Appearance
Drag-and-Drop Egress Tests (DM-DRAG)
Validate that drag-and-drop operations do not allow files or objects to leave the Secure Sandbox unless explicitly authorized.
Objectives
- Enforce deny-by-default posture for outbound drag-and-drop.
- Verify classification-aware rules and per-direction controls.
Preconditions
- Policy sets
runtime.dataMotion.settings.dragDrop.enabled: trueand a deny-by-default posture.
Controls Under Test
runtime.dataMotion.rules[]withchannel: "dragDrop"anddirection: in|out|both.
Test Scenarios
| ID | Test Scenario | Procedure | Expected Outcome |
|---|---|---|---|
| DM-DRAG-01 | File Drop (Outbound) | 1. Policy: dragDrop direction out = deny.2. App: Drag file from sandbox window to Host Desktop. | Pass: Drag operation is blocked (cursor shows "no" symbol or drop does nothing). |
| DM-DRAG-02 | Inbound Block | 1. Policy: dragDrop direction in = deny.2. Host: Drag malware.exe into sandbox window. | Pass: File is not transferred into the sandbox. |
| DM-DRAG-03 | Classification Filter | 1. Policy: Deny classifications: ["Confidential"].2. App: Drag labeled file to host. | Pass: Labeled file is blocked; unlabeled file (if allowed) passes. |
Evidence Requirements
- Audit category:
dataMotionwithchannel: "dragDrop",direction,action,outcome. - Include
rule.id,priority, counts/bytes, and classification context where applicable.
Troubleshooting
- Verify
runtime.dataMotion.settings.dragDrop.enabled: trueand the intended default posture. - Check rule ordering and
priority; ensure the specific deny rule precedes broader allow rules. - Confirm classification detection is configured when rules reference
classifications.
Known Limitations & Negative Space
- These tests validate functional drag-and-drop control, not covert channels (for example, screen capture or OCR). See related procedures in Data Egress and Screen Capture.
- Application-specific drag APIs may present unique formats; ensure format detection covers common cases.
