sandbox/src/restricted_token_unittest.cc - Issue 10783004: Move Windows Sandbox, trybots version (don't commit me!)

Side by Side Diff: sandbox/src/restricted_token_unittest.cc

Issue 10783004: Move Windows Sandbox, trybots version (don't commit me!) (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Rebase to top of tree Created 8 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
	(Empty)
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.

4

5 // This file contains unit tests for the RestrictedToken.

6

7 #define _ATL_NO_EXCEPTIONS

8 #include <atlbase.h>

9 #include <atlsecurity.h>

10 #include <vector>

11 #include "sandbox/src/restricted_token.h"

12 #include "sandbox/src/sid.h"

13 #include "testing/gtest/include/gtest/gtest.h"

14

15 namespace sandbox {

16

17 // Tests the initializatioin with an invalid token handle.

18 TEST(RestrictedTokenTest, InvalidHandle) {

19 RestrictedToken token;

20 ASSERT_EQ(ERROR_INVALID_HANDLE, token.Init(reinterpret_cast<HANDLE>(0x5555)));

21 }

22

23 // Tests the initialization with NULL as parameter.

24 TEST(RestrictedTokenTest, DefaultInit) {

25 // Get the current process token.

26 HANDLE token_handle = INVALID_HANDLE_VALUE;

27 ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,

28 &token_handle));

29

30 ASSERT_NE(INVALID_HANDLE_VALUE, token_handle);

31

32 ATL::CAccessToken access_token;

33 access_token.Attach(token_handle);

34

35 // Create the token using the current token.

36 RestrictedToken token_default;

37 ASSERT_EQ(ERROR_SUCCESS, token_default.Init(NULL));

38

39 // Get the handle to the restricted token.

40

41 HANDLE restricted_token_handle = NULL;

42 ASSERT_EQ(ERROR_SUCCESS,

43 token_default.GetRestrictedTokenHandle(&restricted_token_handle));

44

45 ATL::CAccessToken restricted_token;

46 restricted_token.Attach(restricted_token_handle);

47

48 ATL::CSid sid_user_restricted;

49 ATL::CSid sid_user_default;

50 ATL::CSid sid_owner_restricted;

51 ATL::CSid sid_owner_default;

52 ASSERT_TRUE(restricted_token.GetUser(&sid_user_restricted));

53 ASSERT_TRUE(access_token.GetUser(&sid_user_default));

54 ASSERT_TRUE(restricted_token.GetOwner(&sid_owner_restricted));

55 ASSERT_TRUE(access_token.GetOwner(&sid_owner_default));

56

57 // Check if both token have the same owner and user.

58 ASSERT_EQ(sid_user_restricted, sid_user_default);

59 ASSERT_EQ(sid_owner_restricted, sid_owner_default);

60 }

61

62 // Tests the initialization with a custom token as parameter.

63 TEST(RestrictedTokenTest, CustomInit) {

64 // Get the current process token.

65 HANDLE token_handle = INVALID_HANDLE_VALUE;

66 ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,

67 &token_handle));

68

69 ASSERT_NE(INVALID_HANDLE_VALUE, token_handle);

70

71 ATL::CAccessToken access_token;

72 access_token.Attach(token_handle);

73

74 // Change the primary group.

75 access_token.SetPrimaryGroup(ATL::Sids::World());

76

77 // Create the token using the current token.

78 RestrictedToken token;

79 ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle()));

80

81 // Get the handle to the restricted token.

82

83 HANDLE restricted_token_handle = NULL;

84 ASSERT_EQ(ERROR_SUCCESS,

85 token.GetRestrictedTokenHandle(&restricted_token_handle));

86

87 ATL::CAccessToken restricted_token;

88 restricted_token.Attach(restricted_token_handle);

89

90 ATL::CSid sid_restricted;

91 ATL::CSid sid_default;

92 ASSERT_TRUE(restricted_token.GetPrimaryGroup(&sid_restricted));

93 ASSERT_TRUE(access_token.GetPrimaryGroup(&sid_default));

94

95 // Check if both token have the same owner.

