Appearance
Files Tab and Storage Contexts Tests (HARD-FILES)
Validate that Files tab operations and Storage Contexts do not allow data to escape beyond defined roots or policy constraints.
Objectives
- Enforce context root boundaries; deny traversal above root.
- Verify import/export restrictions by classification, size, and extension.
Preconditions
- Define one or more Storage Contexts under
configuration.launch.runtime.files.contexts.
Controls Under Test
runtime.files.contextsand file operation policies.
Canonical Tests
| ID | Threat / Scenario | Universal Procedure | Expected Outcome & Audit |
|---|---|---|---|
| HARD-FILES-01 | Export Above Root | 1. Configure a Storage Context root. 2. Attempt to navigate/export above the root via Files tab. | Pass: Access denied or navigation blocked. Audit: category: "fileOp", action: "deny", attempted path/context id, rule.id, integrity.hash. |
| HARD-FILES-02 | Import Classification Deny | 1. Configure deny import for classifications: ["CUI"] (example).2. Attempt to import a CUI‑labeled file. | Pass: Import denied with user message. Audit: category: "fileOp", action: "deny", classification.normalized, rule.id, integrity.hash. |
| HARD-FILES-03 | Cross‑Context Copy Rules | 1. Configure two contexts with different policies. 2. Attempt copy/move across contexts when restricted. | Pass: Operation follows policy; denies when prohibited. Audit: category: "fileOp", action, reason, rule.id, integrity.hash. |
| HARD-FILES-04 | Temp/Log Spill Containment | 1. Write temp/log files inside the Sandbox. 2. Check host visibility. | Pass: Data remains overlay‑only; not visible on host. Audit: category: "fileOp", action: "process", context fields as applicable. |
| HARD-FILES-ASSOC-01 | Default Verb Selection | 1. Configure fileAssociations[].actions with one action default: true; add another action without default.2. Remove default and rely on rule priority; then test tie‑break by association id. | Pass: Selection order: default: true → highest priority → alphabetical by id (fallback displayName).Audit: category: "fileOp" (open/preview), action, rule.id, integrity.hash. |
| HARD-FILES-ASSOC-02 | Open With + Hidden App Routing | 1. App policy: visibility: "hidden", action: "allow".2. Association action with showInOpenWith: true referencing the hidden app.3. Open With from Files tab. | Pass: Hidden app not listed in Applications; Open With shows entry and routes when authorized. Audit: category: "authz" for launch allow/deny with rule.id; fileOp for invocation as applicable. |
| HARD-FILES-ASSOC-03 | Custom Verbs Invoke | 1. Add a custom verb (for example, extract).2. Invoke from context menu. | Pass: Custom action appears and executes per configuration. Audit: category: "fileOp", action, rule.id, integrity.hash. |
| HARD-FILES-PREVIEW-01 | Built‑in Preview Providers | 1. Configure defaultPreviewProvider on a fileType or a preview action in associations.2. Open matching files. | Pass: builtInPdf/builtInImage/builtInText selected correctly by match and association rules.Audit: category: "fileOp", `action: "process" |
| HARD-FILES-PRINT-UI-01 | Print Verb Availability | 1. For a fileType without any verbs.print, check Files tab actions.2. Add a print handler and re‑test. | Pass: Print absent when not configured; appears when a print handler exists. App‑referenced handlers require an enabled matching allow policy. Audit: category: "fileOp", action, rule.id, integrity.hash. |
| HARD-FILES-LIST-01 | Listing Deny by Type | 1. Deny listing of certain fileTypes via list rules.2. Open Files tab and browse. | Pass: Items of denied types are hidden; allowed types appear. Audit: category: "fileOp", action: "process", policy rule context; absence of entries is expected. |
| HARD-FILES-IMPORT-01 | Import Denied by Type | 1. Configure import deny for a type (for example, executables). 2. Attempt import. | Pass: Operation denied with message. Audit: category: "fileOp", action: "deny", rule.id, integrity.hash. |
| HARD-FILES-EXPORT-01 | Export Default Deny | 1. Without explicit allow for export, attempt export. | Pass: Export denied by default unless allowed. Audit: category: "fileOp", action: "deny", rule.id, integrity.hash. |
| HARD-FILES-MOUNT-01 | Global Mounts Visible | 1. Define configuration.launch.mounts using tokens (for example, @DESKTOP@).2. Inspect runtime/container view. | Pass: Mounts resolve and are visible inside the Sandbox. Audit: category: "fileOp" (mount events when available), action, context details. |
| HARD-FILES-MOUNT-02 | App‑Scoped Mount Overrides Global | 1. Define an app modifications.mounts colliding by name or destination with a global mount.2. Launch the app. | Pass: App‑scoped mount takes precedence. Audit: category: "fileOp" (mount), rule.id, integrity.hash. |
| HARD-FILES-MOUNT-03 | Launch Profile Overrides App/Global | 1. Define apps[].profiles[].mounts colliding with app/global mounts.2. Select the profile and launch. | Pass: Launch profile mount wins over app/global. Audit: category: "fileOp" (mount), rule.id, integrity.hash. |
| HARD-FILES-MOUNT-04 | Token/Env Resolution | 1. Use Windows env tokens (for example, %LOCALAPPDATA%) in mount source.2. Resolve at validation time. | Pass: Tokens resolve correctly; paths materialize as expected. Audit: category: "fileOp", action, resolution context when available. |
Evidence Requirements
- Audit category:
fileOpwith action, outcome, and reason. - Include context id and attempted path where available.
Troubleshooting
- Confirm
runtime.files.contextsroots are correct and selected context is active in the test profile. - Validate path normalization and canonicalization settings; check for mounts that expose host paths unintentionally.
- Ensure classification providers are active when testing classification-aware rules.
Known Limitations & Negative Space
- These procedures evaluate Files tab and Storage Context boundaries; they do not cover OS shell integrations outside the Launcher.
- External sync tools installed inside the sandbox may require additional device/network denies; see Devices and Networking tests.
See also
- Policy:
features/file-handling.md,configuration/global-configuration.md,configuration/launch-profiles.md
