
Unified Diff: sandbox/win/src/process_mitigations_test.cc

Issue 1851213002: Remove sandbox on Windows. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: fix nacl compile issues Created 4 years, 9 months ago
Index: sandbox/win/src/process_mitigations_test.cc
diff --git a/sandbox/win/src/process_mitigations_test.cc b/sandbox/win/src/process_mitigations_test.cc
deleted file mode 100644
index 783cc68e869aee7fc8b7ae4864fbffc0cbb27e7a..0000000000000000000000000000000000000000
--- a/sandbox/win/src/process_mitigations_test.cc
+++ /dev/null
@@ -1,735 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/files/file_util.h"
-#include "base/files/scoped_temp_dir.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/path_service.h"
-#include "base/process/launch.h"
-#include "base/strings/stringprintf.h"
-#include "base/win/scoped_handle.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/process_mitigations.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/target_services.h"
-#include "sandbox/win/src/win_utils.h"
-#include "sandbox/win/tests/common/controller.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace {
-
-// API defined in winbase.h.
-typedef decltype(GetProcessDEPPolicy)* GetProcessDEPPolicyFunction;
-
-// API defined in processthreadsapi.h.
-typedef decltype(
- GetProcessMitigationPolicy)* GetProcessMitigationPolicyFunction;
-GetProcessMitigationPolicyFunction get_process_mitigation_policy;
-
-// APIs defined in wingdi.h.
-typedef decltype(AddFontMemResourceEx)* AddFontMemResourceExFunction;
-typedef decltype(RemoveFontMemResourceEx)* RemoveFontMemResourceExFunction;
-
-#if !defined(_WIN64)
-bool CheckWin8DepPolicy() {
- PROCESS_MITIGATION_DEP_POLICY policy = {};
- if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy,
- &policy, sizeof(policy))) {
- return false;
- }
- return policy.Enable && policy.Permanent;
-}
-#endif // !defined(_WIN64)
-
-#if defined(NDEBUG)
-bool CheckWin8AslrPolicy() {
- PROCESS_MITIGATION_ASLR_POLICY policy = {};
- if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessASLRPolicy,
- &policy, sizeof(policy))) {
- return false;
- }
- return policy.EnableForceRelocateImages && policy.DisallowStrippedImages;
-}
-#endif // defined(NDEBUG)
-
-bool CheckWin8StrictHandlePolicy() {
- PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy = {};
- if (!get_process_mitigation_policy(::GetCurrentProcess(),
- ProcessStrictHandleCheckPolicy,
- &policy, sizeof(policy))) {
- return false;
- }
- return policy.RaiseExceptionOnInvalidHandleReference &&
- policy.HandleExceptionsPermanentlyEnabled;
-}
-
-bool CheckWin8Win32CallPolicy() {
- PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy = {};
- if (!get_process_mitigation_policy(::GetCurrentProcess(),
- ProcessSystemCallDisablePolicy,
- &policy, sizeof(policy))) {
- return false;
- }
- return policy.DisallowWin32kSystemCalls;
-}
-
-bool CheckWin8DllExtensionPolicy() {
- PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {};
- if (!get_process_mitigation_policy(::GetCurrentProcess(),
- ProcessExtensionPointDisablePolicy,
- &policy, sizeof(policy))) {
- return false;
- }
- return policy.DisableExtensionPoints;
-}
-
-bool CheckWin10FontPolicy() {
- PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {};
- if (!get_process_mitigation_policy(::GetCurrentProcess(),
- ProcessFontDisablePolicy, &policy,
- sizeof(policy))) {
- return false;
- }
- return policy.DisableNonSystemFonts;
-}
-
-bool CheckWin10ImageLoadNoRemotePolicy() {
- PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {};
- if (!get_process_mitigation_policy(::GetCurrentProcess(),
- ProcessImageLoadPolicy, &policy,
- sizeof(policy))) {
- return false;
- }
- return policy.NoRemoteImages;
-}
-
-void TestWin10ImageLoadRemote(bool is_success_test) {
- // ***Insert your manual testing share UNC path here!