96 ASSERT_EQ(sid_restricted, sid_default);

97 }

98

99 // Verifies that the token created by the object are valid.

100 TEST(RestrictedTokenTest, ResultToken) {

101 RestrictedToken token;

102 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

103

104 ASSERT_EQ(ERROR_SUCCESS,

105 token.AddRestrictingSid(ATL::Sids::World().GetPSID()));

106

107 HANDLE restricted_token;

108 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&restricted_token));

109

110 ASSERT_TRUE(::IsTokenRestricted(restricted_token));

111

112 DWORD length = 0;

113 TOKEN_TYPE type;

114 ASSERT_TRUE(::GetTokenInformation(restricted_token,

115 ::TokenType,

116 &type,

117 sizeof(type),

118 &length));

119

120 ASSERT_EQ(type, TokenPrimary);

121

122 HANDLE impersonation_token;

123 ASSERT_EQ(ERROR_SUCCESS,

124 token.GetRestrictedTokenHandleForImpersonation(&impersonation_token));

125

126 ASSERT_TRUE(::IsTokenRestricted(impersonation_token));

127

128 ASSERT_TRUE(::GetTokenInformation(impersonation_token,

129 ::TokenType,

130 &type,

131 sizeof(type),

132 &length));

133

134 ASSERT_EQ(type, TokenImpersonation);

135

136 ::CloseHandle(impersonation_token);

137 ::CloseHandle(restricted_token);

138 }

139

140 // Verifies that the token created has "Restricted" in its default dacl.

141 TEST(RestrictedTokenTest, DefaultDacl) {

142 RestrictedToken token;

143 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

144

145 ASSERT_EQ(ERROR_SUCCESS,

146 token.AddRestrictingSid(ATL::Sids::World().GetPSID()));

147

148 HANDLE handle;

149 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&handle));

150

151 ATL::CAccessToken restricted_token;

152 restricted_token.Attach(handle);

153

154 ATL::CDacl dacl;

155 ASSERT_TRUE(restricted_token.GetDefaultDacl(&dacl));

156

157 bool restricted_found = false;

158

159 unsigned int ace_count = dacl.GetAceCount();

160 for (unsigned int i = 0; i < ace_count ; ++i) {

161 ATL::CSid sid;

162 ACCESS_MASK mask = 0;

163 dacl.GetAclEntry(i, &sid, &mask);

164 if (sid == ATL::Sids::RestrictedCode() && mask == GENERIC_ALL) {

165 restricted_found = true;

166 break;

167 }

168 }

169

170 ASSERT_TRUE(restricted_found);

171 }

172

173 // Tests the method "AddSidForDenyOnly".

174 TEST(RestrictedTokenTest, DenySid) {

175 RestrictedToken token;

176 HANDLE token_handle = NULL;

177

178 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

179 ASSERT_EQ(ERROR_SUCCESS, token.AddSidForDenyOnly(Sid(WinWorldSid)));

180 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

181

182 ATL::CAccessToken restricted_token;

183 restricted_token.Attach(token_handle);

184

185 ATL::CTokenGroups groups;

186 ASSERT_TRUE(restricted_token.GetGroups(&groups));

187

188 ATL::CSid::CSidArray sids;

189 ATL::CAtlArray<DWORD> attributes;

190 groups.GetSidsAndAttributes(&sids, &attributes);

191

192 for (unsigned int i = 0; i < sids.GetCount(); i++) {

193 if (ATL::Sids::World() == sids[i]) {

194 ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY,

195 attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);

196 }

197 }

198 }

199

200 // Tests the method "AddAllSidsForDenyOnly".

