OLD | NEW |
(Empty) | |
| 1 // Copyright 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "sandbox/win/src/process_mitigations.h" |
| 6 |
| 7 #include <windows.h> |
| 8 |
| 9 #include "base/files/file_util.h" |
| 10 #include "base/path_service.h" |
| 11 #include "base/scoped_native_library.h" |
| 12 #include "base/test/test_timeouts.h" |
| 13 #include "base/win/windows_version.h" |
| 14 #include "sandbox/win/src/nt_internals.h" |
| 15 #include "sandbox/win/src/target_services.h" |
| 16 #include "sandbox/win/tests/common/controller.h" |
| 17 #include "sandbox/win/tests/integration_tests/integration_tests_common.h" |
| 18 #include "testing/gtest/include/gtest/gtest.h" |
| 19 |
| 20 namespace { |
| 21 |
| 22 //------------------------------------------------------------------------------ |
| 23 // Internal Defines & Functions |
| 24 //------------------------------------------------------------------------------ |
| 25 |
| 26 // API defined in winbase.h. |
| 27 using GetProcessDEPPolicyFunction = decltype(&GetProcessDEPPolicy); |
| 28 |
| 29 // API defined in processthreadsapi.h. |
| 30 using GetProcessMitigationPolicyFunction = |
| 31 decltype(&GetProcessMitigationPolicy); |
| 32 GetProcessMitigationPolicyFunction get_process_mitigation_policy; |
| 33 |
| 34 // APIs defined in wingdi.h. |
| 35 using AddFontMemResourceExFunction = decltype(&AddFontMemResourceEx); |
| 36 using RemoveFontMemResourceExFunction = decltype(&RemoveFontMemResourceEx); |
| 37 |
| 38 //------------------------------------------------------------------------------ |
| 39 // NonSystemFont test helper function. |
| 40 // |
| 41 // 1. Pick font file and set up sandbox to allow read access to it. |
| 42 // 2. Trigger test child process (with or without mitigation enabled). |
| 43 //------------------------------------------------------------------------------ |
| 44 void TestWin10NonSystemFont(bool is_success_test) { |
| 45 base::FilePath font_path; |
| 46 EXPECT_TRUE(base::PathService::Get(base::DIR_WINDOWS_FONTS, &font_path)); |
| 47 // Arial font should always be available |
| 48 font_path = font_path.Append(L"arial.ttf"); |
| 49 |
| 50 sandbox::TestRunner runner; |
| 51 EXPECT_TRUE(runner.AddFsRule(sandbox::TargetPolicy::FILES_ALLOW_READONLY, |
| 52 font_path.value().c_str())); |
| 53 |
| 54 if (!is_success_test) { |
| 55 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 56 // Turn on the non-system font disable mitigation. |
| 57 EXPECT_EQ(policy->SetProcessMitigations( |
| 58 sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE), |
| 59 sandbox::SBOX_ALL_OK); |
| 60 } |
| 61 |
| 62 base::string16 test_command = L"CheckWin10FontLoad \""; |
| 63 test_command += font_path.value().c_str(); |
| 64 test_command += L"\""; |
| 65 |
| 66 EXPECT_EQ((is_success_test ? sandbox::SBOX_TEST_SUCCEEDED |
| 67 : sandbox::SBOX_TEST_FAILED), |
| 68 runner.RunTest(test_command.c_str())); |
| 69 } |
| 70 |
| 71 } // namespace |
| 72 |
| 73 namespace sandbox { |
| 74 |
| 75 //------------------------------------------------------------------------------ |
| 76 // Exported functions called by child test processes. |
| 77 //------------------------------------------------------------------------------ |
| 78 |
| 79 //------------------------------------------------------------------------------ |
| 80 // Common test function for checking that a policy was enabled. |
