Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(489)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/win/src/process_mitigations_unittest.cc

Issue 2944493002: [Windows Sandbox Tests] Process Mitigations. (Closed)
Patch Set: Created 3 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« sandbox/win/BUILD.gn ('K') | « sandbox/win/src/process_mitigations_test.cc ('k') | sandbox/win/src/process_mitigations_unittest_extensionpoints.cc » ('j') | sandbox/win/src/process_mitigations_unittest_extensionpoints.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/win/src/process_mitigations.h"
6
7 #include <windows.h>
8
9 #include "base/files/file_util.h"
10 #include "base/path_service.h"
11 #include "base/scoped_native_library.h"
12 #include "base/test/test_timeouts.h"
13 #include "base/win/windows_version.h"
14 #include "sandbox/win/src/nt_internals.h"
15 #include "sandbox/win/src/target_services.h"
16 #include "sandbox/win/tests/common/controller.h"
17 #include "sandbox/win/tests/integration_tests/integration_tests_common.h"
18 #include "testing/gtest/include/gtest/gtest.h"
19
20 namespace {
21
22 //------------------------------------------------------------------------------
23 // Internal Defines & Functions
24 //------------------------------------------------------------------------------
25
26 // API defined in winbase.h.
27 using GetProcessDEPPolicyFunction = decltype(&GetProcessDEPPolicy);
28
29 // API defined in processthreadsapi.h.
30 using GetProcessMitigationPolicyFunction =
31 decltype(&GetProcessMitigationPolicy);
32 GetProcessMitigationPolicyFunction get_process_mitigation_policy;
33
34 // APIs defined in wingdi.h.
35 using AddFontMemResourceExFunction = decltype(&AddFontMemResourceEx);
36 using RemoveFontMemResourceExFunction = decltype(&RemoveFontMemResourceEx);
37
38 //------------------------------------------------------------------------------
39 // NonSystemFont test helper function.
40 //
41 // 1. Pick font file and set up sandbox to allow read access to it.
42 // 2. Trigger test child process (with or without mitigation enabled).
43 //------------------------------------------------------------------------------
44 void TestWin10NonSystemFont(bool is_success_test) {
45 base::FilePath font_path;
46 EXPECT_TRUE(base::PathService::Get(base::DIR_WINDOWS_FONTS, &font_path));
47 // Arial font should always be available
48 font_path = font_path.Append(L"arial.ttf");
49
50 sandbox::TestRunner runner;
51 EXPECT_TRUE(runner.AddFsRule(sandbox::TargetPolicy::FILES_ALLOW_READONLY,
52 font_path.value().c_str()));
53
54 if (!is_success_test) {
55 sandbox::TargetPolicy* policy = runner.GetPolicy();
56 // Turn on the non-system font disable mitigation.
57 EXPECT_EQ(policy->SetProcessMitigations(
58 sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE),
59 sandbox::SBOX_ALL_OK);
60 }
61
62 std::wstring test_command = L"CheckWin10FontLoad \"";
63 test_command += font_path.value().c_str();
64 test_command += L"\"";
65
66 EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED
67 : sandbox::SBOX_TEST_FAILED),
68 runner.RunTest(test_command.c_str()));
69 }
70
71 } // namespace
72
73 namespace sandbox {
74
75 // File on disk, defined in extension point tests.
76 extern const wchar_t g_hook_dll_file[];
77 // Mutex to acquire before touching above resource.
78 extern const wchar_t g_extension_point_test_mutex[];
79
80 // Common function used for timeout with Win APIs like ::WaitForSingleObject().
81 DWORD SboxTestEventTimeout() {
82 if (::IsDebuggerPresent())
83 return INFINITE;
84
85 return static_cast<DWORD>(
86 (TestTimeouts::action_timeout()).InMillisecondsRoundedUp());
87 }
88
89 //------------------------------------------------------------------------------
90 // Exported functions called by child test processes.
91 //------------------------------------------------------------------------------
92
93 //------------------------------------------------------------------------------
94 // Common test function for checking that a policy was enabled.
