Chromium Code Reviews Chromium Code Reviews
Issue 1626623003:
[Win10 sandbox mitigations] Four new Win10 mitigations added. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: sandbox/win/src/process_mitigations_test.cc |
| diff --git a/sandbox/win/src/process_mitigations_test.cc b/sandbox/win/src/process_mitigations_test.cc |
| index 080d8eca3fcbd49752b9b3318e43527cc65e0add..7f167436ad7824974463d699df2046d68151d054 100644 |
| --- a/sandbox/win/src/process_mitigations_test.cc |
| +++ b/sandbox/win/src/process_mitigations_test.cc |
| @@ -2,9 +2,9 @@ |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| +#include "base/memory/scoped_ptr.h" |
| #include "base/strings/stringprintf.h" |
| #include "base/win/scoped_handle.h" |
| - |
| #include "base/win/windows_version.h" |
| #include "sandbox/win/src/nt_internals.h" |
| #include "sandbox/win/src/process_mitigations.h" |
| @@ -28,6 +28,14 @@ typedef BOOL (WINAPI *GetProcessMitigationPolicyFunction)( |
| PVOID buffer, |
| SIZE_T length); |
| +typedef HANDLE(WINAPI* AddFontMemResourceExFunction)( |
| + PVOID font_resource, |
| + DWORD font_resource_size, |
| + PVOID reserved, |
| + DWORD* num_fonts_installed); |
| + |
| +typedef BOOL(WINAPI* RemoveFontMemResourceExFunction)(HANDLE resource_handle); |
| + |
| GetProcessMitigationPolicyFunction get_process_mitigation_policy; |
| #if !defined(_WIN64) |
| @@ -83,10 +91,210 @@ bool CheckWin8DllExtensionPolicy() { |
| return policy.DisableExtensionPoints; |
| } |
| +bool CheckWin10FontPolicy() { |
| + PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {}; |
| + if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| + ProcessFontDisablePolicy, &policy, |
| + sizeof(policy))) { |
| + return false; |
| + } |
| + return policy.DisableNonSystemFonts; |
| +} |
| + |
| +bool LoadFileToMemory(const std::wstring& file_name, std::vector<char>& data) { |
| + base::win::ScopedHandle file(::CreateFile(file_name.c_str(), GENERIC_READ, |
| + FILE_SHARE_READ, NULL, |
| + OPEN_EXISTING, 0, NULL)); |
| + if (!file.IsValid()) |
| + return false; |
| + |
| + DWORD total_length = ::GetFileSize(file.Get(), NULL); |
| + |
| + if (total_length == INVALID_FILE_SIZE) |
| + return false; |
| + |
| + data.resize(total_length); |
| + |
| + DWORD current_pos = 0; |
| + while (current_pos < total_length) { |
| + DWORD bytes_read; |
| + |
| + if (!ReadFile(file.Get(), &data[current_pos], total_length - current_pos, |
| + &bytes_read, NULL) || |
| + bytes_read == 0) |
| + return false; |
| + current_pos += bytes_read; |
| + } |
| + |
| + return true; |
| +} |
| + |
| +bool CheckWin10ImageLoadNoRemotePolicy() { |
| + PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; |
| + if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| + ProcessImageLoadPolicy, &policy, |
| + sizeof(policy))) { |
| + return false; |
| + } |
| + return policy.NoRemoteImages; |
| +} |
| + |
| +void TestWin10ImageLoadRemote(bool is_success_test) { |
| + // ***Insert your manual testing share UNC path here! |
| + // E.g.: \\\\hostname\\sharename\\calc.exe |
| + std::wstring unc = L"\\\\hostname\\sharename\\calc.exe"; |
| + |
| + sandbox::TestRunner runner(true); |
| + sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| + |
| + // Set a policy that would normally allow for process creation. |
| + policy->SetJobLevel(sandbox::JOB_NONE, 0); |
| + policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); |
| + |
| + if (!is_success_test) { |
| + // Enable the NoRemote mitigation. |
| + EXPECT_EQ( |
| + policy->SetDelayedProcessMitigations( |
| + sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE), |
| + sandbox::SBOX_ALL_OK); |
| + } |
| + |
| + std::wstring test = L"TestChildProcess "; |
| + test += unc.c_str(); |
| + test += ((is_success_test) ? L" success" : L" failure"); |
| + EXPECT_EQ(sandbox::SBOX_TEST_SUCCEEDED, |
| + runner.RunTest(test.c_str())); |
| +} |
| + |
| +bool CheckWin10ImageLoadNoLowLabelPolicy() { |
| + PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; |
| + if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| + ProcessImageLoadPolicy, &policy, |
| + sizeof(policy))) { |
| + return false; |
| + } |
| + return policy.NoLowMandatoryLabelImages; |
| +} |
| + |
| +void TestWin10ImageLoadLowLabel(bool is_success_test) { |
| + // Setup a mandatory low executable for this test (calc.exe). |
