1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include <algorithm> | |
6 #include <cctype> | |
7 | |
8 #include <windows.h> | |
9 #include <winioctl.h> | |
10 | |
11 #include "base/win/scoped_handle.h" | |
12 #include "base/win/windows_version.h" | |
13 #include "sandbox/win/src/filesystem_policy.h" | |
14 #include "sandbox/win/src/nt_internals.h" | |
15 #include "sandbox/win/src/sandbox.h" | |
16 #include "sandbox/win/src/sandbox_factory.h" | |
17 #include "sandbox/win/src/sandbox_policy.h" | |
18 #include "sandbox/win/src/win_utils.h" | |
19 #include "sandbox/win/tests/common/controller.h" | |
20 #include "sandbox/win/tests/common/test_utils.h" | |
21 #include "testing/gtest/include/gtest/gtest.h" | |
22 | |
23 #define BINDNTDLL(name) \ | |
24 name ## Function name = reinterpret_cast<name ## Function>( \ | |
25 ::GetProcAddress(::GetModuleHandle(L"ntdll.dll"), #name)) | |
26 | |
27 namespace sandbox { | |
28 | |
29 const ULONG kSharing = FILE_SHARE_WRITE | FILE_SHARE_READ | FILE_SHARE_DELETE; | |
30 | |
31 // Creates a file using different desired access. Returns if the call succeeded | |
32 // or not. The first argument in argv is the filename. The second argument | |
33 // determines the type of access and the dispositino of the file. | |
34 SBOX_TESTS_COMMAND int File_Create(int argc, wchar_t **argv) { | |
35 if (argc != 2) | |
36 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | |
37 | |
38 std::wstring operation(argv[0]); | |
39 | |
40 if (operation == L"Read") { | |
41 base::win::ScopedHandle file1(CreateFile( | |
42 argv[1], GENERIC_READ, kSharing, NULL, OPEN_EXISTING, 0, NULL)); | |
43 base::win::ScopedHandle file2(CreateFile( | |
44 argv[1], FILE_EXECUTE, kSharing, NULL, OPEN_EXISTING, 0, NULL)); | |
45 | |
46 if (file1.IsValid() == file2.IsValid()) | |
47 return file1.IsValid() ? SBOX_TEST_SUCCEEDED : SBOX_TEST_DENIED; | |
48 return file1.IsValid() ? SBOX_TEST_FIRST_ERROR : SBOX_TEST_SECOND_ERROR; | |
49 | |
50 } else if (operation == L"Write") { | |
51 base::win::ScopedHandle file1(CreateFile( | |
52 argv[1], GENERIC_ALL, kSharing, NULL, OPEN_EXISTING, 0, NULL)); | |
53 base::win::ScopedHandle file2(CreateFile( | |
54 argv[1], GENERIC_READ | FILE_WRITE_DATA, kSharing, NULL, OPEN_EXISTING, | |
55 0, NULL)); | |
56 | |
57 if (file1.IsValid() == file2.IsValid()) | |
58 return file1.IsValid() ? SBOX_TEST_SUCCEEDED : SBOX_TEST_DENIED; | |
59 return file1.IsValid() ? SBOX_TEST_FIRST_ERROR : SBOX_TEST_SECOND_ERROR; | |
60 | |
61 } else if (operation == L"ReadCreate") { | |
62 base::win::ScopedHandle file2(CreateFile( | |
63 argv[1], GENERIC_READ, kSharing, NULL, CREATE_NEW, 0, NULL)); | |
64 base::win::ScopedHandle file1(CreateFile( | |
65 argv[1], GENERIC_READ, kSharing, NULL, CREATE_ALWAYS, 0, NULL)); | |
66 | |
67 if (file1.IsValid() == file2.IsValid()) | |
68 return file1.IsValid() ? SBOX_TEST_SUCCEEDED : SBOX_TEST_DENIED; | |
69 return file1.IsValid() ? SBOX_TEST_FIRST_ERROR : SBOX_TEST_SECOND_ERROR; | |
70 } | |
71 | |
72 return SBOX_TEST_INVALID_PARAMETER; | |
73 } | |
74 | |
75 SBOX_TESTS_COMMAND int File_Win32Create(int argc, wchar_t **argv) { | |
76 if (argc != 1) { | |
77 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | |
78 } | |
79 | |
80 base::string16 full_path = MakePathToSys(argv[0], false); | |
81 if (full_path.empty()) { | |
82 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | |
83 } | |
84 | |
