OLD | NEW |
(Empty) | |
| 1 // Copyright 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "sandbox/win/src/process_mitigations.h" |
| 6 |
| 7 #include <windows.h> |
| 8 |
| 9 #include "base/files/file_util.h" |
| 10 #include "base/path_service.h" |
| 11 #include "base/scoped_native_library.h" |
| 12 #include "base/test/test_timeouts.h" |
| 13 #include "base/win/windows_version.h" |
| 14 #include "sandbox/win/src/nt_internals.h" |
| 15 #include "sandbox/win/src/target_services.h" |
| 16 #include "sandbox/win/tests/common/controller.h" |
| 17 #include "sandbox/win/tests/integration_tests/integration_tests_common.h" |
| 18 #include "testing/gtest/include/gtest/gtest.h" |
| 19 |
| 20 namespace { |
| 21 |
| 22 //------------------------------------------------------------------------------ |
| 23 // Internal Defines & Functions |
| 24 //------------------------------------------------------------------------------ |
| 25 |
| 26 // API defined in winbase.h. |
| 27 using GetProcessDEPPolicyFunction = decltype(&GetProcessDEPPolicy); |
| 28 |
| 29 // API defined in processthreadsapi.h. |
| 30 using GetProcessMitigationPolicyFunction = |
| 31 decltype(&GetProcessMitigationPolicy); |
| 32 GetProcessMitigationPolicyFunction get_process_mitigation_policy; |
| 33 |
| 34 // APIs defined in wingdi.h. |
| 35 using AddFontMemResourceExFunction = decltype(&AddFontMemResourceEx); |
| 36 using RemoveFontMemResourceExFunction = decltype(&RemoveFontMemResourceEx); |
| 37 |
| 38 //------------------------------------------------------------------------------ |
| 39 // NonSystemFont test helper function. |
| 40 // |
| 41 // 1. Pick font file and set up sandbox to allow read access to it. |
| 42 // 2. Trigger test child process (with or without mitigation enabled). |
| 43 //------------------------------------------------------------------------------ |
| 44 void TestWin10NonSystemFont(bool is_success_test) { |
| 45 base::FilePath font_path; |
| 46 EXPECT_TRUE(base::PathService::Get(base::DIR_WINDOWS_FONTS, &font_path)); |
| 47 // Arial font should always be available |
| 48 font_path = font_path.Append(L"arial.ttf"); |
| 49 |
| 50 sandbox::TestRunner runner; |
| 51 EXPECT_TRUE(runner.AddFsRule(sandbox::TargetPolicy::FILES_ALLOW_READONLY, |
| 52 font_path.value().c_str())); |
| 53 |
| 54 if (!is_success_test) { |
| 55 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 56 // Turn on the non-system font disable mitigation. |
| 57 EXPECT_EQ(policy->SetProcessMitigations( |
| 58 sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE), |
| 59 sandbox::SBOX_ALL_OK); |
| 60 } |
| 61 |
| 62 std::wstring test_command = L"CheckWin10FontLoad \""; |
| 63 test_command += font_path.value().c_str(); |
| 64 test_command += L"\""; |
| 65 |
| 66 EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED |
| 67 : sandbox::SBOX_TEST_FAILED), |
| 68 runner.RunTest(test_command.c_str())); |
| 69 } |
| 70 |
| 71 } // namespace |
| 72 |
| 73 namespace sandbox { |
| 74 |
| 75 // File on disk, defined in extension point tests. |
| 76 extern const wchar_t g_hook_dll_file[]; |
| 77 // Mutex to acquire before touching above resource. |
| 78 extern const wchar_t g_extension_point_test_mutex[]; |
| 79 |
| 80 // Common function used for timeout with Win APIs like ::WaitForSingleObject(). |
| 81 DWORD SboxTestEventTimeout() { |
| 82 if (::IsDebuggerPresent()) |
| 83 return INFINITE; |
| 84 |
| 85 return static_cast<DWORD>( |