95 // - Use enum TestPolicy defined in integration_tests_common.h to specify which
96 // policy to check - passed as arg1.
97 //------------------------------------------------------------------------------
98 SBOX_TESTS_COMMAND int CheckPolicy(int argc, wchar_t** argv) {
99 if (argc < 1)
100 return SBOX_TEST_INVALID_PARAMETER;
101 int test = ::_wtoi(argv[0]);
102 if (!test)
103 return SBOX_TEST_INVALID_PARAMETER;
104
105 get_process_mitigation_policy =
106 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress(
107 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy"));
108 if (!get_process_mitigation_policy)
109 return SBOX_TEST_NOT_FOUND;
110
111 switch (test) {
112 //--------------------------------------------------
113 // MITIGATION_DEP
114 // MITIGATION_DEP_NO_ATL_THUNK
115 //--------------------------------------------------
116 case (TESTPOLICY_DEP): {
117 #if !defined(_WIN64)
118 // DEP - always enabled on 64-bit.
119 PROCESS_MITIGATION_DEP_POLICY policy = {};
120 if (!get_process_mitigation_policy(::GetCurrentProcess(),
121 ProcessDEPPolicy, &policy,
122 sizeof(policy))) {
123 return SBOX_TEST_NOT_FOUND;
124 }
125 if (!policy.Enable || !policy.Permanent)
126 return SBOX_TEST_FAILED;
127 #endif // !defined(_WIN64)
128 break;
129 }
130 //--------------------------------------------------
131 // MITIGATION_RELOCATE_IMAGE
132 // MITIGATION_RELOCATE_IMAGE_REQUIRED
133 //--------------------------------------------------
134 case (TESTPOLICY_ASLR): {
135 PROCESS_MITIGATION_ASLR_POLICY policy2 = {};
136 if (!get_process_mitigation_policy(::GetCurrentProcess(),
137 ProcessASLRPolicy, &policy2,
138 sizeof(policy2))) {
139 return SBOX_TEST_NOT_FOUND;
140 }
141 if (!policy2.EnableForceRelocateImages || !policy2.DisallowStrippedImages)
142 return SBOX_TEST_FAILED;
143
144 break;
145 }
146 //--------------------------------------------------
147 // MITIGATION_STRICT_HANDLE_CHECKS
148 //--------------------------------------------------
149 case (TESTPOLICY_STRICTHANDLE): {
150 PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy3 = {};
151 if (!get_process_mitigation_policy(::GetCurrentProcess(),
152 ProcessStrictHandleCheckPolicy,
153 &policy3, sizeof(policy3))) {
154 return SBOX_TEST_NOT_FOUND;
155 }
156 if (!policy3.RaiseExceptionOnInvalidHandleReference ||
157 !policy3.HandleExceptionsPermanentlyEnabled) {
158 return SBOX_TEST_FAILED;
159 }
160
161 break;
162 }
163 //--------------------------------------------------
164 // MITIGATION_WIN32K_DISABLE
165 //--------------------------------------------------
166 case (TESTPOLICY_WIN32K): {
167 PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy = {};
168 if (!get_process_mitigation_policy(::GetCurrentProcess(),
169 ProcessSystemCallDisablePolicy,
170 &policy, sizeof(policy))) {
171 return SBOX_TEST_NOT_FOUND;
172 }
173 if (!policy.DisallowWin32kSystemCalls)
174 return SBOX_TEST_FAILED;
175
176 break;
177 }
178 //--------------------------------------------------
179 // MITIGATION_EXTENSION_POINT_DISABLE
180 //--------------------------------------------------
181 case (TESTPOLICY_EXTENSIONPOINT): {
182 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {};
183 if (!get_process_mitigation_policy(::GetCurrentProcess(),