85 HANDLE file = ::CreateFileW(full_path.c_str(), GENERIC_READ, kSharing, | |
86 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); | |
87 | |
88 if (INVALID_HANDLE_VALUE != file) { | |
89 ::CloseHandle(file); | |
90 return SBOX_TEST_SUCCEEDED; | |
91 } else { | |
92 if (ERROR_ACCESS_DENIED == ::GetLastError()) { | |
93 return SBOX_TEST_DENIED; | |
94 } else { | |
95 return SBOX_TEST_FAILED; | |
96 } | |
97 } | |
98 return SBOX_TEST_SUCCEEDED; | |
99 } | |
100 | |
101 // Creates the file in parameter using the NtCreateFile api and returns if the | |
102 // call succeeded or not. | |
103 SBOX_TESTS_COMMAND int File_CreateSys32(int argc, wchar_t **argv) { | |
104 BINDNTDLL(NtCreateFile); | |
105 BINDNTDLL(RtlInitUnicodeString); | |
106 if (!NtCreateFile || !RtlInitUnicodeString) | |
107 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | |
108 | |
109 if (argc != 1) | |
110 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | |
111 | |
112 base::string16 file(argv[0]); | |
113 if (0 != _wcsnicmp(file.c_str(), kNTDevicePrefix, kNTDevicePrefixLen)) | |
114 file = MakePathToSys(argv[0], true); | |
115 | |
116 UNICODE_STRING object_name; | |
117 RtlInitUnicodeString(&object_name, file.c_str()); | |
118 | |
119 OBJECT_ATTRIBUTES obj_attributes = {}; | |
120 InitializeObjectAttributes(&obj_attributes, &object_name, | |
121 OBJ_CASE_INSENSITIVE, NULL, NULL); | |
122 | |
123 HANDLE handle; | |
124 IO_STATUS_BLOCK io_block = {}; | |
125 NTSTATUS status = NtCreateFile(&handle, FILE_READ_DATA, &obj_attributes, | |
126 &io_block, NULL, 0, kSharing, FILE_OPEN, | |
127 0, NULL, 0); | |
128 if (NT_SUCCESS(status)) { | |
129 ::CloseHandle(handle); | |
130 return SBOX_TEST_SUCCEEDED; | |
131 } else if (STATUS_ACCESS_DENIED == status) { | |
132 return SBOX_TEST_DENIED; | |
133 } else if (STATUS_OBJECT_NAME_NOT_FOUND == status) { | |
134 return SBOX_TEST_NOT_FOUND; | |
135 } | |
136 return SBOX_TEST_FAILED; | |
137 } | |
138 | |
139 // Opens the file in parameter using the NtOpenFile api and returns if the | |
140 // call succeeded or not. | |
141 SBOX_TESTS_COMMAND int File_OpenSys32(int argc, wchar_t **argv) { | |
142 BINDNTDLL(NtOpenFile); | |
143 BINDNTDLL(RtlInitUnicodeString); | |
144 if (!NtOpenFile || !RtlInitUnicodeString) | |
145 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | |
146 | |
147 if (argc != 1) | |
148 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | |
149 | |
150 base::string16 file = MakePathToSys(argv[0], true); | |
151 UNICODE_STRING object_name; | |
152 RtlInitUnicodeString(&object_name, file.c_str()); | |
153 | |
154 OBJECT_ATTRIBUTES obj_attributes = {}; | |
155 InitializeObjectAttributes(&obj_attributes, &object_name, | |
156 OBJ_CASE_INSENSITIVE, NULL, NULL); | |
157 | |
158 HANDLE handle; | |
159 IO_STATUS_BLOCK io_block = {}; | |
160 NTSTATUS status = NtOpenFile(&handle, FILE_READ_DATA, &obj_attributes, | |
161 &io_block, kSharing, 0); | |
162 if (NT_SUCCESS(status)) { | |
163 ::CloseHandle(handle); | |
164 return SBOX_TEST_SUCCEEDED; | |
165 } else if (STATUS_ACCESS_DENIED == status) { | |
166 return SBOX_TEST_DENIED; | |
167 } else if (STATUS_OBJECT_NAME_NOT_FOUND == status) { | |
168 return SBOX_TEST_NOT_FOUND; | |
169 } | |
170 return SBOX_TEST_FAILED; | |
171 } | |
172 | |
173 SBOX_TESTS_COMMAND int File_GetDiskSpace(int argc, wchar_t **argv) { | |
174 base::string16 sys_path = MakePathToSys(L"", false); | |
175 if (sys_path.empty()) { | |
176 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | |
177 } | |
178 ULARGE_INTEGER free_user = {}; | |
179 ULARGE_INTEGER total = {}; | |
180 ULARGE_INTEGER free_total = {}; | |
181 if (::GetDiskFreeSpaceExW(sys_path.c_str(), &free_user, &total, | |
182 &free_total)) { | |
183 if ((total.QuadPart != 0) && (free_total.QuadPart !=0)) { | |
184 return SBOX_TEST_SUCCEEDED; | |
185 } | |
186 } else { | |
187 if (ERROR_ACCESS_DENIED == ::GetLastError()) { | |
188 return SBOX_TEST_DENIED; | |
189 } else { | |
190 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | |
191 } | |
192 } | |
193 return SBOX_TEST_SUCCEEDED; | |
194 } | |
195 | |
196 // Move a file using the MoveFileEx api and returns if the call succeeded or | |
197 // not. | |
198 SBOX_TESTS_COMMAND int File_Rename(int argc, wchar_t **argv) { | |
199 if (argc != 2) | |
200 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | |
201 | |
202 if (::MoveFileEx(argv[0], argv[1], 0)) | |
203 return SBOX_TEST_SUCCEEDED; | |
204 | |
205 if (::GetLastError() != ERROR_ACCESS_DENIED) | |
206 return SBOX_TEST_FAILED; | |
207 | |
208 return SBOX_TEST_DENIED; | |
209 } | |
210 | |
211 // Query the attributes of file in parameter using the NtQueryAttributesFile api | |
212 // and NtQueryFullAttributesFile and returns if the call succeeded or not. The | |
213 // second argument in argv is "d" or "f" telling if we expect the attributes to | |
214 // specify a file or a directory. The expected attribute has to match the real | |
215 // attributes for the call to be successful. | |
216 SBOX_TESTS_COMMAND int File_QueryAttributes(int argc, wchar_t **argv) { | |
217 BINDNTDLL(NtQueryAttributesFile); | |
218 BINDNTDLL(NtQueryFullAttributesFile); | |
219 BINDNTDLL(RtlInitUnicodeString); | |
220 if (!NtQueryAttributesFile || !NtQueryFullAttributesFile || | |
221 !RtlInitUnicodeString) | |
222 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | |
223 | |
224 if (argc != 2) | |
225 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | |
226 | |
227 bool expect_directory = (L'd' == argv[1][0]); | |
228 | |
229 UNICODE_STRING object_name; | |
230 base::string16 file = MakePathToSys(argv[0], true); | |
231 RtlInitUnicodeString(&object_name, file.c_str()); | |
232 | |
233 OBJECT_ATTRIBUTES obj_attributes = {}; | |
234 InitializeObjectAttributes(&obj_attributes, &object_name, | |
235 OBJ_CASE_INSENSITIVE, NULL, NULL); | |
236 | |
237 FILE_BASIC_INFORMATION info = {}; | |
238 FILE_NETWORK_OPEN_INFORMATION full_info = {}; | |
239 NTSTATUS status1 = NtQueryAttributesFile(&obj_attributes, &info); | |
240 NTSTATUS status2 = NtQueryFullAttributesFile(&obj_attributes, &full_info); | |
241 | |
242 if (status1 != status2) | |
243 return SBOX_TEST_FAILED; | |
244 | |
245 if (NT_SUCCESS(status1)) { | |
246 if (info.FileAttributes != full_info.FileAttributes) | |
247 return SBOX_TEST_FAILED; | |
248 | |
249 bool is_directory1 = (info.FileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0; | |
250 if (expect_directory == is_directory1) | |
251 return SBOX_TEST_SUCCEEDED; | |
252 } else if (STATUS_ACCESS_DENIED == status1) { | |
253 return SBOX_TEST_DENIED; | |
254 } else if (STATUS_OBJECT_NAME_NOT_FOUND == status1) { | |
255 return SBOX_TEST_NOT_FOUND; | |
256 } | |
257 | |
258 return SBOX_TEST_FAILED; | |
259 } | |
260 | |
261 TEST(FilePolicyTest, DenyNtCreateCalc) { | |
262 TestRunner runner; | |
263 EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_DIR_ANY, | |
264 L"calc.exe")); | |