| 86 (TestTimeouts::action_timeout()).InMillisecondsRoundedUp()); |
| 87 } |
| 88 |
| 89 //------------------------------------------------------------------------------ |
| 90 // Exported functions called by child test processes. |
| 91 //------------------------------------------------------------------------------ |
| 92 |
| 93 //------------------------------------------------------------------------------ |
| 94 // Common test function for checking that a policy was enabled. |
| 95 // - Use enum TestPolicy defined in integration_tests_common.h to specify which |
| 96 // policy to check - passed as arg1. |
| 97 //------------------------------------------------------------------------------ |
| 98 SBOX_TESTS_COMMAND int CheckPolicy(int argc, wchar_t** argv) { |
| 99 if (argc < 1) |
| 100 return SBOX_TEST_INVALID_PARAMETER; |
| 101 int test = ::_wtoi(argv[0]); |
| 102 if (!test) |
| 103 return SBOX_TEST_INVALID_PARAMETER; |
| 104 |
| 105 get_process_mitigation_policy = |
| 106 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( |
| 107 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); |
| 108 if (!get_process_mitigation_policy) |
| 109 return SBOX_TEST_NOT_FOUND; |
| 110 |
| 111 switch (test) { |
| 112 //-------------------------------------------------- |
| 113 // MITIGATION_DEP |
| 114 // MITIGATION_DEP_NO_ATL_THUNK |
| 115 //-------------------------------------------------- |
| 116 case (TESTPOLICY_DEP): { |
| 117 #if !defined(_WIN64) |
| 118 // DEP - always enabled on 64-bit. |
| 119 PROCESS_MITIGATION_DEP_POLICY policy = {}; |
| 120 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 121 ProcessDEPPolicy, &policy, |
| 122 sizeof(policy))) { |
| 123 return SBOX_TEST_NOT_FOUND; |
| 124 } |
| 125 if (!policy.Enable || !policy.Permanent) |
| 126 return SBOX_TEST_FAILED; |
| 127 #endif // !defined(_WIN64) |
| 128 break; |
| 129 } |
| 130 //-------------------------------------------------- |
| 131 // MITIGATION_RELOCATE_IMAGE |
| 132 // MITIGATION_RELOCATE_IMAGE_REQUIRED |
| 133 //-------------------------------------------------- |
| 134 case (TESTPOLICY_ASLR): { |
| 135 PROCESS_MITIGATION_ASLR_POLICY policy2 = {}; |
| 136 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 137 ProcessASLRPolicy, &policy2, |
| 138 sizeof(policy2))) { |
| 139 return SBOX_TEST_NOT_FOUND; |
| 140 } |
| 141 if (!policy2.EnableForceRelocateImages || !policy2.DisallowStrippedImages) |
| 142 return SBOX_TEST_FAILED; |
| 143 |
| 144 break; |
| 145 } |
| 146 //-------------------------------------------------- |
| 147 // MITIGATION_STRICT_HANDLE_CHECKS |
| 148 //-------------------------------------------------- |
| 149 case (TESTPOLICY_STRICTHANDLE): { |
| 150 PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy3 = {}; |
| 151 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 152 ProcessStrictHandleCheckPolicy, |
| 153 &policy3, sizeof(policy3))) { |
| 154 return SBOX_TEST_NOT_FOUND; |
| 155 } |
| 156 if (!policy3.RaiseExceptionOnInvalidHandleReference || |
| 157 !policy3.HandleExceptionsPermanentlyEnabled) { |
| 158 return SBOX_TEST_FAILED; |
| 159 } |
| 160 |
| 161 break; |
| 162 } |
| 163 //-------------------------------------------------- |
| 164 // MITIGATION_WIN32K_DISABLE |
| 165 //-------------------------------------------------- |
| 166 case (TESTPOLICY_WIN32K): { |
| 167 PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy = {}; |
| 168 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 169 ProcessSystemCallDisablePolicy, |
