      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include <windows.h>
      6 
      7 #define _ATL_NO_EXCEPTIONS
      8 #include <atlbase.h>
      9 #include <atlsecurity.h>
     10 
     11 #include "base/strings/string16.h"
     12 #include "base/win/scoped_handle.h"
     13 #include "base/win/windows_version.h"
     14 #include "sandbox/win/src/sync_policy_test.h"
     15 #include "testing/gtest/include/gtest/gtest.h"
     16 
     17 namespace {
     18 
// Name passed to InstallAppContainer() together with kAppContainerSid.
const wchar_t kAppContainerName[] = L"sbox_test";

// String SID identifying the test app container; the tests hand it to
// InstallAppContainer(), SetAppContainer() and UninstallAppContainer().
const wchar_t kAppContainerSid[] =
    L"S-1-15-2-"
    L"3251537155-1984446955-2931258699-841473695-1938553385-924012148-"
    L"2839372144";

// Share mode for reopening the temp file in CreateTaggedEvent().
// FILE_SHARE_DELETE is included so the file can be deleted while the handle
// is still open.
const ULONG kSharing = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE;
     25 
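// Creates an auto-reset, initially non-signaled event called |name| and
// replaces its DACL with the DACL read from a freshly created temp file plus
// one allow ACE that grants EVENT_ALL_ACCESS to |sid| (a string SID; the
// tests pass a capability SID).
//
// Returns the event handle, which the caller owns, or NULL if any step fails.
// Every step that builds or applies the DACL is checked: a helper that
// silently produced a different DACL could let a "denied" expectation pass
// for a reason unrelated to the capability under test.
//
// NOTE(review): CreateEvent() also succeeds when an object called |name|
// already exists, and in that case it is the existing object that gets the new
// DACL. This function does not tell the two cases apart (GetLastError() ==
// ERROR_ALREADY_EXISTS); confirm that is acceptable for the fixed name the
// tests use.
HANDLE CreateTaggedEvent(const base::string16& name,
                         const base::string16& sid) {
  base::win::ScopedHandle event(CreateEvent(NULL, FALSE, FALSE, name.c_str()));
  if (!event.IsValid())
    return NULL;

  // The temp file is only a source for a security descriptor. With a zero
  // unique value GetTempFileName() creates the file, which is why it is
  // reopened with OPEN_EXISTING. The return values of these two calls are not
  // checked; a bad |file_name| is expected to show up as a CreateFile()
  // failure below.
  wchar_t file_name[MAX_PATH] = {};
  wchar_t temp_directory[MAX_PATH] = {};
  GetTempPath(MAX_PATH, temp_directory);
  GetTempFileName(temp_directory, L"test", 0, file_name);

  base::win::ScopedHandle file;
  file.Set(CreateFile(file_name, GENERIC_READ | STANDARD_RIGHTS_READ, kSharing,
                      NULL, OPEN_EXISTING, 0, NULL));
  // Remove the name immediately; the open handle keeps the descriptor
  // readable and kSharing permits the delete.
  DeleteFile(file_name);
  if (!file.IsValid())
    return NULL;

  CSecurityDesc sd;
  if (!AtlGetSecurityDescriptor(file.Get(), SE_FILE_OBJECT, &sd,
                                OWNER_SECURITY_INFORMATION |
                                    GROUP_SECURITY_INFORMATION |
                                    DACL_SECURITY_INFORMATION)) {
    return NULL;
  }

  PSID local_sid = NULL;
  if (!ConvertStringSidToSid(sid.c_str(), &local_sid))
    return NULL;

  // Build the new DACL and apply it. The chain stops at the first failing
  // step, so a DACL that could not be read or extended is never applied.
  CDacl new_dacl;
  CSid csid(reinterpret_cast<SID*>(local_sid));
  const bool dacl_applied =
      sd.GetDacl(&new_dacl) &&
      new_dacl.AddAllowedAce(csid, EVENT_ALL_ACCESS) &&
      AtlSetDacl(event.Get(), SE_KERNEL_OBJECT, new_dacl);

  // ConvertStringSidToSid() allocates the SID; release it on every path.
  LocalFree(local_sid);

  if (!dacl_applied)
    return NULL;  // |event| is closed by the ScopedHandle destructor.
  return event.Take();
}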
     66 
     67 }  // namespace
     68 
     69 namespace sandbox {
     70 
// Expects a target that runs in the test app container with the capability
// set in its policy to succeed at "Event_Open f test", where the event's DACL
// carries an allow ACE for that same capability SID. The command runs twice:
// once in the runner's default state and once after BEFORE_REVERT is selected.
//
// NOTE(review): before Windows 8 the body returns early, so the test reports
// success without exercising the sandbox.
// NOTE(review): the "Event_Open" command is implemented outside this file;
// presumably it opens the event named "test" -- confirm.
TEST(AppContainerTest, AllowOpenEvent) {
  const bool win8_or_later =
      base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_WIN8;
  if (!win8_or_later)
    return;

  TestRunner runner(JOB_UNPROTECTED, USER_UNPROTECTED, USER_UNPROTECTED);

  // The event must exist, with the capability ACE in place, before the target
  // is launched.
  const wchar_t capability_sid[] = L"S-1-15-3-12345678-87654321";
  base::win::ScopedHandle tagged_event(
      CreateTaggedEvent(L"test", capability_sid));
  ASSERT_TRUE(tagged_event.IsValid());

  EXPECT_EQ(SBOX_ALL_OK,
            runner.broker()->InstallAppContainer(kAppContainerSid,
                                                 kAppContainerName));
  EXPECT_EQ(SBOX_ALL_OK, runner.GetPolicy()->SetCapability(capability_sid));
  EXPECT_EQ(SBOX_ALL_OK, runner.GetPolicy()->SetAppContainer(kAppContainerSid));

  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_Open f test"));

  runner.SetTestState(BEFORE_REVERT);
  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_Open f test"));

  // Undo the installation done above.
  EXPECT_EQ(SBOX_ALL_OK,
            runner.broker()->UninstallAppContainer(kAppContainerSid));
}
     94 
// Counterpart of AllowOpenEvent: the event still carries the allow ACE for the
// capability SID, but the policy never calls SetCapability(), and the target
// is expected to get SBOX_TEST_DENIED from "Event_Open f test" in both test
// states.
//
// NOTE(review): a denial is only meaningful if the event's DACL was built as
// intended; this test relies on CreateTaggedEvent() returning a valid handle
// for that.
// NOTE(review): before Windows 8 the body returns early, so the test reports
// success without exercising the sandbox.
TEST(AppContainerTest, DenyOpenEvent) {
  const bool win8_or_later =
      base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_WIN8;
  if (!win8_or_later)
    return;

  TestRunner runner(JOB_UNPROTECTED, USER_UNPROTECTED, USER_UNPROTECTED);

  const wchar_t capability_sid[] = L"S-1-15-3-12345678-87654321";
  base::win::ScopedHandle tagged_event(
      CreateTaggedEvent(L"test", capability_sid));
  ASSERT_TRUE(tagged_event.IsValid());

  EXPECT_EQ(SBOX_ALL_OK,
            runner.broker()->InstallAppContainer(kAppContainerSid,
                                                 kAppContainerName));
  // App container only; the capability is deliberately left out of the policy.
  EXPECT_EQ(SBOX_ALL_OK, runner.GetPolicy()->SetAppContainer(kAppContainerSid));

  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_Open f test"));

  runner.SetTestState(BEFORE_REVERT);
  EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_Open f test"));

  // Undo the installation done above.
  EXPECT_EQ(SBOX_ALL_OK,
            runner.broker()->UninstallAppContainer(kAppContainerSid));
}
    117 
// Expects SetAppContainer() to succeed when the runner is built with
// USER_LIMITED for both token levels.
//
// NOTE(review): the test name suggests this is the case where the target needs
// no impersonation token -- confirm against SetAppContainer().
// NOTE(review): before Windows 8 the body returns early and nothing is checked.
TEST(AppContainerTest, NoImpersonation) {
  const bool win8_or_later =
      base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_WIN8;
  if (!win8_or_later)
    return;

  TestRunner runner(JOB_UNPROTECTED, USER_LIMITED, USER_LIMITED);
  EXPECT_EQ(SBOX_ALL_OK, runner.GetPolicy()->SetAppContainer(kAppContainerSid));
}
    125 
// Expects SetAppContainer() to be rejected with
// SBOX_ERROR_CANNOT_INIT_APPCONTAINER when the runner is built with
// USER_UNPROTECTED and USER_NON_ADMIN as its two token levels.
//
// NOTE(review): the test name suggests the mismatch between the two levels
// implies an impersonation token, which the app container setup refuses --
// confirm against SetAppContainer().
// NOTE(review): before Windows 8 the body returns early and nothing is checked.
TEST(AppContainerTest, WantsImpersonation) {
  const bool win8_or_later =
      base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_WIN8;
  if (!win8_or_later)
    return;

  TestRunner runner(JOB_UNPROTECTED, USER_UNPROTECTED, USER_NON_ADMIN);
  EXPECT_EQ(SBOX_ERROR_CANNOT_INIT_APPCONTAINER,
            runner.GetPolicy()->SetAppContainer(kAppContainerSid));
}
    134 
// Expects SetAppContainer() to be rejected with
// SBOX_ERROR_CANNOT_INIT_APPCONTAINER when the runner is built with
// USER_RESTRICTED for both token levels.
//
// NOTE(review): the test name suggests USER_RESTRICTED cannot start without an
// impersonation token, which the app container setup refuses -- confirm
// against SetAppContainer().
// NOTE(review): before Windows 8 the body returns early and nothing is checked.
TEST(AppContainerTest, RequiresImpersonation) {
  const bool win8_or_later =
      base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_WIN8;
  if (!win8_or_later)
    return;

  TestRunner runner(JOB_UNPROTECTED, USER_RESTRICTED, USER_RESTRICTED);
  EXPECT_EQ(SBOX_ERROR_CANNOT_INIT_APPCONTAINER,
            runner.GetPolicy()->SetAppContainer(kAppContainerSid));
}
    143 
    144 }  // namespace sandbox
    145