| + WCHAR dir_buffer[MAX_PATH]; |
| + EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH)); |
| + |
| + std::wstring orig_path = dir_buffer; |
| + orig_path = orig_path + L"\\System32\\calc.exe"; |
| + std::wstring new_path = dir_buffer; |
| + new_path = new_path + L"\\temp\\lowIL_calc.exe"; |
| + |
| + EXPECT_TRUE(::CopyFileW(orig_path.c_str(), new_path.c_str(), false)); |
| + |
| + std::wstring cmd = L"icacls \""; |
| + cmd += new_path.c_str(); |
| + cmd += L"\" /setintegritylevel Low"; |
| + scoped_ptr<wchar_t, base::FreeDeleter> cmd_line(_wcsdup(cmd.c_str())); |
| + |
| + STARTUPINFOW startup_info = {}; |
| + startup_info.cb = sizeof(startup_info); |
| + PROCESS_INFORMATION proc_info = {}; |
| + bool setup_success = false; |
| + |
| + if (::CreateProcessW(NULL, cmd_line.get(), NULL, NULL, false, 0, NULL, NULL, |
| + &startup_info, &proc_info)) { |
| + if (WAIT_OBJECT_0 == ::WaitForSingleObject(proc_info.hProcess, 10 * 1000)) { |
| + DWORD exit_code; |
| + if (::GetExitCodeProcess(proc_info.hProcess, &exit_code) && |
| + exit_code == 0) { |
| + // icacls was successful. |
| + setup_success = true; |
| + } |
| + } |
| + else { |
|
Will Harris
2016/01/25 19:32:35
please run git cl format to format these. should b
penny
2016/01/26 22:37:10
Done.
|
| + ::TerminateProcess(proc_info.hProcess, 0); |
| + } |
| + ::CloseHandle(proc_info.hProcess); |
| + ::CloseHandle(proc_info.hThread); |
| + } |
| + |
| + if (setup_success) { |
| + // Initialize a TestRunner that can CreateProcess. |
| + // I.e.: do NOT disable ALPCs/CSRSS for this test. |
| + sandbox::TestRunner runner(true); |
| + sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| + |
| + // Set a policy that would normally allow for process creation. |
| + policy->SetJobLevel(sandbox::JOB_NONE, 0); |
| + policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); |
| + |
| + if (!is_success_test) { |
| + // Enable the NoLowLabel mitigation. |
| + EXPECT_EQ( |
| + policy->SetDelayedProcessMitigations( |
| + sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), |
| + sandbox::SBOX_ALL_OK); |
| + } |
| + |
| + std::wstring test = L"TestChildProcess "; |
| + test += new_path.c_str(); |
| + test += ((is_success_test) ? L" success" : L" failure"); |
| + EXPECT_EQ(sandbox::SBOX_TEST_SUCCEEDED, |
| + runner.RunTest(test.c_str())); |
| + } |
| + else { |
| + // If setup failed, make sure to fail the test. |
| + EXPECT_TRUE(setup_success); |
| + } |
| + |
| + // Clean up. |
| + EXPECT_TRUE(::DeleteFileW(new_path.c_str())); |
| +} |
| + |
| } // namespace |
| namespace sandbox { |
| +// A shared helper test command that will attempt to CreateProcess |
| +// with a given command line and an expected result. |
| +// |
| +// ***Make sure you've enabled basic process creation in the sandbox |
| +// settings via sandbox::JobLevel, sandbox::TokenLevel, |
| +// and initialize the TestRunner with "true" |
| +// argument to enable interaction with CSRSS in the kernel. |
| +SBOX_TESTS_COMMAND int TestChildProcess(int argc, wchar_t** argv) { |
| + if (argc < 2) |
| + return SBOX_TEST_INVALID_PARAMETER; |
| + |
| + // Initialize the startup information from the policy. |
| + STARTUPINFOW startup_info = {}; |
| + startup_info.cb = sizeof(startup_info); |
| + PROCESS_INFORMATION proc_info = {}; |
| + std::wstring path = argv[0]; |
| + std::wstring outcome = argv[1]; |
| + bool success_expected = (0 == outcome.compare(L"success")) ? true : false; |
| + |
| + scoped_ptr<wchar_t, base::FreeDeleter> cmd_line(_wcsdup(path.c_str())); |
| + if (::CreateProcessW(NULL, cmd_line.get(), NULL, NULL, false, 0, NULL, NULL, |
| + &startup_info, &proc_info)) { |
| + ::TerminateProcess(proc_info.hProcess, 0); |
| + ::CloseHandle(proc_info.hProcess); |
| + ::CloseHandle(proc_info.hThread); |
| + |
| + return (success_expected) ? SBOX_TEST_SUCCEEDED : SBOX_TEST_FIRST_ERROR; |
| + } |
| + else { |
| + // Note: GetLastError returns 5, "ERROR_ACCESS_DENIED". |
| + return (success_expected) ? SBOX_TEST_FIRST_ERROR : SBOX_TEST_SUCCEEDED; |
| + } |
| +} |
| + |
| +/*****************************************************************************/ |
| +// Win8 Checks |
| +// MITIGATION_DEP(_NO_ATL_THUNK) |
| +// MITIGATION_EXTENSION_DLL_DISABLE |
| +// MITIGATION_RELOCATE_IMAGE(_REQUIRED) - ASLR, release only |
| +// MITIGATION_STRICT_HANDLE_CHECKS |
