OLD | NEW |
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__ | 5 #ifndef SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__ |
6 #define SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__ | 6 #define SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__ |
7 | 7 |
8 #include "base/basictypes.h" | 8 #include <stddef.h> |
| 9 #include <stdint.h> |
| 10 |
| 11 #include "base/macros.h" |
| 12 #include "sandbox/win/src/policy_engine_opcodes.h" |
9 #include "sandbox/win/src/policy_engine_params.h" | 13 #include "sandbox/win/src/policy_engine_params.h" |
10 #include "sandbox/win/src/policy_engine_opcodes.h" | |
11 | 14 |
12 namespace sandbox { | 15 namespace sandbox { |
13 | 16 |
14 // This header contains the core policy evaluator. In its simplest form | 17 // This header contains the core policy evaluator. In its simplest form |
15 // it evaluates a stream of opcodes assuming that they are laid out in | 18 // it evaluates a stream of opcodes assuming that they are laid out in |
16 // memory as opcode groups. | 19 // memory as opcode groups. |
17 // | 20 // |
18 // An opcode group has N comparison opcodes plus 1 action opcode. For | 21 // An opcode group has N comparison opcodes plus 1 action opcode. For |
19 // example here we have 3 opcode groups (A, B,C): | 22 // example here we have 3 opcode groups (A, B,C): |
20 // | 23 // |
59 enum PolicyResult { | 62 enum PolicyResult { |
60 NO_POLICY_MATCH, | 63 NO_POLICY_MATCH, |
61 POLICY_MATCH, | 64 POLICY_MATCH, |
62 POLICY_ERROR | 65 POLICY_ERROR |
63 }; | 66 }; |
64 | 67 |
65 // Policy evaluation flags | 68 // Policy evaluation flags |
66 // TODO(cpu): implement the options kStopOnErrors & kRankedEval. | 69 // TODO(cpu): implement the options kStopOnErrors & kRankedEval. |
67 // | 70 // |
68 // Stop evaluating as soon as an error is encountered. | 71 // Stop evaluating as soon as an error is encountered. |
69 const uint32 kStopOnErrors = 1; | 72 const uint32_t kStopOnErrors = 1; |
70 // Ignore all non fatal opcode evaluation errors. | 73 // Ignore all non fatal opcode evaluation errors. |
71 const uint32 kIgnoreErrors = 2; | 74 const uint32_t kIgnoreErrors = 2; |
72 // Short-circuit evaluation: Only evaluate until opcode group that | 75 // Short-circuit evaluation: Only evaluate until opcode group that |
73 // evaluated to true has been found. | 76 // evaluated to true has been found. |
74 const uint32 kShortEval = 4; | 77 const uint32_t kShortEval = 4; |
75 // Discussed briefly at the policy design meeting. It will evaluate | 78 // Discussed briefly at the policy design meeting. It will evaluate |
76 // all rules and then return the 'best' rule that evaluated true. | 79 // all rules and then return the 'best' rule that evaluated true. |
77 const uint32 kRankedEval = 8; | 80 const uint32_t kRankedEval = 8; |
78 | 81 |
79 // This class evaluates a policy-opcode stream given the memory where the | 82 // This class evaluates a policy-opcode stream given the memory where the |
80 // opcodes are and an input 'parameter set'. | 83 // opcodes are and an input 'parameter set'. |
81 // | 84 // |
82 // This class is designed to be callable from interception points | 85 // This class is designed to be callable from interception points |
83 // as low as the NtXXXX service level (it is not currently safe, but | 86 // as low as the NtXXXX service level (it is not currently safe, but |
84 // it is designed to be made safe). | 87 // it is designed to be made safe). |
85 // | 88 // |
86 // Its usage in an interception is: | 89 // Its usage in an interception is: |
87 // | 90 // |
112 | 115 |
113 // This constructor is just a variant of the previous constructor. | 116 // This constructor is just a variant of the previous constructor. |
114 explicit PolicyProcessor(PolicyBuffer* policy) | 117 explicit PolicyProcessor(PolicyBuffer* policy) |
115 : policy_(policy) { | 118 : policy_(policy) { |
116 SetInternalState(0, EVAL_FALSE); | 119 SetInternalState(0, EVAL_FALSE); |
117 } | 120 } |
118 | 121 |
119 // Evaluates a policy-opcode stream. See the comments at the top of this | 122 // Evaluates a policy-opcode stream. See the comments at the top of this |
120 // class for more info. Returns POLICY_MATCH if a rule set was found that | 123 // class for more info. Returns POLICY_MATCH if a rule set was found that |
121 // matches an active policy. | 124 // matches an active policy. |
122 PolicyResult Evaluate(uint32 options, | 125 PolicyResult Evaluate(uint32_t options, |
123 ParameterSet* parameters, | 126 ParameterSet* parameters, |
124 size_t parameter_count); | 127 size_t parameter_count); |
125 | 128 |
126 // If the result of Evaluate() was POLICY_MATCH, calling this function returns | 129 // If the result of Evaluate() was POLICY_MATCH, calling this function returns |
127 // the recommended policy action. | 130 // the recommended policy action. |
128 EvalResult GetAction() const; | 131 EvalResult GetAction() const; |
129 | 132 |
130 private: | 133 private: |
131 struct { | 134 struct { |
132 size_t current_index_; | 135 size_t current_index_; |
133 EvalResult current_result_; | 136 EvalResult current_result_; |
134 } state_; | 137 } state_; |
135 | 138 |
136 // Sets the currently matching action result. | 139 // Sets the currently matching action result. |
137 void SetInternalState(size_t index, EvalResult result); | 140 void SetInternalState(size_t index, EvalResult result); |
138 | 141 |
139 PolicyBuffer* policy_; | 142 PolicyBuffer* policy_; |
140 DISALLOW_COPY_AND_ASSIGN(PolicyProcessor); | 143 DISALLOW_COPY_AND_ASSIGN(PolicyProcessor); |
141 }; | 144 }; |
142 | 145 |
143 } // namespace sandbox | 146 } // namespace sandbox |
144 | 147 |
145 #endif // SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__ | 148 #endif // SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__ |
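Review bot: The option constants retyped at new lines 72-80 still export kStopOnErrors and kRankedEval as ordinary flag values, although the TODO at new line 69 says neither is implemented, and the Evaluate() comment at new lines 122-124 does not say what happens when one of those bits is passed in `options`. That comment also describes only POLICY_MATCH, so a caller at an interception point cannot tell from the header when POLICY_ERROR is returned instead of NO_POLICY_MATCH, which it needs to know to fail closed. I would mark each unimplemented constant, for example `// Not implemented yet, see the TODO above.`, and extend the Evaluate() comment with one sentence for each of the three PolicyResult values. The implementation is not part of this page, so the wording for the unimplemented bits and for the error case should be checked against it.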