OLD | NEW |
| (Empty) |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "base/files/file_util.h" | |
6 #include "base/files/scoped_temp_dir.h" | |
7 #include "base/memory/scoped_ptr.h" | |
8 #include "base/path_service.h" | |
9 #include "base/process/launch.h" | |
10 #include "base/strings/stringprintf.h" | |
11 #include "base/win/scoped_handle.h" | |
12 #include "base/win/windows_version.h" | |
13 #include "sandbox/win/src/nt_internals.h" | |
14 #include "sandbox/win/src/process_mitigations.h" | |
15 #include "sandbox/win/src/sandbox.h" | |
16 #include "sandbox/win/src/sandbox_factory.h" | |
17 #include "sandbox/win/src/target_services.h" | |
18 #include "sandbox/win/src/win_utils.h" | |
19 #include "sandbox/win/tests/common/controller.h" | |
20 #include "testing/gtest/include/gtest/gtest.h" | |
21 | |
22 namespace { | |
23 | |
24 // API defined in winbase.h. | |
25 typedef decltype(GetProcessDEPPolicy)* GetProcessDEPPolicyFunction; | |
26 | |
27 // API defined in processthreadsapi.h. | |
28 typedef decltype( | |
29 GetProcessMitigationPolicy)* GetProcessMitigationPolicyFunction; | |
30 GetProcessMitigationPolicyFunction get_process_mitigation_policy; | |
31 | |
32 // APIs defined in wingdi.h. | |
33 typedef decltype(AddFontMemResourceEx)* AddFontMemResourceExFunction; | |
34 typedef decltype(RemoveFontMemResourceEx)* RemoveFontMemResourceExFunction; | |
35 | |
36 #if !defined(_WIN64) | |
37 bool CheckWin8DepPolicy() { | |
38 PROCESS_MITIGATION_DEP_POLICY policy = {}; | |
39 if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy, | |
40 &policy, sizeof(policy))) { | |
41 return false; | |
42 } | |
43 return policy.Enable && policy.Permanent; | |
44 } | |
45 #endif // !defined(_WIN64) | |
46 | |
47 #if defined(NDEBUG) | |
48 bool CheckWin8AslrPolicy() { | |
49 PROCESS_MITIGATION_ASLR_POLICY policy = {}; | |
50 if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessASLRPolicy, | |
51 &policy, sizeof(policy))) { | |
52 return false; | |
53 } | |
54 return policy.EnableForceRelocateImages && policy.DisallowStrippedImages; | |
55 } | |
56 #endif // defined(NDEBUG) | |
57 | |
58 bool CheckWin8StrictHandlePolicy() { | |
59 PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy = {}; | |
60 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
61 ProcessStrictHandleCheckPolicy, | |
62 &policy, sizeof(policy))) { | |
63 return false; | |
64 } | |
65 return policy.RaiseExceptionOnInvalidHandleReference && | |
66 policy.HandleExceptionsPermanentlyEnabled; | |
67 } | |
68 | |
69 bool CheckWin8Win32CallPolicy() { | |
70 PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy = {}; | |
71 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
72 ProcessSystemCallDisablePolicy, | |
73 &policy, sizeof(policy))) { | |
74 return false; | |
75 } | |
76 return policy.DisallowWin32kSystemCalls; | |
77 } | |
78 | |
79 bool CheckWin8DllExtensionPolicy() { | |
80 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; | |
81 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
82 ProcessExtensionPointDisablePolicy, | |
83 &policy, sizeof(policy))) { | |
84 return false; | |
85 } | |
86 return policy.DisableExtensionPoints; | |
87 } | |
88 | |
89 bool CheckWin10FontPolicy() { | |
90 PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {}; | |
91 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
92 ProcessFontDisablePolicy, &policy, | |
93 sizeof(policy))) { | |
94 return false; | |
95 } | |
96 return policy.DisableNonSystemFonts; | |
97 } | |
98 | |
99 bool CheckWin10ImageLoadNoRemotePolicy() { | |
100 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; | |
101 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
102 ProcessImageLoadPolicy, &policy, | |
103 sizeof(policy))) { | |
104 return false; | |
105 } | |
106 return policy.NoRemoteImages; | |
107 } | |
108 | |
109 void TestWin10ImageLoadRemote(bool is_success_test) { | |
110 // ***Insert your manual testing share UNC path here! | |
111 // E.g.: \\\\hostname\\sharename\\calc.exe | |
112 std::wstring unc = L"\"\\\\hostname\\sharename\\calc.exe\""; | |
113 | |
114 sandbox::TestRunner runner; | |