265 | |
266 EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_CreateSys32 calc.exe")); | |
267 | |
268 runner.SetTestState(BEFORE_REVERT); | |
269 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_CreateSys32 calc.exe")); | |
270 } | |
271 | |
272 TEST(FilePolicyTest, AllowNtCreateCalc) { | |
273 TestRunner runner; | |
274 EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY, L"calc.exe")); | |
275 | |
276 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_CreateSys32 calc.exe")); | |
277 | |
278 runner.SetTestState(BEFORE_REVERT); | |
279 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_CreateSys32 calc.exe")); | |
280 } | |
281 | |
282 TEST(FilePolicyTest, AllowNtCreateWithNativePath) { | |
283 | |
284 base::string16 calc = MakePathToSys(L"calc.exe", false); | |
285 base::string16 nt_path; | |
286 ASSERT_TRUE(GetNtPathFromWin32Path(calc, &nt_path)); | |
287 TestRunner runner; | |
288 runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, nt_path.c_str()); | |
289 | |
290 wchar_t buff[MAX_PATH]; | |
291 ::wsprintfW(buff, L"File_CreateSys32 %s", nt_path.c_str()); | |
292 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(buff)); | |
293 | |
294 std::transform(nt_path.begin(), nt_path.end(), nt_path.begin(), std::tolower); | |
295 ::wsprintfW(buff, L"File_CreateSys32 %s", nt_path.c_str()); | |
296 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(buff)); | |
297 } | |
298 | |
299 TEST(FilePolicyTest, AllowReadOnly) { | |
300 TestRunner runner; | |
301 | |
302 // Create a temp file because we need write access to it. | |
303 wchar_t temp_directory[MAX_PATH]; | |
304 wchar_t temp_file_name[MAX_PATH]; | |
305 ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u); | |
306 ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name), 0u); | |
307 | |
308 EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, | |
309 temp_file_name)); | |
310 | |
311 wchar_t command_read[MAX_PATH + 20] = {}; | |
312 wsprintf(command_read, L"File_Create Read \"%ls\"", temp_file_name); | |
313 wchar_t command_read_create[MAX_PATH + 20] = {}; | |
314 wsprintf(command_read_create, L"File_Create ReadCreate \"%ls\"", | |
315 temp_file_name); | |
316 wchar_t command_write[MAX_PATH + 20] = {}; | |
317 wsprintf(command_write, L"File_Create Write \"%ls\"", temp_file_name); | |
318 | |
319 // Verify that we cannot create the file after revert. | |
320 EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command_read_create)); | |
321 | |
322 // Verify that we don't have write access after revert. | |
323 EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command_write)); | |
324 | |
325 // Verify that we have read access after revert. | |
326 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command_read)); | |
327 | |
328 // Verify that we really have write access to the file. | |
329 runner.SetTestState(BEFORE_REVERT); | |
330 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command_write)); | |
331 | |
332 DeleteFile(temp_file_name); | |
333 } | |
334 | |
335 // Tests support of "\\\\.\\DeviceName" kind of paths. | |
336 TEST(FilePolicyTest, AllowImplicitDeviceName) { | |
337 | |
338 TestRunner runner; | |
339 | |
340 wchar_t temp_directory[MAX_PATH]; | |
341 wchar_t temp_file_name[MAX_PATH]; | |
342 ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u); | |
343 ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name), 0u); | |
344 | |