184 ProcessExtensionPointDisablePolicy,
185 &policy, sizeof(policy))) {
186 return SBOX_TEST_NOT_FOUND;
187 }
188 if (!policy.DisableExtensionPoints)
189 return SBOX_TEST_FAILED;
190
191 break;
192 }
193 //--------------------------------------------------
194 // MITIGATION_NONSYSTEM_FONT_DISABLE
195 //--------------------------------------------------
196 case (TESTPOLICY_NONSYSFONT): {
197 PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {};
198 if (!get_process_mitigation_policy(::GetCurrentProcess(),
199 ProcessFontDisablePolicy, &policy,
200 sizeof(policy))) {
201 return SBOX_TEST_NOT_FOUND;
202 }
203 if (!policy.DisableNonSystemFonts)
204 return SBOX_TEST_FAILED;
205
206 break;
207 }
208 //--------------------------------------------------
209 // MITIGATION_IMAGE_LOAD_NO_REMOTE
210 //--------------------------------------------------
211 case (TESTPOLICY_LOADNOREMOTE): {
212 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {};
213 if (!get_process_mitigation_policy(::GetCurrentProcess(),
214 ProcessImageLoadPolicy, &policy,
215 sizeof(policy))) {
216 return SBOX_TEST_NOT_FOUND;
217 }
218 if (!policy.NoRemoteImages)
219 return SBOX_TEST_FAILED;
220
221 break;
222 }
223 //--------------------------------------------------
224 // MITIGATION_IMAGE_LOAD_NO_LOW_LABEL
225 //--------------------------------------------------
226 case (TESTPOLICY_LOADNOLOW): {
227 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {};
228 if (!get_process_mitigation_policy(::GetCurrentProcess(),
229 ProcessImageLoadPolicy, &policy,
230 sizeof(policy))) {
231 return SBOX_TEST_NOT_FOUND;
232 }
233 if (!policy.NoLowMandatoryLabelImages)
234 return SBOX_TEST_FAILED;
235
236 break;
237 }
238 default:
239 return SBOX_TEST_INVALID_PARAMETER;
240 }
241
242 return SBOX_TEST_SUCCEEDED;
243 }
244
245 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t** argv) {
246 GetProcessDEPPolicyFunction get_process_dep_policy =
247 reinterpret_cast<GetProcessDEPPolicyFunction>(::GetProcAddress(
248 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessDEPPolicy"));
249 if (get_process_dep_policy) {
250 BOOL is_permanent = FALSE;
251 DWORD dep_flags = 0;
252
253 if (!get_process_dep_policy(::GetCurrentProcess(), &dep_flags,
254 &is_permanent)) {
255 return SBOX_TEST_FIRST_ERROR;
256 }
257
258 if (!(dep_flags & PROCESS_DEP_ENABLE) || !is_permanent)
259 return SBOX_TEST_SECOND_ERROR;
260
261 } else {
262 NtQueryInformationProcessFunction query_information_process = NULL;
263 ResolveNTFunctionPtr("NtQueryInformationProcess",
264 &query_information_process);
265 if (!query_information_process)
266 return SBOX_TEST_NOT_FOUND;
267
268 ULONG size = 0;
269 ULONG dep_flags = 0;
270 if (!SUCCEEDED(query_information_process(::GetCurrentProcess(),
271 ProcessExecuteFlags, &dep_flags,
272 sizeof(dep_flags), &size))) {
273 return SBOX_TEST_THIRD_ERROR;
274 }
275
276 static const int MEM_EXECUTE_OPTION_DISABLE = 2;
277 static const int MEM_EXECUTE_OPTION_PERMANENT = 8;
278 dep_flags &= 0xff;
279
280 if (dep_flags !=
281 (MEM_EXECUTE_OPTION_DISABLE | MEM_EXECUTE_OPTION_PERMANENT)) {
282 return SBOX_TEST_FOURTH_ERROR;
283 }
284 }
285
286 return SBOX_TEST_SUCCEEDED;
287 }
288
289 // ForceMsSigned tests:
290 // Try to load the DLL given in arg1.
