OLD | NEW |
(Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "sandbox/win/src/process_mitigations.h" |
| 6 |
| 7 #include <windows.h> |
| 8 |
| 9 #include "base/files/file_util.h" |
| 10 #include "base/files/scoped_temp_dir.h" |
| 11 #include "base/path_service.h" |
| 12 #include "base/scoped_native_library.h" |
| 13 #include "base/strings/stringprintf.h" |
| 14 #include "base/test/test_timeouts.h" |
| 15 #include "base/win/windows_version.h" |
| 16 #include "sandbox/win/src/sandbox.h" |
| 17 #include "sandbox/win/src/target_services.h" |
| 18 #include "sandbox/win/tests/common/controller.h" |
| 19 #include "sandbox/win/tests/integration_tests/integration_tests_common.h" |
| 20 #include "testing/gtest/include/gtest/gtest.h" |
| 21 |
| 22 namespace { |
| 23 |
| 24 //------------------------------------------------------------------------------ |
| 25 // Internal Defines & Functions |
| 26 //------------------------------------------------------------------------------ |
| 27 |
| 28 //------------------------------------------------------------------------------ |
| 29 // ImageLoadRemote test helper function. |
| 30 // |
| 31 // Trigger test child process (with or without mitigation enabled). |
| 32 //------------------------------------------------------------------------------ |
| 33 void TestWin10ImageLoadRemote(bool is_success_test) { |
| 34 // ***Insert a manual testing share UNC path here! |
| 35 // E.g.: \\\\hostname\\sharename\\calc.exe |
| 36 base::string16 unc = L"\"\\\\hostname\\sharename\\calc.exe\""; |
| 37 |
| 38 sandbox::TestRunner runner; |
| 39 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 40 |
| 41 // Set a policy that would normally allow for process creation. |
| 42 policy->SetJobLevel(sandbox::JOB_NONE, 0); |
| 43 policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); |
| 44 runner.SetDisableCsrss(false); |
| 45 |
| 46 if (!is_success_test) { |
| 47 // Enable the NoRemote mitigation. |
| 48 EXPECT_EQ(policy->SetDelayedProcessMitigations( |
| 49 sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE), |
| 50 sandbox::SBOX_ALL_OK); |
| 51 } |
| 52 |
| 53 base::string16 test = L"TestChildProcess "; |
| 54 test += unc.c_str(); |
| 55 EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED |
| 56 : sandbox::SBOX_TEST_FAILED), |
| 57 runner.RunTest(test.c_str())); |
| 58 } |
| 59 |
| 60 //------------------------------------------------------------------------------ |
| 61 // ImageLoadLow test helper function. |
| 62 // |
| 63 // 1. Set up a copy of calc, using icacls to make it low integrity. |
| 64 // 2. Trigger test child process (with or without mitigation enabled). |
| 65 //------------------------------------------------------------------------------ |
| 66 void TestWin10ImageLoadLowLabel(bool is_success_test) { |
| 67 // Setup a mandatory low executable for this test (calc.exe). |
| 68 // If anything fails during setup, ASSERT to end test. |
| 69 base::FilePath orig_path; |
| 70 ASSERT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &orig_path)); |
| 71 orig_path = orig_path.Append(L"calc.exe"); |
| 72 |
| 73 base::ScopedTempDir temp_dir; |
| 74 ASSERT_TRUE(temp_dir.CreateUniqueTempDir()); |
| 75 base::FilePath new_path = temp_dir.GetPath(); |
| 76 new_path = new_path.Append(L"lowIL_calc.exe"); |
| 77 |
| 78 // Test file will be cleaned up by the ScopedTempDir. |
| 79 ASSERT_TRUE(base::CopyFileW(orig_path, new_path)); |
| 80 |
| 81 base::string16 cmd_line = L"icacls \""; |
| 82 cmd_line += new_path.value().c_str(); |
| 83 cmd_line += L"\" /setintegritylevel Low"; |
| 84 |
| 85 base::LaunchOptions options = base::LaunchOptionsForTest(); |
| 86 base::Process setup_proc = base::LaunchProcess(cmd_line.c_str(), options); |
| 87 ASSERT_TRUE(setup_proc.IsValid()); |
| 88 |
| 89 int exit_code = 1; |
| 90 if (!setup_proc.WaitForExitWithTimeout(TestTimeouts::action_max_timeout(), |
| 91 &exit_code)) { |
| 92 // Might have timed out, or might have failed. |
| 93 // Terminate to make sure we clean up any mess. |
| 94 setup_proc.Terminate(0, false); |
| 95 ASSERT_TRUE(false); |
| 96 } |
| 97 // Make sure icacls was successful. |
| 98 ASSERT_EQ(0, exit_code); |
| 99 |
| 100 sandbox::TestRunner runner; |
| 101 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 102 |
| 103 // Set a policy that would normally allow for process creation. |
| 104 policy->SetJobLevel(sandbox::JOB_NONE, 0); |
| 105 policy->SetTokenLevel(sandbox::USER_UNPROTECTED, sandbox::USER_UNPROTECTED); |
| 106 runner.SetDisableCsrss(false); |
| 107 |
| 108 if (!is_success_test) { |
| 109 // Enable the NoLowLabel mitigation. |
| 110 EXPECT_EQ(policy->SetDelayedProcessMitigations( |
| 111 sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), |
| 112 sandbox::SBOX_ALL_OK); |
| 113 } |
| 114 |
| 115 base::string16 test = L"TestChildProcess \""; |
| 116 test += new_path.value().c_str(); |
| 117 test += L"\" false"; |
| 118 |
| 119 EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED |
| 120 : sandbox::SBOX_TEST_FAILED), |
| 121 runner.RunTest(test.c_str())); |
| 122 } |
| 123 |
| 124 } // namespace |
| 125 |