| 170 &policy, sizeof(policy))) { |
| 171 return SBOX_TEST_NOT_FOUND; |
| 172 } |
| 173 if (!policy.DisallowWin32kSystemCalls) |
| 174 return SBOX_TEST_FAILED; |
| 175 |
| 176 break; |
| 177 } |
| 178 //-------------------------------------------------- |
| 179 // MITIGATION_EXTENSION_POINT_DISABLE |
| 180 //-------------------------------------------------- |
| 181 case (TESTPOLICY_EXTENSIONPOINT): { |
| 182 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; |
| 183 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 184 ProcessExtensionPointDisablePolicy, |
| 185 &policy, sizeof(policy))) { |
| 186 return SBOX_TEST_NOT_FOUND; |
| 187 } |
| 188 if (!policy.DisableExtensionPoints) |
| 189 return SBOX_TEST_FAILED; |
| 190 |
| 191 break; |
| 192 } |
| 193 //-------------------------------------------------- |
| 194 // MITIGATION_NONSYSTEM_FONT_DISABLE |
| 195 //-------------------------------------------------- |
| 196 case (TESTPOLICY_NONSYSFONT): { |
| 197 PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {}; |
| 198 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 199 ProcessFontDisablePolicy, &policy, |
| 200 sizeof(policy))) { |
| 201 return SBOX_TEST_NOT_FOUND; |
| 202 } |
| 203 if (!policy.DisableNonSystemFonts) |
| 204 return SBOX_TEST_FAILED; |
| 205 |
| 206 break; |
| 207 } |
| 208 //-------------------------------------------------- |
| 209 // MITIGATION_IMAGE_LOAD_NO_REMOTE |
| 210 //-------------------------------------------------- |
| 211 case (TESTPOLICY_LOADNOREMOTE): { |
| 212 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; |
| 213 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 214 ProcessImageLoadPolicy, &policy, |
| 215 sizeof(policy))) { |
| 216 return SBOX_TEST_NOT_FOUND; |
| 217 } |
| 218 if (!policy.NoRemoteImages) |
| 219 return SBOX_TEST_FAILED; |
| 220 |
| 221 break; |
| 222 } |
| 223 //-------------------------------------------------- |
| 224 // MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
| 225 //-------------------------------------------------- |
| 226 case (TESTPOLICY_LOADNOLOW): { |
| 227 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; |
| 228 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 229 ProcessImageLoadPolicy, &policy, |
| 230 sizeof(policy))) { |
| 231 return SBOX_TEST_NOT_FOUND; |
| 232 } |
| 233 if (!policy.NoLowMandatoryLabelImages) |
| 234 return SBOX_TEST_FAILED; |
| 235 |
| 236 break; |
| 237 } |
| 238 default: |
| 239 return SBOX_TEST_INVALID_PARAMETER; |
| 240 } |
| 241 |
| 242 return SBOX_TEST_SUCCEEDED; |
| 243 } |
| 244 |
| 245 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t** argv) { |
| 246 GetProcessDEPPolicyFunction get_process_dep_policy = |
| 247 reinterpret_cast<GetProcessDEPPolicyFunction>(::GetProcAddress( |
| 248 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessDEPPolicy")); |
| 249 if (get_process_dep_policy) { |
| 250 BOOL is_permanent = FALSE; |
| 251 DWORD dep_flags = 0; |
| 252 |
| 253 if (!get_process_dep_policy(::GetCurrentProcess(), &dep_flags, |
| 254 &is_permanent)) { |
| 255 return SBOX_TEST_FIRST_ERROR; |
| 256 } |
| 257 |
| 258 if (!(dep_flags & PROCESS_DEP_ENABLE) || !is_permanent) |
| 259 return SBOX_TEST_SECOND_ERROR; |
| 260 |
| 261 } else { |
| 262 NtQueryInformationProcessFunction query_information_process = NULL; |
| 263 ResolveNTFunctionPtr("NtQueryInformationProcess", |
| 264 &query_information_process); |