291 SBOX_TESTS_COMMAND int TestDllLoad(int argc, wchar_t** argv) {
292 if (argc < 1 || argv[0] == nullptr)
293 return SBOX_TEST_INVALID_PARAMETER;
294
295 std::wstring dll = argv[0];
296 base::ScopedNativeLibrary test_dll((base::FilePath(dll)));
297 if (test_dll.is_valid())
298 return SBOX_TEST_SUCCEEDED;
299
300 // Note: GetLastError() does not get an accurate failure code
301 // at this point.
302 return SBOX_TEST_FAILED;
303 }
304
305 // This test attempts a non-system font load.
306 //
307 // 1) Load gdi32.dll for required font APIs.
308 // 2) Load file contents of font file passed in arg1 into memory.
309 // 3) Call API to try loading a non-system font.
310 //
311 // Arg1: Full path to font file to try loading.
312 SBOX_TESTS_COMMAND int CheckWin10FontLoad(int argc, wchar_t** argv) {
313 if (argc < 1)
314 return SBOX_TEST_INVALID_PARAMETER;
315
316 HMODULE gdi_module = ::LoadLibraryW(L"gdi32.dll");
317 if (!gdi_module)
318 return SBOX_TEST_NOT_FOUND;
319
320 AddFontMemResourceExFunction add_font_mem_resource =
321 reinterpret_cast<AddFontMemResourceExFunction>(
322 ::GetProcAddress(gdi_module, "AddFontMemResourceEx"));
323
324 RemoveFontMemResourceExFunction rem_font_mem_resource =
325 reinterpret_cast<RemoveFontMemResourceExFunction>(
326 ::GetProcAddress(gdi_module, "RemoveFontMemResourceEx"));
327
328 if (!add_font_mem_resource || !rem_font_mem_resource)
329 return SBOX_TEST_NOT_FOUND;
330
331 // Open font file passed in as an argument.
332 base::File file(base::FilePath(argv[0]),
333 base::File::FLAG_OPEN | base::File::FLAG_READ);
334 if (!file.IsValid())
335 // Failed to open the font file passed in.
336 return SBOX_TEST_NOT_FOUND;
337
338 std::vector<char> font_data;
339 int64_t len = file.GetLength();
340 if (len < 0)
341 return SBOX_TEST_NOT_FOUND;
342 font_data.resize(len);
343
344 int read = file.Read(0, &font_data[0], len);
345 file.Close();
346
347 if (read != len)
348 return SBOX_TEST_NOT_FOUND;
349
350 DWORD font_count = 0;
351 HANDLE font_handle = add_font_mem_resource(
352 &font_data[0], static_cast<DWORD>(font_data.size()), NULL, &font_count);
353
354 if (font_handle) {
355 rem_font_mem_resource(font_handle);
356 return SBOX_TEST_SUCCEEDED;
357 }
358
359 return SBOX_TEST_FAILED;
360 }
361
362 // Common helper test for CreateProcess.
363 // Arg1: The process commandline to create.
364 // Arg2: Will process end on its own:
365 // - "true" for a process expected to finish on its own (wait for it).
366 // - "false" for a process that will require terminating.
367 // Arg3: [OPTIONAL] Expected or forced exit code:
368 // - If arg2 is "true", this is the expected exit code (default 0).
369 // - If arg2 is "false", terminate the process with this exit code (default 0).
370 //
371 // ***Make sure you've enabled basic process creation in the
372 // test sandbox settings via:
373 // sandbox::TargetPolicy::SetJobLevel(),
374 // sandbox::TargetPolicy::SetTokenLevel(),
375 // and TestRunner::SetDisableCsrss().
376 SBOX_TESTS_COMMAND int TestChildProcess(int argc, wchar_t** argv) {
377 if (argc < 2 || argc > 3)
378 return SBOX_TEST_INVALID_PARAMETER;
379
380 bool process_finishes = true;
381 std::wstring arg2 = argv[1];
382 if (arg2.compare(L"false") == 0)
383 process_finishes = false;
384
385 int desired_exit_code = 0;
386 if (argc == 3) {
387 desired_exit_code = wcstoul(argv[2], nullptr, 0);
388 }
389
390 std::wstring cmd = argv[0];
391 base::LaunchOptions options = base::LaunchOptionsForTest();
392 base::Process setup_proc = base::LaunchProcess(cmd.c_str(), options);
393
394 if (setup_proc.IsValid()) {
395 if (process_finishes) {
396 // Wait for process exit and compare exit code.
