| Index: sandbox/win/src/restricted_token_unittest.cc
|
| diff --git a/sandbox/win/src/restricted_token_unittest.cc b/sandbox/win/src/restricted_token_unittest.cc
|
| index b11948e9ffd49ca63442f88211183397cbaa359d..b0647dc3d6f25f85eaf2607ef5603a8196f65c23 100644
|
| --- a/sandbox/win/src/restricted_token_unittest.cc
|
| +++ b/sandbox/win/src/restricted_token_unittest.cc
|
| @@ -16,6 +16,52 @@
|
|
|
| namespace sandbox {
|
|
|
| +namespace {
|
| +
|
| +void TestDefaultDalc(bool restricted_required) {
|
| + RestrictedToken token;
|
| + ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
|
| + if (!restricted_required)
|
| + token.SetLockdownDefaultDacl();
|
| +
|
| + ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
|
| + token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
|
| +
|
| + base::win::ScopedHandle handle;
|
| + ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
|
| + token.GetRestrictedToken(&handle));
|
| +
|
| + ATL::CAccessToken restricted_token;
|
| + restricted_token.Attach(handle.Take());
|
| +
|
| + ATL::CDacl dacl;
|
| + ASSERT_TRUE(restricted_token.GetDefaultDacl(&dacl));
|
| +
|
| + ATL::CSid logon_sid;
|
| + ASSERT_TRUE(restricted_token.GetLogonSid(&logon_sid));
|
| +
|
| + bool restricted_found = false;
|
| + bool logon_sid_found = false;
|
| +
|
| + unsigned int ace_count = dacl.GetAceCount();
|
| + for (unsigned int i = 0; i < ace_count; ++i) {
|
| + ATL::CSid sid;
|
| + ACCESS_MASK mask = 0;
|
| + dacl.GetAclEntry(i, &sid, &mask);
|
| + if (sid == ATL::Sids::RestrictedCode() && mask == GENERIC_ALL) {
|
| + restricted_found = true;
|
| + } else if (sid == logon_sid) {
|
| + logon_sid_found = true;
|
| + }
|
| + }
|
| +
|
| + ASSERT_EQ(restricted_required, restricted_found);
|
| + if (!restricted_required)
|
| + ASSERT_FALSE(logon_sid_found);
|
| +}
|
| +
|
| +} // namespace
|
| +
|
| // Tests the initializatioin with an invalid token handle.
|
| TEST(RestrictedTokenTest, InvalidHandle) {
|
| RestrictedToken token;
|
| @@ -141,36 +187,13 @@ TEST(RestrictedTokenTest, ResultToken) {
|
|
|
| // Verifies that the token created has "Restricted" in its default dacl.
|
| TEST(RestrictedTokenTest, DefaultDacl) {
|
| - RestrictedToken token;
|
| - ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
|
| -
|
| - ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
|
| - token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
|
| -
|
| - base::win::ScopedHandle handle;
|
| - ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
|
| - token.GetRestrictedToken(&handle));
|
| -
|
| - ATL::CAccessToken restricted_token;
|
| - restricted_token.Attach(handle.Take());
|
| -
|
| - ATL::CDacl dacl;
|
| - ASSERT_TRUE(restricted_token.GetDefaultDacl(&dacl));
|
| -
|
| - bool restricted_found = false;
|
| -
|
| - unsigned int ace_count = dacl.GetAceCount();
|
| - for (unsigned int i = 0; i < ace_count ; ++i) {
|
| - ATL::CSid sid;
|
| - ACCESS_MASK mask = 0;
|
| - dacl.GetAclEntry(i, &sid, &mask);
|
| - if (sid == ATL::Sids::RestrictedCode() && mask == GENERIC_ALL) {
|
| - restricted_found = true;
|
| - break;
|
| - }
|
| - }
|
| + TestDefaultDalc(true);
|
| +}
|
|
|
| - ASSERT_TRUE(restricted_found);
|
| +// Verifies that the token created does not have "Restricted" in its default
|
| +// dacl.
|
| +TEST(RestrictedTokenTest, DefaultDaclLockdown) {
|
| + TestDefaultDalc(false);
|
| }
|
|
|
| // Tests the method "AddSidForDenyOnly".
|
|
|
Chromium Code Reviews
Issue 1821193002:
Added a policy option to restrict the default DACL for tokens. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master