- // E.g.: \\\\hostname\\sharename\\calc.exe
- std::wstring unc = L"\"\\\\hostname\\sharename\\calc.exe\"";
-
- sandbox::TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- // Set a policy that would normally allow for process creation.
- policy->SetJobLevel(sandbox::JOB_NONE, 0);
- policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED);
- runner.SetDisableCsrss(false);
-
- if (!is_success_test) {
- // Enable the NoRemote mitigation.
- EXPECT_EQ(policy->SetDelayedProcessMitigations(
- sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE),
- sandbox::SBOX_ALL_OK);
- }
-
- std::wstring test = L"TestChildProcess ";
- test += unc.c_str();
- EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED
- : sandbox::SBOX_TEST_FAILED),
- runner.RunTest(test.c_str()));
-}
-
-bool CheckWin10ImageLoadNoLowLabelPolicy() {
- PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {};
- if (!get_process_mitigation_policy(::GetCurrentProcess(),
- ProcessImageLoadPolicy, &policy,
- sizeof(policy))) {
- return false;
- }
- return policy.NoLowMandatoryLabelImages;
-}
-
-void TestWin10ImageLoadLowLabel(bool is_success_test) {
- // Setup a mandatory low executable for this test (calc.exe).
- // If anything fails during setup, ASSERT to end test.
- base::FilePath orig_path;
- ASSERT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &orig_path));
- orig_path = orig_path.Append(L"calc.exe");
-
- base::ScopedTempDir temp_dir;
- ASSERT_TRUE(temp_dir.CreateUniqueTempDir());
- base::FilePath new_path = temp_dir.path();
- new_path = new_path.Append(L"lowIL_calc.exe");
-
- // Test file will be cleaned up by the ScopedTempDir.
- ASSERT_TRUE(base::CopyFileW(orig_path, new_path));
-
- std::wstring cmd_line = L"icacls \"";
- cmd_line += new_path.value().c_str();
- cmd_line += L"\" /setintegritylevel Low";
-
- base::LaunchOptions options = base::LaunchOptionsForTest();
- base::Process setup_proc = base::LaunchProcess(cmd_line.c_str(), options);
- ASSERT_TRUE(setup_proc.IsValid());
-
- int exit_code = 1;
- if (!setup_proc.WaitForExitWithTimeout(base::TimeDelta::FromSeconds(10),
- &exit_code)) {
- // Might have timed out, or might have failed.
- // Terminate to make sure we clean up any mess.
- setup_proc.Terminate(0, false);
- ASSERT_TRUE(false);
- }
- // Make sure icacls was successful.
- ASSERT_EQ(0, exit_code);
-
- sandbox::TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- // Set a policy that would normally allow for process creation.
- policy->SetJobLevel(sandbox::JOB_NONE, 0);
- policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED);
- runner.SetDisableCsrss(false);
-
- if (!is_success_test) {
- // Enable the NoLowLabel mitigation.
- EXPECT_EQ(policy->SetDelayedProcessMitigations(
- sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL),
- sandbox::SBOX_ALL_OK);
- }
-
- std::wstring test = L"TestChildProcess ";
- test += new_path.value().c_str();
-
- EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED
- : sandbox::SBOX_TEST_FAILED),
- runner.RunTest(test.c_str()));
-}
-
-} // namespace
-
-namespace sandbox {
-
-// A shared helper test command that will attempt to CreateProcess with a given
-// command line. The second optional parameter will cause the child process to
-// return that as an exit code on termination.
-//
-// ***Make sure you've enabled basic process creation in the
-// test sandbox settings via:
-// sandbox::TargetPolicy::SetJobLevel(),
-// sandbox::TargetPolicy::SetTokenLevel(),
-// and TestRunner::SetDisableCsrss().
-SBOX_TESTS_COMMAND int TestChildProcess(int argc, wchar_t** argv) {
- if (argc < 1)
- return SBOX_TEST_INVALID_PARAMETER;
-
- int desired_exit_code = 0;
-
- if (argc == 2) {
- desired_exit_code = wcstoul(argv[1], nullptr, 0);
- }
-
- std::wstring cmd = argv[0];
- base::LaunchOptions options = base::LaunchOptionsForTest();
- base::Process setup_proc = base::LaunchProcess(cmd.c_str(), options);
-
- if (setup_proc.IsValid()) {
- setup_proc.Terminate(desired_exit_code, false);
- return SBOX_TEST_SUCCEEDED;
- }
- // Note: GetLastError from CreateProcess returns 5, "ERROR_ACCESS_DENIED".