345 std::wstring path(temp_file_name); | |
346 EXPECT_TRUE(ConvertToLongPath(&path)); | |
347 EXPECT_TRUE(GetNtPathFromWin32Path(path, &path)); | |
348 path = path.substr(sandbox::kNTDevicePrefixLen); | |
349 | |
350 wchar_t command[MAX_PATH + 20] = {}; | |
351 wsprintf(command, L"File_Create Read \"\\\\.\\%ls\"", path.c_str()); | |
352 path = std::wstring(kNTPrefix) + path; | |
353 | |
354 EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command)); | |
355 EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, path.c_str())); | |
356 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command)); | |
357 | |
358 DeleteFile(temp_file_name); | |
359 } | |
360 | |
361 TEST(FilePolicyTest, AllowWildcard) { | |
362 TestRunner runner; | |
363 | |
364 // Create a temp file because we need write access to it. | |
365 wchar_t temp_directory[MAX_PATH]; | |
366 wchar_t temp_file_name[MAX_PATH]; | |
367 ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u); | |
368 ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name), 0u); | |
369 | |
370 wcscat_s(temp_directory, MAX_PATH, L"*"); | |
371 EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_directory)); | |
372 | |
373 wchar_t command_write[MAX_PATH + 20] = {}; | |
374 wsprintf(command_write, L"File_Create Write \"%ls\"", temp_file_name); | |
375 | |
376 // Verify that we have write access after revert. | |
377 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command_write)); | |
378 | |
379 DeleteFile(temp_file_name); | |
380 } | |
381 | |
382 TEST(FilePolicyTest, AllowNtCreatePatternRule) { | |
383 TestRunner runner; | |
384 EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY, L"App*.dll")); | |
385 | |
386 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
387 runner.RunTest(L"File_OpenSys32 appmgmts.dll")); | |
388 EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_OpenSys32 appwiz.cpl")); | |
389 | |
390 runner.SetTestState(BEFORE_REVERT); | |
391 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
392 runner.RunTest(L"File_OpenSys32 appmgmts.dll")); | |
393 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_OpenSys32 appwiz.cpl")); | |
394 } | |
395 | |
396 TEST(FilePolicyTest, CheckNotFound) { | |
397 TestRunner runner; | |
398 EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY, L"n*.dll")); | |
399 | |
400 EXPECT_EQ(SBOX_TEST_NOT_FOUND, | |
401 runner.RunTest(L"File_OpenSys32 notfound.dll")); | |
402 } | |
403 | |
404 TEST(FilePolicyTest, CheckNoLeak) { | |
405 TestRunner runner; | |
406 EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_CreateSys32 notfound.exe")); | |
407 } | |
408 | |
409 TEST(FilePolicyTest, TestQueryAttributesFile) { | |
410 TestRunner runner; | |
411 EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY, | |
412 L"appmgmts.dll")); | |
413 EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY, | |
414 L"notfound.exe")); | |
415 EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY, L"drivers")); | |
416 EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_QUERY, | |
417 L"ipconfig.exe")); | |
418 | |
419 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
420 runner.RunTest(L"File_QueryAttributes drivers d")); | |
421 | |
422 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
423 runner.RunTest(L"File_QueryAttributes appmgmts.dll f")); | |
424 | |
425 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
426 runner.RunTest(L"File_QueryAttributes ipconfig.exe f")); | |