| 265 if (!query_information_process) |
| 266 return SBOX_TEST_NOT_FOUND; |
| 267 |
| 268 ULONG size = 0; |
| 269 ULONG dep_flags = 0; |
| 270 if (!SUCCEEDED(query_information_process(::GetCurrentProcess(), |
| 271 ProcessExecuteFlags, &dep_flags, |
| 272 sizeof(dep_flags), &size))) { |
| 273 return SBOX_TEST_THIRD_ERROR; |
| 274 } |
| 275 |
| 276 static const int MEM_EXECUTE_OPTION_DISABLE = 2; |
| 277 static const int MEM_EXECUTE_OPTION_PERMANENT = 8; |
| 278 dep_flags &= 0xff; |
| 279 |
| 280 if (dep_flags != |
| 281 (MEM_EXECUTE_OPTION_DISABLE | MEM_EXECUTE_OPTION_PERMANENT)) { |
| 282 return SBOX_TEST_FOURTH_ERROR; |
| 283 } |
| 284 } |
| 285 |
| 286 return SBOX_TEST_SUCCEEDED; |
| 287 } |
| 288 |
| 289 // ForceMsSigned tests: |
| 290 // Try to load the DLL given in arg1. |
| 291 SBOX_TESTS_COMMAND int TestDllLoad(int argc, wchar_t** argv) { |
| 292 if (argc < 1 || argv[0] == nullptr) |
| 293 return SBOX_TEST_INVALID_PARAMETER; |
| 294 |
| 295 std::wstring dll = argv[0]; |
| 296 base::ScopedNativeLibrary test_dll((base::FilePath(dll))); |
| 297 if (test_dll.is_valid()) |
| 298 return SBOX_TEST_SUCCEEDED; |
| 299 |
| 300 // Note: GetLastError() does not get an accurate failure code |
| 301 // at this point. |
| 302 return SBOX_TEST_FAILED; |
| 303 } |
| 304 |
| 305 // This test attempts a non-system font load. |
| 306 // |
| 307 // 1) Load gdi32.dll for required font APIs. |
| 308 // 2) Load file contents of font file passed in arg1 into memory. |
| 309 // 3) Call API to try loading a non-system font. |
| 310 // |
| 311 // Arg1: Full path to font file to try loading. |
| 312 SBOX_TESTS_COMMAND int CheckWin10FontLoad(int argc, wchar_t** argv) { |
| 313 if (argc < 1) |
| 314 return SBOX_TEST_INVALID_PARAMETER; |
| 315 |
| 316 HMODULE gdi_module = ::LoadLibraryW(L"gdi32.dll"); |
| 317 if (!gdi_module) |
| 318 return SBOX_TEST_NOT_FOUND; |
| 319 |
| 320 AddFontMemResourceExFunction add_font_mem_resource = |
| 321 reinterpret_cast<AddFontMemResourceExFunction>( |
| 322 ::GetProcAddress(gdi_module, "AddFontMemResourceEx")); |
| 323 |
| 324 RemoveFontMemResourceExFunction rem_font_mem_resource = |
| 325 reinterpret_cast<RemoveFontMemResourceExFunction>( |
| 326 ::GetProcAddress(gdi_module, "RemoveFontMemResourceEx")); |
| 327 |
| 328 if (!add_font_mem_resource || !rem_font_mem_resource) |
| 329 return SBOX_TEST_NOT_FOUND; |
| 330 |
| 331 // Open font file passed in as an argument. |
| 332 base::File file(base::FilePath(argv[0]), |
| 333 base::File::FLAG_OPEN | base::File::FLAG_READ); |
| 334 if (!file.IsValid()) |
| 335 // Failed to open the font file passed in. |
| 336 return SBOX_TEST_NOT_FOUND; |
| 337 |
| 338 std::vector<char> font_data; |
| 339 int64_t len = file.GetLength(); |
| 340 if (len < 0) |
| 341 return SBOX_TEST_NOT_FOUND; |
| 342 font_data.resize(len); |
| 343 |
| 344 int read = file.Read(0, &font_data[0], len); |
| 345 file.Close(); |
| 346 |
| 347 if (read != len) |
| 348 return SBOX_TEST_NOT_FOUND; |
| 349 |
| 350 DWORD font_count = 0; |
| 351 HANDLE font_handle = add_font_mem_resource( |
| 352 &font_data[0], static_cast<DWORD>(font_data.size()), NULL, &font_count); |
| 353 |
| 354 if (font_handle) { |
| 355 rem_font_mem_resource(font_handle); |
| 356 return SBOX_TEST_SUCCEEDED; |
| 357 } |
| 358 |
| 359 return SBOX_TEST_FAILED; |
| 360 } |
| 361 |
| 362 // Common helper test for CreateProcess. |
| 363 // Arg1: The process commandline to create. |
| 364 // Arg2: Will process end on its own: |