115 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
116 | |
117 // Set a policy that would normally allow for process creation. | |
118 policy->SetJobLevel(sandbox::JOB_NONE, 0); | |
119 policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); | |
120 runner.SetDisableCsrss(false); | |
121 | |
122 if (!is_success_test) { | |
123 // Enable the NoRemote mitigation. | |
124 EXPECT_EQ(policy->SetDelayedProcessMitigations( | |
125 sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE), | |
126 sandbox::SBOX_ALL_OK); | |
127 } | |
128 | |
129 std::wstring test = L"TestChildProcess "; | |
130 test += unc.c_str(); | |
131 EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED | |
132 : sandbox::SBOX_TEST_FAILED), | |
133 runner.RunTest(test.c_str())); | |
134 } | |
135 | |
136 bool CheckWin10ImageLoadNoLowLabelPolicy() { | |
137 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; | |
138 if (!get_process_mitigation_policy(::GetCurrentProcess(), | |
139 ProcessImageLoadPolicy, &policy, | |
140 sizeof(policy))) { | |
141 return false; | |
142 } | |
143 return policy.NoLowMandatoryLabelImages; | |
144 } | |
145 | |
146 void TestWin10ImageLoadLowLabel(bool is_success_test) { | |
147 // Setup a mandatory low executable for this test (calc.exe). | |
148 // If anything fails during setup, ASSERT to end test. | |
149 base::FilePath orig_path; | |
150 ASSERT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &orig_path)); | |
151 orig_path = orig_path.Append(L"calc.exe"); | |
152 | |
153 base::ScopedTempDir temp_dir; | |
154 ASSERT_TRUE(temp_dir.CreateUniqueTempDir()); | |
155 base::FilePath new_path = temp_dir.path(); | |
156 new_path = new_path.Append(L"lowIL_calc.exe"); | |
157 | |
158 // Test file will be cleaned up by the ScopedTempDir. | |
159 ASSERT_TRUE(base::CopyFileW(orig_path, new_path)); | |
160 | |
161 std::wstring cmd_line = L"icacls \""; | |
162 cmd_line += new_path.value().c_str(); | |
163 cmd_line += L"\" /setintegritylevel Low"; | |
164 | |
165 base::LaunchOptions options = base::LaunchOptionsForTest(); | |
166 base::Process setup_proc = base::LaunchProcess(cmd_line.c_str(), options); | |
167 ASSERT_TRUE(setup_proc.IsValid()); | |
168 | |
169 int exit_code = 1; | |
170 if (!setup_proc.WaitForExitWithTimeout(base::TimeDelta::FromSeconds(10), | |
171 &exit_code)) { | |
172 // Might have timed out, or might have failed. | |
173 // Terminate to make sure we clean up any mess. | |
174 setup_proc.Terminate(0, false); | |
175 ASSERT_TRUE(false); | |
176 } | |
177 // Make sure icacls was successful. | |
178 ASSERT_EQ(0, exit_code); | |
179 | |
180 sandbox::TestRunner runner; | |
181 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
182 | |
183 // Set a policy that would normally allow for process creation. | |
184 policy->SetJobLevel(sandbox::JOB_NONE, 0); | |
185 policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); | |
186 runner.SetDisableCsrss(false); | |
187 | |
188 if (!is_success_test) { | |
189 // Enable the NoLowLabel mitigation. | |
190 EXPECT_EQ(policy->SetDelayedProcessMitigations( | |
191 sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), | |
192 sandbox::SBOX_ALL_OK); | |
193 } | |
194 | |
195 std::wstring test = L"TestChildProcess "; | |
196 test += new_path.value().c_str(); | |
197 | |
198 EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED | |
199 : sandbox::SBOX_TEST_FAILED), | |
200 runner.RunTest(test.c_str())); | |
201 } | |
202 | |
203 } // namespace | |
204 | |
205 namespace sandbox { | |
206 | |
207 // A shared helper test command that will attempt to CreateProcess with a given | |
208 // command line. The second optional parameter will cause the child process to | |
209 // return that as an exit code on termination. | |
210 // | |
211 // ***Make sure you've enabled basic process creation in the | |
212 // test sandbox settings via: | |
213 // sandbox::TargetPolicy::SetJobLevel(), | |
214 // sandbox::TargetPolicy::SetTokenLevel(), | |
215 // and TestRunner::SetDisableCsrss(). | |
216 SBOX_TESTS_COMMAND int TestChildProcess(int argc, wchar_t** argv) { | |
217 if (argc < 1) | |
218 return SBOX_TEST_INVALID_PARAMETER; | |
219 | |
