// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include #include #include "base/strings/string16.h" #include "base/strings/sys_string_conversions.h" #include "base/win/scoped_handle.h" #include "base/win/scoped_process_information.h" #include "base/win/windows_version.h" #include "sandbox/win/src/sandbox.h" #include "sandbox/win/src/sandbox_factory.h" #include "sandbox/win/src/sandbox_policy.h" #include "sandbox/win/tests/common/controller.h" #include "testing/gtest/include/gtest/gtest.h" namespace { // While the shell API provides better calls than this home brew function // we use GetSystemWindowsDirectoryW which does not query the registry so // it is safe to use after revert. base::string16 MakeFullPathToSystem32(const wchar_t* name) { wchar_t windows_path[MAX_PATH] = {0}; ::GetSystemWindowsDirectoryW(windows_path, MAX_PATH); base::string16 full_path(windows_path); if (full_path.empty()) { return full_path; } full_path += L"\\system32\\"; full_path += name; return full_path; } // Creates a process with the |exe| and |command| parameter using the // unicode and ascii version of the api. sandbox::SboxTestResult CreateProcessHelper(const base::string16& exe, const base::string16& command) { base::win::ScopedProcessInformation pi; STARTUPINFOW si = {sizeof(si)}; const wchar_t *exe_name = NULL; if (!exe.empty()) exe_name = exe.c_str(); const wchar_t *cmd_line = NULL; if (!command.empty()) cmd_line = command.c_str(); // Create the process with the unicode version of the API. sandbox::SboxTestResult ret1 = sandbox::SBOX_TEST_FAILED; PROCESS_INFORMATION temp_process_info = {}; if (::CreateProcessW(exe_name, const_cast(cmd_line), NULL, NULL, FALSE, 0, NULL, NULL, &si, &temp_process_info)) { pi.Set(temp_process_info); ret1 = sandbox::SBOX_TEST_SUCCEEDED; } else { DWORD last_error = GetLastError(); if ((ERROR_NOT_ENOUGH_QUOTA == last_error) || (ERROR_ACCESS_DENIED == last_error) || (ERROR_FILE_NOT_FOUND == last_error)) { ret1 = sandbox::SBOX_TEST_DENIED; } else { ret1 = sandbox::SBOX_TEST_FAILED; } } pi.Close(); // Do the same with the ansi version of the api STARTUPINFOA sia = {sizeof(sia)}; sandbox::SboxTestResult ret2 = sandbox::SBOX_TEST_FAILED; std::string narrow_cmd_line; if (cmd_line) narrow_cmd_line = base::SysWideToMultiByte(cmd_line, CP_UTF8); if (::CreateProcessA( exe_name ? base::SysWideToMultiByte(exe_name, CP_UTF8).c_str() : NULL, cmd_line ? const_cast(narrow_cmd_line.c_str()) : NULL, NULL, NULL, FALSE, 0, NULL, NULL, &sia, &temp_process_info)) { pi.Set(temp_process_info); ret2 = sandbox::SBOX_TEST_SUCCEEDED; } else { DWORD last_error = GetLastError(); if ((ERROR_NOT_ENOUGH_QUOTA == last_error) || (ERROR_ACCESS_DENIED == last_error) || (ERROR_FILE_NOT_FOUND == last_error)) { ret2 = sandbox::SBOX_TEST_DENIED; } else { ret2 = sandbox::SBOX_TEST_FAILED; } } if (ret1 == ret2) return ret1; return sandbox::SBOX_TEST_FAILED; } } // namespace namespace sandbox { SBOX_TESTS_COMMAND int Process_RunApp1(int argc, wchar_t **argv) { if (argc != 1) { return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; } if ((NULL == argv) || (NULL == argv[0])) { return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; } base::string16 path = MakeFullPathToSystem32(argv[0]); // TEST 1: Try with the path in the app_name. return CreateProcessHelper(path, base::string16()); } SBOX_TESTS_COMMAND int Process_RunApp2(int argc, wchar_t **argv) { if (argc != 1) { return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; } if ((NULL == argv) || (NULL == argv[0])) { return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; } base::string16 path = MakeFullPathToSystem32(argv[0]); // TEST 2: Try with the path in the cmd_line. base::string16 cmd_line = L"\""; cmd_line += path; cmd_line += L"\""; return CreateProcessHelper(base::string16(), cmd_line); } SBOX_TESTS_COMMAND int Process_RunApp3(int argc, wchar_t **argv) { if (argc != 