201 TEST(RestrictedTokenTest, DenySids) {

202 RestrictedToken token;

203 HANDLE token_handle = NULL;

204

205 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

206 ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(NULL));

207 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

208

209 ATL::CAccessToken restricted_token;

210 restricted_token.Attach(token_handle);

211

212 ATL::CTokenGroups groups;

213 ASSERT_TRUE(restricted_token.GetGroups(&groups));

214

215 ATL::CSid::CSidArray sids;

216 ATL::CAtlArray<DWORD> attributes;

217 groups.GetSidsAndAttributes(&sids, &attributes);

218

219 // Verify that all sids are really gone.

220 for (unsigned int i = 0; i < sids.GetCount(); i++) {

221 if ((attributes[i] & SE_GROUP_LOGON_ID) == 0 &&

222 (attributes[i] & SE_GROUP_INTEGRITY) == 0) {

223 ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY,

224 attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);

225 }

226 }

227 }

228

229 // Tests the method "AddAllSidsForDenyOnly" using an exception list.

230 TEST(RestrictedTokenTest, DenySidsException) {

231 RestrictedToken token;

232 HANDLE token_handle = NULL;

233

234 std::vector<Sid> sids_exception;

235 sids_exception.push_back(Sid(WinWorldSid));

236

237 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

238 ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(&sids_exception));

239 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

240

241 ATL::CAccessToken restricted_token;

242 restricted_token.Attach(token_handle);

243

244 ATL::CTokenGroups groups;

245 ASSERT_TRUE(restricted_token.GetGroups(&groups));

246

247 ATL::CSid::CSidArray sids;

248 ATL::CAtlArray<DWORD> attributes;

249 groups.GetSidsAndAttributes(&sids, &attributes);

250

251 // Verify that all sids are really gone.

252 for (unsigned int i = 0; i < sids.GetCount(); i++) {

253 if ((attributes[i] & SE_GROUP_LOGON_ID) == 0 &&

254 (attributes[i] & SE_GROUP_INTEGRITY) == 0) {

255 if (ATL::Sids::World() == sids[i]) {

256 ASSERT_EQ(NULL, attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);

257 } else {

258 ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY,

259 attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);

260 }

261 }

262 }

263 }

264

265 // Tests test method AddOwnerSidForDenyOnly.

266 TEST(RestrictedTokenTest, DenyOwnerSid) {

267 RestrictedToken token;

268 HANDLE token_handle = NULL;

269

270 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

271 ASSERT_EQ(ERROR_SUCCESS, token.AddUserSidForDenyOnly());

272 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

273

274 ATL::CAccessToken restricted_token;

275 restricted_token.Attach(token_handle);

276

277 ATL::CTokenGroups groups;

278 ASSERT_TRUE(restricted_token.GetGroups(&groups));

279

280 ATL::CSid::CSidArray sids;

281 ATL::CAtlArray<DWORD> attributes;

282 groups.GetSidsAndAttributes(&sids, &attributes);

283

284 ATL::CSid user_sid;

285 ASSERT_TRUE(restricted_token.GetUser(&user_sid));

286

287 for (unsigned int i = 0; i < sids.GetCount(); ++i) {

288 if (user_sid == sids[i]) {

289 ASSERT_EQ(SE_GROUP_USE_FOR_DENY_ONLY,

290 attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);

291 }

292 }

293 }

294

295 // Tests the method DeleteAllPrivileges.

296 TEST(RestrictedTokenTest, DeleteAllPrivileges) {

297 RestrictedToken token;

298 HANDLE token_handle = NULL;

299

300 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

301 ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(NULL));

302 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

303

304 ATL::CAccessToken restricted_token;

305 restricted_token.Attach(token_handle);

306

307 ATL::CTokenPrivileges privileges;

308 ASSERT_TRUE(restricted_token.GetPrivileges(&privileges));

309

310 ASSERT_EQ(0, privileges.GetCount());

311 }

312

313 // Tests the method DeleteAllPrivileges with an exception list.