| +// >= Win8 |
| +/*****************************************************************************/ |
| + |
| SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) { |
| get_process_mitigation_policy = |
| reinterpret_cast<GetProcessMitigationPolicyFunction>( |
| @@ -138,6 +346,10 @@ TEST(ProcessMitigationsTest, CheckWin8) { |
| EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8")); |
| } |
| +/*****************************************************************************/ |
| +// DEP (MITIGATION_DEP) |
| +// < Win8 x86 |
| +/*****************************************************************************/ |
| SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) { |
| GetProcessDEPPolicyFunction get_process_dep_policy = |
| @@ -201,6 +413,11 @@ TEST(ProcessMitigationsTest, CheckDep) { |
| } |
| #endif |
| +/*****************************************************************************/ |
| +// Win32k Lockdown (MITIGATION_WIN32K_DISABLE) |
| +// >= Win8 |
| +/*****************************************************************************/ |
| + |
| SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) { |
| get_process_mitigation_policy = |
| reinterpret_cast<GetProcessMitigationPolicyFunction>( |
| @@ -248,5 +465,301 @@ TEST(ProcessMitigationsTest, CheckWin8Win32KLockDownSuccess) { |
| EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown")); |
| } |
| +/*****************************************************************************/ |
| +// Disable non-system font loads (MITIGATION_NONSYSTEM_FONT_DISABLE) |
| +// >= Win10 |
| +/*****************************************************************************/ |
| + |
| +SBOX_TESTS_COMMAND int CheckWin10FontLockDown(int argc, wchar_t** argv) { |
| + get_process_mitigation_policy = |
| + reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( |
| + ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); |
| + if (!get_process_mitigation_policy) |
| + return SBOX_TEST_NOT_FOUND; |
| + |
| + if (!CheckWin10FontPolicy()) |
| + return SBOX_TEST_FIRST_ERROR; |
| + return SBOX_TEST_SUCCEEDED; |
| +} |
| + |
| +SBOX_TESTS_COMMAND int CheckWin10FontLoad(int argc, wchar_t** argv) { |
| + if (argc < 2) |
| + return SBOX_TEST_INVALID_PARAMETER; |
| + |
| + std::wstring outcome = argv[1]; |
| + bool success_expected = (0 == outcome.compare(L"success")) ? true : false; |
| + |
| + HMODULE gdi_module = ::LoadLibraryW(L"gdi32.dll"); |
| + if (!gdi_module) |
| + return SBOX_TEST_NOT_FOUND; |
| + |
| + AddFontMemResourceExFunction add_font_mem_resource = |
| + reinterpret_cast<AddFontMemResourceExFunction>( |
| + ::GetProcAddress(gdi_module, "AddFontMemResourceEx")); |
| + |
| + RemoveFontMemResourceExFunction rem_font_mem_resource = |
| + reinterpret_cast<RemoveFontMemResourceExFunction>( |
| + ::GetProcAddress(gdi_module, "RemoveFontMemResourceEx")); |
| + |
| + if (!add_font_mem_resource || !rem_font_mem_resource) |
| + return SBOX_TEST_NOT_FOUND; |
| + |
| + // Load font file passed in as an argument. |
| + std::vector<char> font_data; |
| + if (!LoadFileToMemory(argv[0], font_data)) |
| + return SBOX_TEST_NOT_FOUND; |
| + |
| + DWORD font_count = 0; |
| + HANDLE font_handle = add_font_mem_resource( |
| + &font_data[0], static_cast<DWORD>(font_data.size()), NULL, &font_count); |
| + |
| + if (font_handle) { |
| + rem_font_mem_resource(font_handle); |
| + return (success_expected) ? SBOX_TEST_SUCCEEDED : SBOX_TEST_FIRST_ERROR; |
| + } |
| + else { |
| + // Note: GetLastError returns 5, "ERROR_ACCESS_DENIED". |
| + return (success_expected) ? SBOX_TEST_FIRST_ERROR : SBOX_TEST_SUCCEEDED; |
| + } |
| + |
| + return SBOX_TEST_SUCCEEDED; |
| +} |
| + |
| +// This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE |
| +// mitigation enables the setting on a process. |
| +TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownPolicySuccess) { |
| + if (base::win::GetVersion() < base::win::VERSION_WIN10) |
| + return; |
| + |
| + TestRunner runner; |
| + sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| + |
| + EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), |
| + SBOX_ALL_OK); |
| + EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin10FontLockDown")); |
| +} |
| + |
| +// This test validates that we can load a non-system font |
| +// if the MITIGATION_NON_SYSTEM_FONTS_DISABLE |
| +// mitigation is NOT set. |
