[Win10 sandbox mitigations] Four new Win10 mitigations added.

sandbox/win/src/process_mitigations_test.cc

Index: sandbox/win/src/process_mitigations_test.cc
diff --git a/sandbox/win/src/process_mitigations_test.cc b/sandbox/win/src/process_mitigations_test.cc
index 080d8eca3fcbd49752b9b3318e43527cc65e0add..b4e19940516b6b4d62ed0009c0cfe256499ec640 100644
--- a/sandbox/win/src/process_mitigations_test.cc
+++ b/sandbox/win/src/process_mitigations_test.cc
@@ -2,9 +2,13 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "base/files/file_util.h"
+#include "base/files/scoped_temp_dir.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/path_service.h"
+#include "base/process/launch.h"
 #include "base/strings/stringprintf.h"
 #include "base/win/scoped_handle.h"
-
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/nt_internals.h"
 #include "sandbox/win/src/process_mitigations.h"
@@ -17,19 +21,18 @@
 
 namespace {
 
-typedef BOOL (WINAPI *GetProcessDEPPolicyFunction)(
-    HANDLE process,
-    LPDWORD flags,
-    PBOOL permanent);
-
-typedef BOOL (WINAPI *GetProcessMitigationPolicyFunction)(
-    HANDLE process,
-    PROCESS_MITIGATION_POLICY mitigation_policy,
-    PVOID buffer,
-    SIZE_T length);
+// API defined in winbase.h.
+typedef decltype(GetProcessDEPPolicy)* GetProcessDEPPolicyFunction;
 
+// API defined in processthreadsapi.h.
+typedef decltype(
+    GetProcessMitigationPolicy)* GetProcessMitigationPolicyFunction;
 GetProcessMitigationPolicyFunction get_process_mitigation_policy;
 
+// APIs defined in wingdi.h.
+typedef decltype(AddFontMemResourceEx)* AddFontMemResourceExFunction;
+typedef decltype(RemoveFontMemResourceEx)* RemoveFontMemResourceExFunction;
+
 #if !defined(_WIN64)
 bool CheckWin8DepPolicy() {
   PROCESS_MITIGATION_DEP_POLICY policy = {};
@@ -83,10 +86,157 @@ bool CheckWin8DllExtensionPolicy() {
   return policy.DisableExtensionPoints;
 }
 
+bool CheckWin10FontPolicy() {
+  PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {};
+  if (!get_process_mitigation_policy(::GetCurrentProcess(),
+                                     ProcessFontDisablePolicy, &policy,
+                                     sizeof(policy))) {
+    return false;
+  }
+  return policy.DisableNonSystemFonts;
+}
+
+bool CheckWin10ImageLoadNoRemotePolicy() {
+  PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {};
+  if (!get_process_mitigation_policy(::GetCurrentProcess(),
+                                     ProcessImageLoadPolicy, &policy,
+                                     sizeof(policy))) {
+    return false;
+  }
+  return policy.NoRemoteImages;
+}
+
+void TestWin10ImageLoadRemote(bool is_success_test) {
+  // ***Insert your manual testing share UNC path here!
+  // E.g.: \\\\hostname\\sharename\\calc.exe
+  std::wstring unc = L"\"\\\\hostname\\sharename\\calc.exe\"";
+
+  sandbox::TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  // Set a policy that would normally allow for process creation.
+  policy->SetJobLevel(sandbox::JOB_NONE, 0);
+  policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED);
+  runner.SetDisableCsrss(false);
+
+  if (!is_success_test) {
+    // Enable the NoRemote mitigation.
+    EXPECT_EQ(policy->SetDelayedProcessMitigations(
+                  sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE),
+              sandbox::SBOX_ALL_OK);
+  }
+
+  std::wstring test = L"TestChildProcess ";
+  test += unc.c_str();
+  EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED
+                             : sandbox::SBOX_TEST_FAILED),
+            runner.RunTest(test.c_str()));
+}
+
+bool CheckWin10ImageLoadNoLowLabelPolicy() {
+  PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {};
+  if (!get_process_mitigation_policy(::GetCurrentProcess(),
+                                     ProcessImageLoadPolicy, &policy,
+                                     sizeof(policy))) {
+    return false;
+  }
+  return policy.NoLowMandatoryLabelImages;
+}
+
+void TestWin10ImageLoadLowLabel(bool is_success_test) {
+  // Setup a mandatory low executable for this test (calc.exe).
+  // If anything fails during setup, ASSERT to end test.
+  base::FilePath orig_path;
+  ASSERT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &orig_path));
+  orig_path = orig_path.Append(L"calc.exe");
+
+  base::ScopedTempDir temp_dir;
+  ASSERT_TRUE(temp_dir.CreateUniqueTempDir());
+  base::FilePath new_path = temp_dir.path();
+  new_path = new_path.Append(L"lowIL_calc.exe");
+
+  // Test file will be cleaned up by the ScopedTempDir.
+  ASSERT_TRUE(base::CopyFileW(orig_path, new_path));
+
+  std::wstring cmd_line = L"icacls \"";
+  cmd_line += new_path.value().c_str();
+  cmd_line += L"\" /setintegritylevel Low";
+
+  base::LaunchOptions options = base::LaunchOptionsForTest();
+  base::Process setup_proc = base::LaunchProcess(cmd_line.c_str(), options);
+  ASSERT_TRUE(setup_proc.IsValid());
+
+  int exit_code = 1;
+  if (!setup_proc.WaitForExitWithTimeout(base::TimeDelta::FromSeconds(10),
+                                         &exit_code)) {
+    // Might have timed out, or might have failed.
+    // Terminate to make sure we clean up any mess.
+    setup_proc.Terminate(0, false);
+    ASSERT_TRUE(false);
+  }
+  // Make sure icacls was successful.
+  ASSERT_TRUE(exit_code == 0);

