Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(621)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/win/src/policy_low_level_unittest.cc

Issue 1851213002: Remove sandbox on Windows. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: fix nacl compile issues Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « sandbox/win/src/policy_low_level.cc ('k') | sandbox/win/src/policy_opcodes_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <stddef.h>
6 #include <stdint.h>
7
8 #include "sandbox/win/src/policy_engine_params.h"
9 #include "sandbox/win/src/policy_engine_processor.h"
10 #include "sandbox/win/src/policy_low_level.h"
11 #include "testing/gtest/include/gtest/gtest.h"
12
13 #define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = {
14 #define POLPARAM(p) sandbox::ParamPickerMake(p),
15 #define POLPARAMS_END }
16
17 namespace sandbox {
18
19 bool SetupNtdllImports();
20
21 // Testing that we allow opcode generation on valid string patterns.
22 TEST(PolicyEngineTest, StringPatternsOK) {
23 SetupNtdllImports();
24 PolicyRule pr(ASK_BROKER);
25 EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\adobe\\ver??\\", CASE_SENSITIVE));
26 EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"*.tmp", CASE_SENSITIVE));
27 EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\*.doc", CASE_SENSITIVE));
28 EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\windows\\*", CASE_SENSITIVE));
29 EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"d:\\adobe\\acrobat.exe",
30 CASE_SENSITIVE));
31 }
32
33 // Testing that we signal invalid string patterns.
34 TEST(PolicyEngineTest, StringPatternsBAD) {
35 SetupNtdllImports();
36 PolicyRule pr(ASK_BROKER);
37 EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"one**two", CASE_SENSITIVE));
38 EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"**three", CASE_SENSITIVE));
39 EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"five?six*?seven", CASE_SENSITIVE));
40 EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"eight?*nine", CASE_SENSITIVE));
41 }
42
43 // Helper function to allocate space (on the heap) for policy.
44 PolicyGlobal* MakePolicyMemory() {
45 const size_t kTotalPolicySz = 4096*8;
46 char* mem = new char[kTotalPolicySz];
47 memset(mem, 0, kTotalPolicySz);
48 PolicyGlobal* policy = reinterpret_cast<PolicyGlobal*>(mem);
49 policy->data_size = kTotalPolicySz - sizeof(PolicyGlobal);
50 return policy;
51 }
52
53 // The simplest test using LowLevelPolicy it should test a single opcode which
54 // does a exact string comparison.
55 TEST(PolicyEngineTest, SimpleStrMatch) {
56 SetupNtdllImports();
57 PolicyRule pr(ASK_BROKER);
58 EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"z:\\Directory\\domo.txt",
59 CASE_INSENSITIVE));
60
61 PolicyGlobal* policy = MakePolicyMemory();
62 const uint32_t kFakeService = 2;
63
64 LowLevelPolicy policyGen(policy);
65 EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
66 EXPECT_TRUE(policyGen.Done());
67
68 const wchar_t* filename = L"Z:\\Directory\\domo.txt";
69
70 POLPARAMS_BEGIN(eval_params)
71 POLPARAM(filename) // Argument 0
72 POLPARAMS_END;
73
74 PolicyResult result;
75 PolicyProcessor pol_ev(policy->entry[kFakeService]);
76
77 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
78 EXPECT_EQ(POLICY_MATCH, result);
79 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
80
81 filename = L"Z:\\Directory\\domo.txt.tmp";
82 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
83 EXPECT_EQ(NO_POLICY_MATCH, result);
84
85 delete [] reinterpret_cast<char*>(policy);
86 }
87
88 TEST(PolicyEngineTest, SimpleIfNotStrMatch) {
89 SetupNtdllImports();
90 PolicyRule pr(ASK_BROKER);
91 EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\",
92 CASE_SENSITIVE));
93
94 PolicyGlobal* policy = MakePolicyMemory();
95 const uint32_t kFakeService = 2;
96 LowLevelPolicy policyGen(policy);
97
98 EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
99 EXPECT_TRUE(policyGen.Done());
100
101 const wchar_t* filename = NULL;
102 POLPARAMS_BEGIN(eval_params)
103 POLPARAM(filename) // Argument 0
104 POLPARAMS_END;
105
106 PolicyResult result;
107 PolicyProcessor pol_ev(policy->entry[kFakeService]);
108
109 filename = L"c:\\Microsoft\\";
110 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
111 EXPECT_EQ(NO_POLICY_MATCH, result);
112