1) { return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; } if ((NULL == argv) || (NULL == argv[0])) { return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; } // TEST 3: Try file name in the cmd_line. return CreateProcessHelper(base::string16(), argv[0]); } SBOX_TESTS_COMMAND int Process_RunApp4(int argc, wchar_t **argv) { if (argc != 1) { return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; } if ((NULL == argv) || (NULL == argv[0])) { return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; } // TEST 4: Try file name in the app_name and current directory sets correctly. base::string16 system32 = MakeFullPathToSystem32(L""); wchar_t current_directory[MAX_PATH + 1]; int result4; bool test_succeeded = false; DWORD ret = ::GetCurrentDirectory(MAX_PATH, current_directory); if (!ret) return SBOX_TEST_FIRST_ERROR; if (ret < MAX_PATH) { current_directory[ret] = L'\\'; current_directory[ret+1] = L'\0'; if (::SetCurrentDirectory(system32.c_str())) { result4 = CreateProcessHelper(argv[0], base::string16()); if (::SetCurrentDirectory(current_directory)) { test_succeeded = true; } } else { return SBOX_TEST_SECOND_ERROR; } } if (!test_succeeded) result4 = SBOX_TEST_FAILED; return result4; } SBOX_TESTS_COMMAND int Process_RunApp5(int argc, wchar_t **argv) { if (argc != 1) { return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; } if ((NULL == argv) || (NULL == argv[0])) { return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; } base::string16 path = MakeFullPathToSystem32(argv[0]); // TEST 5: Try with the path in the cmd_line and arguments. base::string16 cmd_line = L"\""; cmd_line += path; cmd_line += L"\" /I"; return CreateProcessHelper(base::string16(), cmd_line); } SBOX_TESTS_COMMAND int Process_RunApp6(int argc, wchar_t **argv) { if (argc != 1) { return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; } if ((NULL == argv) || (NULL == argv[0])) { return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; } // TEST 6: Try with the file_name in the cmd_line and arguments. base::string16 cmd_line = argv[0]; cmd_line += L" /I"; return CreateProcessHelper(base::string16(), cmd_line); } // Creates a process and checks if it's possible to get a handle to it's token. SBOX_TESTS_COMMAND int Process_GetChildProcessToken(int argc, wchar_t **argv) { if (argc != 1) return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; if ((NULL == argv) || (NULL == argv[0])) return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; base::string16 path = MakeFullPathToSystem32(argv[0]); STARTUPINFOW si = {sizeof(si)}; PROCESS_INFORMATION temp_process_info = {}; if (!::CreateProcessW(path.c_str(), NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &temp_process_info)) { return SBOX_TEST_FAILED; } base::win::ScopedProcessInformation pi(temp_process_info); HANDLE token = NULL; BOOL result = ::OpenProcessToken(pi.process_handle(), TOKEN_IMPERSONATE, &token); DWORD error = ::GetLastError(); base::win::ScopedHandle token_handle(token); if (!::TerminateProcess(pi.process_handle(), 0)) return SBOX_TEST_FAILED; if (result && token) return SBOX_TEST_SUCCEEDED; if (ERROR_ACCESS_DENIED == error) return SBOX_TEST_DENIED; return SBOX_TEST_FAILED; } SBOX_TESTS_COMMAND int Process_OpenToken(int argc, wchar_t **argv) { HANDLE token; if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, &token)) { if (ERROR_ACCESS_DENIED == ::GetLastError()) { return SBOX_TEST_DENIED; } } else { ::CloseHandle(token); return SBOX_TEST_SUCCEEDED; } return SBOX_TEST_FAILED; } TEST(ProcessPolicyTest, TestAllAccess) { // Check if the "all access" rule fails to be added when the token is too // powerful. TestRunner runner; // Check the failing case. runner.GetPolicy()->SetTokenLevel(USER_INTERACTIVE, USER_LOCKDOWN); EXPECT_EQ(SBOX_ERROR_UNSUPPORTED, runner.GetPolicy()->AddRule(TargetPolicy::SUBSYS_PROCESS, TargetPolicy::PROCESS_ALL_EXEC, L"this