427 | |
428 EXPECT_EQ(SBOX_TEST_DENIED, | |
429 runner.RunTest(L"File_QueryAttributes ftp.exe f")); | |
430 | |
431 EXPECT_EQ(SBOX_TEST_NOT_FOUND, | |
432 runner.RunTest(L"File_QueryAttributes notfound.exe f")); | |
433 } | |
434 | |
435 // Makes sure that we don't leak information when there is not policy to allow | |
436 // a path. | |
437 TEST(FilePolicyTest, TestQueryAttributesFileNoPolicy) { | |
438 TestRunner runner; | |
439 EXPECT_EQ(SBOX_TEST_DENIED, | |
440 runner.RunTest(L"File_QueryAttributes ftp.exe f")); | |
441 | |
442 EXPECT_EQ(SBOX_TEST_DENIED, | |
443 runner.RunTest(L"File_QueryAttributes notfound.exe f")); | |
444 } | |
445 | |
446 TEST(FilePolicyTest, TestRename) { | |
447 TestRunner runner; | |
448 | |
449 // Give access to the temp directory. | |
450 wchar_t temp_directory[MAX_PATH]; | |
451 wchar_t temp_file_name1[MAX_PATH]; | |
452 wchar_t temp_file_name2[MAX_PATH]; | |
453 wchar_t temp_file_name3[MAX_PATH]; | |
454 wchar_t temp_file_name4[MAX_PATH]; | |
455 wchar_t temp_file_name5[MAX_PATH]; | |
456 wchar_t temp_file_name6[MAX_PATH]; | |
457 wchar_t temp_file_name7[MAX_PATH]; | |
458 wchar_t temp_file_name8[MAX_PATH]; | |
459 ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u); | |
460 ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name1), 0u); | |
461 ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name2), 0u); | |
462 ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name3), 0u); | |
463 ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name4), 0u); | |
464 ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name5), 0u); | |
465 ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name6), 0u); | |
466 ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name7), 0u); | |
467 ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name8), 0u); | |
468 | |
469 | |
470 // Add rules to make file1->file2 succeed. | |
471 ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_file_name1)); | |
472 ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_file_name2)); | |
473 | |
474 // Add rules to make file3->file4 fail. | |
475 ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_file_name3)); | |
476 ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, | |
477 temp_file_name4)); | |
478 | |
479 // Add rules to make file5->file6 fail. | |
480 ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, | |
481 temp_file_name5)); | |
482 ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_file_name6)); | |
483 | |
484 // Add rules to make file7->no_pol_file fail. | |
485 ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_file_name7)); | |
486 | |
487 // Delete the files where the files are going to be renamed to. | |
488 ::DeleteFile(temp_file_name2); | |
489 ::DeleteFile(temp_file_name4); | |
490 ::DeleteFile(temp_file_name6); | |
491 ::DeleteFile(temp_file_name8); | |
492 | |
493 wchar_t command[MAX_PATH * 2 + 20] = {}; | |
494 wsprintf(command, L"File_Rename \"%ls\" \"%ls\"", temp_file_name1, | |
495 temp_file_name2); | |
496 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command)); | |
497 | |
498 wsprintf(command, L"File_Rename \"%ls\" \"%ls\"", temp_file_name3, | |
499 temp_file_name4); | |
500 EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command)); | |
501 | |
502 wsprintf(command, L"File_Rename \"%ls\" \"%ls\"", temp_file_name5, | |
503 temp_file_name6); | |
504 EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command)); | |
