Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(459)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/win/src/restricted_token_unittest.cc

Issue 1821193002: Added a policy option to restrict the default DACL for tokens. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Added access mask to open process test Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « sandbox/win/src/restricted_token_test.cc ('k') | sandbox/win/src/restricted_token_utils.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This file contains unit tests for the RestrictedToken. 5 // This file contains unit tests for the RestrictedToken.
6 6
7 #define _ATL_NO_EXCEPTIONS 7 #define _ATL_NO_EXCEPTIONS
8 #include <atlbase.h> 8 #include <atlbase.h>
9 #include <atlsecurity.h> 9 #include <atlsecurity.h>
10 #include <vector> 10 #include <vector>
11 11
12 #include "base/win/scoped_handle.h" 12 #include "base/win/scoped_handle.h"
13 #include "sandbox/win/src/restricted_token.h" 13 #include "sandbox/win/src/restricted_token.h"
14 #include "sandbox/win/src/sid.h" 14 #include "sandbox/win/src/sid.h"
15 #include "testing/gtest/include/gtest/gtest.h" 15 #include "testing/gtest/include/gtest/gtest.h"
16 16
17 namespace sandbox { 17 namespace sandbox {
18 18
19 namespace {
20
21 void TestDefaultDalc(bool restricted_required) {
22 RestrictedToken token;
23 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
24 if (!restricted_required)
25 token.SetLockdownDefaultDacl();
26
27 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
28 token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
29
30 base::win::ScopedHandle handle;
31 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
32 token.GetRestrictedToken(&handle));
33
34 ATL::CAccessToken restricted_token;
35 restricted_token.Attach(handle.Take());
36
37 ATL::CDacl dacl;
38 ASSERT_TRUE(restricted_token.GetDefaultDacl(&dacl));
39
40 ATL::CSid logon_sid;
41 ASSERT_TRUE(restricted_token.GetLogonSid(&logon_sid));
42
43 bool restricted_found = false;
44 bool logon_sid_found = false;
45
46 unsigned int ace_count = dacl.GetAceCount();
47 for (unsigned int i = 0; i < ace_count; ++i) {
48 ATL::CSid sid;
49 ACCESS_MASK mask = 0;
50 dacl.GetAclEntry(i, &sid, &mask);
51 if (sid == ATL::Sids::RestrictedCode() && mask == GENERIC_ALL) {
52 restricted_found = true;
53 } else if (sid == logon_sid) {
54 logon_sid_found = true;
55 }
56 }
57
58 ASSERT_EQ(restricted_required, restricted_found);
59 if (!restricted_required)
60 ASSERT_FALSE(logon_sid_found);
61 }
62
63 } // namespace
64
19 // Tests the initializatioin with an invalid token handle. 65 // Tests the initializatioin with an invalid token handle.
20 TEST(RestrictedTokenTest, InvalidHandle) { 66 TEST(RestrictedTokenTest, InvalidHandle) {
21 RestrictedToken token; 67 RestrictedToken token;
22 ASSERT_EQ(static_cast<DWORD>(ERROR_INVALID_HANDLE), 68 ASSERT_EQ(static_cast<DWORD>(ERROR_INVALID_HANDLE),
23 token.Init(reinterpret_cast<HANDLE>(0x5555))); 69 token.Init(reinterpret_cast<HANDLE>(0x5555)));
24 } 70 }
25 71
26 // Tests the initialization with NULL as parameter. 72 // Tests the initialization with NULL as parameter.
27 TEST(RestrictedTokenTest, DefaultInit) { 73 TEST(RestrictedTokenTest, DefaultInit) {
28 // Get the current process token. 74 // Get the current process token.
(...skipping 105 matching lines...) Expand 10 before | Expand all | Expand 10 after
134 ::TokenType, 180 ::TokenType,
135 &type, 181 &type,
136 sizeof(type), 182 sizeof(type),
137 &length)); 183 &length));
138 184
139 ASSERT_EQ(type, TokenImpersonation); 185 ASSERT_EQ(type, TokenImpersonation);
140 } 186 }
141 187
142 // Verifies that the token created has "Restricted" in its default dacl. 188 // Verifies that the token created has "Restricted" in its default dacl.
143 TEST(RestrictedTokenTest, DefaultDacl) { 189 TEST(RestrictedTokenTest, DefaultDacl) {
144 RestrictedToken token; 190 TestDefaultDalc(true);
145 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); 191 }
146 192
147 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), 193 // Verifies that the token created does not have "Restricted" in its default
148 token.AddRestrictingSid(ATL::Sids::World().GetPSID())); 194 // dacl.
149 195 TEST(RestrictedTokenTest, DefaultDaclLockdown) {
150 base::win::ScopedHandle handle; 196 TestDefaultDalc(false);
151 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
152 token.GetRestrictedToken(&handle));
153
154 ATL::CAccessToken restricted_token;
155 restricted_token.Attach(handle.Take());
156
157 ATL::CDacl dacl;
158 ASSERT_TRUE(restricted_token.GetDefaultDacl(&dacl));
159
160 bool restricted_found = false;
161
162 unsigned int ace_count = dacl.GetAceCount();
163 for (unsigned int i = 0; i < ace_count ; ++i) {
164 ATL::CSid sid;
165 ACCESS_MASK mask = 0;
166 dacl.GetAclEntry(i, &sid, &mask);
167 if (sid == ATL::Sids::RestrictedCode() && mask == GENERIC_ALL) {
168 restricted_found = true;
169 break;
170 }
171 }
172
173 ASSERT_TRUE(restricted_found);
174 } 197 }
175 198
176 // Tests the method "AddSidForDenyOnly". 199 // Tests the method "AddSidForDenyOnly".
177 TEST(RestrictedTokenTest, DenySid) { 200 TEST(RestrictedTokenTest, DenySid) {
178 RestrictedToken token; 201 RestrictedToken token;
179 base::win::ScopedHandle token_handle; 202 base::win::ScopedHandle token_handle;
180 203
181 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); 204 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
182 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), 205 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
183 token.AddSidForDenyOnly(Sid(WinWorldSid))); 206 token.AddSidForDenyOnly(Sid(WinWorldSid)));
(...skipping 427 matching lines...) Expand 10 before | Expand all | Expand 10 after
611 634
612 // Checks the error code when the object is initialized twice. 635 // Checks the error code when the object is initialized twice.
613 TEST(RestrictedTokenTest, DoubleInit) { 636 TEST(RestrictedTokenTest, DoubleInit) {
614 RestrictedToken token; 637 RestrictedToken token;
615 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL)); 638 ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
616 639
617 ASSERT_EQ(static_cast<DWORD>(ERROR_ALREADY_INITIALIZED), token.Init(NULL)); 640 ASSERT_EQ(static_cast<DWORD>(ERROR_ALREADY_INITIALIZED), token.Init(NULL));
618 } 641 }
619 642
620 } // namespace sandbox 643 } // namespace sandbox
OLDNEW
« no previous file with comments | « sandbox/win/src/restricted_token_test.cc ('k') | sandbox/win/src/restricted_token_utils.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698