- return SBOX_TEST_FAILED;
-}
-
-//------------------------------------------------------------------------------
-// Win8 Checks:
-// MITIGATION_DEP(_NO_ATL_THUNK)
-// MITIGATION_EXTENSION_DLL_DISABLE
-// MITIGATION_RELOCATE_IMAGE(_REQUIRED) - ASLR, release only
-// MITIGATION_STRICT_HANDLE_CHECKS
-// >= Win8
-//------------------------------------------------------------------------------
-
-SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) {
- get_process_mitigation_policy =
- reinterpret_cast<GetProcessMitigationPolicyFunction>(
- ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
- "GetProcessMitigationPolicy"));
- if (!get_process_mitigation_policy)
- return SBOX_TEST_NOT_FOUND;
-
-#if !defined(_WIN64) // DEP is always enabled on 64-bit.
- if (!CheckWin8DepPolicy())
- return SBOX_TEST_FIRST_ERROR;
-#endif
-
-#if defined(NDEBUG) // ASLR cannot be forced in debug builds.
- if (!CheckWin8AslrPolicy())
- return SBOX_TEST_SECOND_ERROR;
-#endif
-
- if (!CheckWin8StrictHandlePolicy())
- return SBOX_TEST_THIRD_ERROR;
-
- if (!CheckWin8DllExtensionPolicy())
- return SBOX_TEST_FIFTH_ERROR;
-
- return SBOX_TEST_SUCCEEDED;
-}
-
-TEST(ProcessMitigationsTest, CheckWin8) {
- if (base::win::GetVersion() < base::win::VERSION_WIN8)
- return;
-
- TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- sandbox::MitigationFlags mitigations = MITIGATION_DEP |
- MITIGATION_DEP_NO_ATL_THUNK |
- MITIGATION_EXTENSION_DLL_DISABLE;
-#if defined(NDEBUG) // ASLR cannot be forced in debug builds.
- mitigations |= MITIGATION_RELOCATE_IMAGE |
- MITIGATION_RELOCATE_IMAGE_REQUIRED;
-#endif
-
- EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK);
-
- mitigations |= MITIGATION_STRICT_HANDLE_CHECKS;
-
- EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK);
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8"));
-}
-
-//------------------------------------------------------------------------------
-// DEP (MITIGATION_DEP)
-// < Win8 x86
-//------------------------------------------------------------------------------
-
-SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) {
- GetProcessDEPPolicyFunction get_process_dep_policy =
- reinterpret_cast<GetProcessDEPPolicyFunction>(
- ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
- "GetProcessDEPPolicy"));
- if (get_process_dep_policy) {
- BOOL is_permanent = FALSE;
- DWORD dep_flags = 0;
-
- if (!get_process_dep_policy(::GetCurrentProcess(), &dep_flags,
- &is_permanent)) {
- return SBOX_TEST_FIRST_ERROR;
- }
-
- if (!(dep_flags & PROCESS_DEP_ENABLE) || !is_permanent)
- return SBOX_TEST_SECOND_ERROR;
-
- } else {
- NtQueryInformationProcessFunction query_information_process = NULL;
- ResolveNTFunctionPtr("NtQueryInformationProcess",
- &query_information_process);
- if (!query_information_process)
- return SBOX_TEST_NOT_FOUND;
-
- ULONG size = 0;
- ULONG dep_flags = 0;
- if (!SUCCEEDED(query_information_process(::GetCurrentProcess(),
- ProcessExecuteFlags, &dep_flags,
- sizeof(dep_flags), &size))) {
- return SBOX_TEST_THIRD_ERROR;
- }
-
- static const int MEM_EXECUTE_OPTION_DISABLE = 2;
- static const int MEM_EXECUTE_OPTION_PERMANENT = 8;
- dep_flags &= 0xff;
-
- if (dep_flags != (MEM_EXECUTE_OPTION_DISABLE |
- MEM_EXECUTE_OPTION_PERMANENT)) {
- return SBOX_TEST_FOURTH_ERROR;
- }
- }
-
- return SBOX_TEST_SUCCEEDED;
-}
-
-#if !defined(_WIN64) // DEP is always enabled on 64-bit.