[Will Harris, 2016/02/01 21:33:57]

ASSERT_EQ so you get the print out of the exit_code if it's not 0.

[penny, 2016/02/02 00:10:01]

Done.  My gTest mind is blown once again.  Didn't know that ASSERT_EQ would
result in printout of the values if false.

[Will Harris, 2016/02/02 01:19:18]

Sorry! One more nit: this should be

ASSERT_EQ(0, exit_code)

https://github.com/google/googletest/blob/master/googletest/docs/Primer.md#bi...

+
+  sandbox::TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  // Set a policy that would normally allow for process creation.
+  policy->SetJobLevel(sandbox::JOB_NONE, 0);
+  policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED);
+  runner.SetDisableCsrss(false);
+
+  if (!is_success_test) {
+    // Enable the NoLowLabel mitigation.
+    EXPECT_EQ(policy->SetDelayedProcessMitigations(
+                  sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL),
+              sandbox::SBOX_ALL_OK);
+  }
+
+  std::wstring test = L"TestChildProcess ";
+  test += new_path.value().c_str();
+
+  EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED
+                             : sandbox::SBOX_TEST_FAILED),
+            runner.RunTest(test.c_str()));
+}
+
 }  // namespace
 
 namespace sandbox {
 
+// A shared helper test command that will attempt to CreateProcess
+// with a given command line.
+//
+// ***Make sure you've enabled basic process creation in the
+// test sandbox settings via:
+// sandbox::TargetPolicy::SetJobLevel(),
+// sandbox::TargetPolicy::SetTokenLevel(),
+// and TestRunner::SetDisableCsrss().
+SBOX_TESTS_COMMAND int TestChildProcess(int argc, wchar_t** argv) {
+  if (argc < 1)
+    return SBOX_TEST_INVALID_PARAMETER;
+
+  std::wstring cmd = argv[0];
+  base::LaunchOptions options = base::LaunchOptionsForTest();
+  base::Process setup_proc = base::LaunchProcess(cmd.c_str(), options);
+
+  if (setup_proc.IsValid()) {
+    setup_proc.Terminate(0, false);
+    return SBOX_TEST_SUCCEEDED;
+  }
+  // Note: GetLastError from CreateProcess returns 5, "ERROR_ACCESS_DENIED".
+  return SBOX_TEST_FAILED;
+}
+
+//------------------------------------------------------------------------------

[Will Harris, 2016/02/01 21:33:57]

like++ the extra -

[penny, 2016/02/02 00:10:01]

Acknowledged.

+// Win8 Checks:
+// MITIGATION_DEP(_NO_ATL_THUNK)
+// MITIGATION_EXTENSION_DLL_DISABLE
+// MITIGATION_RELOCATE_IMAGE(_REQUIRED) - ASLR, release only
+// MITIGATION_STRICT_HANDLE_CHECKS
+// >= Win8
+//------------------------------------------------------------------------------
+
 SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) {
   get_process_mitigation_policy =
       reinterpret_cast<GetProcessMitigationPolicyFunction>(
@@ -138,6 +288,10 @@ TEST(ProcessMitigationsTest, CheckWin8) {
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8"));
 }
 
+//------------------------------------------------------------------------------
+// DEP (MITIGATION_DEP)
+// < Win8 x86
+//------------------------------------------------------------------------------
 
 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) {
   GetProcessDEPPolicyFunction get_process_dep_policy =
@@ -201,6 +355,11 @@ TEST(ProcessMitigationsTest, CheckDep) {
 }
 #endif
 
