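// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <windows.h>
#include <string>

#include "base/strings/string16.h"
#include "base/strings/sys_string_conversions.h"
#include "base/win/scoped_handle.h"
#include "base/win/scoped_process_information.h"
#include "base/win/windows_version.h"
#include "sandbox/win/src/sandbox.h"
#include "sandbox/win/src/sandbox_factory.h"
#include "sandbox/win/src/sandbox_policy.h"
#include "sandbox/win/tests/common/controller.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace {

// Builds "<windows dir>\system32\<name>" without going through the shell API.
// GetSystemWindowsDirectoryW is used deliberately: it does not query the
// registry, so it stays usable inside the target after the sandbox token has
// been reverted.
//
// Returns an empty string when the Windows directory cannot be determined
// (API failure, or a directory name that does not fit in MAX_PATH). Callers
// treat an empty result as a setup failure rather than building a path from
// an unspecified buffer.
string16 MakeFullPathToSystem32(const wchar_t* name) {
  wchar_t windows_path[MAX_PATH] = {0};
  // 0 means the call failed and the buffer contents are not meaningful;
  // >= MAX_PATH means the buffer was too small (the return is the required
  // size). Either way, fall through to the empty result.
  const UINT length = ::GetSystemWindowsDirectoryW(windows_path, MAX_PATH);
  if (length == 0 || length >= MAX_PATH)
    return string16();

  string16 full_path(windows_path);
  full_path += L"\\system32\\";
  full_path += name;
  return full_path;
}

// Creates a process with the |exe| and |command| parameter using the
// unicode and ascii version of the api.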
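// Maps the GetLastError() value of a failed CreateProcess call onto a test
// result. The three codes below are treated as the sandbox policy denying
// the launch (SBOX_TEST_DENIED); anything else is an unexpected failure.
// Note that ERROR_FILE_NOT_FOUND is counted as a denial too, so a missing
// executable is indistinguishable from a policy block: the tests that expect
// SBOX_TEST_SUCCEEDED rely on the requested binary actually existing.
sandbox::SboxTestResult MapCreateProcessError(DWORD last_error) {
  if ((ERROR_NOT_ENOUGH_QUOTA == last_error) ||
      (ERROR_ACCESS_DENIED == last_error) ||
      (ERROR_FILE_NOT_FOUND == last_error)) {
    return sandbox::SBOX_TEST_DENIED;
  }
  return sandbox::SBOX_TEST_FAILED;
}

// Launches |exe| (lpApplicationName) with |command| (lpCommandLine) twice,
// once through CreateProcessW and once through CreateProcessA, and returns
// the outcome they agree on. An empty string is passed to the API as NULL.
// If the two flavours disagree the result is SBOX_TEST_FAILED, because the
// policy has to be enforced identically on both entry points.
//
// Launched processes are not terminated here; only their handles are closed.
sandbox::SboxTestResult CreateProcessHelper(const string16& exe,
                                            const string16& command) {
  base::win::ScopedProcessInformation pi;
  STARTUPINFOW si = {sizeof(si)};

  const wchar_t* exe_name = exe.empty() ? NULL : exe.c_str();
  const wchar_t* cmd_line = command.empty() ? NULL : command.c_str();

  // Unicode flavour. CreateProcessW is documented as possibly writing into
  // lpCommandLine, hence the const_cast; the buffer belongs to |command|,
  // which outlives the call.
  sandbox::SboxTestResult ret1 = sandbox::SBOX_TEST_FAILED;
  if (::CreateProcessW(exe_name, const_cast<wchar_t*>(cmd_line), NULL, NULL,
                       FALSE, 0, NULL, NULL, &si, pi.Receive())) {
    ret1 = sandbox::SBOX_TEST_SUCCEEDED;
  } else {
    // Read the error before any other call can overwrite it.
    ret1 = MapCreateProcessError(::GetLastError());
  }

  // Release the first launch's handles before |pi| receives the second set.
  pi.Close();

  // ANSI flavour. The narrow copies live in locals so they are valid for the
  // whole call and lpCommandLine can again be handed over as writable.
  STARTUPINFOA sia = {sizeof(sia)};
  sandbox::SboxTestResult ret2 = sandbox::SBOX_TEST_FAILED;

  std::string narrow_exe_name;
  if (exe_name)
    narrow_exe_name = base::SysWideToMultiByte(exe_name, CP_UTF8);
  std::string narrow_cmd_line;
  if (cmd_line)
    narrow_cmd_line = base::SysWideToMultiByte(cmd_line, CP_UTF8);

  // NOTE(review): the conversion produces UTF-8 while CreateProcessA reads
  // its arguments in the process's ANSI code page. The names used by these
  // tests are plain ASCII, where the two coincide; non-ASCII input would not
  // round-trip.
  if (::CreateProcessA(exe_name ? narrow_exe_name.c_str() : NULL,
                       cmd_line ? const_cast<char*>(narrow_cmd_line.c_str())
                                : NULL,
                       NULL, NULL, FALSE, 0, NULL, NULL, &sia, pi.Receive())) {
    ret2 = sandbox::SBOX_TEST_SUCCEEDED;
  } else {
    ret2 = MapCreateProcessError(::GetLastError());
  }

  // Both API flavours must observe the same policy decision.
  return (ret1 == ret2) ? ret1 : sandbox::SBOX_TEST_FAILED;
}

// True when a test command received exactly one non-NULL argument.
bool HasSingleArgument(int argc, wchar_t** argv) {
  return (argc == 1) && (argv != NULL) && (argv[0] != NULL);
}

}  // namespace

namespace sandbox {

// TEST 1: full system32 path in lpApplicationName, no command line.
SBOX_TESTS_COMMAND int Process_RunApp1(int argc, wchar_t **argv) {
  if (!HasSingleArgument(argc, argv))
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;

  string16 path = MakeFullPathToSystem32(argv[0]);
  return CreateProcessHelper(path, string16());
}

// TEST 2: quoted full path in lpCommandLine, no lpApplicationName.
SBOX_TESTS_COMMAND int Process_RunApp2(int argc, wchar_t **argv) {
  if (!HasSingleArgument(argc, argv))
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;

  string16 path = MakeFullPathToSystem32(argv[0]);
  string16 cmd_line = L"\"";
  cmd_line += path;
  cmd_line += L"\"";
  return CreateProcessHelper(string16(), cmd_line);
}

// TEST 3: bare file name in lpCommandLine, leaving the lookup to the loader.
SBOX_TESTS_COMMAND int Process_RunApp3(int argc, wchar_t **argv) {
  if (!HasSingleArgument(argc, argv))
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;

  return CreateProcessHelper(string16(), argv[0]);
}

// TEST 4: bare file name in lpApplicationName while the current directory
// is temporarily switched to system32, then restored. Returns
// SBOX_TEST_FIRST_ERROR when the current directory cannot be read and
// SBOX_TEST_SECOND_ERROR when it cannot be changed to system32; a failed
// restore turns the result into SBOX_TEST_FAILED.
SBOX_TESTS_COMMAND int Process_RunApp4(int argc, wchar_t **argv) {
  if (!HasSingleArgument(argc, argv))
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;

  string16 system32 = MakeFullPathToSystem32(L"");
  // One extra slot so the appended backslash and terminator always fit when
  // the directory name is exactly MAX_PATH - 1 characters long.
  wchar_t current_directory[MAX_PATH + 1];
  DWORD ret = ::GetCurrentDirectory(MAX_PATH, current_directory);
  if (!ret)
    return SBOX_TEST_FIRST_ERROR;
  // A return >= MAX_PATH means the buffer was too small; the test cannot run.
  if (ret >= MAX_PATH)
    return SBOX_TEST_FAILED;

  current_directory[ret] = L'\\';
  current_directory[ret + 1] = L'\0';
  if (!::SetCurrentDirectory(system32.c_str()))
    return SBOX_TEST_SECOND_ERROR;

  int result4 = CreateProcessHelper(argv[0], string16());
  // Always try to put the directory back; if that fails the environment is
  // no longer what the test assumed, so report a failure.
  if (!::SetCurrentDirectory(current_directory))
    return SBOX_TEST_FAILED;
  return result4;
}

// TEST 5: quoted full path plus an argument ("/I") in lpCommandLine.
SBOX_TESTS_COMMAND int Process_RunApp5(int argc, wchar_t **argv) {
  if (!HasSingleArgument(argc, argv))
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;

  string16 path = MakeFullPathToSystem32(argv[0]);
  string16 cmd_line = L"\"";
  cmd_line += path;
  cmd_line += L"\" /I";
  return CreateProcessHelper(string16(), cmd_line);
}

// TEST 6: bare file name plus an argument ("/I") in lpCommandLine.
SBOX_TESTS_COMMAND int Process_RunApp6(int argc, wchar_t **argv) {
  if (!HasSingleArgument(argc, argv))
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;

  string16 cmd_line = argv[0];
  cmd_line += L" /I";
  return CreateProcessHelper(string16(), cmd_line);
}

// Starts |argv[0]| (resolved under system32) suspended, attempts to open the
// child's token for TOKEN_IMPERSONATE, then terminates the child. Returns
// SBOX_TEST_SUCCEEDED when a token handle was obtained, SBOX_TEST_DENIED on
// ERROR_ACCESS_DENIED and SBOX_TEST_FAILED for any other outcome, including
// a child that could not be terminated.
SBOX_TESTS_COMMAND int Process_GetChildProcessToken(int argc, wchar_t **argv) {
  if (!HasSingleArgument(argc, argv))
    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;

  string16 path = MakeFullPathToSystem32(argv[0]);

  base::win::ScopedProcessInformation pi;
  STARTUPINFOW si = {sizeof(si)};

  // CREATE_SUSPENDED: the child never runs any code; it exists only so its
  // token can be probed and is killed below.
  if (!::CreateProcessW(path.c_str(), NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
                        NULL, NULL, &si, pi.Receive())) {
    return SBOX_TEST_FAILED;
  }

  HANDLE token = NULL;
  BOOL result =
      ::OpenProcessToken(pi.process_handle(), TOKEN_IMPERSONATE, &token);
  // Capture the error now; TerminateProcess below would overwrite it.
  DWORD error = ::GetLastError();

  // Owns |token| (if any) for the rest of the function.
  base::win::ScopedHandle token_handle(token);

  if (!::TerminateProcess(pi.process_handle(), 0))
    return SBOX_TEST_FAILED;

  if (result && token)
    return SBOX_TEST_SUCCEEDED;

  if (ERROR_ACCESS_DENIED == error)
    return SBOX_TEST_DENIED;

  return SBOX_TEST_FAILED;
}

// Opens the calling process's own token with TOKEN_ALL_ACCESS. Takes no
// arguments. Returns SBOX_TEST_SUCCEEDED when the token opens,
// SBOX_TEST_DENIED on ERROR_ACCESS_DENIED and SBOX_TEST_FAILED otherwise.
SBOX_TESTS_COMMAND int Process_OpenToken(int argc, wchar_t **argv) {
  HANDLE token = NULL;
  if (::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, &token)) {
    ::CloseHandle(token);
    return SBOX_TEST_SUCCEEDED;
  }
  if (ERROR_ACCESS_DENIED == ::GetLastError())
    return SBOX_TEST_DENIED;
  return SBOX_TEST_FAILED;
}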
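
// The "all access" process rule must be refused when the target runs with a
// token weaker than the one the rule would hand to the child.
TEST(ProcessPolicyTest, TestAllAccess) {
  // Check if the "all access" rule fails to be added when the token is too
  // powerful.
  TestRunner runner;

  // Check the failing case: lockdown token for the target, ALL_EXEC rule.
  runner.GetPolicy()->SetTokenLevel(USER_INTERACTIVE, USER_LOCKDOWN);
  EXPECT_EQ(SBOX_ERROR_UNSUPPORTED,
            runner.GetPolicy()->AddRule(TargetPolicy::SUBSYS_PROCESS,
                                        TargetPolicy::PROCESS_ALL_EXEC,
                                        L"this is not important"));

  // Check the working case: an interactive token may be passed on.
  runner.GetPolicy()->SetTokenLevel(USER_INTERACTIVE, USER_INTERACTIVE);

  EXPECT_EQ(SBOX_ALL_OK,
            runner.GetPolicy()->AddRule(TargetPolicy::SUBSYS_PROCESS,
                                        TargetPolicy::PROCESS_ALL_EXEC,
                                        L"this is not important"));
}

// With a MIN_EXEC rule for findstr.exe only, every way of spelling the
// target (full path in app name, quoted path or bare name on the command
// line, with or without extra arguments) must be allowed for findstr.exe and
// denied for calc.exe, through both the W and the A entry points.
TEST(ProcessPolicyTest, CreateProcessAW) {
  TestRunner runner;
  string16 exe_path = MakeFullPathToSystem32(L"findstr.exe");
  string16 system32 = MakeFullPathToSystem32(L"");
  ASSERT_TRUE(!exe_path.empty());
  EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
                             TargetPolicy::PROCESS_MIN_EXEC,
                             exe_path.c_str()));

  // Need to add directory rules for the directories that we use in
  // SetCurrentDirectory.
  EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_DIR_ANY,
                               system32.c_str()));

  // One extra slot: |ret| may be MAX_PATH - 1, and the backslash appended
  // below plus the terminator must still fit (same sizing as Process_RunApp4).
  wchar_t current_directory[MAX_PATH + 1];
  DWORD ret = ::GetCurrentDirectory(MAX_PATH, current_directory);
  ASSERT_TRUE(0 != ret && ret < MAX_PATH);

  wcscat_s(current_directory, MAX_PATH + 1, L"\\");
  EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_DIR_ANY,
                               current_directory));

  // Not on the allow list: every spelling must be denied.
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp1 calc.exe"));
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp2 calc.exe"));
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp3 calc.exe"));
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp5 calc.exe"));
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp6 calc.exe"));

  // On the allow list: every spelling must go through.
  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
            runner.RunTest(L"Process_RunApp1 findstr.exe"));
  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
            runner.RunTest(L"Process_RunApp2 findstr.exe"));
  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
            runner.RunTest(L"Process_RunApp3 findstr.exe"));
  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
            runner.RunTest(L"Process_RunApp5 findstr.exe"));
  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
            runner.RunTest(L"Process_RunApp6 findstr.exe"));

#if !defined(_WIN64)
  if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
    // WinXP results are not reliable.
    // Inside the target, switching the current directory to system32 is
    // expected to fail (SECOND_ERROR) regardless of which binary is asked
    // for, so RunApp4 never reaches the CreateProcess call here.
    EXPECT_EQ(SBOX_TEST_SECOND_ERROR,
              runner.RunTest(L"Process_RunApp4 calc.exe"));
    EXPECT_EQ(SBOX_TEST_SECOND_ERROR,
              runner.RunTest(L"Process_RunApp4 findstr.exe"));
  }
#endif
}

// A target must still be able to open its own token with full access.
TEST(ProcessPolicyTest, OpenToken) {
  TestRunner runner;
  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_OpenToken"));
}

// MIN_EXEC: the child may be launched, but its token must not be obtainable
// from the target.
TEST(ProcessPolicyTest, TestGetProcessTokenMinAccess) {
  TestRunner runner;
  string16 exe_path = MakeFullPathToSystem32(L"findstr.exe");
  ASSERT_TRUE(!exe_path.empty());
  EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
                             TargetPolicy::PROCESS_MIN_EXEC,
                             exe_path.c_str()));

  EXPECT_EQ(SBOX_TEST_DENIED,
            runner.RunTest(L"Process_GetChildProcessToken findstr.exe"));
}

// ALL_EXEC with an interactive token: the child's token is reachable.
TEST(ProcessPolicyTest, TestGetProcessTokenMaxAccess) {
  TestRunner runner(JOB_UNPROTECTED, USER_INTERACTIVE, USER_INTERACTIVE);
  string16 exe_path = MakeFullPathToSystem32(L"findstr.exe");
  ASSERT_TRUE(!exe_path.empty());
  EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
                             TargetPolicy::PROCESS_ALL_EXEC,
                             exe_path.c_str()));

  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
            runner.RunTest(L"Process_GetChildProcessToken findstr.exe"));
}

// Same as TestGetProcessTokenMinAccess, but without a job object: the token
// restriction alone must keep the child's token out of reach.
TEST(ProcessPolicyTest, TestGetProcessTokenMinAccessNoJob) {
  TestRunner runner(JOB_NONE, USER_RESTRICTED_SAME_ACCESS, USER_LOCKDOWN);
  string16 exe_path = MakeFullPathToSystem32(L"findstr.exe");
  ASSERT_TRUE(!exe_path.empty());
  EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
                             TargetPolicy::PROCESS_MIN_EXEC,
                             exe_path.c_str()));

  EXPECT_EQ(SBOX_TEST_DENIED,
            runner.RunTest(L"Process_GetChildProcessToken findstr.exe"));
}

// Same as TestGetProcessTokenMaxAccess, but without a job object.
TEST(ProcessPolicyTest, TestGetProcessTokenMaxAccessNoJob) {
  TestRunner runner(JOB_NONE, USER_INTERACTIVE, USER_INTERACTIVE);
  string16 exe_path = MakeFullPathToSystem32(L"findstr.exe");
  ASSERT_TRUE(!exe_path.empty());
  EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
                             TargetPolicy::PROCESS_ALL_EXEC,
                             exe_path.c_str()));

  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
            runner.RunTest(L"Process_GetChildProcessToken findstr.exe"));
}

}  // namespace sandbox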