OLD | NEW |
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__ | 5 #ifndef SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__ |
6 #define SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__ | 6 #define SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__ |
7 | 7 |
8 #include <stddef.h> | 8 #include "base/basictypes.h" |
9 #include <stdint.h> | 9 #include "sandbox/win/src/policy_engine_params.h" |
10 | |
11 #include "base/macros.h" | |
12 #include "sandbox/win/src/policy_engine_opcodes.h" | 10 #include "sandbox/win/src/policy_engine_opcodes.h" |
13 #include "sandbox/win/src/policy_engine_params.h" | |
14 | 11 |
15 namespace sandbox { | 12 namespace sandbox { |
16 | 13 |
17 // This header contains the core policy evaluator. In its simplest form | 14 // This header contains the core policy evaluator. In its simplest form |
18 // it evaluates a stream of opcodes assuming that they are laid out in | 15 // it evaluates a stream of opcodes assuming that they are laid out in |
19 // memory as opcode groups. | 16 // memory as opcode groups. |
20 // | 17 // |
21 // An opcode group has N comparison opcodes plus 1 action opcode. For | 18 // An opcode group has N comparison opcodes plus 1 action opcode. For |
22 // example here we have 3 opcode groups (A, B,C): | 19 // example here we have 3 opcode groups (A, B,C): |
23 // | 20 // |
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
62 enum PolicyResult { | 59 enum PolicyResult { |
63 NO_POLICY_MATCH, | 60 NO_POLICY_MATCH, |
64 POLICY_MATCH, | 61 POLICY_MATCH, |
65 POLICY_ERROR | 62 POLICY_ERROR |
66 }; | 63 }; |
67 | 64 |
68 // Policy evaluation flags | 65 // Policy evaluation flags |
69 // TODO(cpu): implement the options kStopOnErrors & kRankedEval. | 66 // TODO(cpu): implement the options kStopOnErrors & kRankedEval. |
70 // | 67 // |
71 // Stop evaluating as soon as an error is encountered. | 68 // Stop evaluating as soon as an error is encountered. |
72 const uint32_t kStopOnErrors = 1; | 69 const uint32 kStopOnErrors = 1; |
73 // Ignore all non fatal opcode evaluation errors. | 70 // Ignore all non fatal opcode evaluation errors. |
74 const uint32_t kIgnoreErrors = 2; | 71 const uint32 kIgnoreErrors = 2; |
75 // Short-circuit evaluation: Only evaluate until opcode group that | 72 // Short-circuit evaluation: Only evaluate until opcode group that |
76 // evaluated to true has been found. | 73 // evaluated to true has been found. |
77 const uint32_t kShortEval = 4; | 74 const uint32 kShortEval = 4; |
78 // Discussed briefly at the policy design meeting. It will evaluate | 75 // Discussed briefly at the policy design meeting. It will evaluate |
79 // all rules and then return the 'best' rule that evaluated true. | 76 // all rules and then return the 'best' rule that evaluated true. |
80 const uint32_t kRankedEval = 8; | 77 const uint32 kRankedEval = 8; |
81 | 78 |
82 // This class evaluates a policy-opcode stream given the memory where the | 79 // This class evaluates a policy-opcode stream given the memory where the |
83 // opcodes are and an input 'parameter set'. | 80 // opcodes are and an input 'parameter set'. |
84 // | 81 // |
85 // This class is designed to be callable from interception points | 82 // This class is designed to be callable from interception points |
86 // as low as the NtXXXX service level (it is not currently safe, but | 83 // as low as the NtXXXX service level (it is not currently safe, but |
87 // it is designed to be made safe). | 84 // it is designed to be made safe). |
88 // | 85 // |
89 // Its usage in an interception is: | 86 // Its usage in an interception is: |
90 // | 87 // |
(...skipping 24 matching lines...) Expand all Loading... |
115 | 112 |
116 // This constructor is just a variant of the previous constructor. | 113 // This constructor is just a variant of the previous constructor. |
117 explicit PolicyProcessor(PolicyBuffer* policy) | 114 explicit PolicyProcessor(PolicyBuffer* policy) |
118 : policy_(policy) { | 115 : policy_(policy) { |
119 SetInternalState(0, EVAL_FALSE); | 116 SetInternalState(0, EVAL_FALSE); |
120 } | 117 } |
121 | 118 |
122 // Evaluates a policy-opcode stream. See the comments at the top of this | 119 // Evaluates a policy-opcode stream. See the comments at the top of this |
123 // class for more info. Returns POLICY_MATCH if a rule set was found that | 120 // class for more info. Returns POLICY_MATCH if a rule set was found that |
124 // matches an active policy. | 121 // matches an active policy. |
125 PolicyResult Evaluate(uint32_t options, | 122 PolicyResult Evaluate(uint32 options, |
126 ParameterSet* parameters, | 123 ParameterSet* parameters, |
127 size_t parameter_count); | 124 size_t parameter_count); |
128 | 125 |
129 // If the result of Evaluate() was POLICY_MATCH, calling this function returns | 126 // If the result of Evaluate() was POLICY_MATCH, calling this function returns |
130 // the recommended policy action. | 127 // the recommended policy action. |
131 EvalResult GetAction() const; | 128 EvalResult GetAction() const; |
132 | 129 |
133 private: | 130 private: |
134 struct { | 131 struct { |
135 size_t current_index_; | 132 size_t current_index_; |
136 EvalResult current_result_; | 133 EvalResult current_result_; |
137 } state_; | 134 } state_; |
138 | 135 |
139 // Sets the currently matching action result. | 136 // Sets the currently matching action result. |
140 void SetInternalState(size_t index, EvalResult result); | 137 void SetInternalState(size_t index, EvalResult result); |
141 | 138 |
142 PolicyBuffer* policy_; | 139 PolicyBuffer* policy_; |
143 DISALLOW_COPY_AND_ASSIGN(PolicyProcessor); | 140 DISALLOW_COPY_AND_ASSIGN(PolicyProcessor); |
144 }; | 141 }; |
145 | 142 |
146 } // namespace sandbox | 143 } // namespace sandbox |
147 | 144 |
148 #endif // SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__ | 145 #endif // SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__ |
OLD | NEW |