public void UniqueUserPerContainer()
{
Container1 = CreateContainer(Container1Handle);
Container2 = CreateContainer(Container2Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = "whoami.exe",
DisablePathMapping = true,
Privileged = false
};
var io1 = new StringProcessIO();
var io2 = new StringProcessIO();
Container1.Run(pSpec, io1).WaitForExit();
Container2.Run(pSpec, io2).WaitForExit();
var user1 = io1.Output.ToString();
var user2 = io2.Output.ToString();
Assert.NotEmpty(user1);
Assert.NotEmpty(user2);
Assert.NotEqual(user1, user2);
}
public void Stop_StillWorks_Eventually()
{
Container1 = CreateContainer(Container1Handle);
string userid = null;
Container1.ImpersonateContainerUser(() =>
{
userid = WindowsIdentity.GetCurrent().User.ToString();
});
var pSpec = new ProcessSpec
{
ExecutablePath = "cmd.exe",
DisablePathMapping = true,
Arguments = new string[] { @"/C ""FOR /L %% IN () DO ping 127.0.0.1 -n 2""" },
};
// START THE LONG RUNNING PROCESS
var io = new StringProcessIO();
var process = Container1.Run(pSpec, io);
var realProcess = Process.GetProcessById(process.Id);
Process containerHost = FindProcessByUserAndName(userid, "IronFrame.Host");
ProcessInfoHelper.SuspendProcess(containerHost.Id);
Container1.Stop(true);
Assert.True(realProcess.HasExited);
}
public void StartShortLivedTask()
{
Container1 = CreateContainer(Container1Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = "cmd.exe",
DisablePathMapping = true,
Arguments = new string[] { "/C \"set CONTAINER_HANDLE && set PROC_ENV\"" },
Environment = new Dictionary <string, string>
{
{ "PROC_ENV", "VAL1" }
},
};
// RUN THE SHORT LIVED PROCESS
var io = new StringProcessIO();
var process = Container1.Run(pSpec, io);
int exitCode;
bool exited = process.TryWaitForExit(2000, out exitCode);
var output = io.Output.ToString().Trim();
var error = io.Error.ToString().Trim();
// VERIFY THE PROCESS RAN AND EXITED
Assert.True(exited);
Assert.Equal(exitCode, 0);
// VERIFY THE ENVIRONMENT WAS SET
Assert.Contains("CONTAINER_HANDLE=" + Container1.Handle, output);
Assert.Contains("PROC_ENV=VAL1", output);
}
public void StartAndStopLongRunningProcess()
{
Container1 = CreateContainer(Container1Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = "ping.exe",
DisablePathMapping = true,
Arguments = new string[] { "127.0.0.1", "-n", "-1" },
};
// START THE LONG RUNNING PROCESS
var io = new StringProcessIO();
var process = Container1.Run(pSpec, io);
int exitCode;
bool exited = process.TryWaitForExit(500, out exitCode);
// VERIFY IT HASNT EXITED YET
Assert.False(exited);
var actualProcess = Process.GetProcessById(process.Id);
Assert.False(actualProcess.HasExited);
// KILL THE PROCESS AND WAIT FOR EXIT
process.Kill();
exited = process.TryWaitForExit(2000, out exitCode);
// VERIFY THE PROCESS WAS KILLED
Assert.True(exited);
Assert.True(actualProcess.HasExited);
Assert.True(io.Output.ToString().Length > 0);
}
public void UserHasAProfileLoaded()
{
Container1 = CreateContainer(Container1Handle);
var exePath = Container1.Directory.MapUserPath("x509app.exe");
var compilerPath = Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), "csc.exe");
var srcPath = Path.Combine(Environment.CurrentDirectory, "..", "..", "fixtures", "x509app.cs");
var compileProcess = new Process()
{
StartInfo = new ProcessStartInfo()
{
FileName = compilerPath,
Arguments = "/out:" + exePath + " " + srcPath,
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false,
}
};
compileProcess.Start();
string output = compileProcess.StandardOutput.ReadToEnd();
string err = compileProcess.StandardOutput.ReadToEnd();
compileProcess.WaitForExit();
if (compileProcess.ExitCode != 0)
{
logger.WriteLine(output);
logger.WriteLine(err);
}
Assert.Equal(0, compileProcess.ExitCode);
