The Tor Browser: security/sandbox/win/src/file_policy

security/sandbox/win/src/file_policy_test.cc@6474c204b198 (annotated)

security/sandbox/win/src/file_policy_test.cc

Wed, 31 Dec 2014 06:09:35 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Wed, 31 Dec 2014 06:09:35 +0100
changeset 0: 6474c204b198
permissions: -rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include <algorithm>
 #include <cctype>
 #include <windows.h>
 #include <winioctl.h>
 #include "base/win/scoped_handle.h"
 #include "sandbox/win/src/nt_internals.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/sandbox_policy.h"
 #include "sandbox/win/src/win_utils.h"
 #include "sandbox/win/tests/common/controller.h"
 #include "sandbox/win/tests/common/test_utils.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #define BINDNTDLL(name) \
   name ## Function name = reinterpret_cast<name ## Function>( \
     ::GetProcAddress(::GetModuleHandle(L"ntdll.dll"), #name))
 namespace sandbox {
 const ULONG kSharing = FILE_SHARE_WRITE | FILE_SHARE_READ | FILE_SHARE_DELETE;
 // Creates a file using different desired access. Returns if the call succeeded
 // or not.  The first argument in argv is the filename. If the second argument
 // is "read", we try read only access. Otherwise we try read-write access.
 SBOX_TESTS_COMMAND int File_Create(int argc, wchar_t **argv) {
   if (argc != 2)
     return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
   bool read = (_wcsicmp(argv[0], L"Read") == 0);
   if (read) {
     base::win::ScopedHandle file1(CreateFile(
         argv[1], GENERIC_READ, kSharing, NULL, OPEN_EXISTING, 0, NULL));
     base::win::ScopedHandle file2(CreateFile(
         argv[1], FILE_EXECUTE, kSharing, NULL, OPEN_EXISTING, 0, NULL));
     if (file1.Get() && file2.Get())
       return SBOX_TEST_SUCCEEDED;
     return SBOX_TEST_DENIED;
   } else {
     base::win::ScopedHandle file1(CreateFile(
         argv[1], GENERIC_ALL, kSharing, NULL, OPEN_EXISTING, 0, NULL));
     base::win::ScopedHandle file2(CreateFile(
         argv[1], GENERIC_READ | FILE_WRITE_DATA, kSharing, NULL, OPEN_EXISTING,
 , NULL));
     if (file1.Get() && file2.Get())
       return SBOX_TEST_SUCCEEDED;
     return SBOX_TEST_DENIED;
   }
 }
 SBOX_TESTS_COMMAND int File_Win32Create(int argc, wchar_t **argv) {
   if (argc != 1) {
     SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
   }
   std::wstring full_path = MakePathToSys(argv[0], false);
   if (full_path.empty()) {
     return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
   }
   HANDLE file = ::CreateFileW(full_path.c_str(), GENERIC_READ, kSharing,
                               NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if (INVALID_HANDLE_VALUE != file) {
     ::CloseHandle(file);
     return SBOX_TEST_SUCCEEDED;
   } else {
     if (ERROR_ACCESS_DENIED == ::GetLastError()) {
       return SBOX_TEST_DENIED;
     } else {
       return SBOX_TEST_FAILED;
     }
   }
   return SBOX_TEST_SUCCEEDED;
 }
 // Creates the file in parameter using the NtCreateFile api and returns if the
 // call succeeded or not.
 SBOX_TESTS_COMMAND int File_CreateSys32(int argc, wchar_t **argv) {
   BINDNTDLL(NtCreateFile);
   BINDNTDLL(RtlInitUnicodeString);
   if (!NtCreateFile || !RtlInitUnicodeString)
     return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
   if (argc != 1)
     return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
   std::wstring file(argv[0]);
   if (0 != _wcsnicmp(file.c_str(), kNTObjManPrefix, kNTObjManPrefixLen))
     file = MakePathToSys(argv[0], true);
   UNICODE_STRING object_name;
   RtlInitUnicodeString(&object_name, file.c_str());
   OBJECT_ATTRIBUTES obj_attributes = {0};
   InitializeObjectAttributes(&obj_attributes, &object_name,
                              OBJ_CASE_INSENSITIVE, NULL, NULL);
   HANDLE handle;
   IO_STATUS_BLOCK io_block = {0};
   NTSTATUS status = NtCreateFile(&handle, FILE_READ_DATA, &obj_attributes,
                                  &io_block, NULL, 0, kSharing, FILE_OPEN,
 , NULL, 0);
   if (NT_SUCCESS(status)) {
     ::CloseHandle(handle);
     return SBOX_TEST_SUCCEEDED;
   } else if (STATUS_ACCESS_DENIED == status) {
     return SBOX_TEST_DENIED;
   } else if (STATUS_OBJECT_NAME_NOT_FOUND == status) {
     return SBOX_TEST_NOT_FOUND;
   }
   return SBOX_TEST_FAILED;
 }
 // Opens the file in parameter using the NtOpenFile api and returns if the
 // call succeeded or not.