| 81 // - Use enum TestPolicy defined in integration_tests_common.h to specify which |
| 82 // policy to check - passed as arg1. |
| 83 //------------------------------------------------------------------------------ |
| 84 SBOX_TESTS_COMMAND int CheckPolicy(int argc, wchar_t** argv) { |
| 85 if (argc < 1) |
| 86 return SBOX_TEST_INVALID_PARAMETER; |
| 87 int test = ::_wtoi(argv[0]); |
| 88 if (!test) |
| 89 return SBOX_TEST_INVALID_PARAMETER; |
| 90 |
| 91 get_process_mitigation_policy = |
| 92 reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress( |
| 93 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy")); |
| 94 if (!get_process_mitigation_policy) |
| 95 return SBOX_TEST_NOT_FOUND; |
| 96 |
| 97 switch (test) { |
| 98 //-------------------------------------------------- |
| 99 // MITIGATION_DEP |
| 100 // MITIGATION_DEP_NO_ATL_THUNK |
| 101 //-------------------------------------------------- |
| 102 case (TESTPOLICY_DEP): { |
| 103 #if !defined(_WIN64) |
| 104 // DEP - always enabled on 64-bit. |
| 105 PROCESS_MITIGATION_DEP_POLICY policy = {}; |
| 106 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 107 ProcessDEPPolicy, &policy, |
| 108 sizeof(policy))) { |
| 109 return SBOX_TEST_NOT_FOUND; |
| 110 } |
| 111 if (!policy.Enable || !policy.Permanent) |
| 112 return SBOX_TEST_FAILED; |
| 113 #endif // !defined(_WIN64) |
| 114 break; |
| 115 } |
| 116 //-------------------------------------------------- |
| 117 // MITIGATION_RELOCATE_IMAGE |
| 118 // MITIGATION_RELOCATE_IMAGE_REQUIRED |
| 119 //-------------------------------------------------- |
| 120 case (TESTPOLICY_ASLR): { |
| 121 PROCESS_MITIGATION_ASLR_POLICY policy2 = {}; |
| 122 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 123 ProcessASLRPolicy, &policy2, |
| 124 sizeof(policy2))) { |
| 125 return SBOX_TEST_NOT_FOUND; |
| 126 } |
| 127 if (!policy2.EnableForceRelocateImages || !policy2.DisallowStrippedImages) |
| 128 return SBOX_TEST_FAILED; |
| 129 |
| 130 break; |
| 131 } |
| 132 //-------------------------------------------------- |
| 133 // MITIGATION_STRICT_HANDLE_CHECKS |
| 134 //-------------------------------------------------- |
| 135 case (TESTPOLICY_STRICTHANDLE): { |
| 136 PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy3 = {}; |
| 137 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 138 ProcessStrictHandleCheckPolicy, |
| 139 &policy3, sizeof(policy3))) { |
| 140 return SBOX_TEST_NOT_FOUND; |
| 141 } |
| 142 if (!policy3.RaiseExceptionOnInvalidHandleReference || |
| 143 !policy3.HandleExceptionsPermanentlyEnabled) { |
| 144 return SBOX_TEST_FAILED; |
| 145 } |
| 146 |
| 147 break; |
| 148 } |
| 149 //-------------------------------------------------- |
| 150 // MITIGATION_WIN32K_DISABLE |
| 151 //-------------------------------------------------- |
| 152 case (TESTPOLICY_WIN32K): { |
| 153 PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy = {}; |
| 154 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 155 ProcessSystemCallDisablePolicy, |
| 156 &policy, sizeof(policy))) { |
| 157 return SBOX_TEST_NOT_FOUND; |
| 158 } |
| 159 if (!policy.DisallowWin32kSystemCalls) |
| 160 return SBOX_TEST_FAILED; |
| 161 |
| 162 break; |
| 163 } |
| 164 //-------------------------------------------------- |
| 165 // MITIGATION_EXTENSION_POINT_DISABLE |
| 166 //-------------------------------------------------- |
| 167 case (TESTPOLICY_EXTENSIONPOINT): { |
