1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
|
// Copyright (c) 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "base/win/windows_version.h"
#include "sandbox/win/src/handle_closer.h"
#include "sandbox/win/src/sandbox.h"
#include "sandbox/win/src/sandbox_policy.h"
#include "sandbox/win/src/sandbox_factory.h"
#include "sandbox/win/tests/common/controller.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace sandbox {
SBOX_TESTS_COMMAND int NamedPipe_Create(int argc, wchar_t **argv) {
if (argc < 1 || argc > 2) {
return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
}
if ((NULL == argv) || (NULL == argv[0])) {
return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
}
HANDLE pipe = ::CreateNamedPipeW(argv[0],
PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED,
PIPE_TYPE_BYTE | PIPE_READMODE_BYTE, 1, 4096,
4096, 2000, NULL);
if (INVALID_HANDLE_VALUE == pipe)
return SBOX_TEST_DENIED;
// The second parameter allows us to enforce a whitelist for where the
// pipe should be in the object namespace after creation.
if (argc == 2) {
base::string16 handle_name;
if (GetHandleName(pipe, &handle_name)) {
if (handle_name.compare(0, wcslen(argv[1]), argv[1]) != 0)
return SBOX_TEST_FAILED;
} else {
return SBOX_TEST_FAILED;
}
}
OVERLAPPED overlapped = {0};
overlapped.hEvent = ::CreateEvent(NULL, TRUE, TRUE, NULL);
BOOL result = ::ConnectNamedPipe(pipe, &overlapped);
if (!result) {
DWORD error = ::GetLastError();
if (ERROR_PIPE_CONNECTED != error &&
ERROR_IO_PENDING != error) {
return SBOX_TEST_FAILED;
}
}
if (!::CloseHandle(pipe))
return SBOX_TEST_FAILED;
::CloseHandle(overlapped.hEvent);
return SBOX_TEST_SUCCEEDED;
}
// Tests if we can create a pipe in the sandbox.
TEST(NamedPipePolicyTest, CreatePipe) {
TestRunner runner;
// TODO(nsylvain): This policy is wrong because "*" is a valid char in a
// namedpipe name. Here we apply it like a wildcard. http://b/893603
EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES,
TargetPolicy::NAMEDPIPES_ALLOW_ANY,
L"\\\\.\\pipe\\test*"));
EXPECT_EQ(SBOX_TEST_SUCCEEDED,
runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\testbleh"));
// On XP, the sandbox can create a pipe without any help but it fails on
// Vista+, this is why we do not test the "denied" case.
if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
EXPECT_EQ(SBOX_TEST_DENIED,
runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\bleh"));
}
}
// Tests if we can create a pipe with a path traversal in the sandbox.
TEST(NamedPipePolicyTest, CreatePipeTraversal) {
TestRunner runner;
// TODO(nsylvain): This policy is wrong because "*" is a valid char in a
// namedpipe name. Here we apply it like a wildcard. http://b/893603
EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES,
TargetPolicy::NAMEDPIPES_ALLOW_ANY,
L"\\\\.\\pipe\\test*"));
// On XP, the sandbox can create a pipe without any help but it fails on
// Vista+, this is why we do not test the "denied" case.
if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
EXPECT_EQ(SBOX_TEST_DENIED,
runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test\\..\\bleh"));
EXPECT_EQ(SBOX_TEST_DENIED,
runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test/../bleh"));
EXPECT_EQ(SBOX_TEST_DENIED,
runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test\\../bleh"));
EXPECT_EQ(SBOX_TEST_DENIED,
runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test/..\\bleh"));
}
}
// This tests that path canonicalization is actually disabled if we use \\?\
// syntax.
TEST(NamedPipePolicyTest, CreatePipeCanonicalization) {
// "For file I/O, the "\\?\" prefix to a path string tells the Windows APIs to
// disable all string parsing and to send the string that follows it straight
// to the file system."
// http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx
wchar_t* argv[2] = { L"\\\\?\\pipe\\test\\..\\bleh",
L"\\Device\\NamedPipe\\test" };
EXPECT_EQ(SBOX_TEST_SUCCEEDED, NamedPipe_Create(2, argv));
}
// The same test as CreatePipe but this time using strict interceptions.
TEST(NamedPipePolicyTest, CreatePipeStrictInterceptions) {
TestRunner runner;
runner.GetPolicy()->SetStrictInterceptions();
// TODO(nsylvain): This policy is wrong because "*" is a valid char in a
// namedpipe name. Here we apply it like a wildcard. http://b/893603
EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES,
TargetPolicy::NAMEDPIPES_ALLOW_ANY,
L"\\\\.\\pipe\\test*"));
EXPECT_EQ(SBOX_TEST_SUCCEEDED,
runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\testbleh"));
// On XP, the sandbox can create a pipe without any help but it fails on
// Vista+, this is why we do not test the "denied" case.
if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
EXPECT_EQ(SBOX_TEST_DENIED,
runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\bleh"));
}
}
} // namespace sandbox
|
