michael@0: // Copyright (c) 2006-2010 The Chromium Authors. All rights reserved. michael@0: // Use of this source code is governed by a BSD-style license that can be michael@0: // found in the LICENSE file. michael@0: michael@0: #include michael@0: michael@0: #include "testing/gtest/include/gtest/gtest.h" michael@0: #include "sandbox/win/src/registry_policy.h" michael@0: #include "sandbox/win/src/sandbox.h" michael@0: #include "sandbox/win/src/sandbox_policy.h" michael@0: #include "sandbox/win/src/sandbox_factory.h" michael@0: #include "sandbox/win/src/nt_internals.h" michael@0: #include "sandbox/win/src/win_utils.h" michael@0: #include "sandbox/win/tests/common/controller.h" michael@0: michael@0: namespace { michael@0: michael@0: static const DWORD kAllowedRegFlags = KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | michael@0: KEY_NOTIFY | KEY_READ | GENERIC_READ | michael@0: GENERIC_EXECUTE | READ_CONTROL; michael@0: michael@0: #define BINDNTDLL(name) \ michael@0: name ## Function name = reinterpret_cast( \ michael@0: ::GetProcAddress(::GetModuleHandle(L"ntdll.dll"), #name)) michael@0: michael@0: bool IsKeyOpenForRead(HKEY handle) { michael@0: BINDNTDLL(NtQueryObject); michael@0: michael@0: OBJECT_BASIC_INFORMATION info = {0}; michael@0: NTSTATUS status = NtQueryObject(handle, ObjectBasicInformation, &info, michael@0: sizeof(info), NULL); michael@0: michael@0: if (!NT_SUCCESS(status)) michael@0: return false; michael@0: michael@0: if ((info.GrantedAccess & (~kAllowedRegFlags)) != 0) michael@0: return false; michael@0: return true; michael@0: } michael@0: michael@0: } michael@0: michael@0: namespace sandbox { michael@0: michael@0: SBOX_TESTS_COMMAND int Reg_OpenKey(int argc, wchar_t **argv) { michael@0: if (argc != 4) michael@0: return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; michael@0: michael@0: REGSAM desired_access = 0; michael@0: ULONG options = 0; michael@0: if (wcscmp(argv[1], L"read") == 0) { michael@0: desired_access = KEY_READ; michael@0: } else if (wcscmp(argv[1], L"write") == 0) { michael@0: desired_access = KEY_ALL_ACCESS; michael@0: } else if (wcscmp(argv[1], L"link") == 0) { michael@0: options = REG_OPTION_CREATE_LINK; michael@0: desired_access = KEY_ALL_ACCESS; michael@0: } else { michael@0: desired_access = MAXIMUM_ALLOWED; michael@0: } michael@0: michael@0: HKEY root = GetReservedKeyFromName(argv[2]); michael@0: HKEY key; michael@0: LRESULT result = 0; michael@0: michael@0: if (wcscmp(argv[0], L"create") == 0) michael@0: result = ::RegCreateKeyEx(root, argv[3], 0, NULL, options, desired_access, michael@0: NULL, &key, NULL); michael@0: else michael@0: result = ::RegOpenKeyEx(root, argv[3], 0, desired_access, &key); michael@0: michael@0: if (ERROR_SUCCESS == result) { michael@0: if (MAXIMUM_ALLOWED == desired_access) { michael@0: if (!IsKeyOpenForRead(key)) { michael@0: ::RegCloseKey(key); michael@0: return SBOX_TEST_FAILED; michael@0: } michael@0: } michael@0: ::RegCloseKey(key); michael@0: return SBOX_TEST_SUCCEEDED; michael@0: } else if (ERROR_ACCESS_DENIED == result) { michael@0: return SBOX_TEST_DENIED; michael@0: } michael@0: michael@0: return SBOX_TEST_FAILED; michael@0: } michael@0: michael@0: TEST(RegistryPolicyTest, TestKeyAnyAccess) { michael@0: TestRunner runner; michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_READONLY, michael@0: L"HKEY_LOCAL_MACHINE")); michael@0: michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_ANY, michael@0: L"HKEY_LOCAL_MACHINE\\Software\\Microsoft")); michael@0: michael@0: // Tests read access on key allowed for read-write. michael@0: EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest( michael@0: L"Reg_OpenKey create read HKEY_LOCAL_MACHINE software\\microsoft")); michael@0: michael@0: EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest( michael@0: L"Reg_OpenKey open read HKEY_LOCAL_MACHINE software\\microsoft")); michael@0: michael@0: if (::IsUserAnAdmin()) { michael@0: // Tests write access on key allowed for read-write. michael@0: EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest( michael@0: L"Reg_OpenKey create write HKEY_LOCAL_MACHINE software\\microsoft")); michael@0: michael@0: EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest( michael@0: L"Reg_OpenKey open write HKEY_LOCAL_MACHINE software\\microsoft")); michael@0: } michael@0: michael@0: // Tests subdirectory access on keys where we don't have subdirectory acess. michael@0: EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Reg_OpenKey create read " michael@0: L"HKEY_LOCAL_MACHINE software\\microsoft\\Windows")); michael@0: michael@0: EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Reg_OpenKey open read " michael@0: L"HKEY_LOCAL_MACHINE software\\microsoft\\windows")); michael@0: michael@0: // Tests to see if we can create keys where we dont have subdirectory access. michael@0: // This is denied. michael@0: EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Reg_OpenKey create write " michael@0: L"HKEY_LOCAL_MACHINE software\\Microsoft\\google_unit_tests")); michael@0: michael@0: RegDeleteKey(HKEY_LOCAL_MACHINE, L"software\\Microsoft\\google_unit_tests"); michael@0: michael@0: // Tests if we need to handle differently the "\\" at the end. michael@0: // This is denied. We need to add both rules. michael@0: EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest( michael@0: L"Reg_OpenKey create read HKEY_LOCAL_MACHINE software\\microsoft\\")); michael@0: michael@0: EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest( michael@0: L"Reg_OpenKey open read HKEY_LOCAL_MACHINE software\\microsoft\\")); michael@0: } michael@0: michael@0: TEST(RegistryPolicyTest, TestKeyNoAccess) { michael@0: TestRunner runner; michael@0: michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_READONLY, michael@0: L"HKEY_LOCAL_MACHINE")); michael@0: michael@0: // Tests read access where we don't have access at all. michael@0: EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest( michael@0: L"Reg_OpenKey create read HKEY_LOCAL_MACHINE software")); michael@0: michael@0: EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest( michael@0: L"Reg_OpenKey open read HKEY_LOCAL_MACHINE software")); michael@0: } michael@0: michael@0: TEST(RegistryPolicyTest, TestKeyReadOnlyAccess) { michael@0: TestRunner runner; michael@0: michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_READONLY, michael@0: L"HKEY_LOCAL_MACHINE")); michael@0: michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_READONLY, michael@0: L"HKEY_LOCAL_MACHINE\\Software\\Policies")); michael@0: michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_READONLY, michael@0: L"HKEY_LOCAL_MACHINE\\Software\\Policies\\*")); michael@0: michael@0: // Tests subdirectory acess on keys where we have subdirectory acess. michael@0: EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Reg_OpenKey create read " michael@0: L"HKEY_LOCAL_MACHINE software\\Policies\\microsoft")); michael@0: michael@0: EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Reg_OpenKey open read " michael@0: L"HKEY_LOCAL_MACHINE software\\Policies\\microsoft")); michael@0: michael@0: // Tests to see if we can create keys where we have subdirectory access. michael@0: EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Reg_OpenKey create write " michael@0: L"HKEY_LOCAL_MACHINE software\\Policies\\google_unit_tests")); michael@0: michael@0: RegDeleteKey(HKEY_LOCAL_MACHINE, L"software\\Policies\\google_unit_tests"); michael@0: } michael@0: michael@0: TEST(RegistryPolicyTest, TestKeyAllAccessSubDir) { michael@0: TestRunner runner; michael@0: michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_READONLY, michael@0: L"HKEY_LOCAL_MACHINE")); michael@0: michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_ANY, michael@0: L"HKEY_LOCAL_MACHINE\\Software\\Policies")); michael@0: michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_ANY, michael@0: L"HKEY_LOCAL_MACHINE\\Software\\Policies\\*")); michael@0: michael@0: if (::IsUserAnAdmin()) { michael@0: // Tests to see if we can create keys where we have subdirectory access. michael@0: EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Reg_OpenKey