 SBOX_TESTS_COMMAND int File_OpenSys32(int argc, wchar_t **argv) {
   BINDNTDLL(NtOpenFile);
   BINDNTDLL(RtlInitUnicodeString);
   if (!NtOpenFile || !RtlInitUnicodeString)
     return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
   if (argc != 1)
     return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
   std::wstring file = MakePathToSys(argv[0], true);
   UNICODE_STRING object_name;
   RtlInitUnicodeString(&object_name, file.c_str());
   OBJECT_ATTRIBUTES obj_attributes = {0};
   InitializeObjectAttributes(&obj_attributes, &object_name,
                              OBJ_CASE_INSENSITIVE, NULL, NULL);
   HANDLE handle;
   IO_STATUS_BLOCK io_block = {0};
   NTSTATUS status = NtOpenFile(&handle, FILE_READ_DATA, &obj_attributes,
                                &io_block, kSharing, 0);
   if (NT_SUCCESS(status)) {
     ::CloseHandle(handle);
     return SBOX_TEST_SUCCEEDED;
   } else if (STATUS_ACCESS_DENIED == status) {
     return SBOX_TEST_DENIED;
   } else if (STATUS_OBJECT_NAME_NOT_FOUND == status) {
     return SBOX_TEST_NOT_FOUND;
   }
   return SBOX_TEST_FAILED;
 }
 SBOX_TESTS_COMMAND int File_GetDiskSpace(int argc, wchar_t **argv) {
   std::wstring sys_path = MakePathToSys(L"", false);
   if (sys_path.empty()) {
     return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
   }
   ULARGE_INTEGER free_user = {0};
   ULARGE_INTEGER total = {0};
   ULARGE_INTEGER free_total = {0};
   if (::GetDiskFreeSpaceExW(sys_path.c_str(), &free_user, &total,
                             &free_total)) {
     if ((total.QuadPart != 0) && (free_total.QuadPart !=0)) {
       return SBOX_TEST_SUCCEEDED;
     }
   } else {
     if (ERROR_ACCESS_DENIED == ::GetLastError()) {
       return SBOX_TEST_DENIED;
     } else {
       return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
     }
   }
   return SBOX_TEST_SUCCEEDED;
 }
 // Move a file using the MoveFileEx api and returns if the call succeeded or
 // not.
 SBOX_TESTS_COMMAND int File_Rename(int argc, wchar_t **argv) {
   if (argc != 2)
     return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
   if (::MoveFileEx(argv[0], argv[1], 0))
     return SBOX_TEST_SUCCEEDED;
   if (::GetLastError() != ERROR_ACCESS_DENIED)
     return SBOX_TEST_FAILED;
   return SBOX_TEST_DENIED;
 }
 // Query the attributes of file in parameter using the NtQueryAttributesFile api
 // and NtQueryFullAttributesFile and returns if the call succeeded or not. The
 // second argument in argv is "d" or "f" telling if we expect the attributes to
 // specify a file or a directory. The expected attribute has to match the real
 // attributes for the call to be successful.
