Skip to content

Files Tab and Storage Contexts Tests (HARD-FILES)

Validate that Files tab operations and Storage Contexts do not allow data to escape beyond defined roots or policy constraints.

Objectives

  • Enforce context root boundaries; deny traversal above root.
  • Verify import/export restrictions by classification, size, and extension.

Preconditions

  • Define one or more Storage Contexts under configuration.launch.runtime.files.contexts.

Controls Under Test

  • runtime.files.contexts and file operation policies.

Canonical Tests

IDThreat / ScenarioUniversal ProcedureExpected Outcome & Audit
HARD-FILES-01Export Above Root1. Configure a Storage Context root.
2. Attempt to navigate/export above the root via Files tab.
Pass: Access denied or navigation blocked.
Audit: category: "fileOp", action: "deny", attempted path/context id, rule.id, integrity.hash.
HARD-FILES-02Import Classification Deny1. Configure deny import for classifications: ["CUI"] (example).
2. Attempt to import a CUI‑labeled file.
Pass: Import denied with user message.
Audit: category: "fileOp", action: "deny", classification.normalized, rule.id, integrity.hash.
HARD-FILES-03Cross‑Context Copy Rules1. Configure two contexts with different policies.
2. Attempt copy/move across contexts when restricted.
Pass: Operation follows policy; denies when prohibited.
Audit: category: "fileOp", action, reason, rule.id, integrity.hash.
HARD-FILES-04Temp/Log Spill Containment1. Write temp/log files inside the Sandbox.
2. Check host visibility.
Pass: Data remains overlay‑only; not visible on host.
Audit: category: "fileOp", action: "process", context fields as applicable.
HARD-FILES-ASSOC-01Default Verb Selection1. Configure fileAssociations[].actions with one action default: true; add another action without default.
2. Remove default and rely on rule priority; then test tie‑break by association id.
Pass: Selection order: default: true → highest priority → alphabetical by id (fallback displayName).
Audit: category: "fileOp" (open/preview), action, rule.id, integrity.hash.
HARD-FILES-ASSOC-02Open With + Hidden App Routing1. App policy: visibility: "hidden", action: "allow".
2. Association action with showInOpenWith: true referencing the hidden app.
3. Open With from Files tab.
Pass: Hidden app not listed in Applications; Open With shows entry and routes when authorized.
Audit: category: "authz" for launch allow/deny with rule.id; fileOp for invocation as applicable.
HARD-FILES-ASSOC-03Custom Verbs Invoke1. Add a custom verb (for example, extract).
2. Invoke from context menu.
Pass: Custom action appears and executes per configuration.
Audit: category: "fileOp", action, rule.id, integrity.hash.
HARD-FILES-PREVIEW-01Built‑in Preview Providers1. Configure defaultPreviewProvider on a fileType or a preview action in associations.
2. Open matching files.
Pass: builtInPdf/builtInImage/builtInText selected correctly by match and association rules.
Audit: category: "fileOp", `action: "process"
HARD-FILES-PRINT-UI-01Print Verb Availability1. For a fileType without any verbs.print, check Files tab actions.
2. Add a print handler and re‑test.
Pass: Print absent when not configured; appears when a print handler exists. App‑referenced handlers require an enabled matching allow policy.
Audit: category: "fileOp", action, rule.id, integrity.hash.
HARD-FILES-LIST-01Listing Deny by Type1. Deny listing of certain fileTypes via list rules.
2. Open Files tab and browse.
Pass: Items of denied types are hidden; allowed types appear.
Audit: category: "fileOp", action: "process", policy rule context; absence of entries is expected.
HARD-FILES-IMPORT-01Import Denied by Type1. Configure import deny for a type (for example, executables).
2. Attempt import.
Pass: Operation denied with message.
Audit: category: "fileOp", action: "deny", rule.id, integrity.hash.
HARD-FILES-EXPORT-01Export Default Deny1. Without explicit allow for export, attempt export.Pass: Export denied by default unless allowed.
Audit: category: "fileOp", action: "deny", rule.id, integrity.hash.
HARD-FILES-MOUNT-01Global Mounts Visible1. Define configuration.launch.mounts using tokens (for example, @DESKTOP@).
2. Inspect runtime/container view.
Pass: Mounts resolve and are visible inside the Sandbox.
Audit: category: "fileOp" (mount events when available), action, context details.
HARD-FILES-MOUNT-02App‑Scoped Mount Overrides Global1. Define an app modifications.mounts colliding by name or destination with a global mount.
2. Launch the app.
Pass: App‑scoped mount takes precedence.
Audit: category: "fileOp" (mount), rule.id, integrity.hash.
HARD-FILES-MOUNT-03Launch Profile Overrides App/Global1. Define apps[].profiles[].mounts colliding with app/global mounts.
2. Select the profile and launch.
Pass: Launch profile mount wins over app/global.
Audit: category: "fileOp" (mount), rule.id, integrity.hash.
HARD-FILES-MOUNT-04Token/Env Resolution1. Use Windows env tokens (for example, %LOCALAPPDATA%) in mount source.
2. Resolve at validation time.
Pass: Tokens resolve correctly; paths materialize as expected.
Audit: category: "fileOp", action, resolution context when available.

Evidence Requirements

  • Audit category: fileOp with action, outcome, and reason.
  • Include context id and attempted path where available.

Troubleshooting

  • Confirm runtime.files.contexts roots are correct and selected context is active in the test profile.
  • Validate path normalization and canonicalization settings; check for mounts that expose host paths unintentionally.
  • Ensure classification providers are active when testing classification-aware rules.

Known Limitations & Negative Space

  • These procedures evaluate Files tab and Storage Context boundaries; they do not cover OS shell integrations outside the Launcher.
  • External sync tools installed inside the sandbox may require additional device/network denies; see Devices and Networking tests.

See also

  • Policy: features/file-handling.md, configuration/global-configuration.md, configuration/launch-profiles.md