220 int desired_exit_code = 0; | |
221 | |
222 if (argc == 2) { | |
223 desired_exit_code = wcstoul(argv[1], nullptr, 0); | |
224 } | |
225 | |
226 std::wstring cmd = argv[0]; | |
227 base::LaunchOptions options = base::LaunchOptionsForTest(); | |
228 base::Process setup_proc = base::LaunchProcess(cmd.c_str(), options); | |
229 | |
230 if (setup_proc.IsValid()) { | |
231 setup_proc.Terminate(desired_exit_code, false); | |
232 return SBOX_TEST_SUCCEEDED; | |
233 } | |
234 // Note: GetLastError from CreateProcess returns 5, "ERROR_ACCESS_DENIED". | |
235 return SBOX_TEST_FAILED; | |
236 } | |
237 | |
238 //------------------------------------------------------------------------------ | |
239 // Win8 Checks: | |
240 // MITIGATION_DEP(_NO_ATL_THUNK) | |
241 // MITIGATION_EXTENSION_DLL_DISABLE | |
242 // MITIGATION_RELOCATE_IMAGE(_REQUIRED) - ASLR, release only | |
243 // MITIGATION_STRICT_HANDLE_CHECKS | |
244 // >= Win8 | |
245 //------------------------------------------------------------------------------ | |
246 | |
247 SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) { | |
248 get_process_mitigation_policy = | |
249 reinterpret_cast<GetProcessMitigationPolicyFunction>( | |
250 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | |
251 "GetProcessMitigationPolicy")); | |
252 if (!get_process_mitigation_policy) | |
253 return SBOX_TEST_NOT_FOUND; | |
254 | |
255 #if !defined(_WIN64) // DEP is always enabled on 64-bit. | |
256 if (!CheckWin8DepPolicy()) | |
257 return SBOX_TEST_FIRST_ERROR; | |
258 #endif | |
259 | |
260 #if defined(NDEBUG) // ASLR cannot be forced in debug builds. | |
261 if (!CheckWin8AslrPolicy()) | |
262 return SBOX_TEST_SECOND_ERROR; | |
263 #endif | |
264 | |
265 if (!CheckWin8StrictHandlePolicy()) | |
266 return SBOX_TEST_THIRD_ERROR; | |
267 | |
268 if (!CheckWin8DllExtensionPolicy()) | |
269 return SBOX_TEST_FIFTH_ERROR; | |
270 | |
271 return SBOX_TEST_SUCCEEDED; | |
272 } | |
273 | |
274 TEST(ProcessMitigationsTest, CheckWin8) { | |
275 if (base::win::GetVersion() < base::win::VERSION_WIN8) | |
276 return; | |
277 | |
278 TestRunner runner; | |
279 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
280 | |
281 sandbox::MitigationFlags mitigations = MITIGATION_DEP | | |
282 MITIGATION_DEP_NO_ATL_THUNK | | |
283 MITIGATION_EXTENSION_DLL_DISABLE; | |
284 #if defined(NDEBUG) // ASLR cannot be forced in debug builds. | |
285 mitigations |= MITIGATION_RELOCATE_IMAGE | | |
286 MITIGATION_RELOCATE_IMAGE_REQUIRED; | |
287 #endif | |
288 | |
289 EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK); | |
290 | |
291 mitigations |= MITIGATION_STRICT_HANDLE_CHECKS; | |
292 | |
293 EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK); | |
294 | |
295 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8")); | |
296 } | |
297 | |
298 //------------------------------------------------------------------------------ | |
299 // DEP (MITIGATION_DEP) | |
300 // < Win8 x86 | |
301 //------------------------------------------------------------------------------ | |
302 | |
303 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) { | |
304 GetProcessDEPPolicyFunction get_process_dep_policy = | |
305 reinterpret_cast<GetProcessDEPPolicyFunction>( | |
306 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | |
307 "GetProcessDEPPolicy")); | |
308 if (get_process_dep_policy) { | |
309 BOOL is_permanent = FALSE; | |
310 DWORD dep_flags = 0; | |
311 | |
312 if (!get_process_dep_policy(::GetCurrentProcess(), &dep_flags, | |
313 &is_permanent)) { | |
314 return SBOX_TEST_FIRST_ERROR; | |
315 } | |
316 | |
317 if (!(dep_flags & PROCESS_DEP_ENABLE) || !is_permanent) | |
318 return SBOX_TEST_SECOND_ERROR; | |
319 | |
320 } else { | |
321 NtQueryInformationProcessFunction query_information_process = NULL; | |
322 ResolveNTFunctionPtr("NtQueryInformationProcess", | |
323 &query_information_process); | |
324 if (!query_information_process) | |
325 return SBOX_TEST_NOT_FOUND; | |
326 | |
327 ULONG size = 0; | |
328 ULONG dep_flags = 0; | |
329 if (!SUCCEEDED(query_information_process(::GetCurrentProcess(), | |
330 ProcessExecuteFlags, &dep_flags, | |
