Skip to content

Perforce CLI

Validate Perforce command-line client (p4.exe) behaviors under the Secure Sandbox.

Objectives

  • Enforce deny-by-default egress and designated proxy/pinned roots for Perforce server connections.
  • Verify workspace sync, edit, and print flows respect Storage Context boundaries.
  • Ensure SSL trust/pinning and fail-closed posture prevent MitM or direct egress.
  • Confirm ticket/trust and config files (for example, P4TICKETS, P4TRUST, P4CONFIG) write/read only within allowed contexts.

Preconditions

  • Windows target with Turbo Launcher and Secure Sandbox.
  • Perforce CLI installed (p4.exe).
  • Networking deny-by-default with proxy enforcement and pinned roots.
  • Optional: Test depot access (read-only is sufficient) to exercise p4 sync.

Controls Under Test

  • runtime.networking.egressDefaultAction, designated proxy enforcement, and pinned roots.
  • runtime.files.contexts (workspace root and ticket/trust/config file locations).

Test Scenarios

IDCanonical IDScenarioProcedureExpected Outcome
SCEN-TOOL-PERFORCE-CLI-01NET-EGRESS-01Server connection via FQDNp4 -p ssl:perforce.example.com:1666 info (or p4 login -a).Requests traverse designated proxy; denied if server not allowlisted.
SCEN-TOOL-PERFORCE-CLI-02NET-EGRESS-01Direct IPset P4PORT=ssl:1.1.1.1:1666 && p4 infoDenied per default deny; audit shows action: "deny".
SCEN-TOOL-PERFORCE-CLI-03NET-EGRESS-11IPv6 literalset P4PORT=ssl:[2606:4700:4700::1111]:1666 && p4 infoDenied; audit ipVersion: 6, action: "deny".
SCEN-TOOL-PERFORCE-CLI-04NET-EGRESS-09Proxy fail-closedTake designated proxy down; run p4 info.Denied; no direct fallback; reason: "proxyUnavailable", proxyEnforced: true.
SCEN-TOOL-PERFORCE-CLI-05NET-EGRESS-10Proxy identity/pinningIntercept proxy TLS with wrong CA; p4 info.TLS error/handshake failure; `reason: "certMismatch"
SCEN-TOOL-PERFORCE-CLI-06HARD-FILES-01Workspace sync inside Storage ContextSet client root to an allowed Storage Context; p4 sync //depot/sample/....Files populate only within the mapped Storage Context; no writes to blocked host paths.
SCEN-TOOL-PERFORCE-CLI-07HARD-FILES-01Workspace sync to blocked host pathClient root at C:\\Windows\\Temp\\p4ws; p4 sync.Denied or virtualized; writes confined to overlay/context.
SCEN-TOOL-PERFORCE-CLI-08HARD-FILES-01Ticket/trust file locationsp4 login (ticket) and p4 trust -y -f (trust).Ticket and trust files are written inside overlay/allowed context; no host escape.
SCEN-TOOL-PERFORCE-CLI-09NET-EGRESS-05Env proxy var bypassset HTTPS_PROXY=http://attacker:8080 && p4 info.Denied; reason: "unauthorizedProxy", proxyEnforced: true.
SCEN-TOOL-PERFORCE-CLI-10HARD-FILES-01Directed output to protected pathp4 print -q -o C:\\Windows\\test.txt //depot/sample.txt.Write denied or virtualized; audit fileOp deny/virtualize.
SCEN-TOOL-PERFORCE-CLI-11NET-EGRESS-01Non-SSL server (tcp/1666)p4 -p perforce.example.com:1666 info.Denied unless explicitly allowlisted; proxy/pinning still enforced.
SCEN-TOOL-PERFORCE-CLI-12NET-EGRESS-01UNC workspace rootMap client root to \\\\server\\share\\ws and run p4 sync.SMB egress blocked or writes constrained to contexts; audit deny.
SCEN-TOOL-PERFORCE-CLI-13HARD-FILES-01P4CONFIG outside contextPlace P4CONFIG=.p4config only in a blocked host path; run p4 set/p4 info.File discovery constrained; blocked paths not visible; config not loaded.
SCEN-TOOL-PERFORCE-CLI-14HARD-FILES-01Log file to protected pathp4 -L C:\\Windows\\p4.log info.Log creation denied or virtualized to overlay/context.

Optional: Perforce Proxy/Broker (if available)

IDCanonical IDScenarioProcedureExpected Outcome
SCEN-TOOL-PERFORCE-CLI-15NET-EGRESS-01Connect via designated p4proxyp4 -p ssl:p4proxy.corp.example:1666 info.Allowed only if proxy host is allowlisted and pinned; otherwise deny.
SCEN-TOOL-PERFORCE-CLI-16NET-EGRESS-09p4proxy outage (fail-closed)Stop p4p/blackhole proxy; p4 info.Denied; no fallback to origin server; reason: "proxyUnavailable".
SCEN-TOOL-PERFORCE-CLI-17NET-EGRESS-10p4broker/proxy TLS identityMitM proxy/broker TLS with wrong CA; p4 info.Denied; `reason: "certMismatch"
SCEN-TOOL-PERFORCE-CLI-18NET-EGRESS-01Non-designated broker chainPoint P4PORT to an external broker broker.evil.tld:1666; p4 info.Denied by default egress; audit shows deny to non-allowlisted host.

Evidence Requirements

  • network events: destination (for example, perforce.example.com:1666), protocol (tcp), ipVersion, action, outcome, proxyEnforced, and reason (for example, proxyUnavailable, certMismatch, pinningFailed, unauthorizedProxy).
  • fileOp events: client root writes and directed output (-o), plus writes to P4TICKETS/P4TRUST; include path, action/outcome (deny/virtualized), and context identifiers.

Troubleshooting

  • You can validate without credentials using p4 -p <server> info; if the server requires auth, p4 login -a is sufficient to exercise ticket file creation.
  • p4 trust stores a fingerprint; when designated proxy or pinned roots reject TLS, the connection should fail before trust is established.
  • Ensure the client root you pick cleanly maps inside or outside your allowed Storage Contexts to exercise both allowed and denied paths.

Known Limitations & Negative Space

  • Scenarios assume a generic Perforce server; Perforce Proxy/Broker details vary. Use the optional section only when available in your environment.
  • Windows symlink behaviors may vary by policy; these scenarios avoid symlink population.