| 168 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; |
| 169 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 170 ProcessExtensionPointDisablePolicy, |
| 171 &policy, sizeof(policy))) { |
| 172 return SBOX_TEST_NOT_FOUND; |
| 173 } |
| 174 if (!policy.DisableExtensionPoints) |
| 175 return SBOX_TEST_FAILED; |
| 176 |
| 177 break; |
| 178 } |
| 179 //-------------------------------------------------- |
| 180 // MITIGATION_NONSYSTEM_FONT_DISABLE |
| 181 //-------------------------------------------------- |
| 182 case (TESTPOLICY_NONSYSFONT): { |
| 183 PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {}; |
| 184 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 185 ProcessFontDisablePolicy, &policy, |
| 186 sizeof(policy))) { |
| 187 return SBOX_TEST_NOT_FOUND; |
| 188 } |
| 189 if (!policy.DisableNonSystemFonts) |
| 190 return SBOX_TEST_FAILED; |
| 191 |
| 192 break; |
| 193 } |
| 194 //-------------------------------------------------- |
| 195 // MITIGATION_IMAGE_LOAD_NO_REMOTE |
| 196 //-------------------------------------------------- |
| 197 case (TESTPOLICY_LOADNOREMOTE): { |
| 198 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; |
| 199 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 200 ProcessImageLoadPolicy, &policy, |
| 201 sizeof(policy))) { |
| 202 return SBOX_TEST_NOT_FOUND; |
| 203 } |
| 204 if (!policy.NoRemoteImages) |
| 205 return SBOX_TEST_FAILED; |
| 206 |
| 207 break; |
| 208 } |
| 209 //-------------------------------------------------- |
| 210 // MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
| 211 //-------------------------------------------------- |
| 212 case (TESTPOLICY_LOADNOLOW): { |
| 213 PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {}; |
| 214 if (!get_process_mitigation_policy(::GetCurrentProcess(), |
| 215 ProcessImageLoadPolicy, &policy, |
| 216 sizeof(policy))) { |
| 217 return SBOX_TEST_NOT_FOUND; |
| 218 } |
| 219 if (!policy.NoLowMandatoryLabelImages) |
| 220 return SBOX_TEST_FAILED; |
| 221 |
| 222 break; |
| 223 } |
| 224 default: |
| 225 return SBOX_TEST_INVALID_PARAMETER; |
| 226 } |
| 227 |
| 228 return SBOX_TEST_SUCCEEDED; |
| 229 } |
| 230 |
| 231 SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t** argv) { |
| 232 GetProcessDEPPolicyFunction get_process_dep_policy = |
| 233 reinterpret_cast<GetProcessDEPPolicyFunction>(::GetProcAddress( |
| 234 ::GetModuleHandleW(L"kernel32.dll"), "GetProcessDEPPolicy")); |
| 235 if (get_process_dep_policy) { |
| 236 BOOL is_permanent = FALSE; |
| 237 DWORD dep_flags = 0; |
| 238 |
| 239 if (!get_process_dep_policy(::GetCurrentProcess(), &dep_flags, |
| 240 &is_permanent)) { |
| 241 return SBOX_TEST_FIRST_ERROR; |
| 242 } |
| 243 |
| 244 if (!(dep_flags & PROCESS_DEP_ENABLE) || !is_permanent) |
| 245 return SBOX_TEST_SECOND_ERROR; |
| 246 |
| 247 } else { |
| 248 NtQueryInformationProcessFunction query_information_process = NULL; |
| 249 ResolveNTFunctionPtr("NtQueryInformationProcess", |
| 250 &query_information_process); |
| 251 if (!query_information_process) |
| 252 return SBOX_TEST_NOT_FOUND; |
| 253 |
| 254 ULONG size = 0; |
| 255 ULONG dep_flags = 0; |
| 256 if (!SUCCEEDED(query_information_process(::GetCurrentProcess(), |
| 257 ProcessExecuteFlags, &dep_flags, |
| 258 sizeof(dep_flags), &size))) { |
| 259 return SBOX_TEST_THIRD_ERROR; |
| 260 } |
| 261 |
