• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "sandbox/win/src/policy_engine_params.h"
6 #include "sandbox/win/src/policy_engine_processor.h"
7 #include "testing/gtest/include/gtest/gtest.h"
8 
9 #define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = {
10 #define POLPARAM(p) sandbox::ParamPickerMake(p),
11 #define POLPARAMS_END }
12 
13 namespace sandbox {
14 
15 bool SetupNtdllImports();
16 
TEST(PolicyEngineTest,Rules1)17 TEST(PolicyEngineTest, Rules1) {
18   SetupNtdllImports();
19 
20   // Construct two policy rules that say:
21   //
22   // #1
23   // If the path is c:\\documents and settings\\* AND
24   // If the creation mode is 'open existing' AND
25   // If the security descriptor is null THEN
26   // Ask the broker.
27   //
28   // #2
29   // If the security descriptor is null AND
30   // If the path ends with *.txt AND
31   // If the creation mode is not 'create new' THEN
32   // return Access Denied.
33 
34   enum FileCreateArgs {
35     FileNameArg,
36     CreationDispositionArg,
37     FlagsAndAttributesArg,
38     SecurityAttributes
39   };
40 
41   const size_t policy_sz = 1024;
42   PolicyBuffer* policy = reinterpret_cast<PolicyBuffer*>(new char[policy_sz]);
43   OpcodeFactory opcode_maker(policy, policy_sz - 0x40);
44 
45   // Add rule set #1
46   opcode_maker.MakeOpWStringMatch(FileNameArg,
47                                   L"c:\\documents and settings\\",
48                                   0, CASE_INSENSITIVE, kPolNone);
49   opcode_maker.MakeOpNumberMatch(CreationDispositionArg, OPEN_EXISTING,
50                                  kPolNone);
51   opcode_maker.MakeOpVoidPtrMatch(SecurityAttributes, (void*)NULL,
52                                  kPolNone);
53   opcode_maker.MakeOpAction(ASK_BROKER, kPolNone);
54 
55   // Add rule set #2
56   opcode_maker.MakeOpWStringMatch(FileNameArg, L".TXT",
57                                   kSeekToEnd, CASE_INSENSITIVE, kPolNone);
58   opcode_maker.MakeOpNumberMatch(CreationDispositionArg, CREATE_NEW,
59                                  kPolNegateEval);
60   opcode_maker.MakeOpAction(FAKE_ACCESS_DENIED, kPolNone);
61   policy->opcode_count = 7;
62 
63   const wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt";
64   unsigned long creation_mode = OPEN_EXISTING;
65   unsigned long flags = FILE_ATTRIBUTE_NORMAL;
66   void* security_descriptor = NULL;
67 
68   POLPARAMS_BEGIN(eval_params)
69     POLPARAM(filename)
70     POLPARAM(creation_mode)
71     POLPARAM(flags)
72     POLPARAM(security_descriptor)
73   POLPARAMS_END;
74 
75   PolicyResult pr;
76   PolicyProcessor pol_ev(policy);
77 
78   // Test should match the first rule set.
79   pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
80   EXPECT_EQ(POLICY_MATCH, pr);
81   EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
82 
83   // Test should still match the first rule set.
84   pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
85   EXPECT_EQ(POLICY_MATCH, pr);
86   EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
87 
88   // Changing creation_mode such that evaluation should not match any rule.
89   creation_mode = CREATE_NEW;
90   pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
91   EXPECT_EQ(NO_POLICY_MATCH, pr);
92 
93   // Changing creation_mode such that evaluation should match rule #2.
94   creation_mode = OPEN_ALWAYS;
95   pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
96   EXPECT_EQ(POLICY_MATCH, pr);
97   EXPECT_EQ(FAKE_ACCESS_DENIED, pol_ev.GetAction());
98 
99   delete [] reinterpret_cast<char*>(policy);
100 }
101 
102 }  // namespace sandbox
103