15d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)// Copyright (c) 2014 The Chromium Authors. All rights reserved. 25821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Use of this source code is governed by a BSD-style license that can be 35821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// found in the LICENSE file. 45821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 55d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)#include "base/win/windows_version.h" 65d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)#include "sandbox/win/src/handle_closer.h" 75821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/sandbox.h" 85821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/sandbox_policy.h" 95821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/sandbox_factory.h" 105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/tests/common/controller.h" 115d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)#include "testing/gtest/include/gtest/gtest.h" 125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)namespace sandbox { 145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SBOX_TESTS_COMMAND int NamedPipe_Create(int argc, wchar_t **argv) { 175d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (argc < 1 || argc > 2) { 185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; 195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if ((NULL == argv) || (NULL == argv[0])) { 215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; 225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) HANDLE pipe = ::CreateNamedPipeW(argv[0], 255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED, 265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PIPE_TYPE_BYTE | PIPE_READMODE_BYTE, 1, 4096, 275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4096, 2000, NULL); 285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (INVALID_HANDLE_VALUE == pipe) 295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return SBOX_TEST_DENIED; 305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 315d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // The second parameter allows us to enforce a whitelist for where the 325d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // pipe should be in the object namespace after creation. 335d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (argc == 2) { 345d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) base::string16 handle_name; 355d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (GetHandleName(pipe, &handle_name)) { 365d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (handle_name.compare(0, wcslen(argv[1]), argv[1]) != 0) 375d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) return SBOX_TEST_FAILED; 385d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) } else { 395d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) return SBOX_TEST_FAILED; 405d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) } 415d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) } 425d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) OVERLAPPED overlapped = {0}; 445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) overlapped.hEvent = ::CreateEvent(NULL, TRUE, TRUE, NULL); 455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) BOOL result = ::ConnectNamedPipe(pipe, &overlapped); 465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (!result) { 485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) DWORD error = ::GetLastError(); 495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (ERROR_PIPE_CONNECTED != error && 505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ERROR_IO_PENDING != error) { 515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return SBOX_TEST_FAILED; 525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (!::CloseHandle(pipe)) 565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return SBOX_TEST_FAILED; 575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ::CloseHandle(overlapped.hEvent); 595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return SBOX_TEST_SUCCEEDED; 605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 625d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)// Tests if we can create a pipe in the sandbox. 635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST(NamedPipePolicyTest, CreatePipe) { 645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) TestRunner runner; 655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // TODO(nsylvain): This policy is wrong because "*" is a valid char in a 665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // namedpipe name. Here we apply it like a wildcard. http://b/893603 675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES, 685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) TargetPolicy::NAMEDPIPES_ALLOW_ANY, 695d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) L"\\\\.\\pipe\\test*")); 705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(SBOX_TEST_SUCCEEDED, 725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\testbleh")); 735d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 745d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // On XP, the sandbox can create a pipe without any help but it fails on 755d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // Vista+, this is why we do not test the "denied" case. 765d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) { 775d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) EXPECT_EQ(SBOX_TEST_DENIED, 785d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\bleh")); 795d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) } 805d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)} 815d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 825d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)// Tests if we can create a pipe with a path traversal in the sandbox. 835d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)TEST(NamedPipePolicyTest, CreatePipeTraversal) { 845d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) TestRunner runner; 855d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // TODO(nsylvain): This policy is wrong because "*" is a valid char in a 865d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // namedpipe name. Here we apply it like a wildcard. http://b/893603 875d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES, 885d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) TargetPolicy::NAMEDPIPES_ALLOW_ANY, 895d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) L"\\\\.\\pipe\\test*")); 905d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 915d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // On XP, the sandbox can create a pipe without any help but it fails on 925d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // Vista+, this is why we do not test the "denied" case. 935d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) { 945d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) EXPECT_EQ(SBOX_TEST_DENIED, 955d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test\\..\\bleh")); 965d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) EXPECT_EQ(SBOX_TEST_DENIED, 975d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test/../bleh")); 985d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) EXPECT_EQ(SBOX_TEST_DENIED, 995d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test\\../bleh")); 1005d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) EXPECT_EQ(SBOX_TEST_DENIED, 1015d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test/..\\bleh")); 1025d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) } 1035d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)} 1045d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 1055d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)// This tests that path canonicalization is actually disabled if we use \\?\ 1065d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)// syntax. 1075d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles)TEST(NamedPipePolicyTest, CreatePipeCanonicalization) { 1085d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // "For file I/O, the "\\?\" prefix to a path string tells the Windows APIs to 1095d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // disable all string parsing and to send the string that follows it straight 1105d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // to the file system." 1115d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx 112cedac228d2dd51db4b79ea1e72c7f249408ee061Torne (Richard Coles) const wchar_t* argv[2] = { L"\\\\?\\pipe\\test\\..\\bleh", 113cedac228d2dd51db4b79ea1e72c7f249408ee061Torne (Richard Coles) L"\\Device\\NamedPipe\\test" }; 114cedac228d2dd51db4b79ea1e72c7f249408ee061Torne (Richard Coles) EXPECT_EQ(SBOX_TEST_SUCCEEDED, 115cedac228d2dd51db4b79ea1e72c7f249408ee061Torne (Richard Coles) NamedPipe_Create(2, const_cast<wchar_t**>(argv))); 1165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 1175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// The same test as CreatePipe but this time using strict interceptions. 1195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST(NamedPipePolicyTest, CreatePipeStrictInterceptions) { 1205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) TestRunner runner; 1215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) runner.GetPolicy()->SetStrictInterceptions(); 1225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // TODO(nsylvain): This policy is wrong because "*" is a valid char in a 1245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // namedpipe name. Here we apply it like a wildcard. http://b/893603 1255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES, 1265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) TargetPolicy::NAMEDPIPES_ALLOW_ANY, 1275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) L"\\\\.\\pipe\\test*")); 1285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(SBOX_TEST_SUCCEEDED, 1305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\testbleh")); 1315d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) 1325d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // On XP, the sandbox can create a pipe without any help but it fails on 1335d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) // Vista+, this is why we do not test the "denied" case. 1345d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) { 1355d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) EXPECT_EQ(SBOX_TEST_DENIED, 1365d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\bleh")); 1375d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) } 1385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 1395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} // namespace sandbox 141