| Index: sandbox/win/src/process_mitigations_test.cc
|
| ===================================================================
|
| --- sandbox/win/src/process_mitigations_test.cc (revision 156553)
|
| +++ sandbox/win/src/process_mitigations_test.cc (working copy)
|
| @@ -1,203 +0,0 @@
|
| -// Copyright (c) 2011 The Chromium Authors. All rights reserved.
|
| -// Use of this source code is governed by a BSD-style license that can be
|
| -// found in the LICENSE file.
|
| -
|
| -#include "base/stringprintf.h"
|
| -#include "base/win/scoped_handle.h"
|
| -
|
| -#include "base/win/windows_version.h"
|
| -#include "sandbox/win/src/nt_internals.h"
|
| -#include "sandbox/win/src/process_mitigations.h"
|
| -#include "sandbox/win/src/sandbox.h"
|
| -#include "sandbox/win/src/sandbox_factory.h"
|
| -#include "sandbox/win/src/sandbox_utils.h"
|
| -#include "sandbox/win/src/target_services.h"
|
| -#include "sandbox/win/src/win_utils.h"
|
| -#include "sandbox/win/tests/common/controller.h"
|
| -#include "testing/gtest/include/gtest/gtest.h"
|
| -
|
| -namespace {
|
| -
|
| -typedef BOOL (WINAPI *GetProcessDEPPolicyFunction)(
|
| - HANDLE process,
|
| - LPDWORD flags,
|
| - PBOOL permanent);
|
| -
|
| -typedef BOOL (WINAPI *GetProcessMitigationPolicyFunction)(
|
| - HANDLE process,
|
| - PROCESS_MITIGATION_POLICY mitigation_policy,
|
| - PVOID buffer,
|
| - SIZE_T length);
|
| -
|
| -GetProcessMitigationPolicyFunction get_process_mitigation_policy;
|
| -
|
| -bool CheckWin8DepPolicy() {
|
| - PROCESS_MITIGATION_DEP_POLICY policy;
|
| - if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy,
|
| - &policy, sizeof(policy))) {
|
| - return false;
|
| - }
|
| - return policy.Enable && policy.Permanent;
|
| -}
|
| -
|
| -bool CheckWin8AslrPolicy() {
|
| - PROCESS_MITIGATION_ASLR_POLICY policy;
|
| - if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessASLRPolicy,
|
| - &policy, sizeof(policy))) {
|
| - return false;
|
| - }
|
| - return policy.EnableForceRelocateImages && policy.DisallowStrippedImages;
|
| -}
|
| -
|
| -bool CheckWin8StrictHandlePolicy() {
|
| - PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy;
|
| - if (!get_process_mitigation_policy(::GetCurrentProcess(),
|
| - ProcessStrictHandleCheckPolicy,
|
| - &policy, sizeof(policy))) {
|
| - return false;
|
| - }
|
| - return policy.RaiseExceptionOnInvalidHandleReference &&
|
| - policy.HandleExceptionsPermanentlyEnabled;
|
| -}
|
| -
|
| -bool CheckWin8Win32CallPolicy() {
|
| - PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy;
|
| - if (!get_process_mitigation_policy(::GetCurrentProcess(),
|
| - ProcessSystemCallDisablePolicy,
|
| - &policy, sizeof(policy))) {
|
| - return false;
|
| - }
|
| - return policy.DisallowWin32kSystemCalls;
|
| -}
|
| -
|
| -bool CheckWin8DllExtensionPolicy() {
|
| - PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy;
|
| - if (!get_process_mitigation_policy(::GetCurrentProcess(),
|
| - ProcessExtensionPointDisablePolicy,
|
| - &policy, sizeof(policy))) {
|
| - return false;
|
| - }
|
| - return policy.DisableExtensionPoints;
|
| -}
|
| -
|
| -} // namespace
|
| -
|
| -namespace sandbox {
|
| -
|
| -SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) {
|
| - get_process_mitigation_policy =
|
| - reinterpret_cast<GetProcessMitigationPolicyFunction>(
|
| - ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
|
| - "GetProcessMitigationPolicy"));
|
| -
|
| - if (!get_process_mitigation_policy)
|
| - return SBOX_TEST_NOT_FOUND;
