
Unified Diff: sandbox/win/src/process_mitigations_test.cc

Issue 2369563002: Add header comments documenting extra constraints for some sandbox mitigations: MITIGATION_RELOCATE… (Closed)
Patch Set: Add unit test that ASLR works in debug as long as it's delayed Created 4 years, 3 months ago
Index: sandbox/win/src/process_mitigations_test.cc
diff --git a/sandbox/win/src/process_mitigations_test.cc b/sandbox/win/src/process_mitigations_test.cc
index d546bbf9423a21721bd4266a1a56977a2f19bae0..78709068610dfb4113207602078a6e43fe96f715 100644
--- a/sandbox/win/src/process_mitigations_test.cc
+++ b/sandbox/win/src/process_mitigations_test.cc
@@ -70,7 +70,6 @@ bool CheckWin8DepPolicy() {
}
#endif // !defined(_WIN64)
-#if defined(NDEBUG)
bool CheckWin8AslrPolicy() {
PROCESS_MITIGATION_ASLR_POLICY policy = {};
if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessASLRPolicy,
@@ -79,7 +78,6 @@ bool CheckWin8AslrPolicy() {
}
return policy.EnableForceRelocateImages && policy.DisallowStrippedImages;
}
-#endif // defined(NDEBUG)
bool CheckWin8StrictHandlePolicy() {
PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy = {};
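Review bot: `CheckWin8AslrPolicy()` has no comment stating what it treats as "ASLR enabled", and with the `NDEBUG` guard gone it is now the single definition used by both debug and release runs. The visible return requires both `policy.EnableForceRelocateImages` and `policy.DisallowStrippedImages`, so I would add a header such as `// Returns true only if forced image relocation and stripped-image rejection are both in effect for the current process.` It would also help to say which bit presumably corresponds to `MITIGATION_RELOCATE_IMAGE` and which to `MITIGATION_RELOCATE_IMAGE_REQUIRED`, so a failure with `SBOX_TEST_SECOND_ERROR` can be traced to one flag. The function starts in the previous hunk and the lines between the two hunks are not shown, so the query-failure path is not covered by this note.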
@@ -843,7 +841,7 @@ SBOX_TESTS_COMMAND int TestChildProcess(int argc, wchar_t** argv) {
//------------------------------------------------------------------------------
// Win8 Checks:
// MITIGATION_DEP(_NO_ATL_THUNK)
-// MITIGATION_RELOCATE_IMAGE(_REQUIRED) - ASLR, release only
+// MITIGATION_RELOCATE_IMAGE(_REQUIRED) - ASLR
// MITIGATION_STRICT_HANDLE_CHECKS
// >= Win8
//------------------------------------------------------------------------------
@@ -860,10 +858,8 @@ SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t** argv) {
return SBOX_TEST_FIRST_ERROR;
#endif
-#if defined(NDEBUG) // ASLR cannot be forced in debug builds.
if (!CheckWin8AslrPolicy())
return SBOX_TEST_SECOND_ERROR;
-#endif
if (!CheckWin8StrictHandlePolicy())
return SBOX_TEST_THIRD_ERROR;
@@ -878,16 +874,24 @@ TEST(ProcessMitigationsTest, CheckWin8) {
TestRunner runner;
sandbox::TargetPolicy* policy = runner.GetPolicy();
+ // ASLR cannot be forced on start in debug builds.
+ constexpr sandbox::MitigationFlags kDebugDelayedMitigations =
+ MITIGATION_RELOCATE_IMAGE | MITIGATION_RELOCATE_IMAGE_REQUIRED;
+
sandbox::MitigationFlags mitigations =
MITIGATION_DEP | MITIGATION_DEP_NO_ATL_THUNK;
-#if defined(NDEBUG) // ASLR cannot be forced in debug builds.
- mitigations |= MITIGATION_RELOCATE_IMAGE | MITIGATION_RELOCATE_IMAGE_REQUIRED;
+#if defined(NDEBUG)
+ mitigations |= kDebugDelayedMitigations;
#endif
EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK);
mitigations |= MITIGATION_STRICT_HANDLE_CHECKS;
+#if !defined(NDEBUG)
+ mitigations |= kDebugDelayedMitigations;
Will Harris 2016/09/26 18:31:38 do you really mean to add these mitigations twice,
Joe Mason 2016/09/26 19:39:57 That's NDEBUG, this is !NDEBUG. "DebugDelayedMitig
+#endif
+
EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK);
EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8"));
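Review bot: In release builds the ASLR flags reach the child by two routes that the test cannot tell apart. `mitigations` is reused and only grows, so the value passed to `SetDelayedProcessMitigations` still carries the flags already passed to `SetProcessMitigations`. The child reports one `CheckWin8AslrPolicy()` result, so a regression in start-time application could be hidden if the delayed path also applies the flags; whether the child check runs after delayed mitigations take effect is not visible here. At minimum I would record the intent next to the two `#if` blocks, e.g. `// Release: ASLR requested at start (and carried into the delayed set); debug: delayed set only.` If start-time enforcement is meant to be covered on its own, a release-only case that leaves the ASLR flags out of the delayed set would pin it, provided the API accepts a delayed set that omits them. The `TEST` body may continue past the end of this hunk.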