start testingaaron/win_process_mitigations

Signed-off-by: Aaron Klotz <aaron@tailscale.com>

1 files changed, 57 insertions, 0 deletions

diff --git a/util/winutil/testdata/testprocessattributes/tests_windows.go b/util/winutil/testdata/testprocessattributes/tests_windows.go
new file mode 100644
index 000000000..93f543988
--- /dev/null
+++ b/util/winutil/testdata/testprocessattributes/tests_windows.go
@@ -0,0 +1,57 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package main
+
+import (
+	"fmt"
+
+	"tailscale.com/util/winutil"
+)
+
+func init() {
+	// registerInit("Foo", FooInit)
+	// register("Foo", Foo)
+	register("MitigateSelf", MitigateSelf)
+}
+
+func MitigateSelf() {
+	var zero winutil.ProcessMitigationPolicies
+	initialPolicies, err := winutil.CurrentProcessMitigationPolicies()
+	if err != nil {
+		fmt.Printf("error: CurrentProcessMitigationPolicies: %v\n", err)
+		return
+	}
+
+	if initialPolicies != zero {
+		fmt.Println("error: initialPolicies not zero value")
+		return
+	}
+
+	setTo := winutil.ProcessMitigationPolicies{
+		DisableExtensionPoints:          true,
+		PreferSystem32Images:            true,
+		ProhibitDynamicCode:             true,
+		ProhibitLowMandatoryLabelImages: true,
+		ProhibitNonMicrosoftSignedDLLs:  true,
+		ProhibitRemoteImages:            true,
+	}
+
+	if err := setTo.SetOnCurrentProcess(); err != nil {
+		fmt.Printf("error: SetOnCurrentProcess: %v\n", err)
+		return
+	}
+
+	checkPolicies, err := winutil.CurrentProcessMitigationPolicies()
+	if err != nil {
+		fmt.Printf("error: CurrentProcessMitigationPolicies: %v\n", err)
+		return
+	}
+
+	if checkPolicies != setTo {
+		fmt.Printf("error: checkPolicies got %#v, want %#v\n", checkPolicies, setTo)
+		return
+	}
+
+	fmt.Println("OK")
+}