397 int exit_code = 1;
398 if (!setup_proc.WaitForExitWithTimeout(TestTimeouts::action_max_timeout(),
399 &exit_code)) {
400 // Unexpected failure.
401 setup_proc.Terminate(0, false);
402 return SBOX_TEST_TIMED_OUT;
403 }
404 if (exit_code != desired_exit_code)
405 return SBOX_TEST_FAILED;
406 return SBOX_TEST_SUCCEEDED;
407 } else {
408 // Terminate process with requested exit code.
409 setup_proc.Terminate(desired_exit_code, false);
410 return SBOX_TEST_SUCCEEDED;
411 }
412 }
413 // Process failed to be created.
414 // Note: GetLastError from CreateProcess returns 5, "ERROR_ACCESS_DENIED".
415 return SBOX_TEST_FAILED;
416 }
417
418 //------------------------------------------------------------------------------
419 // Exported Mitigation Tests
420 //------------------------------------------------------------------------------
421
422 //------------------------------------------------------------------------------
423 // DEP (MITIGATION_DEP and MITIGATION_DEP_NO_ATL_THUNK)
424 // Win7 x86
425 //------------------------------------------------------------------------------
426
427 #if !defined(_WIN64)
428 // DEP is always enabled on 64-bit. Only test on x86.
429 TEST(ProcessMitigationsTest, CheckDepWin7) {
430 if (base::win::GetVersion() > base::win::VERSION_WIN7)
431 return;
432
433 TestRunner runner;
434 sandbox::TargetPolicy* policy = runner.GetPolicy();
435
436 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_DEP |
437 MITIGATION_DEP_NO_ATL_THUNK |
438 MITIGATION_SEHOP),
439 SBOX_ALL_OK);
440 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep"));
441 }
442 #endif // !defined(_WIN64)
443
444 //------------------------------------------------------------------------------
445 // DEP (MITIGATION_DEP and MITIGATION_DEP_NO_ATL_THUNK)
446 // >= Win8 x86
447 //------------------------------------------------------------------------------
448
449 #if !defined(_WIN64)
450 // DEP is always enabled on 64-bit. Only test on x86.
451
452 // This test validates that setting the MITIGATION_DEP*
453 // mitigations enables the setting on a process.
454 TEST(ProcessMitigationsTest, CheckDepWin8PolicySuccess) {
455 if (base::win::GetVersion() < base::win::VERSION_WIN8)
456 return;
457
458 std::wstring test_command = L"CheckPolicy ";
459 test_command += std::to_wstring(TESTPOLICY_DEP);
460
461 //---------------------------------
462 // 1) Test setting pre-startup.
463 //---------------------------------
464 TestRunner runner;
465 sandbox::TargetPolicy* policy = runner.GetPolicy();
466
467 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_DEP |
468 MITIGATION_DEP_NO_ATL_THUNK),
469 SBOX_ALL_OK);
470 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
471
472 //---------------------------------
473 // 2) Test setting post-startup.