| +TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadSuccess) { |
| + if (base::win::GetVersion() < base::win::VERSION_WIN10) |
| + return; |
| + |
| + TestRunner runner; |
| + |
| + WCHAR dir_buffer[MAX_PATH]; |
| + EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH)); |
| + std::wstring font_name = dir_buffer; |
| + // Arial font should always be available |
| + font_name = font_name + L"\\fonts\\arial.ttf"; |
| + |
| + EXPECT_TRUE( |
| + runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, font_name.c_str())); |
| + |
| + std::wstring test_command = |
| + L"CheckWin10FontLoad \"" + font_name + L"\" success"; |
| + |
| + EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| +} |
| + |
| +// This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE |
| +// mitigation prevents the loading of a non-system font. |
| +TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadFailure) { |
| + if (base::win::GetVersion() < base::win::VERSION_WIN10) |
| + return; |
| + |
| + TestRunner runner; |
| + sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| + |
| + WCHAR dir_buffer[MAX_PATH]; |
| + EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH)); |
| + std::wstring font_name = dir_buffer; |
| + // Arial font should always be available |
| + font_name = font_name + L"\\fonts\\arial.ttf"; |
| + |
| + // Turn on the non-system font disable mitigation. |
| + EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), |
| + SBOX_ALL_OK); |
| + EXPECT_TRUE( |
| + runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, font_name.c_str())); |
| + |
| + std::wstring test_command = |
| + L"CheckWin10FontLoad \"" + font_name + L"\" failure"; |
| + |
| + EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| +} |
| + |
| +/*****************************************************************************/ |
| +// Disable image load from remote devices (MITIGATION_IMAGE_LOAD_NO_REMOTE). |
| +// >= Win10_10586 |
| +/*****************************************************************************/ |
| + |
| +SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoRemote(int argc, wchar_t** argv) { |
| + get_process_mitigation_policy = |
| + reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( |
| + ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); |
| + if (!get_process_mitigation_policy) |
| + return SBOX_TEST_NOT_FOUND; |
| + |
| + if (!CheckWin10ImageLoadNoRemotePolicy()) |
| + return SBOX_TEST_FIRST_ERROR; |
| + return SBOX_TEST_SUCCEEDED; |
| +} |
| + |
| +// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE |
| +// mitigation enables the setting on a process. |
| +TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoRemotePolicySuccess) { |
| + if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) |
| + return; |
| + |
| + TestRunner runner; |
| + sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| + |
| + EXPECT_EQ( |
| + policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_REMOTE), |
| + SBOX_ALL_OK); |
| + EXPECT_EQ(SBOX_TEST_SUCCEEDED, |
| + runner.RunTest(L"CheckWin10ImageLoadNoRemote")); |
| +} |
| + |
| +// This test validates that we CAN create a new process from |
| +// a remote UNC device, if the MITIGATION_IMAGE_LOAD_NO_REMOTE |
| +// mitigation is NOT set. |
| +// |
| +// DISABLED for automated testing bots. Enable for manual testing. |
| +TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteSuccess) { |
| + if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) |
| + return; |
| + |
| + TestWin10ImageLoadRemote(true); |
| +} |
| + |
| +// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE |
| +// mitigation prevents creating a new process from a remote |
| +// UNC device. |
| +// |
| +// DISABLED for automated testing bots. Enable for manual testing. |
| +TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteFailure) { |
| + if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) |
| + return; |
| + |
| + TestWin10ImageLoadRemote(false); |
| +} |
| + |
| +/*****************************************************************************/ |
| +// Disable image load when "mandatory low label" (integrity level). |
| +// (MITIGATION_IMAGE_LOAD_NO_LOW_LABEL) |
| +// >= Win10_10586 |
| +/*****************************************************************************/ |
| + |