+//------------------------------------------------------------------------------
+// Win32k Lockdown (MITIGATION_WIN32K_DISABLE)
+// >= Win8
+//------------------------------------------------------------------------------
+
 SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) {
   get_process_mitigation_policy =
       reinterpret_cast<GetProcessMitigationPolicyFunction>(
@@ -248,5 +407,297 @@ TEST(ProcessMitigationsTest, CheckWin8Win32KLockDownSuccess) {
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown"));
 }
 
+//------------------------------------------------------------------------------
+// Disable non-system font loads (MITIGATION_NONSYSTEM_FONT_DISABLE)
+// >= Win10
+//------------------------------------------------------------------------------
+
+SBOX_TESTS_COMMAND int CheckWin10FontLockDown(int argc, wchar_t** argv) {
+  get_process_mitigation_policy =
+      reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress(
+          ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy"));
+  if (!get_process_mitigation_policy)
+    return SBOX_TEST_NOT_FOUND;
+
+  if (!CheckWin10FontPolicy())
+    return SBOX_TEST_FIRST_ERROR;
+  return SBOX_TEST_SUCCEEDED;
+}
+
+SBOX_TESTS_COMMAND int CheckWin10FontLoad(int argc, wchar_t** argv) {
+  if (argc < 1)
+    return SBOX_TEST_INVALID_PARAMETER;
+
+  HMODULE gdi_module = ::LoadLibraryW(L"gdi32.dll");
+  if (!gdi_module)
+    return SBOX_TEST_NOT_FOUND;
+
+  AddFontMemResourceExFunction add_font_mem_resource =
+      reinterpret_cast<AddFontMemResourceExFunction>(
+          ::GetProcAddress(gdi_module, "AddFontMemResourceEx"));
+
+  RemoveFontMemResourceExFunction rem_font_mem_resource =
+      reinterpret_cast<RemoveFontMemResourceExFunction>(
+          ::GetProcAddress(gdi_module, "RemoveFontMemResourceEx"));
+
+  if (!add_font_mem_resource || !rem_font_mem_resource)
+    return SBOX_TEST_NOT_FOUND;
+
+  // Open font file passed in as an argument.
+  base::File file(base::FilePath(argv[0]),
+                  base::File::FLAG_OPEN | base::File::FLAG_READ);
+  if (!file.IsValid())
+    // Failed to open the font file passed in.
+    return SBOX_TEST_NOT_FOUND;
+
+  std::vector<char> font_data;
+  int64_t len = file.GetLength();
+  font_data.resize(len);
+
+  int read = file.Read(0, &font_data[0], len);
+  file.Close();
+
+  if (read != len)
+    return SBOX_TEST_NOT_FOUND;
+
+  DWORD font_count = 0;
+  HANDLE font_handle = add_font_mem_resource(
+      &font_data[0], static_cast<DWORD>(font_data.size()), NULL, &font_count);
+
+  if (font_handle) {
+    rem_font_mem_resource(font_handle);
+    return SBOX_TEST_SUCCEEDED;
+  }
+
+  return SBOX_TEST_FAILED;
+}
+
+// This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE
+// mitigation enables the setting on a process.
+TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownPolicySuccess) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10)
+    return;
+
+  TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE),
+            SBOX_ALL_OK);
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin10FontLockDown"));
+}
+
+// This test validates that we can load a non-system font
+// if the MITIGATION_NON_SYSTEM_FONTS_DISABLE
+// mitigation is NOT set.
+TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadSuccess) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10)
+    return;
+
+  base::FilePath font_path;
+  EXPECT_TRUE(base::PathService::Get(base::DIR_WINDOWS_FONTS, &font_path));
+  // Arial font should always be available
+  font_path = font_path.Append(L"arial.ttf");
+
+  TestRunner runner;
+  EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY,
+                               font_path.value().c_str()));
+
+  std::wstring test_command = L"CheckWin10FontLoad \"";
+  test_command += font_path.value().c_str();
+  test_command += L"\"";
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
+}
+
+// This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE
+// mitigation prevents the loading of a non-system font.
+TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadFailure) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10)
+    return;
+
+  base::FilePath font_path;
+  EXPECT_TRUE(base::PathService::Get(base::DIR_WINDOWS_FONTS, &font_path));
+  // Arial font should always be available
+  font_path = font_path.Append(L"arial.ttf");
+
+  TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+  EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY,
+                               font_path.value().c_str()));
+
+  // Turn on the non-system font disable mitigation.
+  EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE),
+            SBOX_ALL_OK);
+
+  std::wstring test_command = L"CheckWin10FontLoad \"";
+  test_command += font_path.value().c_str();
+  test_command += L"\"";
+
+  EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(test_command.c_str()));
+}
+
+//------------------------------------------------------------------------------
+// Disable image load from remote devices (MITIGATION_IMAGE_LOAD_NO_REMOTE).
+// >= Win10_TH2
+//------------------------------------------------------------------------------
+
+SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoRemote(int argc, wchar_t** argv) {
+  get_process_mitigation_policy =
+      reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress(
+          ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy"));
+  if (!get_process_mitigation_policy)
+    return SBOX_TEST_NOT_FOUND;
