OLD | NEW |
| (Empty) |
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include <stddef.h> | |
6 #include <stdint.h> | |
7 | |
8 #include "sandbox/win/src/policy_engine_params.h" | |
9 #include "sandbox/win/src/policy_engine_processor.h" | |
10 #include "testing/gtest/include/gtest/gtest.h" | |
11 | |
12 #define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = { | |
13 #define POLPARAM(p) sandbox::ParamPickerMake(p), | |
14 #define POLPARAMS_END } | |
15 | |
16 namespace sandbox { | |
17 | |
18 bool SetupNtdllImports(); | |
19 | |
20 TEST(PolicyEngineTest, Rules1) { | |
21 SetupNtdllImports(); | |
22 | |
23 // Construct two policy rules that say: | |
24 // | |
25 // #1 | |
26 // If the path is c:\\documents and settings\\* AND | |
27 // If the creation mode is 'open existing' AND | |
28 // If the security descriptor is null THEN | |
29 // Ask the broker. | |
30 // | |
31 // #2 | |
32 // If the security descriptor is null AND | |
33 // If the path ends with *.txt AND | |
34 // If the creation mode is not 'create new' THEN | |
35 // return Access Denied. | |
36 | |
37 enum FileCreateArgs { | |
38 FileNameArg, | |
39 CreationDispositionArg, | |
40 FlagsAndAttributesArg, | |
41 SecurityAttributes | |
42 }; | |
43 | |
44 const size_t policy_sz = 1024; | |
45 PolicyBuffer* policy = reinterpret_cast<PolicyBuffer*>(new char[policy_sz]); | |
46 OpcodeFactory opcode_maker(policy, policy_sz - 0x40); | |
47 | |
48 // Add rule set #1 | |
49 opcode_maker.MakeOpWStringMatch(FileNameArg, | |
50 L"c:\\documents and settings\\", | |
51 0, CASE_INSENSITIVE, kPolNone); | |
52 opcode_maker.MakeOpNumberMatch(CreationDispositionArg, OPEN_EXISTING, | |
53 kPolNone); | |
54 opcode_maker.MakeOpVoidPtrMatch(SecurityAttributes, (void*)NULL, | |
55 kPolNone); | |
56 opcode_maker.MakeOpAction(ASK_BROKER, kPolNone); | |
57 | |
58 // Add rule set #2 | |
59 opcode_maker.MakeOpWStringMatch(FileNameArg, L".TXT", | |
60 kSeekToEnd, CASE_INSENSITIVE, kPolNone); | |
61 opcode_maker.MakeOpNumberMatch(CreationDispositionArg, CREATE_NEW, | |
62 kPolNegateEval); | |
63 opcode_maker.MakeOpAction(FAKE_ACCESS_DENIED, kPolNone); | |
64 policy->opcode_count = 7; | |
65 | |
66 const wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt"; | |
67 uint32_t creation_mode = OPEN_EXISTING; | |
68 uint32_t flags = FILE_ATTRIBUTE_NORMAL; | |
69 void* security_descriptor = NULL; | |
70 | |
71 POLPARAMS_BEGIN(eval_params) | |
72 POLPARAM(filename) | |
73 POLPARAM(creation_mode) | |
74 POLPARAM(flags) | |
75 POLPARAM(security_descriptor) | |
76 POLPARAMS_END; | |
77 | |
78 PolicyResult pr; | |
79 PolicyProcessor pol_ev(policy); | |
80 | |
81 // Test should match the first rule set. | |
82 pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
83 EXPECT_EQ(POLICY_MATCH, pr); | |
84 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); | |
85 | |
86 // Test should still match the first rule set. | |
87 pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
88 EXPECT_EQ(POLICY_MATCH, pr); | |
89 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); | |
90 | |
91 // Changing creation_mode such that evaluation should not match any rule. | |
92 creation_mode = CREATE_NEW; | |
93 pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
94 EXPECT_EQ(NO_POLICY_MATCH, pr); | |
95 | |
96 // Changing creation_mode such that evaluation should match rule #2. | |
97 creation_mode = OPEN_ALWAYS; | |
98 pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
99 EXPECT_EQ(POLICY_MATCH, pr); | |
100 EXPECT_EQ(FAKE_ACCESS_DENIED, pol_ev.GetAction()); | |
101 | |
102 delete [] reinterpret_cast<char*>(policy); | |
103 } | |
104 | |
105 } // namespace sandbox | |
OLD | NEW |