Implement sandbox hooks to forward OPM related GDI system calls.

sandbox/win/src/process_mitigations_test.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include <map>
+#include <string>
+
 #include "base/files/file_util.h"
 #include "base/files/scoped_temp_dir.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/path_service.h"
 #include "base/process/launch.h"
 #include "base/strings/stringprintf.h"
 #include "base/win/scoped_handle.h"
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/nt_internals.h"
 #include "sandbox/win/src/process_mitigations.h"
@@ skipping 178 matching lines @@
   }
 
   std::wstring test = L"TestChildProcess ";
   test += new_path.value().c_str();
 
   EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED
                              : sandbox::SBOX_TEST_FAILED),
             runner.RunTest(test.c_str()));
 }
 
+BOOL CALLBACK MonitorEnumCallback(HMONITOR monitor,
+                                  HDC hdc_monitor,
+                                  LPRECT rect_monitor,
+                                  LPARAM data) {
+  std::map<HMONITOR, base::string16>& monitors =
+      *reinterpret_cast<std::map<HMONITOR, base::string16>*>(data);
+  MONITORINFOEXW monitor_info = {};
+  monitor_info.cbSize = sizeof(monitor_info);
+
+  if (!GetMonitorInfoW(monitor, reinterpret_cast<MONITORINFO*>(&monitor_info)))
+    return FALSE;
+  monitors[monitor] = monitor_info.szDevice;
+  return TRUE;
+}
+
+std::map<HMONITOR, std::wstring> EnumerateMonitors() {
+  std::map<HMONITOR, std::wstring> result;
+  ::EnumDisplayMonitors(nullptr, nullptr, MonitorEnumCallback,
+                        reinterpret_cast<LPARAM>(&result));
+  return result;
+}
+
+std::wstring MonitorListToString(
+    const std::map<HMONITOR, std::wstring>& monitors) {
+  std::wstring monitors_string;
+  for (const auto& monitor : monitors) {
+    base::StringAppendF(&monitors_string, L" %p %s", monitor.first,
+                        monitor.second.c_str());
+  }
+  return monitors_string;
+}
+
 }  // namespace
 
 namespace sandbox {
 
 // A shared helper test command that will attempt to CreateProcess with a given
 // command line. The second optional parameter will cause the child process to
 // return that as an exit code on termination.
 //
 // ***Make sure you've enabled basic process creation in the
 // test sandbox settings via:
@@ skipping 160 matching lines @@
           ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
                            "GetProcessMitigationPolicy"));
   if (!get_process_mitigation_policy)
     return SBOX_TEST_NOT_FOUND;
 
   if (!CheckWin8Win32CallPolicy())
     return SBOX_TEST_FIRST_ERROR;
   return SBOX_TEST_SUCCEEDED;
 }
 
+SBOX_TESTS_COMMAND int CheckOPMGetDisplayMonitors(int argc, wchar_t** argv) {
+  if (argc == 0 || (argc & 1) != 0)
+    return SBOX_TEST_FIRST_ERROR;
+
+  std::map<HMONITOR, base::string16> monitors = EnumerateMonitors();
+  std::map<HMONITOR, base::string16> monitors_to_test;
+
+  for (int index = 0; index < argc; index += 2) {
+    HMONITOR monitor =
+        reinterpret_cast<HMONITOR>(wcstoull(argv[index], nullptr, 16));
+    monitors_to_test[monitor] = argv[index + 1];
+  }
+
+  if (monitors.size() != monitors_to_test.size())
+    return SBOX_TEST_SECOND_ERROR;
+
+  for (auto it = monitors.begin(); it != monitors.end(); ++it) {
+    auto result = monitors_to_test.find(it->first);
+    if (result == monitors_to_test.end())
+      return SBOX_TEST_THIRD_ERROR;
+    if (result->second != it->second)
+      return SBOX_TEST_FOURTH_ERROR;
+  }
+  return SBOX_TEST_SUCCEEDED;
+}
+
 // This test validates that setting the MITIGATION_WIN32K_DISABLE mitigation on
 // the target process causes the launch to fail in process initialization.
 // The test process itself links against user32/gdi32.
 TEST(ProcessMitigationsTest, CheckWin8Win32KLockDownFailure) {
   if (base::win::GetVersion() < base::win::VERSION_WIN8)
     return;
 
   TestRunner runner;
   sandbox::TargetPolicy* policy = runner.GetPolicy();
 
@@ skipping 12 matching lines @@
 
   TestRunner runner;
   sandbox::TargetPolicy* policy = runner.GetPolicy();
 
   EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE),
             SBOX_ALL_OK);
   EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,
                             sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL),
             sandbox::SBOX_ALL_OK);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown"));
+
+  // Also check that we can't access redirected APIs.
+  std::map<HMONITOR, std::wstring> monitors = EnumerateMonitors();
+  std::wstring test_command =
+      L"CheckOPMGetDisplayMonitors" + MonitorListToString(monitors);
+  EXPECT_NE(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
+}
+
+// This test validates the even though we're running under win32k lockdown
+// we can use the IPC redirection to enumerate the list of monitors.
+TEST(ProcessMitigationsTest, CheckWin8OpmRedirectionSuccess) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN8)
+    return;
+
+  TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE),
+            SBOX_ALL_OK);
+  EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,
+                            sandbox::TargetPolicy::IMPLEMENT_OPM_APIS, NULL),
+            sandbox::SBOX_ALL_OK);
+  policy->SetEnableOPMRedirection();
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown"));
+
+  std::map<HMONITOR, std::wstring> monitors = EnumerateMonitors();
+  std::wstring test_command =
+      L"CheckOPMGetDisplayMonitors" + MonitorListToString(monitors);
+  printf("%ls\n", test_command.c_str());
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
 }
 
 //------------------------------------------------------------------------------
 // Disable non-system font loads (MITIGATION_NONSYSTEM_FONT_DISABLE)
 // >= Win10
 //------------------------------------------------------------------------------
 
 SBOX_TESTS_COMMAND int CheckWin10FontLockDown(int argc, wchar_t** argv) {
   get_process_mitigation_policy =
       reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress(
@@ skipping 301 matching lines @@
   cmd = cmd.Append(L"calc.exe");
 
   std::wstring test_command(base::StringPrintf(L"TestChildProcess %ls 0x%08X",
                                                cmd.value().c_str(),
                                                STATUS_ACCESS_VIOLATION));
 
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
 }
 
 }  // namespace sandbox