+
+  if (!CheckWin10ImageLoadNoRemotePolicy())
+    return SBOX_TEST_FIRST_ERROR;
+  return SBOX_TEST_SUCCEEDED;
+}
+
+// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE
+// mitigation enables the setting on a process.
+TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoRemotePolicySuccess) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2)
+    return;
+
+  TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  EXPECT_EQ(
+      policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_REMOTE),
+      SBOX_ALL_OK);
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
+            runner.RunTest(L"CheckWin10ImageLoadNoRemote"));
+}
+
+// This test validates that we CAN create a new process from
+// a remote UNC device, if the MITIGATION_IMAGE_LOAD_NO_REMOTE
+// mitigation is NOT set.
+//
+// DISABLED for automated testing bots.  Enable for manual testing.
+TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteSuccess) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2)
+    return;
+
+  TestWin10ImageLoadRemote(true);
+}
+
+// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE
+// mitigation prevents creating a new process from a remote
+// UNC device.
+//
+// DISABLED for automated testing bots.  Enable for manual testing.
+TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteFailure) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2)
+    return;
+
+  TestWin10ImageLoadRemote(false);
+}
+
+//------------------------------------------------------------------------------
+// Disable image load when "mandatory low label" (integrity level).
+// (MITIGATION_IMAGE_LOAD_NO_LOW_LABEL)
+// >= Win10_TH2
+//------------------------------------------------------------------------------
+
+SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoLowLabel(int argc, wchar_t** argv) {
+  get_process_mitigation_policy =
+      reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress(
+          ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy"));
+  if (!get_process_mitigation_policy)
+    return SBOX_TEST_NOT_FOUND;
+
+  if (!CheckWin10ImageLoadNoLowLabelPolicy())
+    return SBOX_TEST_FIRST_ERROR;
+  return SBOX_TEST_SUCCEEDED;
+}
+
+// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL
+// mitigation enables the setting on a process.
+TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelPolicySuccess) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2)
+    return;
+
+  TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  EXPECT_EQ(
+      policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_LOW_LABEL),
+      SBOX_ALL_OK);
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
+            runner.RunTest(L"CheckWin10ImageLoadNoLowLabel"));
+}
+
+// This test validates that we CAN create a new process with
+// low mandatory label (IL), if the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL
+// mitigation is NOT set.
+TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelSuccess) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2)
+    return;
+
+  TestWin10ImageLoadLowLabel(true);
+}
+
+// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL
+// mitigation prevents creating a new process with low mandatory label (IL).
+TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelFailure) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2)
+    return;
+
+  TestWin10ImageLoadLowLabel(false);
+}
+
+//------------------------------------------------------------------------------
+// Disable child process creation.
+// - JobLevel <= JOB_LIMITED_USER (on < WIN10_TH2).
+// - JobLevel <= JOB_LIMITED_USER which also triggers setting
+//   PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY to
+//   PROCESS_CREATION_CHILD_PROCESS_RESTRICTED in
+//   BrokerServicesBase::SpawnTarget (on >= WIN10_TH2).
+//------------------------------------------------------------------------------
+
+// This test validates that we can spawn a child process if
+// MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation is
+// not set.
+TEST(ProcessMitigationsTest, CheckChildProcessSuccess) {
+  TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  // Set a policy that would normally allow for process creation.
+  policy->SetJobLevel(JOB_INTERACTIVE, 0);
+  policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
+  runner.SetDisableCsrss(false);
+
+  base::FilePath cmd;
+  EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd));
+  cmd = cmd.Append(L"calc.exe");
+
+  std::wstring test_command = L"TestChildProcess ";
+  test_command += cmd.value().c_str();
+
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
+}
+
+// This test validates that setting the
+// MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation prevents
+// the spawning of child processes.
+TEST(ProcessMitigationsTest, CheckChildProcessFailure) {
+  TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  // Now set the job level to be <= JOB_LIMITED_USER
+  // and ensure we can no longer create a child process.
+  policy->SetJobLevel(JOB_LIMITED_USER, 0);
+  policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
+  runner.SetDisableCsrss(false);
+
+  base::FilePath cmd;
+  EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd));
+  cmd = cmd.Append(L"calc.exe");
+
+  std::wstring test_command = L"TestChildProcess ";
+  test_command += cmd.value().c_str();
+
+  EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(test_command.c_str()));
+}
+
 }  // namespace sandbox