is not important")); // Check the working case. runner.GetPolicy()->SetTokenLevel(USER_INTERACTIVE, USER_INTERACTIVE); EXPECT_EQ(SBOX_ALL_OK, runner.GetPolicy()->AddRule(TargetPolicy::SUBSYS_PROCESS, TargetPolicy::PROCESS_ALL_EXEC, L"this is not important")); } TEST(ProcessPolicyTest, CreateProcessAW) { TestRunner runner; base::string16 exe_path = MakeFullPathToSystem32(L"findstr.exe"); base::string16 system32 = MakeFullPathToSystem32(L""); ASSERT_TRUE(!exe_path.empty()); EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS, TargetPolicy::PROCESS_MIN_EXEC, exe_path.c_str())); // Need to add directory rules for the directories that we use in // SetCurrentDirectory. EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_DIR_ANY, system32.c_str())); wchar_t current_directory[MAX_PATH]; DWORD ret = ::GetCurrentDirectory(MAX_PATH, current_directory); ASSERT_TRUE(0 != ret && ret < MAX_PATH); wcscat_s(current_directory, MAX_PATH, L"\\"); EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_DIR_ANY, current_directory)); EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp1 calc.exe")); EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp2 calc.exe")); EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp3 calc.exe")); EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp5 calc.exe")); EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp6 calc.exe")); EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_RunApp1 findstr.exe")); EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_RunApp2 findstr.exe")); EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_RunApp3 findstr.exe")); EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_RunApp5 findstr.exe")); EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_RunApp6 findstr.exe")); #if !defined(_WIN64) if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) { // WinXP results are not reliable. EXPECT_EQ(SBOX_TEST_SECOND_ERROR, runner.RunTest(L"Process_RunApp4 calc.exe")); EXPECT_EQ(SBOX_TEST_SECOND_ERROR, runner.RunTest(L"Process_RunApp4 findstr.exe")); } #endif } TEST(ProcessPolicyTest, OpenToken) { TestRunner runner; EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_OpenToken")); } TEST(ProcessPolicyTest, TestGetProcessTokenMinAccess) { TestRunner runner; base::string16 exe_path = MakeFullPathToSystem32(L"findstr.exe"); ASSERT_TRUE(!exe_path.empty()); EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS, TargetPolicy::PROCESS_MIN_EXEC, exe_path.c_str())); EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_GetChildProcessToken findstr.exe")); } TEST(ProcessPolicyTest, TestGetProcessTokenMaxAccess) { TestRunner runner(JOB_UNPROTECTED, USER_INTERACTIVE, USER_INTERACTIVE); base::string16 exe_path = MakeFullPathToSystem32(L"findstr.exe"); ASSERT_TRUE(!exe_path.empty()); EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS, TargetPolicy::PROCESS_ALL_EXEC, exe_path.c_str())); EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_GetChildProcessToken findstr.exe")); } TEST(ProcessPolicyTest, TestGetProcessTokenMinAccessNoJob) { TestRunner runner(JOB_NONE, USER_RESTRICTED_SAME_ACCESS, USER_LOCKDOWN); base::string16 exe_path = MakeFullPathToSystem32(L"findstr.exe"); ASSERT_TRUE(!exe_path.empty()); EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS, TargetPolicy::PROCESS_MIN_EXEC, exe_path.c_str())); EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_GetChildProcessToken findstr.exe")); } TEST(ProcessPolicyTest, TestGetProcessTokenMaxAccessNoJob) { TestRunner runner(JOB_NONE, USER_INTERACTIVE, USER_INTERACTIVE); base::string16 exe_path = MakeFullPathToSystem32(L"findstr.exe"); ASSERT_TRUE(!exe_path.empty()); EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS, TargetPolicy::PROCESS_ALL_EXEC, exe_path.c_str())); EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_GetChildProcessToken findstr.exe")); } } // namespace sandbox