474 //---------------------------------
475 TestRunner runner2;
476 sandbox::TargetPolicy* policy2 = runner2.GetPolicy();
477
478 EXPECT_EQ(policy2->SetDelayedProcessMitigations(MITIGATION_DEP |
479 MITIGATION_DEP_NO_ATL_THUNK),
480 SBOX_ALL_OK);
481 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner2.RunTest(test_command.c_str()));
482 }
483
484 #endif // !defined(_WIN64)
485
486 //------------------------------------------------------------------------------
487 // ASLR
488 // - MITIGATION_RELOCATE_IMAGE
489 // - MITIGATION_RELOCATE_IMAGE_REQUIRED
490 // - MITIGATION_BOTTOM_UP_ASLR
491 // - MITIGATION_HIGH_ENTROPY_ASLR
492 // >= Win8
493 //------------------------------------------------------------------------------
494
495 TEST(ProcessMitigationsTest, CheckWin8AslrPolicySuccess) {
496 if (base::win::GetVersion() < base::win::VERSION_WIN8)
497 return;
498
499 std::wstring test_command = L"CheckPolicy ";
500 test_command += std::to_wstring(TESTPOLICY_ASLR);
501
502 TestRunner runner;
503 sandbox::TargetPolicy* policy = runner.GetPolicy();
504
505 //---------------------------------
506 // 1) Test setting pre-startup.
507 // **Can only set ASLR pre-startup in release build.
508 //---------------------------------
509 #if defined(NDEBUG)
510 EXPECT_EQ(policy->SetProcessMitigations(
511 MITIGATION_RELOCATE_IMAGE | MITIGATION_RELOCATE_IMAGE_REQUIRED |
512 MITIGATION_BOTTOM_UP_ASLR | MITIGATION_HIGH_ENTROPY_ASLR),
513 SBOX_ALL_OK);
514 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
515
516 //---------------------------------
517 // 2) Test setting post-startup.
518 // **Bottom up and high entropy can only be set pre-startup.
519 // **Can only set ASLR post-startup in debug build.
520 //---------------------------------
521 #else
522 EXPECT_EQ(policy->SetDelayedProcessMitigations(
523 MITIGATION_RELOCATE_IMAGE | MITIGATION_RELOCATE_IMAGE_REQUIRED),
524 SBOX_ALL_OK);
525 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
526 #endif // !defined(NDEBUG)
527 }
528
529 //------------------------------------------------------------------------------
530 // Strict handle checks (MITIGATION_STRICT_HANDLE_CHECKS)
531 // >= Win8
532 //------------------------------------------------------------------------------
533
534 TEST(ProcessMitigationsTest, CheckWin8StrictHandlePolicySuccess) {
535 if (base::win::GetVersion() < base::win::VERSION_WIN8)
536 return;
537
538 std::wstring test_command = L"CheckPolicy ";
539 test_command += std::to_wstring(TESTPOLICY_STRICTHANDLE);
540
541 //---------------------------------
542 // 1) Test setting post-startup.
543 // ** Can only be set post-startup.
544 //---------------------------------
545 TestRunner runner;
546 sandbox::TargetPolicy* policy = runner.GetPolicy();
547
548 EXPECT_EQ(
549 policy->SetDelayedProcessMitigations(MITIGATION_STRICT_HANDLE_CHECKS),
550 SBOX_ALL_OK);
551 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
552 }
553
554 //------------------------------------------------------------------------------
555 // Disable non-system font loads (MITIGATION_NONSYSTEM_FONT_DISABLE)
556 // >= Win10
557 //------------------------------------------------------------------------------
558
559 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE
560 // mitigation enables the setting on a process.
561 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownPolicySuccess) {
562 if (base::win::GetVersion() < base::win::VERSION_WIN10)
563 return;
564
565 std::wstring test_command = L"CheckPolicy ";
566 test_command += std::to_wstring(TESTPOLICY_NONSYSFONT);
567
568 //---------------------------------
569 // 1) Test setting pre-startup.
570 //---------------------------------
571 TestRunner runner;
572 sandbox::TargetPolicy* policy = runner.GetPolicy();
573
574 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE),
575 SBOX_ALL_OK);
576 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
577
578 //---------------------------------
579 // 2) Test setting post-startup.
580 //---------------------------------
581 TestRunner runner2;
582 sandbox::TargetPolicy* policy2 = runner2.GetPolicy();
583
584 EXPECT_EQ(
585 policy2->SetDelayedProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE),
586 SBOX_ALL_OK);
587 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner2.RunTest(test_command.c_str()));
588 }
589
590 // This test validates that we can load a non-system font if the
591 // MITIGATION_NON_SYSTEM_FONTS_DISABLE mitigation is NOT set.