var pSpec = new ProcessSpec
{
ExecutablePath = exePath,
DisablePathMapping = true,
};
var io = new StringProcessIO();
Container1.Run(pSpec, io).WaitForExit();
output = io.Output.ToString();
err = io.Error.ToString();
if (output.Contains("FAILURE"))
{
logger.WriteLine(output);
logger.WriteLine(err);
}
Assert.Contains("SUCCESS", output);
var username = "******" + Container1.Id;
Container1.Destroy();
Container1Handle = null;
var userDir = Path.Combine(Environment.GetEnvironmentVariable("SYSTEMDRIVE") + @"\", "Users", username);
Assert.False(Directory.Exists(userDir));
}
public void Enforced()
{
Container1 = CreateContainer(Container1Handle);
Container1.LimitDisk(10 * 1024);
var pSpec = new ProcessSpec
{
ExecutablePath = "cmd",
DisablePathMapping = true,
Privileged = false,
WorkingDirectory = Container1.Directory.UserPath,
};
var io1 = new StringProcessIO();
var passed = 0;
var failed = 0;
for (int i = 0; i < 20; i++)
{
pSpec.Arguments = new[] { "/C", "echo Hi Bob > bob" + i + ".txt" };
var proc = Container1.Run(pSpec, io1);
var exitCode = proc.WaitForExit();
if (exitCode == 0)
{
passed++;
}
else
{
failed++;
}
}
Assert.Equal(13, passed);
Assert.Equal(7, failed);
}
public void StartAndStopLauncher()
{
Container1 = CreateContainer(Container1Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = @"cmd.exe",
DisablePathMapping = true,
Arguments = new string[] { "/C ping.exe 127.0.0.1 -n 1000" },
};
// START THE LONG RUNNING PROCESS
var io = new StringProcessIO();
var process = Container1.Run(pSpec, io);
int exitCode;
bool exited = process.TryWaitForExit(500, out exitCode);
// VERIFY IT HASNT EXITED YET
Assert.False(exited);
var actualProcess = Process.GetProcessById(process.Id);
var childProcess = Process.GetProcesses().FirstOrDefault(x =>
{
// Get some basic information about the process
PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
try
{
uint bytesWritten;
NtQueryInformationProcess(x.Handle,
0, ref pbi, (uint)Marshal.SizeOf(pbi),
out bytesWritten); // == 0 is OK
// Is it a child process of the process we're trying to terminate?
return((int)pbi.InheritedFromUniqueProcessId == process.Id);
}
catch (Exception)
{
return(false);
}
});
Assert.False(actualProcess.HasExited);
Assert.False(childProcess.HasExited);
// KILL THE PROCESS AND WAIT FOR EXIT
process.Kill();
exited = process.TryWaitForExit(2000, out exitCode);
// VERIFY THE PROCESS WAS KILLED
Assert.True(exited);
Assert.True(actualProcess.HasExited);
Assert.True(childProcess.HasExited);
Assert.True(io.Output.ToString().Length > 0);
}
public StartGuard()
{
Container1 = CreateContainer(Container1Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = @"cmd.exe",
DisablePathMapping = true,
Arguments = new string[] { "/C ping.exe 127.0.0.1 -n 1000" },
};
var io = new StringProcessIO();
Container1.Run(pSpec, io);
}
public void ContainerUserInContainerGroup()
{
Container1 = CreateContainer(Container1Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = "whoami.exe",
DisablePathMapping = true,
Arguments = new string[] { "/GROUPS" }
};
var io = new StringProcessIO();
Container1.Run(pSpec, io).WaitForExit();
var groupOutput = io.Output.ToString();
Assert.Contains(UserGroupName, groupOutput);
}
public void ContainerUserImpersonationDisabled()
{
Container1 = CreateContainer(Container1Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = "whoami.exe",
DisablePathMapping = true,
Arguments = new string[] { "/priv", "/fo", "csv" }
};
var io = new StringProcessIO();
Container1.Run(pSpec, io).WaitForExit();
var privilegeOutput = io.Output.ToString();
Assert.Matches("\"SeImpersonatePrivilege\",[^,]+,\"Disabled\"", privilegeOutput);
}
public void RunExecutablePathsWithDriveLetter()
{