| 262 static const int MEM_EXECUTE_OPTION_DISABLE = 2; |
| 263 static const int MEM_EXECUTE_OPTION_PERMANENT = 8; |
| 264 dep_flags &= 0xff; |
| 265 |
| 266 if (dep_flags != |
| 267 (MEM_EXECUTE_OPTION_DISABLE | MEM_EXECUTE_OPTION_PERMANENT)) { |
| 268 return SBOX_TEST_FOURTH_ERROR; |
| 269 } |
| 270 } |
| 271 |
| 272 return SBOX_TEST_SUCCEEDED; |
| 273 } |
| 274 |
| 275 // ForceMsSigned tests: |
| 276 // Try to load the DLL given in arg1. |
| 277 SBOX_TESTS_COMMAND int TestDllLoad(int argc, wchar_t** argv) { |
| 278 if (argc < 1 || argv[0] == nullptr) |
| 279 return SBOX_TEST_INVALID_PARAMETER; |
| 280 |
| 281 base::string16 dll = argv[0]; |
| 282 base::ScopedNativeLibrary test_dll((base::FilePath(dll))); |
| 283 if (test_dll.is_valid()) |
| 284 return SBOX_TEST_SUCCEEDED; |
| 285 |
| 286 // Note: GetLastError() does not get an accurate failure code |
| 287 // at this point. |
| 288 return SBOX_TEST_FAILED; |
| 289 } |
| 290 |
| 291 // This test attempts a non-system font load. |
| 292 // |
| 293 // 1) Load gdi32.dll for required font APIs. |
| 294 // 2) Load file contents of font file passed in arg1 into memory. |
| 295 // 3) Call API to try loading a non-system font. |
| 296 // |
| 297 // Arg1: Full path to font file to try loading. |
| 298 SBOX_TESTS_COMMAND int CheckWin10FontLoad(int argc, wchar_t** argv) { |
| 299 if (argc < 1) |
| 300 return SBOX_TEST_INVALID_PARAMETER; |
| 301 |
| 302 HMODULE gdi_module = ::LoadLibraryW(L"gdi32.dll"); |
| 303 if (!gdi_module) |
| 304 return SBOX_TEST_NOT_FOUND; |
| 305 |
| 306 AddFontMemResourceExFunction add_font_mem_resource = |
| 307 reinterpret_cast<AddFontMemResourceExFunction>( |
| 308 ::GetProcAddress(gdi_module, "AddFontMemResourceEx")); |
| 309 |
| 310 RemoveFontMemResourceExFunction rem_font_mem_resource = |
| 311 reinterpret_cast<RemoveFontMemResourceExFunction>( |
| 312 ::GetProcAddress(gdi_module, "RemoveFontMemResourceEx")); |
| 313 |
| 314 if (!add_font_mem_resource || !rem_font_mem_resource) |
| 315 return SBOX_TEST_NOT_FOUND; |
| 316 |
| 317 // Open font file passed in as an argument. |
| 318 base::File file(base::FilePath(argv[0]), |
| 319 base::File::FLAG_OPEN | base::File::FLAG_READ); |
| 320 if (!file.IsValid()) |
| 321 // Failed to open the font file passed in. |
| 322 return SBOX_TEST_NOT_FOUND; |
| 323 |
| 324 std::vector<char> font_data; |
| 325 int64_t len = file.GetLength(); |
| 326 if (len < 0) |
| 327 return SBOX_TEST_NOT_FOUND; |
| 328 font_data.resize(len); |
| 329 |
| 330 int read = file.Read(0, &font_data[0], len); |
| 331 file.Close(); |
| 332 |
| 333 if (read != len) |
| 334 return SBOX_TEST_NOT_FOUND; |
| 335 |
| 336 DWORD font_count = 0; |
| 337 HANDLE font_handle = add_font_mem_resource( |
| 338 &font_data[0], static_cast<DWORD>(font_data.size()), NULL, &font_count); |
| 339 |
| 340 if (font_handle) { |
| 341 rem_font_mem_resource(font_handle); |
| 342 return SBOX_TEST_SUCCEEDED; |
| 343 } |
| 344 |
| 345 return SBOX_TEST_FAILED; |
| 346 } |
| 347 |
| 348 // Common helper test for CreateProcess. |
| 349 // Arg1: The process commandline to create. |
| 350 // Arg2: Will process end on its own: |
| 351 // - "true" for a process expected to finish on its own (wait for it). |
| 352 // - "false" for a process that will require terminating. |
| 353 // Arg3: [OPTIONAL] Expected or forced exit code: |
| 354 // - If arg2 is "true", this is the expected exit code (default 0). |