592 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadSuccess) {
593 if (base::win::GetVersion() < base::win::VERSION_WIN10)
594 return;
595
596 TestWin10NonSystemFont(true);
597 }
598
599 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE
600 // mitigation prevents the loading of a non-system font.
601 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadFailure) {
602 if (base::win::GetVersion() < base::win::VERSION_WIN10)
603 return;
604
605 TestWin10NonSystemFont(false);
606 }
607
608 //------------------------------------------------------------------------------
609 // Disable child process creation.
610 // - JobLevel <= JOB_LIMITED_USER (on < WIN10_TH2).
611 // - JobLevel <= JOB_LIMITED_USER which also triggers setting
612 // PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY to
613 // PROCESS_CREATION_CHILD_PROCESS_RESTRICTED in
614 // BrokerServicesBase::SpawnTarget (on >= WIN10_TH2).
615 //------------------------------------------------------------------------------
616
617 // This test validates that we can spawn a child process if
618 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation is
619 // not set.
620 TEST(ProcessMitigationsTest, CheckChildProcessSuccess) {
621 TestRunner runner;
622 sandbox::TargetPolicy* policy = runner.GetPolicy();
623
624 // Set a policy that would normally allow for process creation.
625 policy->SetJobLevel(JOB_INTERACTIVE, 0);
626 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
627 runner.SetDisableCsrss(false);
628
629 base::FilePath cmd;
630 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd));
631 cmd = cmd.Append(L"calc.exe");
632
633 std::wstring test_command = L"TestChildProcess \"";
634 test_command += cmd.value().c_str();
635 test_command += L"\" false";
636
637 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
638 }
639
640 // This test validates that setting the
641 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation prevents
642 // the spawning of child processes.
643 TEST(ProcessMitigationsTest, CheckChildProcessFailure) {
644 TestRunner runner;
645 sandbox::TargetPolicy* policy = runner.GetPolicy();
646
647 // Now set the job level to be <= JOB_LIMITED_USER
648 // and ensure we can no longer create a child process.
649 policy->SetJobLevel(JOB_LIMITED_USER, 0);
650 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
651 runner.SetDisableCsrss(false);
652
653 base::FilePath cmd;
654 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd));
655 cmd = cmd.Append(L"calc.exe");
656
657 std::wstring test_command = L"TestChildProcess \"";
658 test_command += cmd.value().c_str();
659 test_command += L"\" false";
660
661 EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(test_command.c_str()));
662 }
663
664 // This test validates that when the sandboxed target within a job spawns a
665 // child process and the target process exits abnormally, the broker correctly
666 // handles the JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS message.
667 // Because this involves spawning a child process from the target process and is
668 // very similar to the above CheckChildProcess* tests, this test is here rather
669 // than elsewhere closer to the other Job tests.
670 TEST(ProcessMitigationsTest, CheckChildProcessAbnormalExit) {
671 TestRunner runner;
672 sandbox::TargetPolicy* policy = runner.GetPolicy();
673
674 // Set a policy that would normally allow for process creation.
675 policy->SetJobLevel(JOB_INTERACTIVE, 0);
676 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
677 runner.SetDisableCsrss(false);
678
679 base::FilePath cmd;
680 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd));
681 cmd = cmd.Append(L"calc.exe");
682
683 std::wstring test_command = L"TestChildProcess \"";
684 test_command += cmd.value().c_str();
685 test_command += L"\" false ";
686 test_command += std::to_wstring(STATUS_ACCESS_VIOLATION);
687
688 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
689 }
690
691 } // namespace sandbox
OLDNEW
« sandbox/win/BUILD.gn ('K') | « sandbox/win/src/process_mitigations_test.cc ('k') | sandbox/win/src/process_mitigations_unittest_extensionpoints.cc » ('j') | sandbox/win/src/process_mitigations_unittest_extensionpoints.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698