| 365 // - "true" for a process expected to finish on its own (wait for it). |
| 366 // - "false" for a process that will require terminating. |
| 367 // Arg3: [OPTIONAL] Expected or forced exit code: |
| 368 // - If arg2 is "true", this is the expected exit code (default 0). |
| 369 // - If arg2 is "false", terminate the process with this exit code (default 0). |
| 370 // |
| 371 // ***Make sure you've enabled basic process creation in the |
| 372 // test sandbox settings via: |
| 373 // sandbox::TargetPolicy::SetJobLevel(), |
| 374 // sandbox::TargetPolicy::SetTokenLevel(), |
| 375 // and TestRunner::SetDisableCsrss(). |
| 376 SBOX_TESTS_COMMAND int TestChildProcess(int argc, wchar_t** argv) { |
| 377 if (argc < 2 || argc > 3) |
| 378 return SBOX_TEST_INVALID_PARAMETER; |
| 379 |
| 380 bool process_finishes = true; |
| 381 std::wstring arg2 = argv[1]; |
| 382 if (arg2.compare(L"false") == 0) |
| 383 process_finishes = false; |
| 384 |
| 385 int desired_exit_code = 0; |
| 386 if (argc == 3) { |
| 387 desired_exit_code = wcstoul(argv[2], nullptr, 0); |
| 388 } |
| 389 |
| 390 std::wstring cmd = argv[0]; |
| 391 base::LaunchOptions options = base::LaunchOptionsForTest(); |
| 392 base::Process setup_proc = base::LaunchProcess(cmd.c_str(), options); |
| 393 |
| 394 if (setup_proc.IsValid()) { |
| 395 if (process_finishes) { |
| 396 // Wait for process exit and compare exit code. |
| 397 int exit_code = 1; |
| 398 if (!setup_proc.WaitForExitWithTimeout(TestTimeouts::action_max_timeout(), |
| 399 &exit_code)) { |
| 400 // Unexpected failure. |
| 401 setup_proc.Terminate(0, false); |
| 402 return SBOX_TEST_TIMED_OUT; |
| 403 } |
| 404 if (exit_code != desired_exit_code) |
| 405 return SBOX_TEST_FAILED; |
| 406 return SBOX_TEST_SUCCEEDED; |
| 407 } else { |
| 408 // Terminate process with requested exit code. |
| 409 setup_proc.Terminate(desired_exit_code, false); |
| 410 return SBOX_TEST_SUCCEEDED; |
| 411 } |
| 412 } |
| 413 // Process failed to be created. |
| 414 // Note: GetLastError from CreateProcess returns 5, "ERROR_ACCESS_DENIED". |
| 415 return SBOX_TEST_FAILED; |
| 416 } |
| 417 |
| 418 //------------------------------------------------------------------------------ |
| 419 // Exported Mitigation Tests |
| 420 //------------------------------------------------------------------------------ |
| 421 |
| 422 //------------------------------------------------------------------------------ |
| 423 // DEP (MITIGATION_DEP and MITIGATION_DEP_NO_ATL_THUNK) |
| 424 // Win7 x86 |
| 425 //------------------------------------------------------------------------------ |
| 426 |
| 427 #if !defined(_WIN64) |
| 428 // DEP is always enabled on 64-bit. Only test on x86. |
| 429 TEST(ProcessMitigationsTest, CheckDepWin7) { |
| 430 if (base::win::GetVersion() > base::win::VERSION_WIN7) |
| 431 return; |
| 432 |
| 433 TestRunner runner; |
| 434 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 435 |
| 436 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_DEP | |
| 437 MITIGATION_DEP_NO_ATL_THUNK | |
| 438 MITIGATION_SEHOP), |
| 439 SBOX_ALL_OK); |
| 440 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep")); |
| 441 } |
| 442 #endif // !defined(_WIN64) |
| 443 |
| 444 //------------------------------------------------------------------------------ |
| 445 // DEP (MITIGATION_DEP and MITIGATION_DEP_NO_ATL_THUNK) |
| 446 // >= Win8 x86 |
| 447 //------------------------------------------------------------------------------ |
