1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/win/src/policy_engine_params.h"
6 #include "sandbox/win/src/policy_engine_processor.h"
7 #include "sandbox/win/src/policy_low_level.h"
8 #include "testing/gtest/include/gtest/gtest.h"
9
// Helpers for spelling out the argument array handed to
// PolicyProcessor::Evaluate(). Used as
//
//   POLPARAMS_BEGIN(name)
//     POLPARAM(arg0)   // Argument 0
//     POLPARAM(arg1)   // Argument 1
//   POLPARAMS_END;
//
// which expands to a sandbox::ParameterSet array called |name| holding one
// sandbox::ParamPickerMake() entry per POLPARAM, in the order written. The
// position in the array is the parameter index that AddStringMatch() and
// AddNumberMatch() refer to.
#define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = {
#define POLPARAM(p) sandbox::ParamPickerMake(p),
#define POLPARAMS_END }
13
14 namespace sandbox {
15
// Declared here and defined outside this file. Every test below calls it
// first and ignores the bool it returns.
// NOTE(review): presumably resolves the ntdll entry points the policy engine
// depends on -- confirm against the definition.
bool SetupNtdllImports();
17
18 // Testing that we allow opcode generation on valid string patterns.
TEST(PolicyEngineTest, StringPatternsOK) {
  // Patterns that combine '?' and '*' in ways the rule builder accepts; each
  // one is added, in this order, as a further condition on the same rule.
  static const wchar_t* const kAcceptedPatterns[] = {
    L"c:\\adobe\\ver??\\",
    L"*.tmp",
    L"c:\\*.doc",
    L"c:\\windows\\*",
    L"d:\\adobe\\acrobat.exe",
  };

  SetupNtdllImports();
  PolicyRule rule(ASK_BROKER);
  for (size_t i = 0; i < _countof(kAcceptedPatterns); ++i) {
    EXPECT_TRUE(rule.AddStringMatch(IF, 0, kAcceptedPatterns[i],
                                    CASE_SENSITIVE))
        << "pattern index " << i;
  }
}
29
30 // Testing that we signal invalid string patterns.
TEST(PolicyEngineTest, StringPatternsBAD) {
  // Patterns the rule builder must refuse. The first two contain "**"; the
  // last two place '?' and '*' next to each other ("*?" and "?*").
  // Rejecting them at rule-construction time means a malformed pattern never
  // reaches the compiled policy.
  static const wchar_t* const kRejectedPatterns[] = {
    L"one**two",
    L"**three",
    L"five?six*?seven",
    L"eight?*nine",
  };

  SetupNtdllImports();
  PolicyRule rule(ASK_BROKER);
  for (size_t i = 0; i < _countof(kRejectedPatterns); ++i) {
    EXPECT_FALSE(rule.AddStringMatch(IF, 0, kRejectedPatterns[i],
                                     CASE_SENSITIVE))
        << "pattern index " << i;
  }
}
39
40 // Helper function to allocate space (on the heap) for policy.
// Returns a zero-filled 32 KiB heap buffer viewed as a PolicyGlobal, with
// data_size set to the bytes that remain after the PolicyGlobal header.
//
// Ownership passes to the caller. The storage comes from new char[], so it
// must be released the way the tests in this file do it:
//   delete [] reinterpret_cast<char*>(policy);
// Releasing it through the PolicyGlobal* type would not match the allocation.
PolicyGlobal* MakePolicyMemory() {
  const size_t kTotalPolicySz = 4096 * 8;
  // The trailing () value-initializes the array, so every byte starts as 0.
  char* const raw = new char[kTotalPolicySz]();
  PolicyGlobal* const policy = reinterpret_cast<PolicyGlobal*>(raw);
  policy->data_size = kTotalPolicySz - sizeof(PolicyGlobal);
  return policy;
}
49
// The simplest test using LowLevelPolicy: it should test a single opcode that
// does an exact string comparison.
TEST(PolicyEngineTest, SimpleStrMatch) {
  SetupNtdllImports();

  // One rule with one condition: argument 0 equals the path below, compared
  // without regard to case.
  PolicyRule rule(ASK_BROKER);
  EXPECT_TRUE(rule.AddStringMatch(IF, 0, L"z:\\Directory\\domo.txt",
                                  CASE_INSENSITIVE));

  const uint32 kFakeService = 2;
  PolicyGlobal* policy = MakePolicyMemory();
  LowLevelPolicy generator(policy);
  EXPECT_TRUE(generator.AddRule(kFakeService, &rule));
  EXPECT_TRUE(generator.Done());

  // Upper-case drive letter against a lower-case pattern: this only matches
  // because the condition was added as CASE_INSENSITIVE.
  const wchar_t* filename = L"Z:\\Directory\\domo.txt";

  POLPARAMS_BEGIN(args)
    POLPARAM(filename)  // Argument 0
  POLPARAMS_END;

  PolicyProcessor processor(policy->entry[kFakeService]);

  EXPECT_EQ(POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, processor.GetAction());

  // |args| is not rebuilt: the test relies on it picking up the new value of
  // |filename|. A name that merely starts with the pattern must not match.
  filename = L"Z:\\Directory\\domo.txt.tmp";
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  delete [] reinterpret_cast<char*>(policy);
}
84
// A single negated (IF_NOT) condition on an exact string: the rule fires for
// every name that is not exactly "c:\Microsoft\".
TEST(PolicyEngineTest, SimpleIfNotStrMatch) {
  SetupNtdllImports();
  PolicyRule rule(ASK_BROKER);
  EXPECT_TRUE(rule.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\",
                                  CASE_SENSITIVE));

  const uint32 kFakeService = 2;
  PolicyGlobal* policy = MakePolicyMemory();
  LowLevelPolicy generator(policy);
  EXPECT_TRUE(generator.AddRule(kFakeService, &rule));
  EXPECT_TRUE(generator.Done());

  const wchar_t* filename = NULL;
  POLPARAMS_BEGIN(args)
    POLPARAM(filename)  // Argument 0
  POLPARAMS_END;

  PolicyProcessor processor(policy->entry[kFakeService]);

  // The excluded string itself: the negated condition fails.
  filename = L"c:\\Microsoft\\";
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  // An unrelated directory: the condition holds.
  filename = L"c:\\MicroNerd\\";
  EXPECT_EQ(POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, processor.GetAction());

  // A file below the excluded directory still matches: with no wildcard the
  // pattern is an exact comparison, so it does not cover children. A rule
  // meant to exclude a whole subtree needs a trailing '*'.
  // NOTE(review): the pattern is CASE_SENSITIVE and no differently-cased
  // spelling of the excluded path is evaluated here -- worth confirming how
  // such a name is treated, since Windows paths are normally looked up
  // without regard to case.
  filename = L"c:\\Microsoft\\domo.txt";
  EXPECT_EQ(POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, processor.GetAction());

  delete [] reinterpret_cast<char*>(policy);
}
122
// A negated condition whose pattern ends in '*': everything below
// c:\Microsoft\ is excluded, any other name satisfies the rule.
TEST(PolicyEngineTest, SimpleIfNotStrMatchWild1) {
  SetupNtdllImports();
  PolicyRule rule(ASK_BROKER);
  EXPECT_TRUE(rule.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*",
                                  CASE_SENSITIVE));

  const uint32 kFakeService = 3;
  PolicyGlobal* policy = MakePolicyMemory();
  LowLevelPolicy generator(policy);
  EXPECT_TRUE(generator.AddRule(kFakeService, &rule));
  EXPECT_TRUE(generator.Done());

  const wchar_t* filename = NULL;
  POLPARAMS_BEGIN(args)
    POLPARAM(filename)  // Argument 0
  POLPARAMS_END;

  PolicyProcessor processor(policy->entry[kFakeService]);

  // Inside the excluded tree.
  filename = L"c:\\Microsoft\\domo.txt";
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  // Outside it.
  filename = L"c:\\MicroNerd\\domo.txt";
  EXPECT_EQ(POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, processor.GetAction());

  delete [] reinterpret_cast<char*>(policy);
}
155
// A negated condition with a wildcard in the middle of the pattern: only
// names of the form c:\Microsoft\<anything>.txt are excluded.
TEST(PolicyEngineTest, SimpleIfNotStrMatchWild2) {
  SetupNtdllImports();
  PolicyRule rule(ASK_BROKER);
  EXPECT_TRUE(rule.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*.txt",
                                  CASE_SENSITIVE));

  const uint32 kFakeService = 3;
  PolicyGlobal* policy = MakePolicyMemory();
  LowLevelPolicy generator(policy);
  EXPECT_TRUE(generator.AddRule(kFakeService, &rule));
  EXPECT_TRUE(generator.Done());

  const wchar_t* filename = NULL;
  POLPARAMS_BEGIN(args)
    POLPARAM(filename)  // Argument 0
  POLPARAMS_END;

  PolicyProcessor processor(policy->entry[kFakeService]);

  // Right directory and right extension: excluded.
  filename = L"c:\\Microsoft\\domo.txt";
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  // Different directory.
  filename = L"c:\\MicroNerd\\domo.txt";
  EXPECT_EQ(POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, processor.GetAction());

  // Same directory, different extension.
  filename = L"c:\\Microsoft\\domo.bmp";
  EXPECT_EQ(POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, processor.GetAction());

  delete [] reinterpret_cast<char*>(policy);
}
193
// Two conditions in one rule: the name must NOT be under c:\Microsoft\ and
// argument 1 must equal 24. The rule fires only when both hold.
TEST(PolicyEngineTest, IfNotStrMatchTwoRulesWild1) {
  SetupNtdllImports();
  PolicyRule rule(ASK_BROKER);
  EXPECT_TRUE(rule.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*",
                                  CASE_SENSITIVE));
  EXPECT_TRUE(rule.AddNumberMatch(IF, 1, 24, EQUAL));

  const uint32 kFakeService = 3;
  PolicyGlobal* policy = MakePolicyMemory();
  LowLevelPolicy generator(policy);
  EXPECT_TRUE(generator.AddRule(kFakeService, &rule));
  EXPECT_TRUE(generator.Done());

  const wchar_t* filename = NULL;
  unsigned long access = 0;
  POLPARAMS_BEGIN(args)
    POLPARAM(filename)  // Argument 0
    POLPARAM(access)    // Argument 1
  POLPARAMS_END;

  PolicyProcessor processor(policy->entry[kFakeService]);

  // Number is right, name is in the excluded tree.
  filename = L"c:\\Microsoft\\domo.txt";
  access = 24;
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  // Neither condition holds.
  filename = L"c:\\Microsoft\\domo.txt";
  access = 42;
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  // Both conditions hold.
  filename = L"c:\\MicroNerd\\domo.txt";
  access = 24;
  EXPECT_EQ(POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, processor.GetAction());

  // Name is fine, number is wrong.
  filename = L"c:\\Micronesia\\domo.txt";
  access = 42;
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  delete [] reinterpret_cast<char*>(policy);
}
241
// Three conditions in one rule, with the negated string condition added
// between two number conditions:
//   argument 1 == 24,
//   argument 0 does NOT match c:\GoogleV?\*.txt,
//   argument 2 == 66.
TEST(PolicyEngineTest, IfNotStrMatchTwoRulesWild2) {
  SetupNtdllImports();
  PolicyRule rule(ASK_BROKER);
  EXPECT_TRUE(rule.AddNumberMatch(IF, 1, 24, EQUAL));
  EXPECT_TRUE(rule.AddStringMatch(IF_NOT, 0, L"c:\\GoogleV?\\*.txt",
                                  CASE_SENSITIVE));
  EXPECT_TRUE(rule.AddNumberMatch(IF, 2, 66, EQUAL));

  const uint32 kFakeService = 3;
  PolicyGlobal* policy = MakePolicyMemory();
  LowLevelPolicy generator(policy);
  EXPECT_TRUE(generator.AddRule(kFakeService, &rule));
  EXPECT_TRUE(generator.Done());

  const wchar_t* filename = NULL;
  unsigned long access = 0;
  unsigned long sharing = 66;

  POLPARAMS_BEGIN(args)
    POLPARAM(filename)  // Argument 0
    POLPARAM(access)    // Argument 1
    POLPARAM(sharing)   // Argument 2
  POLPARAMS_END;

  PolicyProcessor processor(policy->entry[kFakeService]);

  // Name matches the excluded pattern.
  filename = L"c:\\GoogleV2\\domo.txt";
  access = 24;
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  // Extension differs, so the name is no longer excluded.
  filename = L"c:\\GoogleV2\\domo.bmp";
  access = 24;
  EXPECT_EQ(POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, processor.GetAction());

  // "V23" has two characters where the pattern has a single '?'.
  filename = L"c:\\GoogleV23\\domo.txt";
  access = 24;
  EXPECT_EQ(POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, processor.GetAction());

  // Excluded name and wrong access value.
  filename = L"c:\\GoogleV2\\domo.txt";
  access = 42;
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  // "Google" has no character in the '?' position.
  filename = L"c:\\Google\\domo.txt";
  access = 24;
  EXPECT_EQ(POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, processor.GetAction());

  // Name is fine, access value is wrong.
  filename = L"c:\\Micronesia\\domo.txt";
  access = 42;
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  // Same inputs as the second case except for argument 2, which no longer
  // equals 66.
  filename = L"c:\\GoogleV2\\domo.bmp";
  access = 24;
  sharing = 0;
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  delete [] reinterpret_cast<char*>(policy);
}
312
313 // Testing one single rule in one single service. The service is made to
314 // resemble NtCreateFile.
TEST(PolicyEngineTest, OneRuleTest) {
  SetupNtdllImports();

  // The rule fires when all three conditions hold:
  //   argument 0 matches c:\*Microsoft*\*.txt,
  //   argument 1 is NOT CREATE_ALWAYS,
  //   argument 2 is FILE_ATTRIBUTE_NORMAL.
  PolicyRule rule(ASK_BROKER);
  EXPECT_TRUE(rule.AddStringMatch(IF, 0, L"c:\\*Microsoft*\\*.txt",
                                  CASE_SENSITIVE));
  EXPECT_TRUE(rule.AddNumberMatch(IF_NOT, 1, CREATE_ALWAYS, EQUAL));
  EXPECT_TRUE(rule.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));

  const uint32 kNtFakeCreateFile = 7;
  PolicyGlobal* policy = MakePolicyMemory();
  LowLevelPolicy generator(policy);
  EXPECT_TRUE(generator.AddRule(kNtFakeCreateFile, &rule));
  EXPECT_TRUE(generator.Done());

  const wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt";
  unsigned long creation_mode = OPEN_EXISTING;
  unsigned long flags = FILE_ATTRIBUTE_NORMAL;
  void* security_descriptor = NULL;

  POLPARAMS_BEGIN(args)
    POLPARAM(filename)             // Argument 0
    POLPARAM(creation_mode)        // Argument 1
    POLPARAM(flags)                // Argument 2
    POLPARAM(security_descriptor)  // Argument 3, not referenced by the rule
  POLPARAMS_END;

  PolicyProcessor processor(policy->entry[kNtFakeCreateFile]);

  // Starting values satisfy all three conditions.
  EXPECT_EQ(POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, processor.GetAction());

  // The one creation mode the rule excludes.
  creation_mode = CREATE_ALWAYS;
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  // Back to an allowed mode; "Microsoft" now sits deeper in the path.
  creation_mode = OPEN_EXISTING;
  filename = L"c:\\Other\\Path\\Microsoft\\Another file.txt";
  EXPECT_EQ(POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, processor.GetAction());

  // ".txt" is followed by more characters, so the pattern's tail fails.
  filename = L"c:\\Other\\Path\\Microsoft\\Another file.txt.tmp";
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  // From here until it is reset, |flags| alone already fails the rule.
  flags = FILE_ATTRIBUTE_DEVICE;
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  // "Macrosoft" does not contain "Microsoft" (|flags| is still DEVICE here).
  filename = L"c:\\Other\\Macrosoft\\Another file.txt";
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  // Shortest path accepted in this test, with |flags| restored.
  filename = L"c:\\Microsoft\\1.txt";
  flags = FILE_ATTRIBUTE_NORMAL;
  EXPECT_EQ(POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, processor.GetAction());

  // Extension of the right length but the wrong characters.
  filename = L"c:\\Microsoft\\1.ttt";
  EXPECT_EQ(NO_POLICY_MATCH,
            processor.Evaluate(kShortEval, args, _countof(args)));

  delete [] reinterpret_cast<char*>(policy);
}
384
385 // Testing 3 rules in 3 services. Two of the services resemble File services.
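TEST(PolicyEngineTest, ThreeRulesTest) {
  // Builds five rules, spreads them over three service slots, checks the
  // layout of the generated policy (which slots are filled, opcode counts,
  // first and last opcode of each slot) and then evaluates the three slots
  // against a series of inputs.
  SetupNtdllImports();

  // In the three patterns that start with "\\\\/?/?\\" the names evaluated
  // further down start with "\\??\"; NOTE(review): "/?" therefore looks like
  // the pattern syntax for a literal '?' -- confirm against the rule builder.
  PolicyRule pr_pipe(FAKE_SUCCESS);
  EXPECT_TRUE(pr_pipe.AddStringMatch(IF, 0, L"\\\\/?/?\\Pipe\\Chrome.*",
                                     CASE_INSENSITIVE));
  EXPECT_TRUE(pr_pipe.AddNumberMatch(IF, 1, OPEN_EXISTING, EQUAL));
  EXPECT_TRUE(pr_pipe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));

  // The expected opcode counts are written as unsigned literals so they are
  // compared with the size_t counts without a signed/unsigned mismatch.
  size_t opc1 = pr_pipe.GetOpcodeCount();
  EXPECT_EQ(3u, opc1);

  PolicyRule pr_dump(ASK_BROKER);
  EXPECT_TRUE(pr_dump.AddStringMatch(IF, 0, L"\\\\/?/?\\*\\Crash Reports\\*",
                                     CASE_INSENSITIVE));
  EXPECT_TRUE(pr_dump.AddNumberMatch(IF, 1, CREATE_ALWAYS, EQUAL));
  EXPECT_TRUE(pr_dump.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));

  // Three conditions, four opcodes expected.
  size_t opc2 = pr_dump.GetOpcodeCount();
  EXPECT_EQ(4u, opc2);

  PolicyRule pr_winexe(SIGNAL_ALARM);
  EXPECT_TRUE(pr_winexe.AddStringMatch(IF, 0, L"\\\\/?/?\\C:\\Windows\\*.exe",
                                       CASE_INSENSITIVE));
  EXPECT_TRUE(pr_winexe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));

  // Two conditions, three opcodes expected.
  size_t opc3 = pr_winexe.GetOpcodeCount();
  EXPECT_EQ(3u, opc3);

  PolicyRule pr_adobe(GIVE_CACHED);
  EXPECT_TRUE(pr_adobe.AddStringMatch(IF, 0, L"c:\\adobe\\ver?.?\\",
                                      CASE_SENSITIVE));
  EXPECT_TRUE(pr_adobe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));

  // Two conditions, four opcodes expected.
  size_t opc4 = pr_adobe.GetOpcodeCount();
  EXPECT_EQ(4u, opc4);

  // No string condition: argument 2 must have both attribute bits set.
  PolicyRule pr_none(GIVE_FIRST);
  EXPECT_TRUE(pr_none.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_READONLY, AND));
  EXPECT_TRUE(pr_none.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_SYSTEM, AND));

  size_t opc5 = pr_none.GetOpcodeCount();
  EXPECT_EQ(2u, opc5);

  PolicyGlobal* policy = MakePolicyMemory();

  const uint32 kNtFakeNone = 4;
  const uint32 kNtFakeCreateFile = 5;
  const uint32 kNtFakeOpenFile = 6;

  // pr_pipe is registered under two services.
  LowLevelPolicy policyGen(policy);
  EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_pipe));
  EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_dump));
  EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_winexe));

  EXPECT_TRUE(policyGen.AddRule(kNtFakeOpenFile, &pr_adobe));
  EXPECT_TRUE(policyGen.AddRule(kNtFakeOpenFile, &pr_pipe));

  EXPECT_TRUE(policyGen.AddRule(kNtFakeNone, &pr_none));

  EXPECT_TRUE(policyGen.Done());

  // Inspect the policy structure manually: only the three slots that
  // received rules may be populated.
  EXPECT_TRUE(NULL == policy->entry[0]);
  EXPECT_TRUE(NULL == policy->entry[1]);
  EXPECT_TRUE(NULL == policy->entry[2]);
  EXPECT_TRUE(NULL == policy->entry[3]);
  // ASSERT rather than EXPECT: these three entries are dereferenced below,
  // so a missing one has to end the test here instead of crashing the run.
  ASSERT_TRUE(NULL != policy->entry[4]);  // kNtFakeNone.
  ASSERT_TRUE(NULL != policy->entry[5]);  // kNtFakeCreateFile.
  ASSERT_TRUE(NULL != policy->entry[6]);  // kNtFakeOpenFile.
  EXPECT_TRUE(NULL == policy->entry[7]);

  // The total per service opcode counts now must take in account one
  // extra opcode (action opcode) per rule.
  ++opc1;
  ++opc2;
  ++opc3;
  ++opc4;
  ++opc5;

  size_t tc1 = policy->entry[kNtFakeNone]->opcode_count;
  size_t tc2 = policy->entry[kNtFakeCreateFile]->opcode_count;
  size_t tc3 = policy->entry[kNtFakeOpenFile]->opcode_count;

  EXPECT_EQ(opc5, tc1);
  EXPECT_EQ((opc1 + opc2 + opc3), tc2);
  EXPECT_EQ((opc1 + opc4), tc3);

  // Check the type of the first and last opcode of each service.

  EXPECT_EQ(OP_ULONG_AND_MATCH, policy->entry[kNtFakeNone]->opcodes[0].GetID());
  EXPECT_EQ(OP_ACTION, policy->entry[kNtFakeNone]->opcodes[tc1-1].GetID());
  EXPECT_EQ(OP_WSTRING_MATCH,
            policy->entry[kNtFakeCreateFile]->opcodes[0].GetID());
  EXPECT_EQ(OP_ACTION,
            policy->entry[kNtFakeCreateFile]->opcodes[tc2-1].GetID());
  EXPECT_EQ(OP_WSTRING_MATCH,
            policy->entry[kNtFakeOpenFile]->opcodes[0].GetID());
  EXPECT_EQ(OP_ACTION, policy->entry[kNtFakeOpenFile]->opcodes[tc3-1].GetID());

  // Test the policy evaluation. The variables below are changed between
  // evaluations and |params| is reused each time.

  const wchar_t* filename = L"";
  unsigned long creation_mode = OPEN_EXISTING;
  unsigned long flags = FILE_ATTRIBUTE_NORMAL;
  void* security_descriptor = NULL;

  POLPARAMS_BEGIN(params)
    POLPARAM(filename)             // Argument 0
    POLPARAM(creation_mode)        // Argument 1
    POLPARAM(flags)                // Argument 2
    POLPARAM(security_descriptor)  // Argument 3, not referenced by any rule
  POLPARAMS_END;

  PolicyResult result;
  PolicyProcessor eval_CreateFile(policy->entry[kNtFakeCreateFile]);
  PolicyProcessor eval_OpenFile(policy->entry[kNtFakeOpenFile]);
  PolicyProcessor eval_None(policy->entry[kNtFakeNone]);

  // Empty name: nothing matches in any service.
  result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_None.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  // An .exe under Windows, but with SYSTEM instead of NORMAL attributes.
  filename = L"\\\\??\\c:\\Windows\\System32\\calc.exe";
  flags = FILE_ATTRIBUTE_SYSTEM;
  result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_None.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  // |flags| is a bit mask, so the second attribute is OR-ed in. With both
  // bits set, pr_none is the only rule that matches.
  flags |= FILE_ATTRIBUTE_READONLY;
  result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_None.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(GIVE_FIRST, eval_None.GetAction());
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  // NORMAL attributes: the Windows .exe rule fires in the CreateFile service
  // and reports SIGNAL_ALARM.
  flags = FILE_ATTRIBUTE_NORMAL;
  result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(SIGNAL_ALARM, eval_CreateFile.GetAction());
  result = eval_None.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  // pr_adobe exists only in the OpenFile service.
  filename = L"c:\\adobe\\ver3.2\\temp";
  result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_None.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(GIVE_CACHED, eval_OpenFile.GetAction());

  // "3.22" has one character more than "?.?" allows.
  filename = L"c:\\adobe\\ver3.22\\temp";
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  // Lower-case "crash reports" against the CASE_INSENSITIVE pr_dump pattern.
  filename = L"\\\\??\\c:\\some path\\other path\\crash reports\\some path";
  creation_mode = CREATE_ALWAYS;
  result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(ASK_BROKER, eval_CreateFile.GetAction());
  result = eval_None.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  // pr_pipe was added to both file services, so both report FAKE_SUCCESS.
  filename = L"\\\\??\\Pipe\\Chrome.12345";
  creation_mode = OPEN_EXISTING;
  result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(FAKE_SUCCESS, eval_CreateFile.GetAction());
  result = eval_None.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(FAKE_SUCCESS, eval_OpenFile.GetAction());

  delete [] reinterpret_cast<char*>(policy);
}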
574
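// Copies a rule after its first condition has been added, then adds the same
// second condition to the original and to the copy. Both rules are compiled
// into separate services and must give the same answers.
TEST(PolicyEngineTest, PolicyRuleCopyConstructorTwoStrings) {
  SetupNtdllImports();
  // Both pr_orig and pr_copy should allow hello.* but not *.txt files.
  PolicyRule pr_orig(ASK_BROKER);
  EXPECT_TRUE(pr_orig.AddStringMatch(IF, 0, L"hello.*", CASE_SENSITIVE));

  PolicyRule pr_copy(pr_orig);
  EXPECT_TRUE(pr_orig.AddStringMatch(IF_NOT, 0, L"*.txt", CASE_SENSITIVE));
  EXPECT_TRUE(pr_copy.AddStringMatch(IF_NOT, 0, L"*.txt", CASE_SENSITIVE));

  PolicyGlobal* policy = MakePolicyMemory();
  LowLevelPolicy policyGen(policy);
  EXPECT_TRUE(policyGen.AddRule(1, &pr_orig));
  EXPECT_TRUE(policyGen.AddRule(2, &pr_copy));
  EXPECT_TRUE(policyGen.Done());

  const wchar_t* name = NULL;
  POLPARAMS_BEGIN(eval_params)
    POLPARAM(name)  // Argument 0
  POLPARAMS_END;

  // NOTE(review): neither input below matches "hello.*" and "*.txt" at the
  // same time, so the IF_NOT condition is never the one that decides the
  // outcome; a name such as "hello.txt" would be needed to exercise it.
  PolicyResult result;
  PolicyProcessor pol_ev_orig(policy->entry[1]);
  name = L"domo.txt";
  result = pol_ev_orig.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  name = L"hello.bmp";
  result = pol_ev_orig.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(ASK_BROKER, pol_ev_orig.GetAction());

  PolicyProcessor pol_ev_copy(policy->entry[2]);
  name = L"domo.txt";
  result = pol_ev_copy.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  name = L"hello.bmp";
  result = pol_ev_copy.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(ASK_BROKER, pol_ev_copy.GetAction());

  // Release the buffer from MakePolicyMemory(), as every other test in this
  // file does; without this the 32 KiB allocation is leaked.
  delete [] reinterpret_cast<char*>(policy);
}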
617 } // namespace sandbox
618