505 | |
506 wsprintf(command, L"File_Rename \"%ls\" \"%ls\"", temp_file_name7, | |
507 temp_file_name8); | |
508 EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command)); | |
509 | |
510 | |
511 // Delete all the files in case they are still there. | |
512 ::DeleteFile(temp_file_name1); | |
513 ::DeleteFile(temp_file_name2); | |
514 ::DeleteFile(temp_file_name3); | |
515 ::DeleteFile(temp_file_name4); | |
516 ::DeleteFile(temp_file_name5); | |
517 ::DeleteFile(temp_file_name6); | |
518 ::DeleteFile(temp_file_name7); | |
519 ::DeleteFile(temp_file_name8); | |
520 } | |
521 | |
522 TEST(FilePolicyTest, OpenSys32FilesDenyBecauseOfDir) { | |
523 TestRunner runner; | |
524 EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_DIR_ANY, | |
525 L"notepad.exe")); | |
526 | |
527 EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_Win32Create notepad.exe")); | |
528 | |
529 runner.SetTestState(BEFORE_REVERT); | |
530 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
531 runner.RunTest(L"File_Win32Create notepad.exe")); | |
532 } | |
533 | |
534 TEST(FilePolicyTest, OpenSys32FilesAllowNotepad) { | |
535 TestRunner runner; | |
536 EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY, | |
537 L"notepad.exe")); | |
538 | |
539 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
540 runner.RunTest(L"File_Win32Create notepad.exe")); | |
541 | |
542 EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_Win32Create calc.exe")); | |
543 | |
544 runner.SetTestState(BEFORE_REVERT); | |
545 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
546 runner.RunTest(L"File_Win32Create notepad.exe")); | |
547 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_Win32Create calc.exe")); | |
548 } | |
549 | |
550 TEST(FilePolicyTest, FileGetDiskSpace) { | |
551 TestRunner runner; | |
552 EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_GetDiskSpace")); | |
553 runner.SetTestState(BEFORE_REVERT); | |
554 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_GetDiskSpace")); | |
555 | |
556 // Add an 'allow' rule in the windows\system32 such that GetDiskFreeSpaceEx | |
557 // succeeds (it does an NtOpenFile) but windows\system32\notepad.exe is | |
558 // denied since there is no wild card in the rule. | |
559 EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_DIR_ANY, L"")); | |
560 runner.SetTestState(BEFORE_REVERT); | |
561 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_GetDiskSpace")); | |
562 | |
563 runner.SetTestState(AFTER_REVERT); | |
564 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_GetDiskSpace")); | |
565 EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_Win32Create notepad.exe")); | |
566 } | |
567 | |
568 TEST(FilePolicyTest, TestReparsePoint) { | |
569 TestRunner runner; | |
570 | |
571 // Create a temp file because we need write access to it. | |
572 wchar_t temp_directory[MAX_PATH]; | |
573 wchar_t temp_file_name[MAX_PATH]; | |
574 ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u); | |
575 ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name), 0u); | |
576 | |
577 // Delete the file and create a directory instead. | |
578 ASSERT_TRUE(::DeleteFile(temp_file_name)); | |
579 ASSERT_TRUE(::CreateDirectory(temp_file_name, NULL)); | |
580 | |
581 // Create a temporary file in the subfolder. | |
582 base::string16 subfolder = temp_file_name; | |
583 base::string16 temp_file_title = subfolder.substr(subfolder.rfind(L"\\") + 1); | |