| 448 |
| 449 #if !defined(_WIN64) |
| 450 // DEP is always enabled on 64-bit. Only test on x86. |
| 451 |
| 452 // This test validates that setting the MITIGATION_DEP* |
| 453 // mitigations enables the setting on a process. |
| 454 TEST(ProcessMitigationsTest, CheckDepWin8PolicySuccess) { |
| 455 if (base::win::GetVersion() < base::win::VERSION_WIN8) |
| 456 return; |
| 457 |
| 458 std::wstring test_command = L"CheckPolicy "; |
| 459 test_command += std::to_wstring(TESTPOLICY_DEP); |
| 460 |
| 461 //--------------------------------- |
| 462 // 1) Test setting pre-startup. |
| 463 //--------------------------------- |
| 464 TestRunner runner; |
| 465 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 466 |
| 467 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_DEP | |
| 468 MITIGATION_DEP_NO_ATL_THUNK), |
| 469 SBOX_ALL_OK); |
| 470 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 471 |
| 472 //--------------------------------- |
| 473 // 2) Test setting post-startup. |
| 474 //--------------------------------- |
| 475 TestRunner runner2; |
| 476 sandbox::TargetPolicy* policy2 = runner2.GetPolicy(); |
| 477 |
| 478 EXPECT_EQ(policy2->SetDelayedProcessMitigations(MITIGATION_DEP | |
| 479 MITIGATION_DEP_NO_ATL_THUNK), |
| 480 SBOX_ALL_OK); |
| 481 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner2.RunTest(test_command.c_str())); |
| 482 } |
| 483 |
| 484 #endif // !defined(_WIN64) |
| 485 |
| 486 //------------------------------------------------------------------------------ |
| 487 // ASLR |
| 488 // - MITIGATION_RELOCATE_IMAGE |
| 489 // - MITIGATION_RELOCATE_IMAGE_REQUIRED |
| 490 // - MITIGATION_BOTTOM_UP_ASLR |
| 491 // - MITIGATION_HIGH_ENTROPY_ASLR |
| 492 // >= Win8 |
| 493 //------------------------------------------------------------------------------ |
| 494 |
| 495 TEST(ProcessMitigationsTest, CheckWin8AslrPolicySuccess) { |
| 496 if (base::win::GetVersion() < base::win::VERSION_WIN8) |
| 497 return; |
| 498 |
| 499 std::wstring test_command = L"CheckPolicy "; |
| 500 test_command += std::to_wstring(TESTPOLICY_ASLR); |
| 501 |
| 502 TestRunner runner; |
| 503 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 504 |
| 505 //--------------------------------- |
| 506 // 1) Test setting pre-startup. |
| 507 // **Can only set ASLR pre-startup in release build. |
| 508 //--------------------------------- |
| 509 #if defined(NDEBUG) |
| 510 EXPECT_EQ(policy->SetProcessMitigations( |
| 511 MITIGATION_RELOCATE_IMAGE | MITIGATION_RELOCATE_IMAGE_REQUIRED | |
| 512 MITIGATION_BOTTOM_UP_ASLR | MITIGATION_HIGH_ENTROPY_ASLR), |
| 513 SBOX_ALL_OK); |
| 514 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 515 |
| 516 //--------------------------------- |
| 517 // 2) Test setting post-startup. |
| 518 // **Bottom up and high entropy can only be set pre-startup. |
| 519 // **Can only set ASLR post-startup in debug build. |
| 520 //--------------------------------- |
| 521 #else |
| 522 EXPECT_EQ(policy->SetDelayedProcessMitigations( |
| 523 MITIGATION_RELOCATE_IMAGE | MITIGATION_RELOCATE_IMAGE_REQUIRED), |
| 524 SBOX_ALL_OK); |
| 525 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 526 #endif // !defined(NDEBUG) |
| 527 } |
| 528 |
| 529 //------------------------------------------------------------------------------ |
| 530 // Strict handle checks (MITIGATION_STRICT_HANDLE_CHECKS) |
| 531 // >= Win8 |