113 filename = L"c:\\MicroNerd\\";
114 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
115 EXPECT_EQ(POLICY_MATCH, result);
116 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
117
118 filename = L"c:\\Microsoft\\domo.txt";
119 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
120 EXPECT_EQ(POLICY_MATCH, result);
121 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
122
123 delete [] reinterpret_cast<char*>(policy);
124 }
125
126 TEST(PolicyEngineTest, SimpleIfNotStrMatchWild1) {
127 SetupNtdllImports();
128 PolicyRule pr(ASK_BROKER);
129 EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*",
130 CASE_SENSITIVE));
131
132 PolicyGlobal* policy = MakePolicyMemory();
133 const uint32_t kFakeService = 3;
134 LowLevelPolicy policyGen(policy);
135
136 EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
137 EXPECT_TRUE(policyGen.Done());
138
139 const wchar_t* filename = NULL;
140 POLPARAMS_BEGIN(eval_params)
141 POLPARAM(filename) // Argument 0
142 POLPARAMS_END;
143
144 PolicyResult result;
145 PolicyProcessor pol_ev(policy->entry[kFakeService]);
146
147 filename = L"c:\\Microsoft\\domo.txt";
148 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
149 EXPECT_EQ(NO_POLICY_MATCH, result);
150
151 filename = L"c:\\MicroNerd\\domo.txt";
152 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
153 EXPECT_EQ(POLICY_MATCH, result);
154 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
155
156 delete [] reinterpret_cast<char*>(policy);
157 }
158
159 TEST(PolicyEngineTest, SimpleIfNotStrMatchWild2) {
160 SetupNtdllImports();
161 PolicyRule pr(ASK_BROKER);
162 EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*.txt",
163 CASE_SENSITIVE));
164
165 PolicyGlobal* policy = MakePolicyMemory();
166 const uint32_t kFakeService = 3;
167 LowLevelPolicy policyGen(policy);
168
169 EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
170 EXPECT_TRUE(policyGen.Done());
171
172 const wchar_t* filename = NULL;
173 POLPARAMS_BEGIN(eval_params)
174 POLPARAM(filename) // Argument 0
175 POLPARAMS_END;
176
177 PolicyResult result;
178 PolicyProcessor pol_ev(policy->entry[kFakeService]);
179
180 filename = L"c:\\Microsoft\\domo.txt";
181 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
182 EXPECT_EQ(NO_POLICY_MATCH, result);
183
184 filename = L"c:\\MicroNerd\\domo.txt";
185 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
186 EXPECT_EQ(POLICY_MATCH, result);
187 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
188
189 filename = L"c:\\Microsoft\\domo.bmp";
190 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
191 EXPECT_EQ(POLICY_MATCH, result);
192 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
193
194 delete [] reinterpret_cast<char*>(policy);
195 }
196
197 TEST(PolicyEngineTest, IfNotStrMatchTwoRulesWild1) {
198 SetupNtdllImports();
199 PolicyRule pr(ASK_BROKER);
200 EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*",
201 CASE_SENSITIVE));
202 EXPECT_TRUE(pr.AddNumberMatch(IF, 1, 24, EQUAL));
203
204 PolicyGlobal* policy = MakePolicyMemory();
205 const uint32_t kFakeService = 3;
206 LowLevelPolicy policyGen(policy);
207
208 EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
209 EXPECT_TRUE(policyGen.Done());
210
211 const wchar_t* filename = NULL;
212 uint32_t access = 0;
213 POLPARAMS_BEGIN(eval_params)
214 POLPARAM(filename) // Argument 0
215 POLPARAM(access) // Argument 1
216 POLPARAMS_END;
217
218 PolicyResult result;
219 PolicyProcessor pol_ev(policy->entry[kFakeService]);
220
221 filename = L"c:\\Microsoft\\domo.txt";
222 access = 24;
223 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
224 EXPECT_EQ(NO_POLICY_MATCH, result);
225
226 filename = L"c:\\Microsoft\\domo.txt";
227 access = 42;
228 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
229 EXPECT_EQ(NO_POLICY_MATCH, result);
230
231 filename = L"c:\\MicroNerd\\domo.txt";
232 access = 24;
233 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
234 EXPECT_EQ(POLICY_MATCH, result);
235 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
236
237 filename = L"c:\\Micronesia\\domo.txt";
238 access = 42;
239 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
240 EXPECT_EQ(NO_POLICY_MATCH, result);
241
242 delete [] reinterpret_cast<char*>(policy);
243 }
244
245 TEST(PolicyEngineTest, IfNotStrMatchTwoRulesWild2) {
246 SetupNtdllImports();