| +SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoLowLabel(int argc, wchar_t** argv) { |
| + get_process_mitigation_policy = |
| + reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( |
| + ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); |
| + if (!get_process_mitigation_policy) |
| + return SBOX_TEST_NOT_FOUND; |
| + |
| + if (!CheckWin10ImageLoadNoLowLabelPolicy()) |
| + return SBOX_TEST_FIRST_ERROR; |
| + return SBOX_TEST_SUCCEEDED; |
| +} |
| + |
| +// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
| +// mitigation enables the setting on a process. |
| +TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelPolicySuccess) { |
| + if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) |
| + return; |
| + |
| + TestRunner runner; |
| + sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| + |
| + EXPECT_EQ( |
| + policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), |
| + SBOX_ALL_OK); |
| + EXPECT_EQ(SBOX_TEST_SUCCEEDED, |
| + runner.RunTest(L"CheckWin10ImageLoadNoLowLabel")); |
| +} |
| + |
| +// This test validates that we CAN create a new process with |
| +// low mandatory label (IL), if the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
| +// mitigation is NOT set. |
| +TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelSuccess) { |
| + if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) |
| + return; |
| + |
| + TestWin10ImageLoadLowLabel(true); |
| +} |
| + |
| +// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
| +// mitigation prevents creating a new process with low mandatory label (IL). |
| +TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelFailure) { |
| + if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) |
| + return; |
| + |
| + TestWin10ImageLoadLowLabel(false); |
| +} |
| + |
| +/*****************************************************************************/ |
| +// Disable child process creation. |
| +// (MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED) |
| +// >= Win10_10586 |
| +/*****************************************************************************/ |
| + |
| +// This test validates that we can spawn a child process if |
| +// MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation is |
| +// not set. |
| +TEST(ProcessMitigationsTest, CheckWin10ChildProcessSuccess) { |
| + if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) |
| + return; |
| + |
| + // Initialize a TestRunner that can CreateProcess. |
| + // I.e.: do NOT disable ALPCs/CSRSS for this test. |
| + TestRunner runner(true); |
| + sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| + |
| + // Set a policy that would normally allow for process creation. |
| + policy->SetJobLevel(JOB_NONE, 0); |
| + policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); |
| + |
| + std::wstring test_command = L"TestChildProcess "; |
| + WCHAR dir_buffer[MAX_PATH]; |
| + EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH)); |
| + test_command += dir_buffer; |
| + test_command += L"\\System32\\calc.exe success"; |
| + |
| + EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| +} |
| + |
| +// This test validates that setting the |
| +// MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation prevents |
| +// the spawning of child processes. |
| +TEST(ProcessMitigationsTest, CheckWin10ChildProcessFailure) { |
| + if (base::win::GetVersion() < base::win::VERSION_WIN10_10586) |
| + return; |
| + |
| + // Initialize a TestRunner that can CreateProcess. |
| + // I.e.: do NOT disable ALPCs/CSRSS for this test. |
| + TestRunner runner(true); |
| + sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| + |
| + // Set a policy that would normally allow for process creation. |
| + policy->SetJobLevel(JOB_NONE, 0); |
| + policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); |
| + |
| + // Turn on the child process restriction mitigation. |
| + EXPECT_EQ(policy->SetProcessMitigations( |
| + MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED), |
| + SBOX_ALL_OK); |
| + |
| + std::wstring test_command = L"TestChildProcess "; |
| + WCHAR dir_buffer[MAX_PATH]; |
| + EXPECT_TRUE(::GetWindowsDirectory(dir_buffer, MAX_PATH)); |
| + test_command += dir_buffer; |
| + test_command += L"\\System32\\calc.exe failure"; |
| + |
| + EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| +} |
| + |
| } // namespace sandbox |