| 355 // - If arg2 is "false", terminate the process with this exit code (default 0). |
| 356 // |
| 357 // ***Make sure you've enabled basic process creation in the |
| 358 // test sandbox settings via: |
| 359 // sandbox::TargetPolicy::SetJobLevel(), |
| 360 // sandbox::TargetPolicy::SetTokenLevel(), |
| 361 // and TestRunner::SetDisableCsrss(). |
| 362 SBOX_TESTS_COMMAND int TestChildProcess(int argc, wchar_t** argv) { |
| 363 if (argc < 2 || argc > 3) |
| 364 return SBOX_TEST_INVALID_PARAMETER; |
| 365 |
| 366 bool process_finishes = true; |
| 367 base::string16 arg2 = argv[1]; |
| 368 if (arg2.compare(L"false") == 0) |
| 369 process_finishes = false; |
| 370 |
| 371 int desired_exit_code = 0; |
| 372 if (argc == 3) { |
| 373 desired_exit_code = wcstoul(argv[2], nullptr, 0); |
| 374 } |
| 375 |
| 376 base::string16 cmd = argv[0]; |
| 377 base::LaunchOptions options = base::LaunchOptionsForTest(); |
| 378 base::Process setup_proc = base::LaunchProcess(cmd.c_str(), options); |
| 379 |
| 380 if (setup_proc.IsValid()) { |
| 381 if (process_finishes) { |
| 382 // Wait for process exit and compare exit code. |
| 383 int exit_code = 1; |
| 384 if (!setup_proc.WaitForExitWithTimeout(TestTimeouts::action_max_timeout(), |
| 385 &exit_code)) { |
| 386 // Unexpected failure. |
| 387 setup_proc.Terminate(0, false); |
| 388 return SBOX_TEST_TIMED_OUT; |
| 389 } |
| 390 if (exit_code != desired_exit_code) |
| 391 return SBOX_TEST_FAILED; |
| 392 return SBOX_TEST_SUCCEEDED; |
| 393 } else { |
| 394 // Terminate process with requested exit code. |
| 395 setup_proc.Terminate(desired_exit_code, false); |
| 396 return SBOX_TEST_SUCCEEDED; |
| 397 } |
| 398 } |
| 399 // Process failed to be created. |
| 400 // Note: GetLastError from CreateProcess returns 5, "ERROR_ACCESS_DENIED". |
| 401 return SBOX_TEST_FAILED; |
| 402 } |
| 403 |
| 404 //------------------------------------------------------------------------------ |
| 405 // Exported Mitigation Tests |
| 406 //------------------------------------------------------------------------------ |
| 407 |
| 408 //------------------------------------------------------------------------------ |
| 409 // DEP (MITIGATION_DEP and MITIGATION_DEP_NO_ATL_THUNK) |
| 410 // Win7 x86 |
| 411 //------------------------------------------------------------------------------ |
| 412 |
| 413 #if !defined(_WIN64) |
| 414 // DEP is always enabled on 64-bit. Only test on x86. |
| 415 TEST(ProcessMitigationsTest, CheckDepWin7) { |
| 416 if (base::win::GetVersion() > base::win::VERSION_WIN7) |
| 417 return; |
| 418 |
| 419 TestRunner runner; |
| 420 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 421 |
| 422 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_DEP | |
| 423 MITIGATION_DEP_NO_ATL_THUNK | |
| 424 MITIGATION_SEHOP), |
| 425 SBOX_ALL_OK); |
| 426 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep")); |
| 427 } |
| 428 #endif // !defined(_WIN64) |
| 429 |
| 430 //------------------------------------------------------------------------------ |
| 431 // DEP (MITIGATION_DEP and MITIGATION_DEP_NO_ATL_THUNK) |
| 432 // >= Win8 x86 |
| 433 //------------------------------------------------------------------------------ |
| 434 |
| 435 #if !defined(_WIN64) |
| 436 // DEP is always enabled on 64-bit. Only test on x86. |
| 437 |
| 438 // This test validates that setting the MITIGATION_DEP* |