584 base::string16 temp_file = subfolder + L"\\file_" + temp_file_title; | |
585 | |
586 HANDLE file = ::CreateFile(temp_file.c_str(), FILE_ALL_ACCESS, | |
587 FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, | |
588 CREATE_ALWAYS, 0, NULL); | |
589 ASSERT_TRUE(INVALID_HANDLE_VALUE != file); | |
590 ASSERT_TRUE(::CloseHandle(file)); | |
591 | |
592 // Create a temporary file in the temp directory. | |
593 base::string16 temp_dir = temp_directory; | |
594 base::string16 temp_file_in_temp = temp_dir + L"file_" + temp_file_title; | |
595 file = ::CreateFile(temp_file_in_temp.c_str(), FILE_ALL_ACCESS, | |
596 FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, | |
597 CREATE_ALWAYS, 0, NULL); | |
598 ASSERT_TRUE(file != NULL); | |
599 ASSERT_TRUE(::CloseHandle(file)); | |
600 | |
601 // Give write access to the temp directory. | |
602 base::string16 temp_dir_wildcard = temp_dir + L"*"; | |
603 EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, | |
604 temp_dir_wildcard.c_str())); | |
605 | |
606 // Prepare the command to execute. | |
607 base::string16 command_write; | |
608 command_write += L"File_Create Write \""; | |
609 command_write += temp_file; | |
610 command_write += L"\""; | |
611 | |
612 // Verify that we have write access to the original file | |
613 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command_write.c_str())); | |
614 | |
615 // Replace the subfolder by a reparse point to %temp%. | |
616 ::DeleteFile(temp_file.c_str()); | |
617 HANDLE dir = ::CreateFile(subfolder.c_str(), FILE_ALL_ACCESS, | |
618 FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, | |
619 OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL); | |
620 EXPECT_TRUE(INVALID_HANDLE_VALUE != dir); | |
621 | |
622 base::string16 temp_dir_nt; | |
623 temp_dir_nt += L"\\??\\"; | |
624 temp_dir_nt += temp_dir; | |
625 EXPECT_TRUE(SetReparsePoint(dir, temp_dir_nt.c_str())); | |
626 EXPECT_TRUE(::CloseHandle(dir)); | |
627 | |
628 // Try to open the file again. | |
629 EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command_write.c_str())); | |
630 | |
631 // Remove the reparse point. | |
632 dir = ::CreateFile(subfolder.c_str(), FILE_ALL_ACCESS, | |
633 FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, | |
634 FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, | |
635 NULL); | |
636 EXPECT_TRUE(INVALID_HANDLE_VALUE != dir); | |
637 EXPECT_TRUE(DeleteReparsePoint(dir)); | |
638 EXPECT_TRUE(::CloseHandle(dir)); | |
639 | |
640 // Cleanup. | |
641 EXPECT_TRUE(::DeleteFile(temp_file_in_temp.c_str())); | |
642 EXPECT_TRUE(::RemoveDirectory(subfolder.c_str())); | |
643 } | |
644 | |
645 TEST(FilePolicyTest, CheckExistingNTPrefixEscape) { | |
646 base::string16 name = L"\\??\\NAME"; | |
647 | |
648 base::string16 result = FixNTPrefixForMatch(name); | |
649 | |
650 EXPECT_STREQ(result.c_str(), L"\\/?/?\\NAME"); | |
651 } | |
652 | |
653 TEST(FilePolicyTest, CheckEscapedNTPrefixNoEscape) { | |
654 base::string16 name = L"\\/?/?\\NAME"; | |
655 | |
656 base::string16 result = FixNTPrefixForMatch(name); | |
657 | |
658 EXPECT_STREQ(result.c_str(), name.c_str()); | |
659 } | |
660 | |
661 TEST(FilePolicyTest, CheckMissingNTPrefixEscape) { | |
662 base::string16 name = L"C:\\NAME"; | |
663 | |
664 base::string16 result = FixNTPrefixForMatch(name); | |
665 | |
666 EXPECT_STREQ(result.c_str(), L"\\/?/?\\C:\\NAME"); | |
667 } | |
668 | |
669 } // namespace sandbox | |