314 TEST(RestrictedTokenTest, DeleteAllPrivilegesException) {

315 RestrictedToken token;

316 HANDLE token_handle = NULL;

317

318 std::vector<std::wstring> exceptions;

319 exceptions.push_back(SE_CHANGE_NOTIFY_NAME);

320

321 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

322 ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(&exceptions));

323 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

324

325 ATL::CAccessToken restricted_token;

326 restricted_token.Attach(token_handle);

327

328 ATL::CTokenPrivileges privileges;

329 ASSERT_TRUE(restricted_token.GetPrivileges(&privileges));

330

331 ATL::CTokenPrivileges::CNames privilege_names;

332 ATL::CTokenPrivileges::CAttributes privilege_name_attributes;

333 privileges.GetNamesAndAttributes(&privilege_names,

334 &privilege_name_attributes);

335

336 ASSERT_EQ(1, privileges.GetCount());

337

338 for (unsigned int i = 0; i < privileges.GetCount(); ++i) {

339 ASSERT_EQ(privilege_names[i], SE_CHANGE_NOTIFY_NAME);

340 }

341 }

342

343 // Tests the method DeletePrivilege.

344 TEST(RestrictedTokenTest, DeletePrivilege) {

345 RestrictedToken token;

346 HANDLE token_handle = NULL;

347

348 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

349 ASSERT_EQ(ERROR_SUCCESS, token.DeletePrivilege(SE_CHANGE_NOTIFY_NAME));

350 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

351

352 ATL::CAccessToken restricted_token;

353 restricted_token.Attach(token_handle);

354

355 ATL::CTokenPrivileges privileges;

356 ASSERT_TRUE(restricted_token.GetPrivileges(&privileges));

357

358 ATL::CTokenPrivileges::CNames privilege_names;

359 ATL::CTokenPrivileges::CAttributes privilege_name_attributes;

360 privileges.GetNamesAndAttributes(&privilege_names,

361 &privilege_name_attributes);

362

363 for (unsigned int i = 0; i < privileges.GetCount(); ++i) {

364 ASSERT_NE(privilege_names[i], SE_CHANGE_NOTIFY_NAME);

365 }

366 }

367

368 // Checks if a sid is in the restricting list of the restricted token.

369 // Asserts if it's not the case. If count is a positive number, the number of

370 // elements in the restricting sids list has to be equal.

371 void CheckRestrictingSid(const ATL::CAccessToken &restricted_token,

372 ATL::CSid sid, int count) {

373 DWORD length = 1000;

374 BYTE *memory = new BYTE[1000];

375 TOKEN_GROUPS groups = reinterpret_cast<TOKEN_GROUPS>(memory);

376 ASSERT_TRUE(::GetTokenInformation(restricted_token.GetHandle(),

377 TokenRestrictedSids,

378 groups,

379 length,

380 &length));

381

382 ATL::CTokenGroups atl_groups(*groups);

383 delete[] memory;

384

385 if (count >= 0)

386 ASSERT_EQ(count, atl_groups.GetCount());

387

388 ATL::CSid::CSidArray sids;

389 ATL::CAtlArray<DWORD> attributes;

390 atl_groups.GetSidsAndAttributes(&sids, &attributes);

391

392 bool present = false;

393 for (unsigned int i = 0; i < sids.GetCount(); ++i) {

394 if (sids[i] == sid) {

395 present = true;

396 break;

397 }

398 }

399

400 ASSERT_TRUE(present);

401 }

402

403 // Tests the method AddRestrictingSid.

404 TEST(RestrictedTokenTest, AddRestrictingSid) {

405 RestrictedToken token;

406 HANDLE token_handle = NULL;

407

408 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

409 ASSERT_EQ(ERROR_SUCCESS,

410 token.AddRestrictingSid(ATL::Sids::World().GetPSID()));

411 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

412

413 ATL::CAccessToken restricted_token;

414 restricted_token.Attach(token_handle);

415

416 CheckRestrictingSid(restricted_token, ATL::Sids::World(), 1);

417 }

418

419 // Tests the method AddRestrictingSidCurrentUser.