331 sizeof(dep_flags), &size))) { | |
332 return SBOX_TEST_THIRD_ERROR; | |
333 } | |
334 | |
335 static const int MEM_EXECUTE_OPTION_DISABLE = 2; | |
336 static const int MEM_EXECUTE_OPTION_PERMANENT = 8; | |
337 dep_flags &= 0xff; | |
338 | |
339 if (dep_flags != (MEM_EXECUTE_OPTION_DISABLE | | |
340 MEM_EXECUTE_OPTION_PERMANENT)) { | |
341 return SBOX_TEST_FOURTH_ERROR; | |
342 } | |
343 } | |
344 | |
345 return SBOX_TEST_SUCCEEDED; | |
346 } | |
347 | |
348 #if !defined(_WIN64) // DEP is always enabled on 64-bit. | |
349 TEST(ProcessMitigationsTest, CheckDep) { | |
350 if (base::win::GetVersion() > base::win::VERSION_WIN7) | |
351 return; | |
352 | |
353 TestRunner runner; | |
354 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
355 | |
356 EXPECT_EQ(policy->SetProcessMitigations( | |
357 MITIGATION_DEP | | |
358 MITIGATION_DEP_NO_ATL_THUNK | | |
359 MITIGATION_SEHOP), | |
360 SBOX_ALL_OK); | |
361 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep")); | |
362 } | |
363 #endif | |
364 | |
365 //------------------------------------------------------------------------------ | |
366 // Win32k Lockdown (MITIGATION_WIN32K_DISABLE) | |
367 // >= Win8 | |
368 //------------------------------------------------------------------------------ | |
369 | |
370 SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) { | |
371 get_process_mitigation_policy = | |
372 reinterpret_cast<GetProcessMitigationPolicyFunction>( | |
373 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), | |
374 "GetProcessMitigationPolicy")); | |
375 if (!get_process_mitigation_policy) | |
376 return SBOX_TEST_NOT_FOUND; | |
377 | |
378 if (!CheckWin8Win32CallPolicy()) | |
379 return SBOX_TEST_FIRST_ERROR; | |
380 return SBOX_TEST_SUCCEEDED; | |
381 } | |
382 | |
383 // This test validates that setting the MITIGATION_WIN32K_DISABLE mitigation on | |
384 // the target process causes the launch to fail in process initialization. | |
385 // The test process itself links against user32/gdi32. | |
386 TEST(ProcessMitigationsTest, CheckWin8Win32KLockDownFailure) { | |
387 if (base::win::GetVersion() < base::win::VERSION_WIN8) | |
388 return; | |
389 | |
390 TestRunner runner; | |
391 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
392 | |
393 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE), | |
394 SBOX_ALL_OK); | |
395 EXPECT_NE(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown")); | |
396 } | |
397 | |
398 // This test validates that setting the MITIGATION_WIN32K_DISABLE mitigation | |
399 // along with the policy to fake user32 and gdi32 initialization successfully | |
400 // launches the target process. | |
401 // The test process itself links against user32/gdi32. | |
402 TEST(ProcessMitigationsTest, CheckWin8Win32KLockDownSuccess) { | |
403 if (base::win::GetVersion() < base::win::VERSION_WIN8) | |
404 return; | |
405 | |
406 TestRunner runner; | |
407 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
408 | |
409 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE), | |
410 SBOX_ALL_OK); | |
411 EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN, | |
412 sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL), | |
413 sandbox::SBOX_ALL_OK); | |
414 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown")); | |
415 } | |
416 | |
417 //------------------------------------------------------------------------------ | |
418 // Disable non-system font loads (MITIGATION_NONSYSTEM_FONT_DISABLE) | |
419 // >= Win10 | |
420 //------------------------------------------------------------------------------ | |
421 | |
422 SBOX_TESTS_COMMAND int CheckWin10FontLockDown(int argc, wchar_t** argv) { | |
423 get_process_mitigation_policy = | |
424 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( | |
425 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
426 if (!get_process_mitigation_policy) | |
427 return SBOX_TEST_NOT_FOUND; | |
428 | |
429 if (!CheckWin10FontPolicy()) | |
430 return SBOX_TEST_FIRST_ERROR; | |
431 return SBOX_TEST_SUCCEEDED; | |
432 } | |
433 | |
434 SBOX_TESTS_COMMAND int CheckWin10FontLoad(int argc, wchar_t** argv) { | |
435 if (argc < 1) | |