| 439 // mitigations enables the setting on a process. |
| 440 TEST(ProcessMitigationsTest, CheckDepWin8PolicySuccess) { |
| 441 if (base::win::GetVersion() < base::win::VERSION_WIN8) |
| 442 return; |
| 443 |
| 444 base::string16 test_command = L"CheckPolicy "; |
| 445 test_command += std::to_wstring(TESTPOLICY_DEP); |
| 446 |
| 447 //--------------------------------- |
| 448 // 1) Test setting pre-startup. |
| 449 //--------------------------------- |
| 450 TestRunner runner; |
| 451 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 452 |
| 453 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_DEP | |
| 454 MITIGATION_DEP_NO_ATL_THUNK), |
| 455 SBOX_ALL_OK); |
| 456 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 457 |
| 458 //--------------------------------- |
| 459 // 2) Test setting post-startup. |
| 460 //--------------------------------- |
| 461 TestRunner runner2; |
| 462 sandbox::TargetPolicy* policy2 = runner2.GetPolicy(); |
| 463 |
| 464 EXPECT_EQ(policy2->SetDelayedProcessMitigations(MITIGATION_DEP | |
| 465 MITIGATION_DEP_NO_ATL_THUNK), |
| 466 SBOX_ALL_OK); |
| 467 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner2.RunTest(test_command.c_str())); |
| 468 } |
| 469 |
| 470 #endif // !defined(_WIN64) |
| 471 |
| 472 //------------------------------------------------------------------------------ |
| 473 // ASLR |
| 474 // - MITIGATION_RELOCATE_IMAGE |
| 475 // - MITIGATION_RELOCATE_IMAGE_REQUIRED |
| 476 // - MITIGATION_BOTTOM_UP_ASLR |
| 477 // - MITIGATION_HIGH_ENTROPY_ASLR |
| 478 // >= Win8 |
| 479 //------------------------------------------------------------------------------ |
| 480 |
| 481 TEST(ProcessMitigationsTest, CheckWin8AslrPolicySuccess) { |
| 482 if (base::win::GetVersion() < base::win::VERSION_WIN8) |
| 483 return; |
| 484 |
| 485 base::string16 test_command = L"CheckPolicy "; |
| 486 test_command += std::to_wstring(TESTPOLICY_ASLR); |
| 487 |
| 488 TestRunner runner; |
| 489 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 490 |
| 491 //--------------------------------- |
| 492 // 1) Test setting pre-startup. |
| 493 // **Can only set ASLR pre-startup in release build. |
| 494 //--------------------------------- |
| 495 #if defined(NDEBUG) |
| 496 EXPECT_EQ(policy->SetProcessMitigations( |
| 497 MITIGATION_RELOCATE_IMAGE | MITIGATION_RELOCATE_IMAGE_REQUIRED | |
| 498 MITIGATION_BOTTOM_UP_ASLR | MITIGATION_HIGH_ENTROPY_ASLR), |
| 499 SBOX_ALL_OK); |
| 500 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 501 |
| 502 //--------------------------------- |
| 503 // 2) Test setting post-startup. |
| 504 // **Bottom up and high entropy can only be set pre-startup. |
| 505 // **Can only set ASLR post-startup in debug build. |
| 506 //--------------------------------- |
| 507 #else |
| 508 EXPECT_EQ(policy->SetDelayedProcessMitigations( |
| 509 MITIGATION_RELOCATE_IMAGE | MITIGATION_RELOCATE_IMAGE_REQUIRED), |
| 510 SBOX_ALL_OK); |
| 511 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 512 #endif // !defined(NDEBUG) |
| 513 } |
| 514 |
| 515 //------------------------------------------------------------------------------ |
| 516 // Strict handle checks (MITIGATION_STRICT_HANDLE_CHECKS) |
| 517 // >= Win8 |
| 518 //------------------------------------------------------------------------------ |
| 519 |
| 520 TEST(ProcessMitigationsTest, CheckWin8StrictHandlePolicySuccess) { |
