OLD | NEW |
| (Empty) |
1 // Copyright (c) 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "base/win/windows_version.h" | |
6 #include "sandbox/win/src/handle_closer.h" | |
7 #include "sandbox/win/src/sandbox.h" | |
8 #include "sandbox/win/src/sandbox_policy.h" | |
9 #include "sandbox/win/src/sandbox_factory.h" | |
10 #include "sandbox/win/tests/common/controller.h" | |
11 #include "testing/gtest/include/gtest/gtest.h" | |
12 | |
13 namespace sandbox { | |
14 | |
15 | |
16 SBOX_TESTS_COMMAND int NamedPipe_Create(int argc, wchar_t **argv) { | |
17 if (argc < 1 || argc > 2) { | |
18 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | |
19 } | |
20 if ((NULL == argv) || (NULL == argv[0])) { | |
21 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; | |
22 } | |
23 | |
24 HANDLE pipe = ::CreateNamedPipeW(argv[0], | |
25 PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED, | |
26 PIPE_TYPE_BYTE | PIPE_READMODE_BYTE, 1, 4096, | |
27 4096, 2000, NULL); | |
28 if (INVALID_HANDLE_VALUE == pipe) | |
29 return SBOX_TEST_DENIED; | |
30 | |
31 // The second parameter allows us to enforce a whitelist for where the | |
32 // pipe should be in the object namespace after creation. | |
33 if (argc == 2) { | |
34 base::string16 handle_name; | |
35 if (GetHandleName(pipe, &handle_name)) { | |
36 if (handle_name.compare(0, wcslen(argv[1]), argv[1]) != 0) | |
37 return SBOX_TEST_FAILED; | |
38 } else { | |
39 return SBOX_TEST_FAILED; | |
40 } | |
41 } | |
42 | |
43 OVERLAPPED overlapped = {0}; | |
44 overlapped.hEvent = ::CreateEvent(NULL, TRUE, TRUE, NULL); | |
45 BOOL result = ::ConnectNamedPipe(pipe, &overlapped); | |
46 | |
47 if (!result) { | |
48 DWORD error = ::GetLastError(); | |
49 if (ERROR_PIPE_CONNECTED != error && | |
50 ERROR_IO_PENDING != error) { | |
51 return SBOX_TEST_FAILED; | |
52 } | |
53 } | |
54 | |
55 if (!::CloseHandle(pipe)) | |
56 return SBOX_TEST_FAILED; | |
57 | |
58 ::CloseHandle(overlapped.hEvent); | |
59 return SBOX_TEST_SUCCEEDED; | |
60 } | |
61 | |
62 // Tests if we can create a pipe in the sandbox. | |
63 TEST(NamedPipePolicyTest, CreatePipe) { | |
64 TestRunner runner; | |
65 // TODO(nsylvain): This policy is wrong because "*" is a valid char in a | |
66 // namedpipe name. Here we apply it like a wildcard. http://b/893603 | |
67 EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES, | |
68 TargetPolicy::NAMEDPIPES_ALLOW_ANY, | |
69 L"\\\\.\\pipe\\test*")); | |
70 | |
71 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
72 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\testbleh")); | |
73 | |
74 EXPECT_EQ(SBOX_TEST_DENIED, | |
75 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\bleh")); | |
76 } | |
77 | |
78 // Tests if we can create a pipe with a path traversal in the sandbox. | |
79 TEST(NamedPipePolicyTest, CreatePipeTraversal) { | |
80 TestRunner runner; | |
81 // TODO(nsylvain): This policy is wrong because "*" is a valid char in a | |
82 // namedpipe name. Here we apply it like a wildcard. http://b/893603 | |
83 EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES, | |
84 TargetPolicy::NAMEDPIPES_ALLOW_ANY, | |
85 L"\\\\.\\pipe\\test*")); | |
86 | |
87 EXPECT_EQ(SBOX_TEST_DENIED, | |
88 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test\\..\\bleh")); | |
89 EXPECT_EQ(SBOX_TEST_DENIED, | |
90 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test/../bleh")); | |
91 EXPECT_EQ(SBOX_TEST_DENIED, | |
92 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test\\../bleh")); | |
93 EXPECT_EQ(SBOX_TEST_DENIED, | |
94 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test/..\\bleh")); | |
95 } | |
96 | |
97 // This tests that path canonicalization is actually disabled if we use \\?\ | |
98 // syntax. | |
99 TEST(NamedPipePolicyTest, CreatePipeCanonicalization) { | |
100 // "For file I/O, the "\\?\" prefix to a path string tells the Windows APIs to | |
101 // disable all string parsing and to send the string that follows it straight | |
102 // to the file system." | |
103 // http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx | |
104 const wchar_t* argv[2] = { L"\\\\?\\pipe\\test\\..\\bleh", | |
105 L"\\Device\\NamedPipe\\test" }; | |
106 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
107 NamedPipe_Create(2, const_cast<wchar_t**>(argv))); | |
108 } | |
109 | |
110 // The same test as CreatePipe but this time using strict interceptions. | |
111 TEST(NamedPipePolicyTest, CreatePipeStrictInterceptions) { | |
112 TestRunner runner; | |
113 runner.GetPolicy()->SetStrictInterceptions(); | |
114 | |
115 // TODO(nsylvain): This policy is wrong because "*" is a valid char in a | |
116 // namedpipe name. Here we apply it like a wildcard. http://b/893603 | |
117 EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES, | |
118 TargetPolicy::NAMEDPIPES_ALLOW_ANY, | |
119 L"\\\\.\\pipe\\test*")); | |
120 | |
121 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
122 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\testbleh")); | |
123 | |
124 EXPECT_EQ(SBOX_TEST_DENIED, | |
125 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\bleh")); | |
126 } | |
127 | |
128 } // namespace sandbox | |
OLD | NEW |