436 return SBOX_TEST_INVALID_PARAMETER; | |
437 | |
438 HMODULE gdi_module = ::LoadLibraryW(L"gdi32.dll"); | |
439 if (!gdi_module) | |
440 return SBOX_TEST_NOT_FOUND; | |
441 | |
442 AddFontMemResourceExFunction add_font_mem_resource = | |
443 reinterpret_cast<AddFontMemResourceExFunction>( | |
444 ::GetProcAddress(gdi_module, "AddFontMemResourceEx")); | |
445 | |
446 RemoveFontMemResourceExFunction rem_font_mem_resource = | |
447 reinterpret_cast<RemoveFontMemResourceExFunction>( | |
448 ::GetProcAddress(gdi_module, "RemoveFontMemResourceEx")); | |
449 | |
450 if (!add_font_mem_resource || !rem_font_mem_resource) | |
451 return SBOX_TEST_NOT_FOUND; | |
452 | |
453 // Open font file passed in as an argument. | |
454 base::File file(base::FilePath(argv[0]), | |
455 base::File::FLAG_OPEN | base::File::FLAG_READ); | |
456 if (!file.IsValid()) | |
457 // Failed to open the font file passed in. | |
458 return SBOX_TEST_NOT_FOUND; | |
459 | |
460 std::vector<char> font_data; | |
461 int64_t len = file.GetLength(); | |
462 font_data.resize(len); | |
463 | |
464 int read = file.Read(0, &font_data[0], len); | |
465 file.Close(); | |
466 | |
467 if (read != len) | |
468 return SBOX_TEST_NOT_FOUND; | |
469 | |
470 DWORD font_count = 0; | |
471 HANDLE font_handle = add_font_mem_resource( | |
472 &font_data[0], static_cast<DWORD>(font_data.size()), NULL, &font_count); | |
473 | |
474 if (font_handle) { | |
475 rem_font_mem_resource(font_handle); | |
476 return SBOX_TEST_SUCCEEDED; | |
477 } | |
478 | |
479 return SBOX_TEST_FAILED; | |
480 } | |
481 | |
482 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE | |
483 // mitigation enables the setting on a process. | |
484 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownPolicySuccess) { | |
485 if (base::win::GetVersion() < base::win::VERSION_WIN10) | |
486 return; | |
487 | |
488 TestRunner runner; | |
489 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
490 | |
491 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), | |
492 SBOX_ALL_OK); | |
493 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin10FontLockDown")); | |
494 } | |
495 | |
496 // This test validates that we can load a non-system font | |
497 // if the MITIGATION_NON_SYSTEM_FONTS_DISABLE | |
498 // mitigation is NOT set. | |
499 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadSuccess) { | |
500 if (base::win::GetVersion() < base::win::VERSION_WIN10) | |
501 return; | |
502 | |
503 base::FilePath font_path; | |
504 EXPECT_TRUE(base::PathService::Get(base::DIR_WINDOWS_FONTS, &font_path)); | |
505 // Arial font should always be available | |
506 font_path = font_path.Append(L"arial.ttf"); | |
507 | |
508 TestRunner runner; | |
509 EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, | |
510 font_path.value().c_str())); | |
511 | |
512 std::wstring test_command = L"CheckWin10FontLoad \""; | |
513 test_command += font_path.value().c_str(); | |
514 test_command += L"\""; | |
515 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); | |
516 } | |
517 | |
518 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE | |
519 // mitigation prevents the loading of a non-system font. | |
520 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadFailure) { | |
521 if (base::win::GetVersion() < base::win::VERSION_WIN10) | |
522 return; | |
523 | |
524 base::FilePath font_path; | |
525 EXPECT_TRUE(base::PathService::Get(base::DIR_WINDOWS_FONTS, &font_path)); | |
526 // Arial font should always be available | |
527 font_path = font_path.Append(L"arial.ttf"); | |
528 | |
529 TestRunner runner; | |
530 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
531 EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, | |
532 font_path.value().c_str())); | |
533 | |
534 // Turn on the non-system font disable mitigation. | |
535 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), | |
536 SBOX_ALL_OK); | |
537 | |
538 std::wstring test_command = L"CheckWin10FontLoad \""; | |
539 test_command += font_path.value().c_str(); | |
540 test_command += L"\""; | |
541 | |
542 EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(test_command.c_str())); | |
543 } | |
544 | |