| 521 if (base::win::GetVersion() < base::win::VERSION_WIN8) |
| 522 return; |
| 523 |
| 524 base::string16 test_command = L"CheckPolicy "; |
| 525 test_command += std::to_wstring(TESTPOLICY_STRICTHANDLE); |
| 526 |
| 527 //--------------------------------- |
| 528 // 1) Test setting post-startup. |
| 529 // ** Can only be set post-startup. |
| 530 //--------------------------------- |
| 531 TestRunner runner; |
| 532 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 533 |
| 534 EXPECT_EQ( |
| 535 policy->SetDelayedProcessMitigations(MITIGATION_STRICT_HANDLE_CHECKS), |
| 536 SBOX_ALL_OK); |
| 537 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 538 } |
| 539 |
| 540 //------------------------------------------------------------------------------ |
| 541 // Disable non-system font loads (MITIGATION_NONSYSTEM_FONT_DISABLE) |
| 542 // >= Win10 |
| 543 //------------------------------------------------------------------------------ |
| 544 |
| 545 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE |
| 546 // mitigation enables the setting on a process. |
| 547 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownPolicySuccess) { |
| 548 if (base::win::GetVersion() < base::win::VERSION_WIN10) |
| 549 return; |
| 550 |
| 551 base::string16 test_command = L"CheckPolicy "; |
| 552 test_command += std::to_wstring(TESTPOLICY_NONSYSFONT); |
| 553 |
| 554 //--------------------------------- |
| 555 // 1) Test setting pre-startup. |
| 556 //--------------------------------- |
| 557 TestRunner runner; |
| 558 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 559 |
| 560 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), |
| 561 SBOX_ALL_OK); |
| 562 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 563 |
| 564 //--------------------------------- |
| 565 // 2) Test setting post-startup. |
| 566 //--------------------------------- |
| 567 TestRunner runner2; |
| 568 sandbox::TargetPolicy* policy2 = runner2.GetPolicy(); |
| 569 |
| 570 EXPECT_EQ( |
| 571 policy2->SetDelayedProcessMitigations(MITIGATION_NONSYSTEM_FONT_DISABLE), |
| 572 SBOX_ALL_OK); |
| 573 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner2.RunTest(test_command.c_str())); |
| 574 } |
| 575 |
| 576 // This test validates that we can load a non-system font if the |
| 577 // MITIGATION_NON_SYSTEM_FONTS_DISABLE mitigation is NOT set. |
| 578 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadSuccess) { |
| 579 if (base::win::GetVersion() < base::win::VERSION_WIN10) |
| 580 return; |
| 581 |
| 582 TestWin10NonSystemFont(true); |
| 583 } |
| 584 |
| 585 // This test validates that setting the MITIGATION_NON_SYSTEM_FONTS_DISABLE |
| 586 // mitigation prevents the loading of a non-system font. |
| 587 TEST(ProcessMitigationsTest, CheckWin10NonSystemFontLockDownLoadFailure) { |
| 588 if (base::win::GetVersion() < base::win::VERSION_WIN10) |
| 589 return; |
| 590 |
| 591 TestWin10NonSystemFont(false); |
| 592 } |
| 593 |
| 594 //------------------------------------------------------------------------------ |
| 595 // Disable child process creation. |
| 596 // - JobLevel <= JOB_LIMITED_USER (on < WIN10_TH2). |
| 597 // - JobLevel <= JOB_LIMITED_USER which also triggers setting |
| 598 // PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY to |
| 599 // PROCESS_CREATION_CHILD_PROCESS_RESTRICTED in |
| 600 // BrokerServicesBase::SpawnTarget (on >= WIN10_TH2). |