 SBOX_TESTS_COMMAND int File_QueryAttributes(int argc, wchar_t **argv) {
   BINDNTDLL(NtQueryAttributesFile);
   BINDNTDLL(NtQueryFullAttributesFile);
   BINDNTDLL(RtlInitUnicodeString);
   if (!NtQueryAttributesFile || !NtQueryFullAttributesFile ||
       !RtlInitUnicodeString)
     return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
   if (argc != 2)
     return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
   bool expect_directory = (L'd' == argv[1][0]);
   UNICODE_STRING object_name;
   std::wstring file = MakePathToSys(argv[0], true);
   RtlInitUnicodeString(&object_name, file.c_str());
   OBJECT_ATTRIBUTES obj_attributes = {0};
   InitializeObjectAttributes(&obj_attributes, &object_name,
                              OBJ_CASE_INSENSITIVE, NULL, NULL);
   FILE_BASIC_INFORMATION info = {0};
   FILE_NETWORK_OPEN_INFORMATION full_info = {0};
   NTSTATUS status1 = NtQueryAttributesFile(&obj_attributes, &info);
   NTSTATUS status2 = NtQueryFullAttributesFile(&obj_attributes, &full_info);
   if (status1 != status2)
     return SBOX_TEST_FAILED;
   if (NT_SUCCESS(status1)) {
     if (info.FileAttributes != full_info.FileAttributes)
       return SBOX_TEST_FAILED;
     bool is_directory1 = (info.FileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0;
     if (expect_directory == is_directory1)
       return SBOX_TEST_SUCCEEDED;
   } else if (STATUS_ACCESS_DENIED == status1) {
     return SBOX_TEST_DENIED;
   } else if (STATUS_OBJECT_NAME_NOT_FOUND == status1) {
     return SBOX_TEST_NOT_FOUND;
   }
   return SBOX_TEST_FAILED;
 }
 TEST(FilePolicyTest, DenyNtCreateCalc) {
   TestRunner runner;
   EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_DIR_ANY,
                                   L"calc.exe"));
   EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_CreateSys32 calc.exe"));
   runner.SetTestState(BEFORE_REVERT);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_CreateSys32 calc.exe"));
 }
 TEST(FilePolicyTest, AllowNtCreateCalc) {
   TestRunner runner;
   EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY, L"calc.exe"));
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_CreateSys32 calc.exe"));
   runner.SetTestState(BEFORE_REVERT);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_CreateSys32 calc.exe"));
 }
 TEST(FilePolicyTest, AllowNtCreateWithNativePath) {
   std::wstring calc = MakePathToSys(L"calc.exe", false);
   std::wstring nt_path;
   ASSERT_TRUE(GetNtPathFromWin32Path(calc, &nt_path));
   TestRunner runner;
   runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, nt_path.c_str());
   wchar_t buff[MAX_PATH];
   ::wsprintfW(buff, L"File_CreateSys32 %s", nt_path.c_str());
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(buff));
   std::transform(nt_path.begin(), nt_path.end(), nt_path.begin(), std::tolower);
   ::wsprintfW(buff, L"File_CreateSys32 %s", nt_path.c_str());
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(buff));
 }
 TEST(FilePolicyTest, AllowReadOnly) {
   TestRunner runner;
   // Create a temp file because we need write access to it.
   wchar_t temp_directory[MAX_PATH];
   wchar_t temp_file_name[MAX_PATH];
   ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u);
   ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name), 0u);
   EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY,
                                temp_file_name));
   wchar_t command_read[MAX_PATH + 20] = {0};
   wsprintf(command_read, L"File_Create Read \"%ls\"", temp_file_name);
   wchar_t command_write[MAX_PATH + 20] = {0};
   wsprintf(command_write, L"File_Create Write \"%ls\"", temp_file_name);
   // Verify that we have read access after revert.
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command_read));
   // Verify that we don't have write access after revert.
   EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command_write));
   // Verify that we really have write access to the file.
   runner.SetTestState(BEFORE_REVERT);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command_write));
   DeleteFile(temp_file_name);
 }
 TEST(FilePolicyTest, AllowWildcard) {
   TestRunner runner;
   // Create a temp file because we need write access to it.
   wchar_t temp_directory[MAX_PATH];
   wchar_t temp_file_name[MAX_PATH];
   ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u);
   ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name), 0u);
   wcscat_s(temp_directory, MAX_PATH, L"*");
   EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_directory));
   wchar_t command_write[MAX_PATH + 20] = {0};
   wsprintf(command_write, L"File_Create Write \"%ls\"", temp_file_name);
   // Verify that we have write access after revert.