545 //------------------------------------------------------------------------------ | |
546 // Disable image load from remote devices (MITIGATION_IMAGE_LOAD_NO_REMOTE). | |
547 // >= Win10_TH2 | |
548 //------------------------------------------------------------------------------ | |
549 | |
550 SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoRemote(int argc, wchar_t** argv) { | |
551 get_process_mitigation_policy = | |
552 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( | |
553 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
554 if (!get_process_mitigation_policy) | |
555 return SBOX_TEST_NOT_FOUND; | |
556 | |
557 if (!CheckWin10ImageLoadNoRemotePolicy()) | |
558 return SBOX_TEST_FIRST_ERROR; | |
559 return SBOX_TEST_SUCCEEDED; | |
560 } | |
561 | |
562 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE | |
563 // mitigation enables the setting on a process. | |
564 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoRemotePolicySuccess) { | |
565 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
566 return; | |
567 | |
568 TestRunner runner; | |
569 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
570 | |
571 EXPECT_EQ( | |
572 policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_REMOTE), | |
573 SBOX_ALL_OK); | |
574 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
575 runner.RunTest(L"CheckWin10ImageLoadNoRemote")); | |
576 } | |
577 | |
578 // This test validates that we CAN create a new process from | |
579 // a remote UNC device, if the MITIGATION_IMAGE_LOAD_NO_REMOTE | |
580 // mitigation is NOT set. | |
581 // | |
582 // DISABLED for automated testing bots. Enable for manual testing. | |
583 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteSuccess) { | |
584 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
585 return; | |
586 | |
587 TestWin10ImageLoadRemote(true); | |
588 } | |
589 | |
590 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE | |
591 // mitigation prevents creating a new process from a remote | |
592 // UNC device. | |
593 // | |
594 // DISABLED for automated testing bots. Enable for manual testing. | |
595 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteFailure) { | |
596 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
597 return; | |
598 | |
599 TestWin10ImageLoadRemote(false); | |
600 } | |
601 | |
602 //------------------------------------------------------------------------------ | |
603 // Disable image load when "mandatory low label" (integrity level). | |
604 // (MITIGATION_IMAGE_LOAD_NO_LOW_LABEL) | |
605 // >= Win10_TH2 | |
606 //------------------------------------------------------------------------------ | |
607 | |
608 SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoLowLabel(int argc, wchar_t** argv) { | |
609 get_process_mitigation_policy = | |
610 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( | |
611 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); | |
612 if (!get_process_mitigation_policy) | |
613 return SBOX_TEST_NOT_FOUND; | |
614 | |
615 if (!CheckWin10ImageLoadNoLowLabelPolicy()) | |
616 return SBOX_TEST_FIRST_ERROR; | |
617 return SBOX_TEST_SUCCEEDED; | |
618 } | |
619 | |
620 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | |
621 // mitigation enables the setting on a process. | |
622 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelPolicySuccess) { | |
623 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
624 return; | |
625 | |
626 TestRunner runner; | |
627 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
628 | |
629 EXPECT_EQ( | |
630 policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), | |
631 SBOX_ALL_OK); | |
632 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | |
633 runner.RunTest(L"CheckWin10ImageLoadNoLowLabel")); | |
634 } | |
635 | |
636 // This test validates that we CAN create a new process with | |
637 // low mandatory label (IL), if the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | |
638 // mitigation is NOT set. | |
639 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelSuccess) { | |
640 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
641 return; | |