| 532 //------------------------------------------------------------------------------ |
| 533 |
| 534 TEST(ProcessMitigationsTest, CheckWin8StrictHandlePolicySuccess) { |
| 535 if (base::win::GetVersion() < base::win::VERSION_WIN8) |
| 536 return; |
| 537 |
| 538 std::wstring test_command = L"CheckPolicy "; |
| 539 test_command += std::to_wstring(TESTPOLICY_STRICTHANDLE); |
| 540 |
| 541 //--------------------------------- |
| 542 // 1) Test setting post-startup. |
| 543 // ** Can only be set post-startup. |
| 544 //--------------------------------- |
| 545 TestRunner runner; |
| 546 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 547 |
| 548 EXPECT_EQ( |
| 549 policy->SetDelayedProcessMitigations(MITIGATION_STRICT_HANDLE_CHECKS), |
| 550 SBOX_ALL_OK); |
| 551 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 552 } |
| 553 |
| 554 //------------------------------------------------------------------------------ |
| 555 // Disable non-system font loads (MITIGATION_NONSYSTEM_FONT_DISABLE) |
| 556 // >= Win10 |
| 557 //------------------------------------------------------------------------------ |
| 558 |
| 559 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE |
| 560 // mitigation enables the setting on a process. |
| 561 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownPolicySuccess) { |
| 562 if (base::win::GetVersion() < base::win::VERSION_WIN10) |
| 563 return; |
| 564 |
| 565 std::wstring test_command = L"CheckPolicy "; |
| 566 test_command += std::to_wstring(TESTPOLICY_NONSYSFONT); |
| 567 |
| 568 //--------------------------------- |
| 569 // 1) Test setting pre-startup. |
| 570 //--------------------------------- |
| 571 TestRunner runner; |
| 572 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 573 |
| 574 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), |
| 575 SBOX_ALL_OK); |
| 576 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 577 |
| 578 //--------------------------------- |
| 579 // 2) Test setting post-startup. |
| 580 //--------------------------------- |
| 581 TestRunner runner2; |
| 582 sandbox::TargetPolicy* policy2 = runner2.GetPolicy(); |
| 583 |
| 584 EXPECT_EQ( |
| 585 policy2->SetDelayedProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), |
| 586 SBOX_ALL_OK); |
| 587 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner2.RunTest(test_command.c_str())); |
| 588 } |
| 589 |
| 590 // This test validates that we can load a non-system font if the |
| 591 // MITIGATION_NON_SYSTEM_FONTS_DISABLE mitigation is NOT set. |
| 592 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadSuccess) { |
| 593 if (base::win::GetVersion() < base::win::VERSION_WIN10) |
| 594 return; |
| 595 |
| 596 TestWin10NonSystemFont(true); |
| 597 } |
| 598 |
| 599 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE |
| 600 // mitigation prevents the loading of a non-system font. |
| 601 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadFailure) { |
| 602 if (base::win::GetVersion() < base::win::VERSION_WIN10) |
| 603 return; |
| 604 |
| 605 TestWin10NonSystemFont(false); |
| 606 } |
| 607 |
| 608 //------------------------------------------------------------------------------ |
| 609 // Disable child process creation. |
| 610 // - JobLevel <= JOB_LIMITED_USER (on < WIN10_TH2). |
| 611 // - JobLevel <= JOB_LIMITED_USER which also triggers setting |
| 612 // PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY to |
| 613 // PROCESS_CREATION_CHILD_PROCESS_RESTRICTED in |