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command_write));
   DeleteFile(temp_file_name);
 }
 TEST(FilePolicyTest, AllowNtCreatePatternRule) {
   TestRunner runner;
   EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY, L"App*.dll"));
   EXPECT_EQ(SBOX_TEST_SUCCEEDED,
             runner.RunTest(L"File_OpenSys32 appmgmts.dll"));
   EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_OpenSys32 appwiz.cpl"));
   runner.SetTestState(BEFORE_REVERT);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED,
             runner.RunTest(L"File_OpenSys32 appmgmts.dll"));
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_OpenSys32 appwiz.cpl"));
 }
 TEST(FilePolicyTest, CheckNotFound) {
   TestRunner runner;
   EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY, L"n*.dll"));
   EXPECT_EQ(SBOX_TEST_NOT_FOUND,
             runner.RunTest(L"File_OpenSys32 notfound.dll"));
 }
 TEST(FilePolicyTest, CheckNoLeak) {
   TestRunner runner;
   EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_CreateSys32 notfound.exe"));
 }
 TEST(FilePolicyTest, TestQueryAttributesFile) {
   TestRunner runner;
   EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY,
                                   L"appmgmts.dll"));
   EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY,
                                   L"notfound.exe"));
   EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY, L"drivers"));
   EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_QUERY,
                                   L"ipconfig.exe"));
   EXPECT_EQ(SBOX_TEST_SUCCEEDED,
             runner.RunTest(L"File_QueryAttributes drivers d"));
   EXPECT_EQ(SBOX_TEST_SUCCEEDED,
             runner.RunTest(L"File_QueryAttributes appmgmts.dll f"));
   EXPECT_EQ(SBOX_TEST_SUCCEEDED,
             runner.RunTest(L"File_QueryAttributes ipconfig.exe f"));
   EXPECT_EQ(SBOX_TEST_DENIED,
             runner.RunTest(L"File_QueryAttributes ftp.exe f"));
   EXPECT_EQ(SBOX_TEST_NOT_FOUND,
             runner.RunTest(L"File_QueryAttributes notfound.exe f"));
 }
 // Makes sure that we don't leak information when there is not policy to allow
 // a path.
 TEST(FilePolicyTest, TestQueryAttributesFileNoPolicy) {
   TestRunner runner;
   EXPECT_EQ(SBOX_TEST_DENIED,
             runner.RunTest(L"File_QueryAttributes ftp.exe f"));
   EXPECT_EQ(SBOX_TEST_DENIED,
             runner.RunTest(L"File_QueryAttributes notfound.exe f"));
 }
 TEST(FilePolicyTest, TestRename) {
   TestRunner runner;
   // Give access to the temp directory.
   wchar_t temp_directory[MAX_PATH];
   wchar_t temp_file_name1[MAX_PATH];
   wchar_t temp_file_name2[MAX_PATH];
   wchar_t temp_file_name3[MAX_PATH];
   wchar_t temp_file_name4[MAX_PATH];
   wchar_t temp_file_name5[MAX_PATH];
   wchar_t temp_file_name6[MAX_PATH];
   wchar_t temp_file_name7[MAX_PATH];
   wchar_t temp_file_name8[MAX_PATH];
   ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u);
   ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name1), 0u);
   ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name2), 0u);
   ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name3), 0u);
   ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name4), 0u);
   ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name5), 0u);
   ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name6), 0u);
   ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name7), 0u);
   ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name8), 0u);
   // Add rules to make file1->file2 succeed.
   ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_file_name1));
   ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_file_name2));
   // Add rules to make file3->file4 fail.
   ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_file_name3));
   ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY,
                                temp_file_name4));
   // Add rules to make file5->file6 fail.
   ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY,
                                temp_file_name5));
   ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_file_name6));
   // Add rules to make file7->no_pol_file fail.
   ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_file_name7));
   // Delete the files where the files are going to be renamed to.
   ::DeleteFile(temp_file_name2);
   ::DeleteFile(temp_file_name4);
   ::DeleteFile(temp_file_name6);
   ::DeleteFile(temp_file_name8);
   wchar_t command[MAX_PATH*2 + 20] = {0};
   wsprintf(command, L"File_Rename \"%ls\" \"%ls\"", temp_file_name1,
            temp_file_name2);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command));
   wsprintf(command, L"File_Rename \"%ls\" \"%ls\"", temp_file_name3,
            temp_file_name4);
   EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command));
   wsprintf(command, L"File_Rename \"%ls\" \"%ls\"", temp_file_name5,
            temp_file_name6);
   EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command));
   wsprintf(command, L"File_Rename \"%ls\" \"%ls\"", temp_file_name7,
            temp_file_name8);
   EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command));
   // Delete all the files in case they are still there.
