | |
530 | |
531 TestRunner runner; | |
532 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
533 EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, | |
534 font_path.value().c_str())); | |
535 | |
536 // Turn on the non-system font disable mitigation. | |
537 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), | |
538 SBOX_ALL_OK); | |
539 | |
540 std::wstring test_command = L"CheckWin10FontLoad \""; | |
541 test_command += font_path.value().c_str(); | |
542 test_command += L"\""; | |
543 | |
544 EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(test_command.c_str())); | |
545 } | |
546 | |
547 //----------------------------------------------------------------------------- | |
548 // Disable image load from remote devices (MITIGATION_IMAGE_LOAD_NO_REMOTE). | |
549 // >= Win10_TH2 | |
550 //----------------------------------------------------------------------------- | |
551 | |
552 SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoRemote(int argc, wchar_t** argv) { | |
553 get_process_mitigation_policy = | |
554 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( | |
555 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
556 if (!get_process_mitigation_policy) | |
557 return SBOX_TEST_NOT_FOUND; | |
558 | |
559 if (!CheckWin10ImageLoadNoRemotePolicy()) | |
560 return SBOX_TEST_FIRST_ERROR; | |
561 return SBOX_TEST_SUCCEEDED; | |
562 } | |
563 | |
564 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE | |
565 // mitigation enables the setting on a process. | |
566 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoRemotePolicySuccess) { | |
567 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
568 return; | |
569 | |
570 TestRunner runner; | |
571 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
572 | |
573 EXPECT_EQ( | |
574 policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_REMOTE), | |
575 SBOX_ALL_OK); | |
576 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
577 runner.RunTest(L"CheckWin10ImageLoadNoRemote")); | |
578 } | |
579 | |
580 // This test validates that we CAN create a new process from | |
581 // a remote UNC device, if the MITIGATION_IMAGE_LOAD_NO_REMOTE | |
582 // mitigation is NOT set. | |
583 // | |
584 // DISABLED for automated testing bots. Enable for manual testing. | |
585 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteSuccess) { | |
586 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
587 return; | |
588 | |
589 TestWin10ImageLoadRemote(true); | |
590 } | |
591 | |
592 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE | |
593 // mitigation prevents creating a new process from a remote | |
594 // UNC device. | |
595 // | |
596 // DISABLED for automated testing bots. Enable for manual testing. | |
597 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteFailure) { | |
598 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
599 return; | |
600 | |
601 TestWin10ImageLoadRemote(false); | |
602 } | |
603 | |
604 //----------------------------------------------------------------------------- | |
605 // Disable image load when "mandatory low label" (integrity level). | |
606 // (MITIGATION_IMAGE_LOAD_NO_LOW_LABEL) | |
607 // >= Win10_TH2 | |
608 //----------------------------------------------------------------------------- | |
609 | |
610 SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoLowLabel(int argc, wchar_t** argv) { | |
611 get_process_mitigation_policy = | |
612 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( | |
613 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
614 if (!get_process_mitigation_policy) | |
615 return SBOX_TEST_NOT_FOUND; | |
616 | |
617 if (!CheckWin10ImageLoadNoLowLabelPolicy()) | |
618 return SBOX_TEST_FIRST_ERROR; | |
619 return SBOX_TEST_SUCCEEDED; | |
620 } | |
621 | |
622 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | |
623 // mitigation enables the setting on a process. | |
624 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelPolicySuccess) { | |
625 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
626 return; | |
627 | |
628 TestRunner runner; | |
629 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
630 | |
631 EXPECT_EQ( | |
632 policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), | |
633 SBOX_ALL_OK); | |
634 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
635 runner.RunTest(L"CheckWin10ImageLoadNoLowLabel")); | |
636 } | |
637 | |
638 // This test validates that we CAN create a new process with | |
639 // low mandatory label (IL), if the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | |
640 // mitigation is NOT set. | |
641 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelSuccess) { | |
642 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
643 return; | |
644 | |
645 TestWin10ImageLoadLowLabel(true); | |
646 } | |
647 | |
648 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | |
649 // mitigation prevents creating a new process with low mandatory label (IL). | |
650 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelFailure) { | |
651 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
652 return; | |
653 | |
654 TestWin10ImageLoadLowLabel(false); | |
655 } | |
656 | |
657 //----------------------------------------------------------------------------- | |
658 // Disable child process creation. | |
659 // - JobLevel <= JOB_LIMITED_USER (on < WIN10_TH2). | |
660 // - JobLevel <= JOB_LIMITED_USER which also triggers setting | |
661 // PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY to | |
662 // PROCESS_CREATION_CHILD_PROCESS_RESTRICTED in | |
663 // BrokerServicesBase::SpawnTarget (on >= WIN10_TH2). | |
664 //----------------------------------------------------------------------------- | |
665 | |
666 // This test validates that we can spawn a child process if | |
667 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation is | |
668 // not set. | |
669 TEST(ProcessMitigationsTest, CheckChildProcessSuccess) { | |
670 TestRunner runner; | |
671 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
672 | |
673 // Set a policy that would normally allow for process creation. | |
674 policy->SetJobLevel(JOB_INTERACTIVE, 0); | |
675 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); | |
676 runner.SetDisableCsrss(false); | |
677 | |
678 base::FilePath cmd; | |
679 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd)); | |
680 cmd = cmd.Append(L"calc.exe"); | |
681 | |
682 std::wstring test_command = L"TestChildProcess "; | |
683 test_command += cmd.value().c_str(); | |
684 | |
685 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); | |
686 } | |
687 | |
688 // This test validates that setting the | |
689 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation prevents | |
690 // the spawning of child processes. | |
691 TEST(ProcessMitigationsTest, CheckChildProcessFailure) { | |
692 TestRunner runner; | |
693 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
694 | |
695 // Now set the job level to be <= JOB_LIMITED_USER | |
696 // and ensure we can no longer create a child process. | |
697 policy->SetJobLevel(JOB_LIMITED_USER, 0); | |
698 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); | |
699 runner.SetDisableCsrss(false); | |
700 | |
701 base::FilePath cmd; | |
702 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd)); | |
703 cmd = cmd.Append(L"calc.exe"); | |
704 | |
705 std::wstring test_command = L"TestChildProcess "; | |
706 test_command += cmd.value().c_str(); | |
707 | |
708 EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(test_command.c_str())); | |
709 } | |
710 | |
251 } // namespace sandbox | 711 } // namespace sandbox |
252 | 712 |
OLD | NEW |