| 601 //------------------------------------------------------------------------------ |
| 602 |
| 603 // This test validates that we can spawn a child process if |
| 604 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation is |
| 605 // not set. |
| 606 TEST(ProcessMitigationsTest, CheckChildProcessSuccess) { |
| 607 TestRunner runner; |
| 608 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 609 |
| 610 // Set a policy that would normally allow for process creation. |
| 611 policy->SetJobLevel(JOB_INTERACTIVE, 0); |
| 612 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); |
| 613 runner.SetDisableCsrss(false); |
| 614 |
| 615 base::FilePath cmd; |
| 616 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd)); |
| 617 cmd = cmd.Append(L"calc.exe"); |
| 618 |
| 619 base::string16 test_command = L"TestChildProcess \""; |
| 620 test_command += cmd.value().c_str(); |
| 621 test_command += L"\" false"; |
| 622 |
| 623 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 624 } |
| 625 |
| 626 // This test validates that setting the |
| 627 // MITIGATION_CHILD_PROCESS_CREATION_RESTRICTED mitigation prevents |
| 628 // the spawning of child processes. |
| 629 TEST(ProcessMitigationsTest, CheckChildProcessFailure) { |
| 630 TestRunner runner; |
| 631 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 632 |
| 633 // Now set the job level to be <= JOB_LIMITED_USER |
| 634 // and ensure we can no longer create a child process. |
| 635 policy->SetJobLevel(JOB_LIMITED_USER, 0); |
| 636 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); |
| 637 runner.SetDisableCsrss(false); |
| 638 |
| 639 base::FilePath cmd; |
| 640 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd)); |
| 641 cmd = cmd.Append(L"calc.exe"); |
| 642 |
| 643 base::string16 test_command = L"TestChildProcess \""; |
| 644 test_command += cmd.value().c_str(); |
| 645 test_command += L"\" false"; |
| 646 |
| 647 EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(test_command.c_str())); |
| 648 } |
| 649 |
| 650 // This test validates that when the sandboxed target within a job spawns a |
| 651 // child process and the target process exits abnormally, the broker correctly |
| 652 // handles the JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS message. |
| 653 // Because this involves spawning a child process from the target process and is |
| 654 // very similar to the above CheckChildProcess* tests, this test is here rather |
| 655 // than elsewhere closer to the other Job tests. |
| 656 TEST(ProcessMitigationsTest, CheckChildProcessAbnormalExit) { |
| 657 TestRunner runner; |
| 658 sandbox::TargetPolicy* policy = runner.GetPolicy(); |
| 659 |
| 660 // Set a policy that would normally allow for process creation. |
| 661 policy->SetJobLevel(JOB_INTERACTIVE, 0); |
| 662 policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED); |
| 663 runner.SetDisableCsrss(false); |
| 664 |
| 665 base::FilePath cmd; |
| 666 EXPECT_TRUE(base::PathService::Get(base::DIR_SYSTEM, &cmd)); |
| 667 cmd = cmd.Append(L"calc.exe"); |
| 668 |
| 669 base::string16 test_command = L"TestChildProcess \""; |
| 670 test_command += cmd.value().c_str(); |
| 671 test_command += L"\" false "; |
| 672 test_command += std::to_wstring(STATUS_ACCESS_VIOLATION); |
| 673 |
| 674 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str())); |
| 675 } |
| 676 |
| 677 } // namespace sandbox |
OLD | NEW |