|
| -
|
| - if (!CheckWin8DepPolicy())
|
| - return SBOX_TEST_FIRST_ERROR;
|
| -
|
| - if (!CheckWin8AslrPolicy())
|
| - return SBOX_TEST_SECOND_ERROR;
|
| -
|
| - if (!CheckWin8StrictHandlePolicy())
|
| - return SBOX_TEST_THIRD_ERROR;
|
| -
|
| - if (!CheckWin8Win32CallPolicy())
|
| - return SBOX_TEST_FOURTH_ERROR;
|
| -
|
| - if (!CheckWin8DllExtensionPolicy())
|
| - return SBOX_TEST_FIFTH_ERROR;
|
| -
|
| - return SBOX_TEST_SUCCEEDED;
|
| -}
|
| -
|
| -TEST(ProcessMitigationsTest, CheckWin8) {
|
| - if (base::win::GetVersion() < base::win::VERSION_WIN8)
|
| - return;
|
| -
|
| - TestRunner runner;
|
| - sandbox::TargetPolicy* policy = runner.GetPolicy();
|
| -
|
| - EXPECT_EQ(policy->SetProcessMitigations(
|
| - MITIGATION_DEP |
|
| - MITIGATION_DEP_NO_ATL_THUNK |
|
| - MITIGATION_RELOCATE_IMAGE |
|
| - MITIGATION_RELOCATE_IMAGE_REQUIRED |
|
| - MITIGATION_EXTENSION_DLL_DISABLE),
|
| - SBOX_ALL_OK);
|
| -
|
| - EXPECT_EQ(policy->SetDelayedProcessMitigations(
|
| - MITIGATION_STRICT_HANDLE_CHECKS |
|
| - MITIGATION_WIN32K_DISABLE),
|
| - SBOX_ALL_OK);
|
| -
|
| - EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8"));
|
| -}
|
| -
|
| -
|
| -SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) {
|
| -#if !defined(_WIN64) // DEP is always enabled on 64-bit.
|
| - GetProcessDEPPolicyFunction get_process_dep_policy =
|
| - reinterpret_cast<GetProcessDEPPolicyFunction>(
|
| - ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
|
| - "GetProcessDEPPolicy"));
|
| - if (get_process_dep_policy) {
|
| - BOOL is_permanent = FALSE;
|
| - DWORD dep_flags = 0;
|
| -
|
| - if (!get_process_dep_policy(::GetCurrentProcess(), &dep_flags,
|
| - &is_permanent)) {
|
| - return SBOX_TEST_FIRST_ERROR;
|
| - }
|
| -
|
| - if (!(dep_flags & PROCESS_DEP_ENABLE) || !is_permanent)
|
| - return SBOX_TEST_SECOND_ERROR;
|
| -
|
| - } else {
|
| - NtQueryInformationProcessFunction query_information_process = NULL;
|
| - ResolveNTFunctionPtr("NtQueryInformationProcess",
|
| - &query_information_process);
|
| - if (!query_information_process)
|
| - return SBOX_TEST_NOT_FOUND;
|
| -
|
| - ULONG size = 0;
|
| - ULONG dep_flags = 0;
|
| - if (!SUCCEEDED(query_information_process(::GetCurrentProcess(),
|
| - ProcessExecuteFlags, &dep_flags,
|
| - sizeof(dep_flags), &size))) {
|
| - return SBOX_TEST_THIRD_ERROR;
|
| - }
|
| -
|
| - const int MEM_EXECUTE_OPTION_ENABLE = 1;
|
| - const int MEM_EXECUTE_OPTION_DISABLE = 2;
|
| - const int MEM_EXECUTE_OPTION_ATL7_THUNK_EMULATION = 4;
|
| - const int MEM_EXECUTE_OPTION_PERMANENT = 8;
|
| - dep_flags &= 0xff;
|
| -
|
| - if (dep_flags != (MEM_EXECUTE_OPTION_DISABLE |
|
| - MEM_EXECUTE_OPTION_PERMANENT)) {
|
| - return SBOX_TEST_FOURTH_ERROR;
|
| - }
|
| - }
|
| -#endif
|
| -
|
| - return SBOX_TEST_SUCCEEDED;
|
| -}
|
| -
|
| -TEST(ProcessMitigationsTest, CheckDep) {
|
| - if (!IsXPSP2OrLater() || base::win::GetVersion() > base::win::VERSION_WIN7)
|
| - return;
|
| -
|
| - TestRunner runner;
|
| - sandbox::TargetPolicy* policy = runner.GetPolicy();
|
| -
|
| - EXPECT_EQ(policy->SetProcessMitigations(
|
| - MITIGATION_DEP |
|
| - MITIGATION_DEP_NO_ATL_THUNK |
|
| - MITIGATION_SEHOP),
|
| - SBOX_ALL_OK);
|
| - EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep"));
|
| -}
|
| -
|
| -} // namespace sandbox
|
| -
|
|
|
Chromium Code Reviews
Issue 10907217:
Revert 156550 - Add sandbox support for Windows process mitigations (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/