1// Copyright (c) 2014 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "base/win/windows_version.h" 6#include "sandbox/win/src/handle_closer.h" 7#include "sandbox/win/src/sandbox.h" 8#include "sandbox/win/src/sandbox_policy.h" 9#include "sandbox/win/src/sandbox_factory.h" 10#include "sandbox/win/tests/common/controller.h" 11#include "testing/gtest/include/gtest/gtest.h" 12 13namespace sandbox { 14 15 16SBOX_TESTS_COMMAND int NamedPipe_Create(int argc, wchar_t **argv) { 17 if (argc < 1 || argc > 2) { 18 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; 19 } 20 if ((NULL == argv) || (NULL == argv[0])) { 21 return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; 22 } 23 24 HANDLE pipe = ::CreateNamedPipeW(argv[0], 25 PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED, 26 PIPE_TYPE_BYTE | PIPE_READMODE_BYTE, 1, 4096, 27 4096, 2000, NULL); 28 if (INVALID_HANDLE_VALUE == pipe) 29 return SBOX_TEST_DENIED; 30 31 // The second parameter allows us to enforce a whitelist for where the 32 // pipe should be in the object namespace after creation. 33 if (argc == 2) { 34 base::string16 handle_name; 35 if (GetHandleName(pipe, &handle_name)) { 36 if (handle_name.compare(0, wcslen(argv[1]), argv[1]) != 0) 37 return SBOX_TEST_FAILED; 38 } else { 39 return SBOX_TEST_FAILED; 40 } 41 } 42 43 OVERLAPPED overlapped = {0}; 44 overlapped.hEvent = ::CreateEvent(NULL, TRUE, TRUE, NULL); 45 BOOL result = ::ConnectNamedPipe(pipe, &overlapped); 46 47 if (!result) { 48 DWORD error = ::GetLastError(); 49 if (ERROR_PIPE_CONNECTED != error && 50 ERROR_IO_PENDING != error) { 51 return SBOX_TEST_FAILED; 52 } 53 } 54 55 if (!::CloseHandle(pipe)) 56 return SBOX_TEST_FAILED; 57 58 ::CloseHandle(overlapped.hEvent); 59 return SBOX_TEST_SUCCEEDED; 60} 61 62// Tests if we can create a pipe in the sandbox. 63TEST(NamedPipePolicyTest, CreatePipe) { 64 TestRunner runner; 65 // TODO(nsylvain): This policy is wrong because "*" is a valid char in a 66 // namedpipe name. Here we apply it like a wildcard. http://b/893603 67 EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES, 68 TargetPolicy::NAMEDPIPES_ALLOW_ANY, 69 L"\\\\.\\pipe\\test*")); 70 71 EXPECT_EQ(SBOX_TEST_SUCCEEDED, 72 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\testbleh")); 73 74 // On XP, the sandbox can create a pipe without any help but it fails on 75 // Vista+, this is why we do not test the "denied" case. 76 if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) { 77 EXPECT_EQ(SBOX_TEST_DENIED, 78 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\bleh")); 79 } 80} 81 82// Tests if we can create a pipe with a path traversal in the sandbox. 83TEST(NamedPipePolicyTest, CreatePipeTraversal) { 84 TestRunner runner; 85 // TODO(nsylvain): This policy is wrong because "*" is a valid char in a 86 // namedpipe name. Here we apply it like a wildcard. http://b/893603 87 EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES, 88 TargetPolicy::NAMEDPIPES_ALLOW_ANY, 89 L"\\\\.\\pipe\\test*")); 90 91 // On XP, the sandbox can create a pipe without any help but it fails on 92 // Vista+, this is why we do not test the "denied" case. 93 if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) { 94 EXPECT_EQ(SBOX_TEST_DENIED, 95 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test\\..\\bleh")); 96 EXPECT_EQ(SBOX_TEST_DENIED, 97 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test/../bleh")); 98 EXPECT_EQ(SBOX_TEST_DENIED, 99 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test\\../bleh")); 100 EXPECT_EQ(SBOX_TEST_DENIED, 101 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test/..\\bleh")); 102 } 103} 104 105// This tests that path canonicalization is actually disabled if we use \\?\ 106// syntax. 107TEST(NamedPipePolicyTest, CreatePipeCanonicalization) { 108 // "For file I/O, the "\\?\" prefix to a path string tells the Windows APIs to 109 // disable all string parsing and to send the string that follows it straight 110 // to the file system." 111 // http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx 112 const wchar_t* argv[2] = { L"\\\\?\\pipe\\test\\..\\bleh", 113 L"\\Device\\NamedPipe\\test" }; 114 EXPECT_EQ(SBOX_TEST_SUCCEEDED, 115 NamedPipe_Create(2, const_cast<wchar_t**>(argv))); 116} 117 118// The same test as CreatePipe but this time using strict interceptions. 119TEST(NamedPipePolicyTest, CreatePipeStrictInterceptions) { 120 TestRunner runner; 121 runner.GetPolicy()->SetStrictInterceptions(); 122 123 // TODO(nsylvain): This policy is wrong because "*" is a valid char in a 124 // namedpipe name. Here we apply it like a wildcard. http://b/893603 125 EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES, 126 TargetPolicy::NAMEDPIPES_ALLOW_ANY, 127 L"\\\\.\\pipe\\test*")); 128 129 EXPECT_EQ(SBOX_TEST_SUCCEEDED, 130 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\testbleh")); 131 132 // On XP, the sandbox can create a pipe without any help but it fails on 133 // Vista+, this is why we do not test the "denied" case. 134 if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) { 135 EXPECT_EQ(SBOX_TEST_DENIED, 136 runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\bleh")); 137 } 138} 139 140} // namespace sandbox 141