-TEST(ProcessMitigationsTest, CheckDep) {
- if (base::win::GetVersion() > base::win::VERSION_WIN7)
- return;
-
- TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- EXPECT_EQ(policy->SetProcessMitigations(
- MITIGATION_DEP |
- MITIGATION_DEP_NO_ATL_THUNK |
- MITIGATION_SEHOP),
- SBOX_ALL_OK);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep"));
-}
-#endif
-
-//------------------------------------------------------------------------------
-// Win32k Lockdown (MITIGATION_WIN32K_DISABLE)
-// >= Win8
-//------------------------------------------------------------------------------
-
-SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) {
- get_process_mitigation_policy =
- reinterpret_cast<GetProcessMitigationPolicyFunction>(
- ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
- "GetProcessMitigationPolicy"));
- if (!get_process_mitigation_policy)
- return SBOX_TEST_NOT_FOUND;
-
- if (!CheckWin8Win32CallPolicy())
- return SBOX_TEST_FIRST_ERROR;
- return SBOX_TEST_SUCCEEDED;
-}
-
-// This test validates that setting the MITIGATION_WIN32K_DISABLE mitigation on
-// the target process causes the launch to fail in process initialization.
-// The test process itself links against user32/gdi32.
-TEST(ProcessMitigationsTest, CheckWin8Win32KLockDownFailure) {
- if (base::win::GetVersion() < base::win::VERSION_WIN8)
- return;
-
- TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE),
- SBOX_ALL_OK);
- EXPECT_NE(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown"));
-}
-
-// This test validates that setting the MITIGATION_WIN32K_DISABLE mitigation
-// along with the policy to fake user32 and gdi32 initialization successfully
-// launches the target process.
-// The test process itself links against user32/gdi32.
-TEST(ProcessMitigationsTest, CheckWin8Win32KLockDownSuccess) {
- if (base::win::GetVersion() < base::win::VERSION_WIN8)
- return;
-
- TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE),
- SBOX_ALL_OK);
- EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,
- sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL),
- sandbox::SBOX_ALL_OK);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown"));
-}
-
-//------------------------------------------------------------------------------
-// Disable non-system font loads (MITIGATION_NONSYSTEM_FONT_DISABLE)
-// >= Win10
-//------------------------------------------------------------------------------
-
-SBOX_TESTS_COMMAND int CheckWin10FontLockDown(int argc, wchar_t** argv) {
- get_process_mitigation_policy =
- reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress(
- ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy"));
- if (!get_process_mitigation_policy)
- return SBOX_TEST_NOT_FOUND;
-
- if (!CheckWin10FontPolicy())
- return SBOX_TEST_FIRST_ERROR;
- return SBOX_TEST_SUCCEEDED;
-}
-
-SBOX_TESTS_COMMAND int CheckWin10FontLoad(int argc, wchar_t** argv) {
- if (argc < 1)
- return SBOX_TEST_INVALID_PARAMETER;
-
- HMODULE gdi_module = ::LoadLibraryW(L"gdi32.dll");
- if (!gdi_module)
- return SBOX_TEST_NOT_FOUND;
-
- AddFontMemResourceExFunction add_font_mem_resource =
- reinterpret_cast<AddFontMemResourceExFunction>(
- ::GetProcAddress(gdi_module, "AddFontMemResourceEx"));
-
- RemoveFontMemResourceExFunction rem_font_mem_resource =
- reinterpret_cast<RemoveFontMemResourceExFunction>(
- ::GetProcAddress(gdi_module, "RemoveFontMemResourceEx"));
-
- if (!add_font_mem_resource || !rem_font_mem_resource)
- return SBOX_TEST_NOT_FOUND;
-
- // Open font file passed in as an argument.