Container1 = CreateContainer(Container1Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = @"C:\Windows\System32\cmd.exe",
DisablePathMapping = false,
Arguments = new string[] { "/c", "echo", "test-run" }
};
var io = new StringProcessIO();
Container1.Run(pSpec, io).WaitForExit();
var output = io.Output.ToString();
Assert.Contains("test-run", output);
}
public void FindAndKillProcess()
{
Container1 = CreateContainer(Container1Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = "cmd.exe",
DisablePathMapping = true,
Arguments = new string[] { @"/C ""FOR /L %% IN () DO ping 127.0.0.1 -n 2""" },
};
// START THE LONG RUNNING PROCESS
var io = new StringProcessIO();
var process = Container1.Run(pSpec, io);
var foundProcessByPid = Container1.FindProcessById(process.Id);
// KILL THE PROCESS AND WAIT FOR EXIT
foundProcessByPid.Kill();
int exitCode;
var exited = process.TryWaitForExit(2000, out exitCode);
// VERIFY THE PROCESS WAS KILLED
Assert.True(exited);
}
public void FindAndKillProcess()
{
Container1 = CreateContainer(Container1Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = "cmd.exe",
DisablePathMapping = true,
Arguments = new string[] { @"/C ""FOR /L %% IN () DO ping 127.0.0.1 -n 2""" },
};
// START THE LONG RUNNING PROCESS
var io = new StringProcessIO();
var process = Container1.Run(pSpec, io);
var foundProcessByPid = Container1.FindProcessById(process.Id);
// KILL THE PROCESS AND WAIT FOR EXIT
foundProcessByPid.Kill();
int exitCode;
var exited = process.TryWaitForExit(2000, out exitCode);
// VERIFY THE PROCESS WAS KILLED
Assert.True(exited);
}
public void StartAndStopLauncher()
{
Container1 = CreateContainer(Container1Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = @"cmd.exe",
DisablePathMapping = true,
Arguments = new string[] { "/C ping.exe 127.0.0.1 -n 1000" },
};
// START THE LONG RUNNING PROCESS
var io = new StringProcessIO();
var process = Container1.Run(pSpec, io);
int exitCode;
bool exited = process.TryWaitForExit(500, out exitCode);
// VERIFY IT HASNT EXITED YET
Assert.False(exited);
var actualProcess = Process.GetProcessById(process.Id);
var childProcess = Process.GetProcesses().FirstOrDefault(x =>
{
// Get some basic information about the process
PROCESS_BASIC_INFORMATION pbi = new PROCESS_BASIC_INFORMATION();
try
{
uint bytesWritten;
NtQueryInformationProcess(x.Handle,
0, ref pbi, (uint)Marshal.SizeOf(pbi),
out bytesWritten); // == 0 is OK
// Is it a child process of the process we're trying to terminate?
return (int)pbi.InheritedFromUniqueProcessId == process.Id;
}
catch (Exception)
{
return false;
}
});
Assert.False(actualProcess.HasExited);
Assert.False(childProcess.HasExited);
// KILL THE PROCESS AND WAIT FOR EXIT
process.Kill();
exited = process.TryWaitForExit(2000, out exitCode);
// VERIFY THE PROCESS WAS KILLED
Assert.True(exited);
Assert.True(actualProcess.HasExited);
Assert.True(childProcess.HasExited);
Assert.True(io.Output.ToString().Length > 0);
}
public void StartAndStopLongRunningProcess()
{
Container1 = CreateContainer(Container1Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = "ping.exe",
DisablePathMapping = true,
Arguments = new string[] { "127.0.0.1", "-n", "-1" },
};
// START THE LONG RUNNING PROCESS
var io = new StringProcessIO();
var process = Container1.Run(pSpec, io);
int exitCode;
bool exited = process.TryWaitForExit(500, out exitCode);
// VERIFY IT HASNT EXITED YET
Assert.False(exited);
var actualProcess = Process.GetProcessById(process.Id);
Assert.False(actualProcess.HasExited);
// KILL THE PROCESS AND WAIT FOR EXIT
process.Kill();
exited = process.TryWaitForExit(2000, out exitCode);
// VERIFY THE PROCESS WAS KILLED
Assert.True(exited);
Assert.True(actualProcess.HasExited);
Assert.True(io.Output.ToString().Length > 0);
}
public void StartShortLivedTask()