create write " michael@0: L"HKEY_LOCAL_MACHINE software\\Policies\\google_unit_tests")); michael@0: michael@0: RegDeleteKey(HKEY_LOCAL_MACHINE, L"software\\Policies\\google_unit_tests"); michael@0: } michael@0: } michael@0: michael@0: TEST(RegistryPolicyTest, TestKeyCreateLink) { michael@0: TestRunner runner; michael@0: michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_READONLY, michael@0: L"HKEY_LOCAL_MACHINE")); michael@0: michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_ANY, michael@0: L"HKEY_LOCAL_MACHINE\\Software\\Policies")); michael@0: michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_ANY, michael@0: L"HKEY_LOCAL_MACHINE\\Software\\Policies\\*")); michael@0: michael@0: // Tests to see if we can create a registry link key. michael@0: // NOTE: In theory here we should make sure to check for SBOX_TEST_DENIED michael@0: // instead of !SBOX_TEST_SUCCEEDED, but unfortunately the result is not michael@0: // access denied. Internally RegCreateKeyEx (At least on Vista 64) tries to michael@0: // create the link, and we return successfully access denied, then, it michael@0: // decides to try to break the path in multiple chunks, and create the links michael@0: // one by one. In this scenario, it tries to create "HKLM\Software" as a michael@0: // link key, which obviously fail with STATUS_OBJECT_NAME_COLLISION, and michael@0: // this is what is returned to the user. michael@0: EXPECT_NE(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Reg_OpenKey create link " michael@0: L"HKEY_LOCAL_MACHINE software\\Policies\\google_unit_tests")); michael@0: michael@0: // In case our code fails, and the call works, we need to delete the new michael@0: // link. There is no api for this, so we need to use the NT call. michael@0: HKEY key = NULL; michael@0: LRESULT result = ::RegOpenKeyEx(HKEY_LOCAL_MACHINE, michael@0: L"software\\Policies\\google_unit_tests", michael@0: REG_OPTION_OPEN_LINK, MAXIMUM_ALLOWED, michael@0: &key); michael@0: michael@0: if (!result) { michael@0: HMODULE ntdll = GetModuleHandle(L"ntdll.dll"); michael@0: NtDeleteKeyFunction NtDeleteKey = michael@0: reinterpret_cast(GetProcAddress(ntdll, michael@0: "NtDeleteKey")); michael@0: NtDeleteKey(key); michael@0: } michael@0: } michael@0: michael@0: TEST(RegistryPolicyTest, TestKeyReadOnlyHKCU) { michael@0: TestRunner runner; michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_READONLY, michael@0: L"HKEY_CURRENT_USER")); michael@0: michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_READONLY, michael@0: L"HKEY_CURRENT_USER\\Software")); michael@0: michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_READONLY, michael@0: L"HKEY_USERS\\.default")); michael@0: michael@0: EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY, michael@0: TargetPolicy::REG_ALLOW_READONLY, michael@0: L"HKEY_USERS\\.default\\software")); michael@0: michael@0: // Tests read access where we only have read-only access. michael@0: EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest( michael@0: L"Reg_OpenKey create read HKEY_CURRENT_USER software")); michael@0: michael@0: EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest( michael@0: L"Reg_OpenKey open read HKEY_CURRENT_USER software")); michael@0: michael@0: // Tests write access where we only have read-only acess. michael@0: EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest( michael@0: L"Reg_OpenKey create write HKEY_CURRENT_USER software")); michael@0: michael@0: EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest( michael@0: L"Reg_OpenKey open write HKEY_CURRENT_USER software")); michael@0: michael@0: // Tests maximum allowed access where we only have read-only access. michael@0: EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest( michael@0: L"Reg_OpenKey create maximum_allowed HKEY_CURRENT_USER software")); michael@0: michael@0: EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest( michael@0: L"Reg_OpenKey open maximum_allowed HKEY_CURRENT_USER software")); michael@0: } michael@0: michael@0: } // namespace sandbox