- base::File file(base::FilePath(argv[0]),
- base::File::FLAG_OPEN | base::File::FLAG_READ);
- if (!file.IsValid())
- // Failed to open the font file passed in.
- return SBOX_TEST_NOT_FOUND;
-
- std::vector<char> font_data;
- int64_t len = file.GetLength();
- font_data.resize(len);
-
- int read = file.Read(0, &font_data[0], len);
- file.Close();
-
- if (read != len)
- return SBOX_TEST_NOT_FOUND;
-
- DWORD font_count = 0;
- HANDLE font_handle = add_font_mem_resource(
- &font_data[0], static_cast<DWORD>(font_data.size()), NULL, &font_count);
-
- if (font_handle) {
- rem_font_mem_resource(font_handle);
- return SBOX_TEST_SUCCEEDED;
- }
-
- return SBOX_TEST_FAILED;
-}
-
-// This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE
-// mitigation enables the setting on a process.
-TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownPolicySuccess) {
- if (base::win::GetVersion() < base::win::VERSION_WIN10)
- return;
-
- TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE),
- SBOX_ALL_OK);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin10FontLockDown"));
-}
-
-// This test validates that we can load a non-system font
-// if the MITIGATION_NON_SYSTEM_FONTS_DISABLE
-// mitigation is NOT set.
-TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadSuccess) {
- if (base::win::GetVersion() < base::win::VERSION_WIN10)
- return;
-
- base::FilePath font_path;
- EXPECT_TRUE(base::PathService::Get(base::DIR_WINDOWS_FONTS, &font_path));
- // Arial font should always be available
- font_path = font_path.Append(L"arial.ttf");
-
- TestRunner runner;
- EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY,
- font_path.value().c_str()));
-
- std::wstring test_command = L"CheckWin10FontLoad \"";
- test_command += font_path.value().c_str();
- test_command += L"\"";
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
-}
-
-// This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE
-// mitigation prevents the loading of a non-system font.
-TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadFailure) {
- if (base::win::GetVersion() < base::win::VERSION_WIN10)
- return;
-
- base::FilePath font_path;
- EXPECT_TRUE(base::PathService::Get(base::DIR_WINDOWS_FONTS, &font_path));
- // Arial font should always be available
- font_path = font_path.Append(L"arial.ttf");
-
- TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
- EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY,
- font_path.value().c_str()));
-
- // Turn on the non-system font disable mitigation.
- EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE),
- SBOX_ALL_OK);
-
- std::wstring test_command = L"CheckWin10FontLoad \"";
- test_command += font_path.value().c_str();
- test_command += L"\"";
-
- EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(test_command.c_str()));
-}
-
-//------------------------------------------------------------------------------
-// Disable image load from remote devices (MITIGATION_IMAGE_LOAD_NO_REMOTE).
-// >= Win10_TH2
-//------------------------------------------------------------------------------
-
-SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoRemote(int argc, wchar_t** argv) {
- get_process_mitigation_policy =
- reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress(
- ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy"));
- if (!get_process_mitigation_policy)
- return SBOX_TEST_NOT_FOUND;
-
- if (!CheckWin10ImageLoadNoRemotePolicy())
- return SBOX_TEST_FIRST_ERROR;
- return SBOX_TEST_SUCCEEDED;
-}
-
-// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE
-// mitigation enables the setting on a process.
-TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoRemotePolicySuccess) {
- if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2)
- return;
-
- TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- EXPECT_EQ(
- policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_REMOTE),
- SBOX_ALL_OK);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"CheckWin10ImageLoadNoRemote"));
-}
-
-// This test validates that we CAN create a new process from
-// a remote UNC device, if the MITIGATION_IMAGE_LOAD_NO_REMOTE
-// mitigation is NOT set.
-//
-// DISABLED for automated testing bots. Enable for manual testing.
-TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteSuccess) {
- if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2)
- return;
-
- TestWin10ImageLoadRemote(true);
-}
-
-// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE
-// mitigation prevents creating a new process from a remote
-// UNC device.
-//
-// DISABLED for automated testing bots. Enable for manual testing.
-TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteFailure) {
- if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2)
- return;
-
- TestWin10ImageLoadRemote(false);
-}
-
-//------------------------------------------------------------------------------
-// Disable image load when "mandatory low label" (integrity level).
-// (MITIGATION_IMAGE_LOAD_NO_LOW_LABEL)
-// >= Win10_TH2
-//------------------------------------------------------------------------------
-
-SBOX_TESTS_COMMAND int CheckWin10ImageLoadNoLowLabel(int argc, wchar_t** argv) {
- get_process_mitigation_policy =
- reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress(
- ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy"));
- if (!get_process_mitigation_policy)
- return SBOX_TEST_NOT_FOUND;
-
- if (!CheckWin10ImageLoadNoLowLabelPolicy())
- return SBOX_TEST_FIRST_ERROR;
- return SBOX_TEST_SUCCEEDED;
-}
-
-// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL
-// mitigation enables the setting on a process.
-TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelPolicySuccess) {
- if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2)
- return;
-
- TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- EXPECT_EQ(
- policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_LOW_LABEL),
- SBOX_ALL_OK);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"CheckWin10ImageLoadNoLowLabel"));
-}
-
-// This test validates that we CAN create a new process with
-// low mandatory label (IL), if the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL
-// mitigation is NOT set.
-TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelSuccess) {
- if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2)
- return;
-
- TestWin10ImageLoadLowLabel(true);
-}
-
-// This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL
-// mitigation prevents creating a new process with low mandatory label (IL).
-TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelFailure) {
- if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2)
- return;
-
- TestWin10ImageLoadLowLabel(false);
-}
-
-//------------------------------------------------------------------------------
-// Disable child process creation.
-// - JobLevel <= JOB_LIMITED_USER (on < WIN10_TH2).
-// - JobLevel <= JOB_LIMITED_USER which also triggers setting
-// PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY to
-// PROCESS_CREATION_CHILD_PROCESS_RESTRICTED in
-// BrokerServicesBase::SpawnTarget (on >= WIN10_TH2).
-//------------------------------------------------------------------------------
-
-// This test validates that we can spawn a child process if
-// MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation is
-// not set.
-TEST(ProcessMitigationsTest, CheckChildProcessSuccess) {
- TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- // Set a policy that would normally allow for process creation.
- policy->SetJobLevel(JOB_INTERACTIVE, 0);
- policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
- runner.SetDisableCsrss(false);
-
- base::FilePath cmd;
- EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd));
- cmd = cmd.Append(L"calc.exe");
-
- std::wstring test_command = L"TestChildProcess ";
- test_command += cmd.value().c_str();
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
-}
-
-// This test validates that setting the
-// MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation prevents
-// the spawning of child processes.
-TEST(ProcessMitigationsTest, CheckChildProcessFailure) {
- TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- // Now set the job level to be <= JOB_LIMITED_USER
- // and ensure we can no longer create a child process.
- policy->SetJobLevel(JOB_LIMITED_USER, 0);
- policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
- runner.SetDisableCsrss(false);
-
- base::FilePath cmd;
- EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd));
- cmd = cmd.Append(L"calc.exe");
-
- std::wstring test_command = L"TestChildProcess ";
- test_command += cmd.value().c_str();
-
- EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(test_command.c_str()));
-}
-
-// This test validates that when the sandboxed target within a job spawns a
-// child process and the target process exits abnormally, the broker correctly
-// handles the JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS message.
-// Because this involves spawning a child process from the target process and is
-// very similar to the above CheckChildProcess* tests, this test is here rather
-// than elsewhere closer to the other Job tests.
-TEST(ProcessMitigationsTest, CheckChildProcessAbnormalExit) {
- TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- // Set a policy that would normally allow for process creation.
- policy->SetJobLevel(JOB_INTERACTIVE, 0);
- policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
- runner.SetDisableCsrss(false);
-
- base::FilePath cmd;
- EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd));
- cmd = cmd.Append(L"calc.exe");
-
- std::wstring test_command(base::StringPrintf(L"TestChildProcess %ls 0x%08X",
- cmd.value().c_str(),
- STATUS_ACCESS_VIOLATION));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
-}
-
-} // namespace sandbox