{
Container1 = CreateContainer(Container1Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = "cmd.exe",
DisablePathMapping = true,
Arguments = new string[] { "/C \"set CONTAINER_HANDLE && set PROC_ENV\"" },
Environment = new Dictionary<string, string>
{
{"PROC_ENV", "VAL1"}
},
};
// RUN THE SHORT LIVED PROCESS
var io = new StringProcessIO();
var process = Container1.Run(pSpec, io);
int exitCode;
bool exited = process.TryWaitForExit(2000, out exitCode);
var output = io.Output.ToString().Trim();
var error = io.Error.ToString().Trim();
// VERIFY THE PROCESS RAN AND EXITED
Assert.True(exited);
Assert.Equal(exitCode, 0);
// VERIFY THE ENVIRONMENT WAS SET
Assert.Contains("CONTAINER_HANDLE=" + Container1.Handle, output);
Assert.Contains("PROC_ENV=VAL1", output);
}
public void ContainerUserInContainerGroup()
{
Container1 = CreateContainer(Container1Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = "whoami.exe",
DisablePathMapping = true,
Arguments = new string[] { "/GROUPS" }
};
var io = new StringProcessIO();
Container1.Run(pSpec, io).WaitForExit();
var groupOutput = io.Output.ToString();
Assert.Contains(UserGroupName, groupOutput);
}
public void UniqueUserPerContainer()
{
Container1 = CreateContainer(Container1Handle);
Container2 = CreateContainer(Container2Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = "whoami.exe",
DisablePathMapping = true,
Privileged = false
};
var io1 = new StringProcessIO();
var io2 = new StringProcessIO();
Container1.Run(pSpec, io1).WaitForExit();
Container2.Run(pSpec, io2).WaitForExit();
var user1 = io1.Output.ToString();
var user2 = io2.Output.ToString();
Assert.NotEmpty(user1);
Assert.NotEmpty(user2);
Assert.NotEqual(user1, user2);
}
public void RunExecutablePathsWithDriveLetter()
{
Container1 = CreateContainer(Container1Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = @"C:\Windows\System32\cmd.exe",
DisablePathMapping = false,
Arguments = new string[] { "/c", "echo", "test-run" }
};
var io = new StringProcessIO();
Container1.Run(pSpec, io).WaitForExit();
var output = io.Output.ToString();
Assert.Contains("test-run", output);
}
public void Enforced()
{
Container1 = CreateContainer(Container1Handle);
Container1.LimitDisk(10 * 1024);
var pSpec = new ProcessSpec
{
ExecutablePath = "cmd",
DisablePathMapping = true,
Privileged = false,
WorkingDirectory = Container1.Directory.UserPath,
};
var io1 = new StringProcessIO();
var passed = 0;
var failed = 0;
for (int i = 0; i < 20; i++)
{
pSpec.Arguments = new[] { "/C", "echo Hi Bob > bob" + i + ".txt" };
var proc = Container1.Run(pSpec, io1);
var exitCode = proc.WaitForExit();
if (exitCode == 0)
{
passed++;
}
else
{
failed++;
}
}
Assert.Equal(13, passed);
Assert.Equal(7, failed);
}
public void Stop_StillWorks_Eventually()
{
Container1 = CreateContainer(Container1Handle);
string userid = null;
Container1.ImpersonateContainerUser(() =>
{
userid = WindowsIdentity.GetCurrent().User.ToString();
});
var pSpec = new ProcessSpec
{
ExecutablePath = "cmd.exe",
DisablePathMapping = true,
Arguments = new string[] { @"/C ""FOR /L %% IN () DO ping 127.0.0.1 -n 2""" },
};
// START THE LONG RUNNING PROCESS
var io = new StringProcessIO();
var process = Container1.Run(pSpec, io);
var realProcess = Process.GetProcessById(process.Id);
Process containerHost = FindProcessByUserAndName(userid, "IronFrame.Host");
ProcessInfoHelper.SuspendProcess(containerHost.Id);
Container1.Stop(true);
Assert.True(realProcess.HasExited);
}
public StartGuard()
{
Container1 = CreateContainer(Container1Handle);
var pSpec = new ProcessSpec
{
ExecutablePath = @"cmd.exe",
DisablePathMapping = true,
Arguments = new string[] { "/C ping.exe 127.0.0.1 -n 1000" },
};
var io = new StringProcessIO();
Container1.Run(pSpec, io);
}