   ::DeleteFile(temp_file_name1);
   ::DeleteFile(temp_file_name2);
   ::DeleteFile(temp_file_name3);
   ::DeleteFile(temp_file_name4);
   ::DeleteFile(temp_file_name5);
   ::DeleteFile(temp_file_name6);
   ::DeleteFile(temp_file_name7);
   ::DeleteFile(temp_file_name8);
 }
 TEST(FilePolicyTest, OpenSys32FilesDenyBecauseOfDir) {
   TestRunner runner;
   EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_DIR_ANY,
                                   L"notepad.exe"));
   EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_Win32Create notepad.exe"));
   runner.SetTestState(BEFORE_REVERT);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED,
             runner.RunTest(L"File_Win32Create notepad.exe"));
 }
 TEST(FilePolicyTest, OpenSys32FilesAllowNotepad) {
   TestRunner runner;
   EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY,
                                   L"notepad.exe"));
   EXPECT_EQ(SBOX_TEST_SUCCEEDED,
             runner.RunTest(L"File_Win32Create notepad.exe"));
   EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_Win32Create calc.exe"));
   runner.SetTestState(BEFORE_REVERT);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED,
             runner.RunTest(L"File_Win32Create notepad.exe"));
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_Win32Create calc.exe"));
 }
 TEST(FilePolicyTest, FileGetDiskSpace) {
   TestRunner runner;
   EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_GetDiskSpace"));
   runner.SetTestState(BEFORE_REVERT);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_GetDiskSpace"));
   // Add an 'allow' rule in the windows\system32 such that GetDiskFreeSpaceEx
   // succeeds (it does an NtOpenFile) but windows\system32\notepad.exe is
   // denied since there is no wild card in the rule.
   EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_DIR_ANY, L""));
   runner.SetTestState(BEFORE_REVERT);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_GetDiskSpace"));
   runner.SetTestState(AFTER_REVERT);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_GetDiskSpace"));
   EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_Win32Create notepad.exe"));
 }
 // http://crbug.com/146944
 TEST(FilePolicyTest, DISABLED_TestReparsePoint) {
   TestRunner runner;
   // Create a temp file because we need write access to it.
   wchar_t temp_directory[MAX_PATH];
   wchar_t temp_file_name[MAX_PATH];
   ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u);
   ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name), 0u);
   // Delete the file and create a directory instead.
   ASSERT_TRUE(::DeleteFile(temp_file_name));
   ASSERT_TRUE(::CreateDirectory(temp_file_name, NULL));
   // Create a temporary file in the subfolder.
   std::wstring subfolder = temp_file_name;
   std::wstring temp_file_title = subfolder.substr(subfolder.rfind(L"\\") + 1);
   std::wstring temp_file = subfolder + L"\\file_" + temp_file_title;
   HANDLE file = ::CreateFile(temp_file.c_str(), FILE_ALL_ACCESS,
                              FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                              CREATE_ALWAYS, 0, NULL);
   ASSERT_TRUE(INVALID_HANDLE_VALUE != file);
   ASSERT_TRUE(::CloseHandle(file));
   // Create a temporary file in the temp directory.
   std::wstring temp_dir = temp_directory;
   std::wstring temp_file_in_temp = temp_dir + L"file_" + temp_file_title;
   file = ::CreateFile(temp_file_in_temp.c_str(), FILE_ALL_ACCESS,
                       FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                       CREATE_ALWAYS, 0, NULL);
   ASSERT_TRUE(file != NULL);
   ASSERT_TRUE(::CloseHandle(file));
   // Give write access to the temp directory.
   std::wstring temp_dir_wildcard = temp_dir + L"*";
   EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY,
                                temp_dir_wildcard.c_str()));
   // Prepare the command to execute.
   std::wstring command_write;
   command_write += L"File_Create Write \"";
   command_write += temp_file;
   command_write += L"\"";
   // Verify that we have write access to the original file
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command_write.c_str()));
   // Replace the subfolder by a reparse point to %temp%.
   ::DeleteFile(temp_file.c_str());
   HANDLE dir = ::CreateFile(subfolder.c_str(), FILE_ALL_ACCESS,
                             FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                             OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
   EXPECT_TRUE(INVALID_HANDLE_VALUE != dir);
   std::wstring temp_dir_nt;
   temp_dir_nt += L"\\??\\";
   temp_dir_nt += temp_dir;
   EXPECT_TRUE(SetReparsePoint(dir, temp_dir_nt.c_str()));
   EXPECT_TRUE(::CloseHandle(dir));
   // Try to open the file again.
   EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command_write.c_str()));
   // Remove the reparse point.
   dir = ::CreateFile(subfolder.c_str(), FILE_ALL_ACCESS,
                      FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING,
                      FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT,
                      NULL);
   EXPECT_TRUE(INVALID_HANDLE_VALUE != dir);
   EXPECT_TRUE(DeleteReparsePoint(dir));
   EXPECT_TRUE(::CloseHandle(dir));
   // Cleanup.
   EXPECT_TRUE(::DeleteFile(temp_file_in_temp.c_str()));
   EXPECT_TRUE(::RemoveDirectory(subfolder.c_str()));
 }
 }  // namespace sandbox

The Tor Browser / annotate

security/sandbox/win/src/file_policy_test.cc@6474c204b198 (annotated)

security/sandbox/win/src/file_policy_test.cc