| 126 namespace sandbox { |
| 127 |
| 128 //------------------------------------------------------------------------------ |
| 129 // Exported Image Load Tests |
| 130 //------------------------------------------------------------------------------ |
| 131 |
| 132 //------------------------------------------------------------------------------ |
| 133 // Disable image load from remote devices (MITIGATION_IMAGE_LOAD_NO_REMOTE). |
| 134 // >= Win10_TH2 |
| 135 //------------------------------------------------------------------------------ |
| 136 |
| 137 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE |
| 138 // mitigation enables the setting on a process. |
| 139 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoRemotePolicySuccess) { |
| 140 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) |
| 141 return; |
| 142 |
| 143 base::string16 test_command = L"CheckPolicy "; |
| 144 test_command += std::to_wstring(TESTPOLICY_LOADNOREMOTE); |
| 145 |
| 146 //--------------------------------- |
| 147 // 1) Test setting pre-startup. |
| 148 //--------------------------------- |
| 149 TestRunner runner; |
| 150 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 151 |
| 152 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_IMAGE_LOAD_NO_REMOTE), |
| 153 SBOX_ALL_OK); |
| 154 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 155 |
| 156 //--------------------------------- |
| 157 // 2) Test setting post-startup. |
| 158 //--------------------------------- |
| 159 TestRunner runner2; |
| 160 sandbox::TargetPolicy* policy2 = runner2.GetPolicy(); |
| 161 |
| 162 EXPECT_EQ( |
| 163 policy2->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_REMOTE), |
| 164 SBOX_ALL_OK); |
| 165 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner2.RunTest(test_command.c_str())); |
| 166 } |
| 167 |
| 168 // This test validates that we CAN create a new process from |
| 169 // a remote UNC device, if the MITIGATION_IMAGE_LOAD_NO_REMOTE |
| 170 // mitigation is NOT set. |
| 171 // |
| 172 // MANUAL testing only. |
| 173 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteSuccess) { |
| 174 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) |
| 175 return; |
| 176 |
| 177 TestWin10ImageLoadRemote(true); |
| 178 } |
| 179 |
| 180 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE |
| 181 // mitigation prevents creating a new process from a remote |
| 182 // UNC device. |
| 183 // |
| 184 // MANUAL testing only. |
| 185 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteFailure) { |
| 186 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) |
| 187 return; |
| 188 |
| 189 TestWin10ImageLoadRemote(false); |
| 190 } |
| 191 |
| 192 //------------------------------------------------------------------------------ |
| 193 // Disable image load when "mandatory low label" (integrity level). |
| 194 // (MITIGATION_IMAGE_LOAD_NO_LOW_LABEL) |
| 195 // >= Win10_TH2 |
| 196 //------------------------------------------------------------------------------ |
| 197 |
| 198 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
| 199 // mitigation enables the setting on a process. |
| 200 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelPolicySuccess) { |
| 201 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) |
| 202 return; |
| 203 |
| 204 base::string16 test_command = L"CheckPolicy "; |
| 205 test_command += std::to_wstring(TESTPOLICY_LOADNOLOW); |
| 206 |
| 207 //--------------------------------- |
| 208 // 1) Test setting pre-startup. |
| 209 //--------------------------------- |
| 210 TestRunner runner; |
| 211 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 212 |
| 213 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), |
| 214 SBOX_ALL_OK); |
| 215 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 216 |
| 217 //--------------------------------- |
| 218 // 2) Test setting post-startup. |
| 219 //--------------------------------- |
| 220 TestRunner runner2; |
| 221 sandbox::TargetPolicy* policy2 = runner2.GetPolicy(); |
| 222 |
| 223 EXPECT_EQ( |
| 224 policy2->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_LOW_LABEL), |
| 225 SBOX_ALL_OK); |
| 226 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner2.RunTest(test_command.c_str())); |
| 227 } |
| 228 |
| 229 // This test validates that we CAN create a new process with |
| 230 // low mandatory label (IL), if the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
| 231 // mitigation is NOT set. |
| 232 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelSuccess) { |
| 233 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) |
| 234 return; |
| 235 |
| 236 TestWin10ImageLoadLowLabel(true); |
| 237 } |
| 238 |
| 239 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
| 240 // mitigation prevents creating a new process with low mandatory label (IL). |
| 241 TEST(ProcessMitigationsTest, CheckWin10ImageLoadNoLowLabelFailure) { |
| 242 if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2) |
| 243 return; |
| 244 |
| 245 TestWin10ImageLoadLowLabel(false); |
| 246 } |
| 247 |
| 248 } // namespace sandbox |
OLD | NEW |