642 | |
643 TestWin10ImageLoadLowLabel(true); | |
644 } | |
645 | |
646 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | |
647 // mitigation prevents creating a new process with low mandatory label (IL). | |
648 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelFailure) { | |
649 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) | |
650 return; | |
651 | |
652 TestWin10ImageLoadLowLabel(false); | |
653 } | |
654 | |
655 //------------------------------------------------------------------------------ | |
656 // Disable child process creation. | |
657 // - JobLevel <= JOB_LIMITED_USER (on < WIN10_TH2). | |
658 // - JobLevel <= JOB_LIMITED_USER which also triggers setting | |
659 // PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY to | |
660 // PROCESS_CREATION_CHILD_PROCESS_RESTRICTED in | |
661 // BrokerServicesBase::SpawnTarget (on >= WIN10_TH2). | |
662 //------------------------------------------------------------------------------ | |
663 | |
664 // This test validates that we can spawn a child process if | |
665 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation is | |
666 // not set. | |
667 TEST(ProcessMitigationsTest, CheckChildProcessSuccess) { | |
668 TestRunner runner; | |
669 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
670 | |
671 // Set a policy that would normally allow for process creation. | |
672 policy->SetJobLevel(JOB_INTERACTIVE, 0); | |
673 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); | |
674 runner.SetDisableCsrss(false); | |
675 | |
676 base::FilePath cmd; | |
677 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd)); | |
678 cmd = cmd.Append(L"calc.exe"); | |
679 | |
680 std::wstring test_command = L"TestChildProcess "; | |
681 test_command += cmd.value().c_str(); | |
682 | |
683 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); | |
684 } | |
685 | |
686 // This test validates that setting the | |
687 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation prevents | |
688 // the spawning of child processes. | |
689 TEST(ProcessMitigationsTest, CheckChildProcessFailure) { | |
690 TestRunner runner; | |
691 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
692 | |
693 // Now set the job level to be <= JOB_LIMITED_USER | |
694 // and ensure we can no longer create a child process. | |
695 policy->SetJobLevel(JOB_LIMITED_USER, 0); | |
696 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); | |
697 runner.SetDisableCsrss(false); | |
698 | |
699 base::FilePath cmd; | |
700 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd)); | |
701 cmd = cmd.Append(L"calc.exe"); | |
702 | |
703 std::wstring test_command = L"TestChildProcess "; | |
704 test_command += cmd.value().c_str(); | |
705 | |
706 EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(test_command.c_str())); | |
707 } | |
708 | |
709 // This test validates that when the sandboxed target within a job spawns a | |
710 // child process and the target process exits abnormally, the broker correctly | |
711 // handles the JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS message. | |
712 // Because this involves spawning a child process from the target process and is | |
713 // very similar to the above CheckChildProcess* tests, this test is here rather | |
714 // than elsewhere closer to the other Job tests. | |
715 TEST(ProcessMitigationsTest, CheckChildProcessAbnormalExit) { | |
716 TestRunner runner; | |
717 sandbox::TargetPolicy* policy = runner.GetPolicy(); | |
718 | |
719 // Set a policy that would normally allow for process creation. | |
720 policy->SetJobLevel(JOB_INTERACTIVE, 0); | |
721 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); | |
722 runner.SetDisableCsrss(false); | |
723 | |
724 base::FilePath cmd; | |
725 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd)); | |
726 cmd = cmd.Append(L"calc.exe"); | |
727 | |
728 std::wstring test_command(base::StringPrintf(L"TestChildProcess %ls 0x%08X", | |
729 cmd.value().c_str(), | |
730 STATUS_ACCESS_VIOLATION)); | |
731 | |
732 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); | |
733 } | |
734 | |
735 } // namespace sandbox | |
OLD | NEW |