420 TEST(RestrictedTokenTest, AddRestrictingSidCurrentUser) {

421 RestrictedToken token;

422 HANDLE token_handle = NULL;

423

424 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

425 ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser());

426 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

427

428 ATL::CAccessToken restricted_token;

429 restricted_token.Attach(token_handle);

430 ATL::CSid user;

431 restricted_token.GetUser(&user);

432

433 CheckRestrictingSid(restricted_token, user, 1);

434 }

435

436 // Tests the method AddRestrictingSidLogonSession.

437 TEST(RestrictedTokenTest, AddRestrictingSidLogonSession) {

438 RestrictedToken token;

439 HANDLE token_handle = NULL;

440

441 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

442 ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession());

443 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

444

445 ATL::CAccessToken restricted_token;

446 restricted_token.Attach(token_handle);

447 ATL::CSid session;

448 restricted_token.GetLogonSid(&session);

449

450 CheckRestrictingSid(restricted_token, session, 1);

451 }

452

453 // Tests adding a lot of restricting sids.

454 TEST(RestrictedTokenTest, AddMultipleRestrictingSids) {

455 RestrictedToken token;

456 HANDLE token_handle = NULL;

457

458 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

459 ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser());

460 ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession());

461 ASSERT_EQ(ERROR_SUCCESS,

462 token.AddRestrictingSid(ATL::Sids::World().GetPSID()));

463 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

464

465 ATL::CAccessToken restricted_token;

466 restricted_token.Attach(token_handle);

467 ATL::CSid session;

468 restricted_token.GetLogonSid(&session);

469

470 DWORD length = 1000;

471 BYTE *memory = new BYTE[1000];

472 TOKEN_GROUPS groups = reinterpret_cast<TOKEN_GROUPS>(memory);

473 ASSERT_TRUE(::GetTokenInformation(restricted_token.GetHandle(),

474 TokenRestrictedSids,

475 groups,

476 length,

477 &length));

478

479 ATL::CTokenGroups atl_groups(*groups);

480 delete[] memory;

481

482 ASSERT_EQ(3, atl_groups.GetCount());

483 }

484

485 // Tests the method "AddRestrictingSidAllSids".

486 TEST(RestrictedTokenTest, AddAllSidToRestrictingSids) {

487 RestrictedToken token;

488 HANDLE token_handle = NULL;

489

490 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

491 ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidAllSids());

492 ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle));

493

494 ATL::CAccessToken restricted_token;

495 restricted_token.Attach(token_handle);

496

497 ATL::CTokenGroups groups;

498 ASSERT_TRUE(restricted_token.GetGroups(&groups));

499

500 ATL::CSid::CSidArray sids;

501 ATL::CAtlArray<DWORD> attributes;

502 groups.GetSidsAndAttributes(&sids, &attributes);

503

504 // Verify that all group sids are in the restricting sid list.

505 for (unsigned int i = 0; i < sids.GetCount(); i++) {

506 if ((attributes[i] & SE_GROUP_INTEGRITY) == 0) {

507 CheckRestrictingSid(restricted_token, sids[i], -1);

508 }

509 }

510

511 // Verify that the user is in the restricting sid list.

512 ATL::CSid user;

513 restricted_token.GetUser(&user);

514 CheckRestrictingSid(restricted_token, user, -1);

515 }

516

517 // Test to be executed only in release because they are triggering DCHECKs.

518 #ifndef _DEBUG

519

520 // Checks the error code when the object is initialized twice.

521 TEST(RestrictedTokenTest, DoubleInit) {

522 RestrictedToken token;

523 ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL));

524

525 ASSERT_EQ(ERROR_ALREADY_INITIALIZED, token.Init(NULL));

526 }

527

528 #endif

529

530 } // namespace sandbox

OLD	NEW

« no previous file with comments | « sandbox/src/restricted_token.cc ('k') | sandbox/src/restricted_token_utils.h » ('j') | no next file with comments »