// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <memory>
#include <string>
#include "base/memory/free_deleter.h"
#include "base/strings/string16.h"
#include "base/strings/sys_string_conversions.h"
#include "base/win/scoped_handle.h"
#include "base/win/scoped_process_information.h"
#include "base/win/windows_version.h"
#include "build/build_config.h"
#include "sandbox/win/src/process_thread_interception.h"
#include "sandbox/win/src/sandbox.h"
#include "sandbox/win/src/sandbox_factory.h"
#include "sandbox/win/src/sandbox_policy.h"
#include "sandbox/win/tests/common/controller.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace {
// Launches |exe| / |command| twice, once through CreateProcessW and once
// through CreateProcessA, and reports a single verdict.
//
// |exe| is passed as lpApplicationName (nullptr when empty) and |command| as
// lpCommandLine (nullptr when empty). The two launches must agree: the result
// is SBOX_TEST_SUCCEEDED or SBOX_TEST_DENIED only when both API variants
// produce the same outcome, otherwise SBOX_TEST_FAILED, so a policy that is
// enforced on one entry point but not the other shows up as a failure.
//
// Failure classification: ERROR_ACCESS_DENIED, ERROR_NOT_ENOUGH_QUOTA and
// ERROR_FILE_NOT_FOUND are all reported as SBOX_TEST_DENIED. That means a
// target binary that simply does not exist is indistinguishable from one the
// sandbox blocked; a test that expects DENIED only proves something when the
// executable is actually present.
//
// Handles of any process that was started are closed before returning; the
// child itself is neither waited for nor terminated.
sandbox::SboxTestResult CreateProcessHelper(const base::string16& exe,
                                            const base::string16& command) {
  // Maps the Win32 error of a failed CreateProcess call onto a verdict.
  auto classify_failure = [](DWORD last_error) {
    switch (last_error) {
      case ERROR_NOT_ENOUGH_QUOTA:
      case ERROR_ACCESS_DENIED:
      case ERROR_FILE_NOT_FOUND:
        return sandbox::SBOX_TEST_DENIED;
      default:
        return sandbox::SBOX_TEST_FAILED;
    }
  };

  const wchar_t* app_name = exe.empty() ? nullptr : exe.c_str();

  // CreateProcessW may modify lpCommandLine in place, so hand it a writable
  // copy instead of the caller's buffer.
  std::unique_ptr<wchar_t, base::FreeDeleter> wide_cmd(
      _wcsdup(command.c_str()));
  wchar_t* wide_cmd_arg = command.empty() ? nullptr : wide_cmd.get();

  base::win::ScopedProcessInformation process_info;
  PROCESS_INFORMATION raw_info = {};

  // Attempt 1: the wide-character entry point.
  STARTUPINFOW startup_w = {sizeof(startup_w)};
  sandbox::SboxTestResult wide_result = sandbox::SBOX_TEST_FAILED;
  if (::CreateProcessW(app_name, wide_cmd_arg, nullptr, nullptr, false, 0,
                       nullptr, nullptr, &startup_w, &raw_info)) {
    process_info.Set(raw_info);
    wide_result = sandbox::SBOX_TEST_SUCCEEDED;
  } else {
    // Read the error before anything else can overwrite it.
    wide_result = classify_failure(GetLastError());
  }
  process_info.Close();

  // Attempt 2: the ANSI entry point, with both strings converted to UTF-8.
  STARTUPINFOA startup_a = {sizeof(startup_a)};
  std::string narrow_exe;
  if (app_name)
    narrow_exe = base::SysWideToMultiByte(app_name, CP_UTF8);
  std::string narrow_cmd = base::SysWideToMultiByte(command.c_str(), CP_UTF8);
  sandbox::SboxTestResult narrow_result = sandbox::SBOX_TEST_FAILED;
  if (::CreateProcessA(app_name ? narrow_exe.c_str() : nullptr,
                       command.empty() ? nullptr : &narrow_cmd[0], nullptr,
                       nullptr, false, 0, nullptr, nullptr, &startup_a,
                       &raw_info)) {
    process_info.Set(raw_info);
    narrow_result = sandbox::SBOX_TEST_SUCCEEDED;
  } else {
    narrow_result = classify_failure(GetLastError());
  }

  // Disagreement between the A and W paths is itself a failure.
  return wide_result == narrow_result ? wide_result : sandbox::SBOX_TEST_FAILED;
}
} // namespace
namespace sandbox {
// Target command: launch argv[0], resolved to its full path under the system
// directory, by passing that path as lpApplicationName with no command line.
// Returns SBOX_TEST_FAILED_TO_EXECUTE_COMMAND on a malformed argument list,
// otherwise the verdict from CreateProcessHelper.
SBOX_TESTS_COMMAND int Process_RunApp1(int argc, wchar_t** argv) {
  if (argc != 1 || !argv || !argv[0])
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
  const base::string16 full_path = MakePathToSys(argv[0], false);
  // TEST 1: full path in app_name, cmd_line left empty.
  return CreateProcessHelper(full_path, base::string16());
}
// Target command: launch argv[0] by quoting its full system path and passing
// it only as the command line, with app_name empty. Returns
// SBOX_TEST_FAILED_TO_EXECUTE_COMMAND on a malformed argument list.
SBOX_TESTS_COMMAND int Process_RunApp2(int argc, wchar_t** argv) {
  if (argc != 1 || !argv || !argv[0])
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
  const base::string16 full_path = MakePathToSys(argv[0], false);
  // TEST 2: quoted full path in cmd_line, nothing in app_name.
  const base::string16 quoted_path = L"\"" + full_path + L"\"";
  return CreateProcessHelper(base::string16(), quoted_path);
}
// Target command: launch argv[0] as a bare file name on the command line, so
// that CreateProcess has to resolve it through its own search rules. Returns
// SBOX_TEST_FAILED_TO_EXECUTE_COMMAND on a malformed argument list.
SBOX_TESTS_COMMAND int Process_RunApp3(int argc, wchar_t** argv) {
  if (argc != 1 || !argv || !argv[0])
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
  // TEST 3: unqualified file name in cmd_line, nothing in app_name.
  const base::string16 bare_name = argv[0];
  return CreateProcessHelper(base::string16(), bare_name);
}
// Target command: launch argv[0] as a bare file name in app_name after moving
// the process-wide current directory to the system directory, then restore
// the original directory. Error codes identify the failing step:
// FIRST_ERROR when the current directory cannot be read, SECOND_ERROR when it
// cannot be changed, SBOX_TEST_FAILED when it is too long or cannot be
// restored; otherwise the verdict from CreateProcessHelper.
SBOX_TESTS_COMMAND int Process_RunApp4(int argc, wchar_t** argv) {
  if (argc != 1 || !argv || !argv[0])
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
  // TEST 4: file name in app_name, resolved via the current directory.
  const base::string16 system_dir = MakePathToSys(L"", false);

  // Remember where we were; the extra element leaves room for the trailing
  // backslash appended below.
  wchar_t saved_dir[MAX_PATH + 1];
  const DWORD saved_len = ::GetCurrentDirectory(MAX_PATH, saved_dir);
  if (saved_len == 0)
    return SBOX_TEST_FIRST_ERROR;
  // A return >= MAX_PATH means the buffer was too small (required size).
  if (saved_len >= MAX_PATH)
    return SBOX_TEST_FAILED;
  saved_dir[saved_len] = L'\\';
  saved_dir[saved_len + 1] = L'\0';

  if (!::SetCurrentDirectory(system_dir.c_str()))
    return SBOX_TEST_SECOND_ERROR;
  const int verdict = CreateProcessHelper(argv[0], base::string16());
  // Failing to restore the directory is reported as a failure so that later
  // commands in the same target do not run with an unexpected cwd.
  if (!::SetCurrentDirectory(saved_dir))
    return SBOX_TEST_FAILED;
  return verdict;
}
// Target command: like Process_RunApp2 (quoted full path on the command
// line), but with a trailing " /I" argument so the command line is more than
// just the executable. Returns SBOX_TEST_FAILED_TO_EXECUTE_COMMAND on a
// malformed argument list.
SBOX_TESTS_COMMAND int Process_RunApp5(int argc, wchar_t** argv) {
  if (argc != 1 || !argv || !argv[0])
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
  const base::string16 full_path = MakePathToSys(argv[0], false);
  // TEST 5: quoted full path plus an argument in cmd_line.
  const base::string16 cmd_with_args = L"\"" + full_path + L"\" /I";
  return CreateProcessHelper(base::string16(), cmd_with_args);
}
// Target command: like Process_RunApp3 (bare file name on the command line),
// but with a trailing " /I" argument. Returns
// SBOX_TEST_FAILED_TO_EXECUTE_COMMAND on a malformed argument list.
SBOX_TESTS_COMMAND int Process_RunApp6(int argc, wchar_t** argv) {
  if (argc != 1 || !argv || !argv[0])
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
  // TEST 6: unqualified file name plus an argument in cmd_line.
  const base::string16 cmd_with_args = base::string16(argv[0]) + L" /I";
  return CreateProcessHelper(base::string16(), cmd_with_args);
}
// Target command: start argv[0] (resolved under the system directory)
// suspended and try to open its primary token with TOKEN_IMPERSONATE.
// Reports SBOX_TEST_SUCCEEDED when a token handle is obtained,
// SBOX_TEST_DENIED when the open fails with ERROR_ACCESS_DENIED, and
// SBOX_TEST_FAILED for any other outcome (including a failed launch or a
// failed TerminateProcess). The child is always terminated before returning.
//
// The policy tests below expect this to be denied under PROCESS_MIN_EXEC and
// to succeed under PROCESS_ALL_EXEC: a target that can impersonate a child's
// token would be able to act with whatever rights that token carries, so the
// restrictive rule must not hand out a process handle that allows it.
SBOX_TESTS_COMMAND int Process_GetChildProcessToken(int argc, wchar_t** argv) {
  if (argc != 1 || !argv || !argv[0])
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
  const base::string16 exe_path = MakePathToSys(argv[0], false);

  STARTUPINFOW startup = {sizeof(startup)};
  PROCESS_INFORMATION raw_info = {};
  // Suspended: the child never runs, we only need a process object to probe.
  const bool created = ::CreateProcessW(exe_path.c_str(), nullptr, nullptr,
                                        nullptr, false, CREATE_SUSPENDED,
                                        nullptr, nullptr, &startup, &raw_info);
  if (!created)
    return SBOX_TEST_FAILED;
  base::win::ScopedProcessInformation child(raw_info);

  HANDLE raw_token = nullptr;
  const bool opened = ::OpenProcessToken(child.process_handle(),
                                         TOKEN_IMPERSONATE, &raw_token);
  // Capture the error before any other call can overwrite it.
  const DWORD open_error = ::GetLastError();
  base::win::ScopedHandle token(raw_token);

  if (!::TerminateProcess(child.process_handle(), 0))
    return SBOX_TEST_FAILED;
  if (opened && raw_token)
    return SBOX_TEST_SUCCEEDED;
  return open_error == ERROR_ACCESS_DENIED ? SBOX_TEST_DENIED
                                           : SBOX_TEST_FAILED;
}
// Target command: start argv[0] (resolved under the system directory) via
// the ANSI CreateProcessA entry point, suspended, then kill it. Succeeds only
// when both the launch and the TerminateProcess call work. Returns
// SBOX_TEST_FAILED_TO_EXECUTE_COMMAND on a malformed argument list.
SBOX_TESTS_COMMAND int Process_CreateProcessA(int argc, wchar_t** argv) {
  if (argc != 1 || !argv || !argv[0])
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
  const base::string16 wide_path = MakePathToSys(argv[0], false);
  const std::string narrow_path = base::SysWideToMultiByte(wide_path, CP_UTF8);

  STARTUPINFOA startup = {sizeof(startup)};
  PROCESS_INFORMATION raw_info = {};
  // CREATE_SUSPENDED keeps the child (calc.exe in the policy test) from ever
  // showing a window before it is killed.
  if (!::CreateProcessA(narrow_path.c_str(), nullptr, nullptr, nullptr, false,
                        CREATE_SUSPENDED, nullptr, nullptr, &startup,
                        &raw_info)) {
    return SBOX_TEST_FAILED;
  }
  base::win::ScopedProcessInformation child(raw_info);
  return ::TerminateProcess(child.process_handle(), 0) ? SBOX_TEST_SUCCEEDED
                                                       : SBOX_TEST_FAILED;
}
// Target command: open the current process's own primary token with
// TOKEN_ALL_ACCESS. SBOX_TEST_SUCCEEDED if it opens, SBOX_TEST_DENIED on
// ERROR_ACCESS_DENIED, SBOX_TEST_FAILED for any other error. |argc| and
// |argv| are unused.
SBOX_TESTS_COMMAND int Process_OpenToken(int argc, wchar_t** argv) {
  HANDLE raw_token = nullptr;
  if (::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, &raw_token)) {
    ::CloseHandle(raw_token);
    return SBOX_TEST_SUCCEEDED;
  }
  return ::GetLastError() == ERROR_ACCESS_DENIED ? SBOX_TEST_DENIED
                                                 : SBOX_TEST_FAILED;
}
// Target command used by CreateProcessCrashy: raises a breakpoint exception
// so the broker sees the target die with STATUS_BREAKPOINT. The return is
// reached only if something swallows the exception, in which case the test
// must fail. |argc| and |argv| are unused.
SBOX_TESTS_COMMAND int Process_Crash(int argc, wchar_t** argv) {
__debugbreak();
return SBOX_TEST_FAILED;
}
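// Builds the name of the event used by the thread-creation tests:
// "ProcessPolicyTest_" followed by |pid| as eight lowercase hex digits.
// Returns an empty string if formatting fails.
//
// NOTE(review): the name has no "Global\" prefix, so it lives in the
// session-local namespace, and it is fully predictable from the PID: any
// process in the same session can create or open it. That is acceptable for
// a test fixture; do not reuse this scheme for objects that need to be
// private.
std::wstring GenerateEventName(DWORD pid) {
  // 18 prefix characters + 8 hex digits + NUL = 27; 30 leaves a little slack.
  wchar_t buff[30] = {0};
  // DWORD is unsigned long on Win32, so use the matching length modifier
  // (%lx) with an explicit cast rather than relying on %x accepting it.
  const int written = swprintf_s(buff, sizeof(buff) / sizeof(buff[0]),
                                 L"ProcessPolicyTest_%08lx",
                                 static_cast<unsigned long>(pid));
  if (written < 0)
    return std::wstring();
  return std::wstring(buff);
}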
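// Thread entry point for the CreateThread tests. |lpdwThreadParam| carries
// the PID whose event name to open (see GenerateEventName); the function
// signals that event and returns 0, or returns 1 if the name could not be
// built, the event could not be opened, or SetEvent failed.
DWORD WINAPI TestThreadFunc(LPVOID lpdwThreadParam) {
  const DWORD pid =
      static_cast<DWORD>(reinterpret_cast<uintptr_t>(lpdwThreadParam));
  const std::wstring event_name = GenerateEventName(pid);
  if (event_name.empty())
    return 1;
  // SetEvent only needs EVENT_MODIFY_STATE, so request just that instead of
  // EVENT_ALL_ACCESS. The handle is owned by a ScopedHandle so it is released
  // when the thread finishes rather than leaked as before.
  base::win::ScopedHandle event(
      ::OpenEvent(EVENT_MODIFY_STATE, false, event_name.c_str()));
  if (!event.IsValid())
    return 1;
  return ::SetEvent(event.Get()) ? 0 : 1;
}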
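// Target command: creates a manual-reset event named after this process's
// PID, spawns a thread running TestThreadFunc, and checks that the thread
// exited cleanly and signalled the event. Each failure point reports a
// distinct SBOX_TEST_*_ERROR so the failing step can be identified. The
// event and thread handles are owned by ScopedHandles and released on every
// return path (the original leaked both). |argc| and |argv| are unused.
SBOX_TESTS_COMMAND int Process_CreateThread(int argc, wchar_t** argv) {
  const DWORD pid = ::GetCurrentProcessId();
  const std::wstring event_name = GenerateEventName(pid);
  if (event_name.empty())
    return SBOX_TEST_FIRST_ERROR;

  HANDLE raw_event = ::CreateEvent(nullptr, true, false, event_name.c_str());
  // Read before constructing the ScopedHandle, which may itself make calls
  // that clobber the last error.
  const DWORD create_error = ::GetLastError();
  base::win::ScopedHandle event(raw_event);
  if (!event.IsValid())
    return SBOX_TEST_SECOND_ERROR;
  // The name is predictable from the PID. If another process in the session
  // already created (and possibly signalled) an event by this name, the wait
  // at the end would prove nothing, so treat that as a setup failure instead
  // of silently passing.
  if (create_error == ERROR_ALREADY_EXISTS)
    return SBOX_TEST_SECOND_ERROR;

  DWORD thread_id = 0;
  base::win::ScopedHandle thread(::CreateThread(
      nullptr, 0, &TestThreadFunc,
      reinterpret_cast<LPVOID>(static_cast<uintptr_t>(pid)), 0, &thread_id));
  if (!thread.IsValid())
    return SBOX_TEST_THIRD_ERROR;
  if (!thread_id)
    return SBOX_TEST_FOURTH_ERROR;

  if (::WaitForSingleObject(thread.Get(), INFINITE) != WAIT_OBJECT_0)
    return SBOX_TEST_FIFTH_ERROR;
  DWORD exit_code = 0;
  if (!::GetExitCodeThread(thread.Get(), &exit_code))
    return SBOX_TEST_SIXTH_ERROR;
  if (exit_code != 0)
    return SBOX_TEST_SEVENTH_ERROR;

  // The thread set the event before exiting, so this should return at once;
  // it confirms the signal reached this handle.
  if (::WaitForSingleObject(event.Get(), INFINITE) != WAIT_OBJECT_0)
    return SBOX_TEST_FAILED;
  return SBOX_TEST_SUCCEEDED;
}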
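// Target command: runs argv[0] (resolved under the system directory) with
// command line argv[1] and working directory argv[2], waits up to one second
// for it to exit and succeeds only on exit code 0. Any other outcome (launch
// failure, timeout, wait error, non-zero exit) is SBOX_TEST_FAILED. A child
// that is still running when the wait gives up is terminated so the test does
// not leave a stray process behind (the original returned without killing
// it).
SBOX_TESTS_COMMAND int Process_CheckExitCode(int argc, wchar_t** argv) {
  if (argc != 3)
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
  if (!argv || !argv[0] || !argv[1] || !argv[2])
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
  const base::string16 path = MakePathToSys(argv[0], false);
  // CreateProcessW may modify lpCommandLine in place, hence a writable copy.
  base::string16 cmdline = argv[1];
  const base::string16 cwd = argv[2];

  STARTUPINFOW si = {sizeof(si)};
  PROCESS_INFORMATION temp_process_info = {};
  if (!::CreateProcessW(path.c_str(), &cmdline[0], nullptr, nullptr, false, 0,
                        nullptr, cwd.c_str(), &si, &temp_process_info)) {
    return SBOX_TEST_FAILED;
  }
  base::win::ScopedProcessInformation pi(temp_process_info);

  constexpr DWORD kWaitMs = 1000;
  const DWORD wait = ::WaitForSingleObject(pi.process_handle(), kWaitMs);
  if (wait != WAIT_OBJECT_0) {
    // Timed out or the wait failed: do not leak a running child. The verdict
    // is a failure either way, so the TerminateProcess result is not checked.
    ::TerminateProcess(pi.process_handle(), 1);
    return SBOX_TEST_FAILED;
  }
  DWORD exit_code = 0;
  if (!::GetExitCodeProcess(pi.process_handle(), &exit_code))
    return SBOX_TEST_FAILED;
  return exit_code == 0 ? SBOX_TEST_SUCCEEDED : SBOX_TEST_FAILED;
}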
// A PROCESS_ALL_EXEC rule must be refused while the lockdown token level is
// USER_LOCKDOWN and accepted once it is raised to USER_INTERACTIVE. The rule
// pattern itself is irrelevant to this check.
TEST(ProcessPolicyTest, TestAllAccess) {
  TestRunner runner;
  TargetPolicy* policy = runner.GetPolicy();
  const wchar_t* const kAnyPattern = L"this is not important";

  // Lockdown level USER_LOCKDOWN: the rule is rejected as unsupported.
  policy->SetTokenLevel(USER_INTERACTIVE, USER_LOCKDOWN);
  EXPECT_EQ(SBOX_ERROR_UNSUPPORTED,
            policy->AddRule(TargetPolicy::SUBSYS_PROCESS,
                            TargetPolicy::PROCESS_ALL_EXEC, kAnyPattern));

  // Lockdown level USER_INTERACTIVE: the same rule is accepted.
  policy->SetTokenLevel(USER_INTERACTIVE, USER_INTERACTIVE);
  EXPECT_EQ(SBOX_ALL_OK,
            policy->AddRule(TargetPolicy::SUBSYS_PROCESS,
                            TargetPolicy::PROCESS_ALL_EXEC, kAnyPattern));
}
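// Exercises the six launch forms in Process_RunApp1..6 through both the A
// and W CreateProcess entry points: findstr.exe has a PROCESS_MIN_EXEC rule
// and must start every way; calc.exe has no rule and must be refused every
// way.
TEST(ProcessPolicyTest, CreateProcessAW) {
  TestRunner runner;
  // The MakePathToSys and MakePathToSys32 forms of the path can differ (the
  // names suggest the first may be a virtualised location); add a rule for
  // each distinct form so either resolution is covered.
  base::string16 maybe_virtual_exe_path = MakePathToSys(L"findstr.exe", false);
  base::string16 non_virtual_exe_path = MakePathToSys32(L"findstr.exe", false);
  ASSERT_TRUE(!maybe_virtual_exe_path.empty());
  EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
                             TargetPolicy::PROCESS_MIN_EXEC,
                             maybe_virtual_exe_path.c_str()));
  if (non_virtual_exe_path != maybe_virtual_exe_path) {
    EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
                               TargetPolicy::PROCESS_MIN_EXEC,
                               non_virtual_exe_path.c_str()));
  }
  // Process_RunApp4 switches the target's working directory to system32 and
  // back, so both directories need file-system rules.
  EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_DIR_ANY, L""));
  // MAX_PATH + 1 so the trailing backslash still fits when the directory name
  // is MAX_PATH - 1 characters (the longest the check below accepts); with a
  // MAX_PATH buffer wcscat_s would fail in that case. Mirrors the buffer in
  // Process_RunApp4.
  wchar_t current_directory[MAX_PATH + 1];
  DWORD ret = ::GetCurrentDirectory(MAX_PATH, current_directory);
  ASSERT_TRUE(0 != ret && ret < MAX_PATH);
  wcscat_s(current_directory, MAX_PATH + 1, L"\\");
  EXPECT_TRUE(
      runner.AddFsRule(TargetPolicy::FILES_ALLOW_DIR_ANY, current_directory));

  // calc.exe has no process rule: every way of naming it must be refused.
  // CreateProcessHelper also reports ERROR_FILE_NOT_FOUND as DENIED, so a
  // machine without calc.exe would satisfy these checks without the policy
  // being exercised; the findstr.exe cases below are the positive control.
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp1 calc.exe"));
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp2 calc.exe"));
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp3 calc.exe"));
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp4 calc.exe"));
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp5 calc.exe"));
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp6 calc.exe"));

  // findstr.exe is allowed: all six launch forms must succeed on both the A
  // and W entry points.
  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
            runner.RunTest(L"Process_RunApp1 findstr.exe"));
  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
            runner.RunTest(L"Process_RunApp2 findstr.exe"));
  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
            runner.RunTest(L"Process_RunApp3 findstr.exe"));
  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
            runner.RunTest(L"Process_RunApp4 findstr.exe"));
  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
            runner.RunTest(L"Process_RunApp5 findstr.exe"));
  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
            runner.RunTest(L"Process_RunApp6 findstr.exe"));
}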
// Tests that the broker correctly handles a process crashing within the job.
// Fails on Windows ARM64: https://crbug.com/905526
#if defined(ARCH_CPU_ARM64)
#define MAYBE_CreateProcessCrashy DISABLED_CreateProcessCrashy
#else
#define MAYBE_CreateProcessCrashy CreateProcessCrashy
#endif
// Process_Crash hits __debugbreak(), so the value reported back for the
// target is expected to be STATUS_BREAKPOINT rather than an SBOX_TEST_*
// verdict.
TEST(ProcessPolicyTest, MAYBE_CreateProcessCrashy) {
  TestRunner runner;
  const int crash_status = runner.RunTest(L"Process_Crash");
  EXPECT_EQ(static_cast<int>(STATUS_BREAKPOINT), crash_status);
}
// The child must receive the working directory passed to CreateProcessW:
// cmd.exe is asked to exit with 1 if %CD% differs from the system directory,
// and Process_CheckExitCode only succeeds on exit code 0.
TEST(ProcessPolicyTest, CreateProcessWithCWD) {
  TestRunner runner;
  base::string16 sys_dir = MakePathToSys(L"", false);
  // Drop trailing backslashes so the same string can serve both as the cwd
  // argument and as the value compared against %CD% inside cmd.
  const size_t last_kept = sys_dir.find_last_not_of(L'\\');
  sys_dir.erase(last_kept == base::string16::npos ? 0 : last_kept + 1);

  const base::string16 cmd_path = MakePathToSys(L"cmd.exe", false);
  ASSERT_FALSE(cmd_path.empty());
  EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
                             TargetPolicy::PROCESS_MIN_EXEC, cmd_path.c_str()));

  // The outer quotes keep the whole expression as one argument of the test
  // command; the escaped inner quotes are the ones cmd.exe itself sees.
  const base::string16 cmd_args =
      L"\"/c if \\\"%CD%\\\" NEQ \\\"" + sys_dir + L"\\\" exit 1\"";
  const base::string16 command =
      L"Process_CheckExitCode cmd.exe " + cmd_args + L" " + sys_dir;
  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command.c_str()));
}
// A target created with the default TestRunner settings must still be able
// to open its own primary token with TOKEN_ALL_ACCESS.
TEST(ProcessPolicyTest, OpenToken) {
  TestRunner runner;
  const int verdict = runner.RunTest(L"Process_OpenToken");
  EXPECT_EQ(SBOX_TEST_SUCCEEDED, verdict);
}
// With a PROCESS_MIN_EXEC rule and the default job/token levels, the target
// may start findstr.exe but must not be able to open the child's token for
// impersonation.
TEST(ProcessPolicyTest, TestGetProcessTokenMinAccess) {
  TestRunner runner;
  const base::string16 findstr_path = MakePathToSys(L"findstr.exe", false);
  ASSERT_FALSE(findstr_path.empty());
  EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
                             TargetPolicy::PROCESS_MIN_EXEC,
                             findstr_path.c_str()));
  const int verdict =
      runner.RunTest(L"Process_GetChildProcessToken findstr.exe");
  EXPECT_EQ(SBOX_TEST_DENIED, verdict);
}
// With a PROCESS_ALL_EXEC rule, an unprotected job and USER_INTERACTIVE
// tokens, opening the child's token with TOKEN_IMPERSONATE is expected to
// succeed.
TEST(ProcessPolicyTest, TestGetProcessTokenMaxAccess) {
  TestRunner runner(JOB_UNPROTECTED, USER_INTERACTIVE, USER_INTERACTIVE);
  const base::string16 findstr_path = MakePathToSys(L"findstr.exe", false);
  ASSERT_FALSE(findstr_path.empty());
  EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
                             TargetPolicy::PROCESS_ALL_EXEC,
                             findstr_path.c_str()));
  const int verdict =
      runner.RunTest(L"Process_GetChildProcessToken findstr.exe");
  EXPECT_EQ(SBOX_TEST_SUCCEEDED, verdict);
}
// Same expectation as TestGetProcessTokenMinAccess, but without a job object
// (JOB_NONE) and with a restricted/lockdown token pair: the denial must come
// from the process policy, not from the job.
TEST(ProcessPolicyTest, TestGetProcessTokenMinAccessNoJob) {
  TestRunner runner(JOB_NONE, USER_RESTRICTED_SAME_ACCESS, USER_LOCKDOWN);
  const base::string16 findstr_path = MakePathToSys(L"findstr.exe", false);
  ASSERT_FALSE(findstr_path.empty());
  EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
                             TargetPolicy::PROCESS_MIN_EXEC,
                             findstr_path.c_str()));
  const int verdict =
      runner.RunTest(L"Process_GetChildProcessToken findstr.exe");
  EXPECT_EQ(SBOX_TEST_DENIED, verdict);
}
// Same expectation as TestGetProcessTokenMaxAccess, but without a job object
// (JOB_NONE): PROCESS_ALL_EXEC with USER_INTERACTIVE tokens still lets the
// target open the child's token.
TEST(ProcessPolicyTest, TestGetProcessTokenMaxAccessNoJob) {
  TestRunner runner(JOB_NONE, USER_INTERACTIVE, USER_INTERACTIVE);
  const base::string16 findstr_path = MakePathToSys(L"findstr.exe", false);
  ASSERT_FALSE(findstr_path.empty());
  EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
                             TargetPolicy::PROCESS_ALL_EXEC,
                             findstr_path.c_str()));
  const int verdict =
      runner.RunTest(L"Process_GetChildProcessToken findstr.exe");
  EXPECT_EQ(SBOX_TEST_SUCCEEDED, verdict);
}
// Launching calc.exe through the ANSI entry point must succeed once a
// PROCESS_ALL_EXEC rule exists and both the job and the token restrictions
// are lifted (JOB_NONE, USER_UNPROTECTED).
TEST(ProcessPolicyTest, TestCreateProcessA) {
  TestRunner runner;
  TargetPolicy* policy = runner.GetPolicy();
  policy->SetJobLevel(JOB_NONE, 0);
  policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
  const base::string16 calc_path = MakePathToSys(L"calc.exe", false);
  ASSERT_FALSE(calc_path.empty());
  EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
                             TargetPolicy::PROCESS_ALL_EXEC,
                             calc_path.c_str()));
  const int verdict = runner.RunTest(L"Process_CreateProcessA calc.exe");
  EXPECT_EQ(SBOX_TEST_SUCCEEDED, verdict);
}
// CreateThread must keep working when CSRSS is left connected, i.e. the
// interception simply passes the call through.
TEST(ProcessPolicyTest, TestCreateThreadWithCsrss) {
  TestRunner runner(JOB_NONE, USER_INTERACTIVE, USER_INTERACTIVE);
  runner.SetDisableCsrss(false);
  const int verdict = runner.RunTest(L"Process_CreateThread");
  EXPECT_EQ(SBOX_TEST_SUCCEEDED, verdict);
}
// CreateThread must also work with CSRSS locked down (the TestRunner
// default), which is the case the interception has to handle itself.
TEST(ProcessPolicyTest, TestCreateThreadWithoutCsrss) {
  TestRunner runner(JOB_NONE, USER_INTERACTIVE, USER_INTERACTIVE);
  const int verdict = runner.RunTest(L"Process_CreateThread");
  EXPECT_EQ(SBOX_TEST_SUCCEEDED, verdict);
}
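// Calls the CreateThread interceptor directly, outside any sandboxed target,
// handing it the real ::CreateThread as the original function, and checks
// the thread runs and signals the event. Handles are owned by ScopedHandles
// so the test no longer leaks the event and thread; the assertions on the
// handles are ASSERTs so we never wait (INFINITE) on an invalid handle.
TEST(ProcessPolicyTest, TestCreateThreadOutsideSandbox) {
  const DWORD pid = ::GetCurrentProcessId();
  const std::wstring event_name = GenerateEventName(pid);
  // c_str() is never null, so the previous ASSERT_STRNE(nullptr, ...) could
  // not fail; check the condition that actually matters.
  ASSERT_FALSE(event_name.empty());
  base::win::ScopedHandle event(
      ::CreateEvent(nullptr, true, false, event_name.c_str()));
  ASSERT_TRUE(event.IsValid());
  DWORD thread_id = 0;
  base::win::ScopedHandle thread(TargetCreateThread(
      ::CreateThread, nullptr, 0, &TestThreadFunc,
      reinterpret_cast<LPVOID>(static_cast<uintptr_t>(pid)), 0, &thread_id));
  ASSERT_TRUE(thread.IsValid());
  EXPECT_EQ(WAIT_OBJECT_0, WaitForSingleObject(thread.Get(), INFINITE));
  EXPECT_EQ(WAIT_OBJECT_0, WaitForSingleObject(event.Get(), INFINITE));
}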
} // namespace sandbox