diff options
Diffstat (limited to 'security/sandbox/chromium/sandbox/win/src/app_container_test.cc')
-rw-r--r-- | security/sandbox/chromium/sandbox/win/src/app_container_test.cc | 161 |
1 files changed, 0 insertions, 161 deletions
diff --git a/security/sandbox/chromium/sandbox/win/src/app_container_test.cc b/security/sandbox/chromium/sandbox/win/src/app_container_test.cc deleted file mode 100644 index ced5cbde7..000000000 --- a/security/sandbox/chromium/sandbox/win/src/app_container_test.cc +++ /dev/null @@ -1,161 +0,0 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include <windows.h> - -#define _ATL_NO_EXCEPTIONS -#include <atlbase.h> -#include <atlsecurity.h> - -#include "base/strings/string16.h" -#include "base/win/scoped_handle.h" -#include "base/win/windows_version.h" -#include "sandbox/win/src/sync_policy_test.h" -#include "testing/gtest/include/gtest/gtest.h" - -namespace { - -const wchar_t kAppContainerName[] = L"sbox_test"; -const wchar_t kAppContainerSid[] = - L"S-1-15-2-3251537155-1984446955-2931258699-841473695-1938553385-" - L"924012148-2839372144"; - -const ULONG kSharing = FILE_SHARE_WRITE | FILE_SHARE_READ | FILE_SHARE_DELETE; - -HANDLE CreateTaggedEvent(const base::string16& name, - const base::string16& sid) { - base::win::ScopedHandle event(CreateEvent(NULL, FALSE, FALSE, name.c_str())); - if (!event.IsValid()) - return NULL; - - wchar_t file_name[MAX_PATH] = {}; - wchar_t temp_directory[MAX_PATH] = {}; - GetTempPath(MAX_PATH, temp_directory); - GetTempFileName(temp_directory, L"test", 0, file_name); - - base::win::ScopedHandle file; - file.Set(CreateFile(file_name, GENERIC_READ | STANDARD_RIGHTS_READ, kSharing, - NULL, OPEN_EXISTING, 0, NULL)); - DeleteFile(file_name); - if (!file.IsValid()) - return NULL; - - CSecurityDesc sd; - if (!AtlGetSecurityDescriptor(file.Get(), SE_FILE_OBJECT, &sd, - OWNER_SECURITY_INFORMATION | - GROUP_SECURITY_INFORMATION | - DACL_SECURITY_INFORMATION)) { - return NULL; - } - - PSID local_sid; - if (!ConvertStringSidToSid(sid.c_str(), &local_sid)) - return NULL; - - CDacl new_dacl; - sd.GetDacl(&new_dacl); - CSid csid(reinterpret_cast<SID*>(local_sid)); - new_dacl.AddAllowedAce(csid, EVENT_ALL_ACCESS); - if (!AtlSetDacl(event.Get(), SE_KERNEL_OBJECT, new_dacl)) - event.Close(); - - LocalFree(local_sid); - return event.IsValid() ? event.Take() : NULL; -} - -} // namespace - -namespace sandbox { - -TEST(AppContainerTest, AllowOpenEvent) { - if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8) - return; - - TestRunner runner(JOB_UNPROTECTED, USER_UNPROTECTED, USER_UNPROTECTED); - - const wchar_t capability[] = L"S-1-15-3-12345678-87654321"; - base::win::ScopedHandle handle(CreateTaggedEvent(L"test", capability)); - ASSERT_TRUE(handle.IsValid()); - - EXPECT_EQ(SBOX_ALL_OK, - runner.broker()->InstallAppContainer(kAppContainerSid, - kAppContainerName)); - EXPECT_EQ(SBOX_ALL_OK, runner.GetPolicy()->SetCapability(capability)); - EXPECT_EQ(SBOX_ALL_OK, runner.GetPolicy()->SetAppContainer(kAppContainerSid)); - - EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_Open f test")); - - runner.SetTestState(BEFORE_REVERT); - EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_Open f test")); - EXPECT_EQ(SBOX_ALL_OK, - runner.broker()->UninstallAppContainer(kAppContainerSid)); -} - -TEST(AppContainerTest, DenyOpenEvent) { - if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8) - return; - - TestRunner runner(JOB_UNPROTECTED, USER_UNPROTECTED, USER_UNPROTECTED); - - const wchar_t capability[] = L"S-1-15-3-12345678-87654321"; - base::win::ScopedHandle handle(CreateTaggedEvent(L"test", capability)); - ASSERT_TRUE(handle.IsValid()); - - EXPECT_EQ(SBOX_ALL_OK, - runner.broker()->InstallAppContainer(kAppContainerSid, - kAppContainerName)); - EXPECT_EQ(SBOX_ALL_OK, runner.GetPolicy()->SetAppContainer(kAppContainerSid)); - - EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_Open f test")); - - runner.SetTestState(BEFORE_REVERT); - EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_Open f test")); - EXPECT_EQ(SBOX_ALL_OK, - runner.broker()->UninstallAppContainer(kAppContainerSid)); -} - -TEST(AppContainerTest, NoImpersonation) { - if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8) - return; - - TestRunner runner(JOB_UNPROTECTED, USER_LIMITED, USER_LIMITED); - EXPECT_EQ(SBOX_ALL_OK, runner.GetPolicy()->SetAppContainer(kAppContainerSid)); -} - -TEST(AppContainerTest, WantsImpersonation) { - if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8) - return; - - TestRunner runner(JOB_UNPROTECTED, USER_UNPROTECTED, USER_NON_ADMIN); - EXPECT_EQ(SBOX_ERROR_CANNOT_INIT_APPCONTAINER, - runner.GetPolicy()->SetAppContainer(kAppContainerSid)); -} - -TEST(AppContainerTest, RequiresImpersonation) { - if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8) - return; - - TestRunner runner(JOB_UNPROTECTED, USER_RESTRICTED, USER_RESTRICTED); - EXPECT_EQ(SBOX_ERROR_CANNOT_INIT_APPCONTAINER, - runner.GetPolicy()->SetAppContainer(kAppContainerSid)); -} - -TEST(AppContainerTest, DenyOpenEventForLowBox) { - if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8) - return; - - TestRunner runner(JOB_UNPROTECTED, USER_UNPROTECTED, USER_UNPROTECTED); - - base::win::ScopedHandle event(CreateEvent(NULL, FALSE, FALSE, L"test")); - ASSERT_TRUE(event.IsValid()); - - EXPECT_EQ(SBOX_ALL_OK, runner.GetPolicy()->SetLowBox(kAppContainerSid)); - - EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_Open f test")); -} - -// TODO(shrikant): Please add some tests to prove usage of lowbox token like -// socket connection to local server in lock down mode. - -} // namespace sandbox |