sandbox/win/src/process_mitigations_test.cc - Issue 318603003: Sandbox policy and intercepts for the MITIGATION_WIN32K_DISABLE policy for renderer processes.

Side by Side Diff: sandbox/win/src/process_mitigations_test.cc

Issue 318603003: Sandbox policy and intercepts for the MITIGATION_WIN32K_DISABLE policy for renderer processes. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 6 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "base/strings/stringprintf.h"	5 #include "base/strings/stringprintf.h"

6 #include "base/win/scoped_handle.h"	6 #include "base/win/scoped_handle.h"

7	7

8 #include "base/win/windows_version.h"	8 #include "base/win/windows_version.h"

9 #include "sandbox/win/src/nt_internals.h"	9 #include "sandbox/win/src/nt_internals.h"

10 #include "sandbox/win/src/process_mitigations.h"	10 #include "sandbox/win/src/process_mitigations.h"

(...skipping 70 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
81	81

82 } // namespace	82 } // namespace

83	83

84 namespace sandbox {	84 namespace sandbox {

85	85

86 SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) {	86 SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) {

87 get_process_mitigation_policy =	87 get_process_mitigation_policy =

88 reinterpret_cast<GetProcessMitigationPolicyFunction>(	88 reinterpret_cast<GetProcessMitigationPolicyFunction>(

89 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),	89 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),

90 "GetProcessMitigationPolicy"));	90 "GetProcessMitigationPolicy"));

91

92 if (!get_process_mitigation_policy)	91 if (!get_process_mitigation_policy)

93 return SBOX_TEST_NOT_FOUND;	92 return SBOX_TEST_NOT_FOUND;

94	93

95 if (!CheckWin8DepPolicy())	94 if (!CheckWin8DepPolicy())

96 return SBOX_TEST_FIRST_ERROR;	95 return SBOX_TEST_FIRST_ERROR;

97	96

98 #if defined(NDEBUG) // ASLR cannot be forced in debug builds.	97 #if defined(NDEBUG) // ASLR cannot be forced in debug builds.

99 if (!CheckWin8AslrPolicy())	98 if (!CheckWin8AslrPolicy())

100 return SBOX_TEST_SECOND_ERROR;	99 return SBOX_TEST_SECOND_ERROR;

101 #endif	100 #endif

102	101

103 if (!CheckWin8StrictHandlePolicy())	102 if (!CheckWin8StrictHandlePolicy())

104 return SBOX_TEST_THIRD_ERROR;	103 return SBOX_TEST_THIRD_ERROR;

105	104

106 if (!CheckWin8Win32CallPolicy())

107 return SBOX_TEST_FOURTH_ERROR;

108

109 if (!CheckWin8DllExtensionPolicy())	105 if (!CheckWin8DllExtensionPolicy())

110 return SBOX_TEST_FIFTH_ERROR;	106 return SBOX_TEST_FIFTH_ERROR;

111	107

112 return SBOX_TEST_SUCCEEDED;	108 return SBOX_TEST_SUCCEEDED;

113 }	109 }

114	110

115 TEST(ProcessMitigationsTest, CheckWin8) {	111 TEST(ProcessMitigationsTest, CheckWin8) {

116 if (base::win::GetVersion() < base::win::VERSION_WIN8)	112 if (base::win::GetVersion() < base::win::VERSION_WIN8)

117 return;	113 return;

118	114

(...skipping 75 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
194	190

195 EXPECT_EQ(policy->SetProcessMitigations(	191 EXPECT_EQ(policy->SetProcessMitigations(

196 MITIGATION_DEP \|	192 MITIGATION_DEP \|

197 MITIGATION_DEP_NO_ATL_THUNK \|	193 MITIGATION_DEP_NO_ATL_THUNK \|

198 MITIGATION_SEHOP),	194 MITIGATION_SEHOP),

199 SBOX_ALL_OK);	195 SBOX_ALL_OK);

200 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep"));	196 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep"));

201 }	197 }

202 #endif	198 #endif

203	199

	200 SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) {

	201 get_process_mitigation_policy =

	202 reinterpret_cast<GetProcessMitigationPolicyFunction>(

	203 ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),

	204 "GetProcessMitigationPolicy"));

	205 if (!get_process_mitigation_policy)

	206 return SBOX_TEST_NOT_FOUND;

	207

	208 if (!CheckWin8Win32CallPolicy())

	209 return SBOX_TEST_FIRST_ERROR;

	210 return SBOX_TEST_SUCCEEDED;

	211 }

	212

	213 // This test validates that setting the MITIGATION_WIN32K_DISABLE mitigation on

	214 // the target process causes the launch to fail in process initialization.

	215 // The test process itself links against user32/gdi32.

	216 TEST(ProcessMitigationsTest, CheckWin8Win32KLockDownFailure) {

	217 if (base::win::GetVersion() < base::win::VERSION_WIN8)

	218 return;

	219

	220 TestRunner runner;

	221 sandbox::TargetPolicy* policy = runner.GetPolicy();

	222

	223 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE),

	224 SBOX_ALL_OK);

	225 EXPECT_NE(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown"));

	226 }

	227

	228 // This test validates that setting the MITIGATION_WIN32K_DISABLE mitigation

	229 // along with the policy to fake user32 and gdi32 initialization successfully

	230 // launches the target process.

	231 // The test process itself links against user32/gdi32.

	232 TEST(ProcessMitigationsTest, CheckWin8Win32KLockDownSuccess) {

	233 if (base::win::GetVersion() < base::win::VERSION_WIN8)

	234 return;

	235

	236 TestRunner runner;

	237 sandbox::TargetPolicy* policy = runner.GetPolicy();

	238

	239 EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE),

	240 SBOX_ALL_OK);
	rvargas (doing something else) 2014/06/10 23:03:08 nit: indent under first arg (policy->) nit: indent under first arg (policy->) ananta 2014/06/10 23:15:57 Done. Show quoted text On 2014/06/10 23:03:08, rvargas wrote: > nit: indent under first arg (policy->) Done.
	241 EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,

	242 sandbox::TargetPolicy::FAKE_USER_GDI_INIT,

	243 NULL), sandbox::SBOX_ALL_OK);
	rvargas (doing something else) 2014/06/10 23:03:08 nit: move NULL to the previous line, and the resul nit: move NULL to the previous line, and the result to indent under policy-> ananta 2014/06/10 23:15:57 Done. Show quoted text On 2014/06/10 23:03:08, rvargas wrote: > nit: move NULL to the previous line, and the result to indent under policy-> Done.
	244 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown"));

	245 }

	246

204 } // namespace sandbox	247 } // namespace sandbox

205	248

OLD	NEW

« no previous file with comments | « sandbox/win/src/ipc_tags.h ('k') | sandbox/win/src/process_mitigations_win32k_dispatcher.h » ('j') | sandbox/win/src/sandbox_policy.h » ('J')