blob: 550380f4007373af4c888cceaf4b180f643433c3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <windows.h>
#include <string>
#define TEST_INJECTION_DLL
#include "chrome/test/security_tests/ipc_security_tests.h"
#include "content/common/injection_test_dll.h"
#include "sandbox/tests/common/controller.h"
#include "sandbox/tests/validation_tests/commands.h"
using sandbox::TestOpenKey;
using sandbox::TestOpenReadFile;
using sandbox::TestOpenWriteFile;
#define SECURITY_CHECK(x) (*test_count)++; \
if (sandbox::SBOX_TEST_DENIED != x) { \
return FALSE; \
};
BOOL APIENTRY DllMain(HMODULE module, DWORD ul_reason_for_call,
LPVOID lpReserved) {
return TRUE;
}
// Runs the security tests of sandbox for the renderer process.
// If a test fails, the return value is FALSE and test_count contains the
// number of tests executed, including the failing test.
BOOL __declspec(dllexport) __cdecl RunRendererTests(int *test_count) {
*test_count = 0;
SECURITY_CHECK(TestOpenReadFile(L"%SystemDrive%"));
SECURITY_CHECK(TestOpenReadFile(L"%SystemRoot%"));
SECURITY_CHECK(TestOpenReadFile(L"%ProgramFiles%"));
SECURITY_CHECK(TestOpenReadFile(L"%SystemRoot%\\System32"));
SECURITY_CHECK(TestOpenReadFile(L"%SystemRoot%\\explorer.exe"));
SECURITY_CHECK(TestOpenReadFile(L"%SystemRoot%\\Cursors\\arrow_i.cur"));
SECURITY_CHECK(TestOpenReadFile(L"%AllUsersProfile%"));
SECURITY_CHECK(TestOpenReadFile(L"%Temp%"));
SECURITY_CHECK(TestOpenReadFile(L"%AppData%"));
SECURITY_CHECK(TestOpenKey(HKEY_LOCAL_MACHINE, L""));
SECURITY_CHECK(TestOpenKey(HKEY_CURRENT_USER, L""));
SECURITY_CHECK(TestOpenKey(HKEY_USERS, L""));
SECURITY_CHECK(TestOpenKey(HKEY_LOCAL_MACHINE,
L"Software\\Microsoft\\Windows NT\\CurrentVersion\\WinLogon"));
// Test below run on a separate thread because they cannot block the
// renderer process. Therefore they do not return a meaningful value.
PipeImpersonationAttack();
return TRUE;
}
// Runs the security tests of sandbox for the plugin process.
// If a test fails, the return value is FALSE and test_count contains the
// number of tests executed, including the failing test.
BOOL __declspec(dllexport) __cdecl RunPluginTests(int *test_count) {
*test_count = 0;
SECURITY_CHECK(TestOpenWriteFile(L"%SystemRoot%"));
SECURITY_CHECK(TestOpenWriteFile(L"%ProgramFiles%"));
SECURITY_CHECK(TestOpenWriteFile(L"%SystemRoot%\\System32"));
SECURITY_CHECK(TestOpenWriteFile(L"%SystemRoot%\\explorer.exe"));
SECURITY_CHECK(TestOpenWriteFile(L"%SystemRoot%\\Cursors\\arrow_i.cur"));
return TRUE;
}
|
