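// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// This file contains the validation tests for the sandbox.
// It includes the tests that need to be performed inside the
// sandbox.

#include <shlwapi.h>

#include "base/win/windows_version.h"
#include "testing/gtest/include/gtest/gtest.h"
#include "sandbox/win/tests/common/controller.h"

#pragma comment(lib, "shlwapi.lib")

namespace {

// Asks the sandboxed child driven by |runner| to open the process whose id is
// |target|, once per access right in the table below, and expects every
// request to come back as SBOX_TEST_DENIED.
void TestProcessAccess(sandbox::TestRunner* runner, DWORD target) {
  const wchar_t *kCommandTemplate = L"OpenProcessCmd %d %d";

  // The "scary" process permissions: thread creation, handle duplication,
  // information set/query, memory operation/read/write, and the standard
  // rights that read or rewrite the object's security descriptor and owner.
  static const DWORD kDeniedAccessRights[] = {
    PROCESS_CREATE_THREAD,
    PROCESS_DUP_HANDLE,
    PROCESS_SET_INFORMATION,
    PROCESS_VM_OPERATION,
    PROCESS_VM_READ,
    PROCESS_VM_WRITE,
    PROCESS_QUERY_INFORMATION,
    WRITE_DAC,
    WRITE_OWNER,
    READ_CONTROL,
  };

  wchar_t command[1024] = {0};
  for (size_t i = 0; i < _countof(kDeniedAccessRights); ++i) {
    wsprintf(command, kCommandTemplate, target, kDeniedAccessRights[i]);
    // The checks share one source line, so the failure message has to say
    // which right was unexpectedly granted.
    EXPECT_EQ(sandbox::SBOX_TEST_DENIED, runner->RunTest(command))
        << "requested access mask: " << kDeniedAccessRights[i];
  }
}

}  // namespace

namespace sandbox {

// Returns true if the volume that contains any_path supports ACL security. The
// input path can contain unexpanded environment strings. Returns false on any
// failure or if the file system does not support file security (such as FAT).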
bool VolumeSupportsACLs(const wchar_t* any_path) {
  // Expand environment references first. A zero return is a failure, and a
  // return larger than the buffer means the expanded path did not fit.
  wchar_t root_path[MAX_PATH +1];
  const DWORD expanded_chars =
      ::ExpandEnvironmentStringsW(any_path, root_path, _countof(root_path));
  if (expanded_chars == 0 || expanded_chars > _countof(root_path))
    return false;

  // Cut the path down, in place, to the root that is handed to the volume
  // query below.
  if (!::PathStripToRootW(root_path))
    return false;

  // Only the file-system flags are requested; every other output is left out.
  DWORD volume_flags = 0;
  const BOOL queried = ::GetVolumeInformationW(root_path, NULL, 0, 0, NULL,
                                               &volume_flags, NULL, 0);
  if (!queried)
    return false;

  return (volume_flags & FILE_PERSISTENT_ACLS) != 0;
}

// Sanity check for the harness itself: the sandboxed child must answer the
// "ping" command before any denial result can be trusted.
TEST(ValidationSuite, TestSuite) {
  TestRunner runner;
  ASSERT_EQ(SBOX_TEST_PING_OK, runner.RunTest(L"ping"));
}

// Tests if the file system is correctly protected by the sandbox.
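TEST(ValidationSuite, TestFileSystem) {
  // The denial checks below only mean something on volumes that enforce file
  // security, so a FAT (or similar) volume fails the test here instead of
  // letting it report a misleading result.
  // NOTE(review): %AllUsersProfile% is probed below but its volume is not part
  // of this precheck - confirm whether that is intentional.
  static const wchar_t* const kAclVolumes[] = {
    L"%SystemDrive%\\",
    L"%SystemRoot%\\",
    L"%ProgramFiles%\\",
    L"%Temp%\\",
    L"%AppData%\\",
  };
  for (size_t i = 0; i < _countof(kAclVolumes); ++i) {
    ASSERT_TRUE(VolumeSupportsACLs(kAclVolumes[i])) << kAclVolumes[i];
  }

  // Every one of these opens must be refused from inside the sandbox.
  static const wchar_t* const kDeniedOpens[] = {
    L"OpenFileCmd %SystemDrive%",
    L"OpenFileCmd %SystemRoot%",
    L"OpenFileCmd %ProgramFiles%",
    L"OpenFileCmd %SystemRoot%\\System32",
    L"OpenFileCmd %SystemRoot%\\explorer.exe",
    L"OpenFileCmd %SystemRoot%\\Cursors\\arrow_i.cur",
    L"OpenFileCmd %AllUsersProfile%",
    L"OpenFileCmd %Temp%",
    L"OpenFileCmd %AppData%",
  };

  TestRunner runner;
  for (size_t i = 0; i < _countof(kDeniedOpens); ++i) {
    // The checks share one source line, so name the command in the failure.
    EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(kDeniedOpens[i]))
        << kDeniedOpens[i];
  }
}

// Tests if the registry is correctly protected by the sandbox.
TEST(ValidationSuite, TestRegistry) {
  // Three hive roots plus one specific key under HKLM.
  static const wchar_t* const kDeniedKeys[] = {
    L"OpenKey HKLM",
    L"OpenKey HKCU",
    L"OpenKey HKU",
    L"OpenKey HKLM "
    L"\"Software\\Microsoft\\Windows NT\\CurrentVersion\\WinLogon\"",
  };

  TestRunner runner;
  for (size_t i = 0; i < _countof(kDeniedKeys); ++i) {
    // The checks share one source line, so name the command in the failure.
    EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(kDeniedKeys[i]))
        << kDeniedKeys[i];
  }
}

// Tests that the permissions on the window station do not allow the sandbox
// to get to the interactive desktop or to make the sbox desktop interactive.
TEST(ValidationSuite, TestDesktop) {
  TestRunner runner;
  // The child runs on an alternate desktop at low integrity for both probes.
  runner.GetPolicy()->SetAlternateDesktop(true);
  runner.GetPolicy()->SetIntegrityLevel(INTEGRITY_LEVEL_LOW);
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"OpenInteractiveDesktop NULL"));
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"SwitchToSboxDesktop NULL"));
}

// Tests that the sandboxed process is denied the EnumAlternateWinsta command
// and cannot open the policy's alternate desktop by name.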
TEST(ValidationSuite, TestAlternateDesktop) {
  // Nothing is checked on versions older than Windows 7.
  if (base::win::GetVersion() < base::win::VERSION_WIN7)
    return;

  TestRunner runner;
  // First probe, issued before any policy change is made on this runner.
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"EnumAlternateWinsta NULL"));

  // NOTE(review): 3600000 looks like a one-hour timeout in milliseconds, which
  // would let a hung child stall the suite - confirm the unit and whether the
  // value is intentional.
  runner.SetTimeout(3600000);
  runner.GetPolicy()->SetAlternateDesktop(true);
  runner.GetPolicy()->SetIntegrityLevel(INTEGRITY_LEVEL_LOW);

  // Keep only what follows the first backslash of the policy's desktop name.
  // Without a backslash find() yields npos, npos + 1 wraps to 0, and the
  // whole name is kept.
  const base::string16 full_name = runner.GetPolicy()->GetAlternateDesktop();
  const base::string16 desktop_name =
      full_name.substr(full_name.find('\\') + 1);

  // Second probe: opening that desktop by name must be refused as well.
  wchar_t command[1024] = {0};
  wsprintf(command, L"OpenAlternateDesktop %lS", desktop_name.c_str());
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command));
}

// Tests if the windows are correctly protected by the sandbox.
TEST(ValidationSuite, TestWindows) {
  TestRunner runner;
  wchar_t command[1024] = {0};

  // NOTE(review): both values below are HWNDs formatted with %d. Confirm the
  // ValidWindow command parses the same width on 64-bit builds, otherwise the
  // child could be checking a different handle than the one meant here.

  // Probe 1: the desktop window.
  const HWND desktop_window = ::GetDesktopWindow();
  wsprintf(command, L"ValidWindow %d", desktop_window);
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command));

  // Probe 2: whatever window FindWindow returns when no class or title is
  // given.
  const HWND found_window = ::FindWindow(NULL, NULL);
  wsprintf(command, L"ValidWindow %d", found_window);
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command));
}

// Tests that a locked-down process cannot open another locked-down process.
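TEST(ValidationSuite, TestProcessDenyLockdown) {
  TestRunner runner;
  TestRunner target;

  // NOTE(review): presumably asynchronous mode makes RunTest() return while
  // the target is still inside its 30000 sleep, so that it is alive for the
  // probes below - confirm against TestRunner.
  target.SetAsynchronous(true);

  // Stop here if the target did not start: denials measured against a process
  // that is not running would say nothing about the sandbox.
  ASSERT_EQ(SBOX_TEST_SUCCEEDED, target.RunTest(L"SleepCmd 30000"));

  TestProcessAccess(&runner, target.process_id());
}

// Tests that a low-integrity process cannot open a locked-down process (due
// to the integrity label changing after startup via SetDelayedIntegrityLevel).
TEST(ValidationSuite, TestProcessDenyLowIntegrity) {
  // This test applies only to Vista and above. The running version has to come
  // from GetVersion(): `base::win::Version()` only value-initializes a Version
  // (zero), which compares below VERSION_VISTA, so the test used to return
  // here on every system without checking anything.
  if (base::win::GetVersion() < base::win::VERSION_VISTA)
    return;

  TestRunner runner;
  TestRunner target;

  // Target: default policy plus a delayed drop to low integrity.
  target.SetAsynchronous(true);
  target.GetPolicy()->SetDelayedIntegrityLevel(INTEGRITY_LEVEL_LOW);

  // Prober: low integrity from the start, with the weaker token pair.
  runner.GetPolicy()->SetIntegrityLevel(INTEGRITY_LEVEL_LOW);
  runner.GetPolicy()->SetTokenLevel(USER_RESTRICTED_SAME_ACCESS,
                                    USER_INTERACTIVE);

  // Stop here if the target did not start: denials measured against a process
  // that is not running would say nothing about the sandbox.
  ASSERT_EQ(SBOX_TEST_SUCCEEDED, target.RunTest(L"SleepCmd 30000"));

  TestProcessAccess(&runner, target.process_id());
}

// Tests that a locked-down process cannot open a low-integrity process.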
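TEST(ValidationSuite, TestProcessDenyBelowLowIntegrity) {
  // This test applies only to Vista and above. The running version has to come
  // from GetVersion(): `base::win::Version()` only value-initializes a Version
  // (zero), which compares below VERSION_VISTA, so the test used to return
  // here on every system without checking anything.
  if (base::win::GetVersion() < base::win::VERSION_VISTA)
    return;

  TestRunner runner;
  TestRunner target;

  // Target: low integrity from the start, with the weaker token pair.
  target.SetAsynchronous(true);
  target.GetPolicy()->SetIntegrityLevel(INTEGRITY_LEVEL_LOW);
  target.GetPolicy()->SetTokenLevel(USER_RESTRICTED_SAME_ACCESS,
                                    USER_INTERACTIVE);

  // Prober: same token pair, with a delayed drop to untrusted integrity.
  runner.GetPolicy()->SetDelayedIntegrityLevel(INTEGRITY_LEVEL_UNTRUSTED);
  runner.GetPolicy()->SetTokenLevel(USER_RESTRICTED_SAME_ACCESS,
                                    USER_INTERACTIVE);

  // Stop here if the target did not start: denials measured against a process
  // that is not running would say nothing about the sandbox.
  ASSERT_EQ(SBOX_TEST_SUCCEEDED, target.RunTest(L"SleepCmd 30000"));

  TestProcessAccess(&runner, target.process_id());
}

// Tests if the threads are correctly protected by the sandbox.
TEST(ValidationSuite, TestThread) {
  TestRunner runner;
  wchar_t command[1024] = {0};

  // The id passed is that of the thread running this test, i.e. a thread
  // outside the sandboxed child.
  wsprintf(command, L"OpenThreadCmd %d", ::GetCurrentThreadId());
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command));
}

// Tests if an over-limit allocation will be denied.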
TEST(ValidationSuite, TestMemoryLimit) {
  // One value (256 * 1024 * 1024) serves as both the job memory limit and the
  // size the child is asked to allocate.
  const int kLimitAndRequest = 256 * 1024 * 1024;

  TestRunner runner;
  runner.GetPolicy()->SetJobMemoryLimit(kLimitAndRequest);

  wchar_t command[1024] = {0};
  wsprintf(command, L"AllocateCmd %d", kLimitAndRequest);

  // The expected outcome is the fatal memory-exceeded code, not a plain
  // denial.
  EXPECT_EQ(SBOX_FATAL_MEMORY_EXCEEDED, runner.RunTest(command));
}

// Tests a large allocation will succeed absent limits.
TEST(ValidationSuite, TestMemoryNoLimit) {
  // Same request size as the limited case, but no job memory limit is set on
  // the policy, so the allocation is expected to go through.
  const int kRequest = 256 * 1024 * 1024;

  TestRunner runner;

  wchar_t command[1024] = {0};
  wsprintf(command, L"AllocateCmd %d", kRequest);
  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command));
}

}  // namespace sandbox