| 614 // BrokerServicesBase::SpawnTarget (on >= WIN10_TH2). |
| 615 //------------------------------------------------------------------------------ |
| 616 |
| 617 // This test validates that we can spawn a child process if |
| 618 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation is |
| 619 // not set. |
| 620 TEST(ProcessMitigationsTest, CheckChildProcessSuccess) { |
| 621 TestRunner runner; |
| 622 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 623 |
| 624 // Set a policy that would normally allow for process creation. |
| 625 policy->SetJobLevel(JOB_INTERACTIVE, 0); |
| 626 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); |
| 627 runner.SetDisableCsrss(false); |
| 628 |
| 629 base::FilePath cmd; |
| 630 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd)); |
| 631 cmd = cmd.Append(L"calc.exe"); |
| 632 |
| 633 std::wstring test_command = L"TestChildProcess \""; |
| 634 test_command += cmd.value().c_str(); |
| 635 test_command += L"\" false"; |
| 636 |
| 637 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 638 } |
| 639 |
| 640 // This test validates that setting the |
| 641 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation prevents |
| 642 // the spawning of child processes. |
| 643 TEST(ProcessMitigationsTest, CheckChildProcessFailure) { |
| 644 TestRunner runner; |
| 645 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 646 |
| 647 // Now set the job level to be <= JOB_LIMITED_USER |
| 648 // and ensure we can no longer create a child process. |
| 649 policy->SetJobLevel(JOB_LIMITED_USER, 0); |
| 650 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); |
| 651 runner.SetDisableCsrss(false); |
| 652 |
| 653 base::FilePath cmd; |
| 654 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd)); |
| 655 cmd = cmd.Append(L"calc.exe"); |
| 656 |
| 657 std::wstring test_command = L"TestChildProcess \""; |
| 658 test_command += cmd.value().c_str(); |
| 659 test_command += L"\" false"; |
| 660 |
| 661 EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(test_command.c_str())); |
| 662 } |
| 663 |
| 664 // This test validates that when the sandboxed target within a job spawns a |
| 665 // child process and the target process exits abnormally, the broker correctly |
| 666 // handles the JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS message. |
| 667 // Because this involves spawning a child process from the target process and is |
| 668 // very similar to the above CheckChildProcess* tests, this test is here rather |
| 669 // than elsewhere closer to the other Job tests. |
| 670 TEST(ProcessMitigationsTest, CheckChildProcessAbnormalExit) { |
| 671 TestRunner runner; |
| 672 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 673 |
| 674 // Set a policy that would normally allow for process creation. |
| 675 policy->SetJobLevel(JOB_INTERACTIVE, 0); |
| 676 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); |
| 677 runner.SetDisableCsrss(false); |
| 678 |
| 679 base::FilePath cmd; |
| 680 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd)); |
| 681 cmd = cmd.Append(L"calc.exe"); |
| 682 |
| 683 std::wstring test_command = L"TestChildProcess \""; |
| 684 test_command += cmd.value().c_str(); |
| 685 test_command += L"\" false "; |
| 686 test_command += std::to_wstring(STATUS_ACCESS_VIOLATION); |
| 687 |
| 688 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 689 } |
| 690 |
| 691 } // namespace sandbox |
OLD | NEW |