247 PolicyRule pr(ASK_BROKER);
248 EXPECT_TRUE(pr.AddNumberMatch(IF, 1, 24, EQUAL));
249 EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\GoogleV?\\*.txt",
250 CASE_SENSITIVE));
251 EXPECT_TRUE(pr.AddNumberMatch(IF, 2, 66, EQUAL));
252
253 PolicyGlobal* policy = MakePolicyMemory();
254 const uint32_t kFakeService = 3;
255 LowLevelPolicy policyGen(policy);
256
257 EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
258 EXPECT_TRUE(policyGen.Done());
259
260 const wchar_t* filename = NULL;
261 uint32_t access = 0;
262 uint32_t sharing = 66;
263
264 POLPARAMS_BEGIN(eval_params)
265 POLPARAM(filename) // Argument 0
266 POLPARAM(access) // Argument 1
267 POLPARAM(sharing) // Argument 2
268 POLPARAMS_END;
269
270 PolicyResult result;
271 PolicyProcessor pol_ev(policy->entry[kFakeService]);
272
273 filename = L"c:\\GoogleV2\\domo.txt";
274 access = 24;
275 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
276 EXPECT_EQ(NO_POLICY_MATCH, result);
277
278 filename = L"c:\\GoogleV2\\domo.bmp";
279 access = 24;
280 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
281 EXPECT_EQ(POLICY_MATCH, result);
282 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
283
284 filename = L"c:\\GoogleV23\\domo.txt";
285 access = 24;
286 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
287 EXPECT_EQ(POLICY_MATCH, result);
288 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
289
290
291 filename = L"c:\\GoogleV2\\domo.txt";
292 access = 42;
293 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
294 EXPECT_EQ(NO_POLICY_MATCH, result);
295
296 filename = L"c:\\Google\\domo.txt";
297 access = 24;
298 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
299 EXPECT_EQ(POLICY_MATCH, result);
300 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
301
302 filename = L"c:\\Micronesia\\domo.txt";
303 access = 42;
304 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
305 EXPECT_EQ(NO_POLICY_MATCH, result);
306
307 filename = L"c:\\GoogleV2\\domo.bmp";
308 access = 24;
309 sharing = 0;
310 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
311 EXPECT_EQ(NO_POLICY_MATCH, result);
312
313 delete [] reinterpret_cast<char*>(policy);
314 }
315
316 // Testing one single rule in one single service. The service is made to
317 // resemble NtCreateFile.
318 TEST(PolicyEngineTest, OneRuleTest) {
319 SetupNtdllImports();
320 PolicyRule pr(ASK_BROKER);
321 EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\*Microsoft*\\*.txt",
322 CASE_SENSITIVE));
323 EXPECT_TRUE(pr.AddNumberMatch(IF_NOT, 1, CREATE_ALWAYS, EQUAL));
324 EXPECT_TRUE(pr.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));
325
326 PolicyGlobal* policy = MakePolicyMemory();
327
328 const uint32_t kNtFakeCreateFile = 7;
329
330 LowLevelPolicy policyGen(policy);
331 EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr));
332 EXPECT_TRUE(policyGen.Done());
333
334 const wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt";
335 uint32_t creation_mode = OPEN_EXISTING;
336 uint32_t flags = FILE_ATTRIBUTE_NORMAL;
337 void* security_descriptor = NULL;
338
339 POLPARAMS_BEGIN(eval_params)
340 POLPARAM(filename) // Argument 0
341 POLPARAM(creation_mode) // Argument 1
342 POLPARAM(flags) // Argument 2
343 POLPARAM(security_descriptor)
344 POLPARAMS_END;
345
346 PolicyResult result;
347 PolicyProcessor pol_ev(policy->entry[kNtFakeCreateFile]);
348
349 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
350 EXPECT_EQ(POLICY_MATCH, result);
351 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
352
353 creation_mode = CREATE_ALWAYS;
354 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
355 EXPECT_EQ(NO_POLICY_MATCH, result);
356
357 creation_mode = OPEN_EXISTING;
358 filename = L"c:\\Other\\Path\\Microsoft\\Another file.txt";
359 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
360 EXPECT_EQ(POLICY_MATCH, result);
361 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
362
363 filename = L"c:\\Other\\Path\\Microsoft\\Another file.txt.tmp";
364 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
365 EXPECT_EQ(NO_POLICY_MATCH, result);
366
367 flags = FILE_ATTRIBUTE_DEVICE;
368 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
369 EXPECT_EQ(NO_POLICY_MATCH, result);
370
371 filename = L"c:\\Other\\Macrosoft\\Another file.txt";
372 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
373 EXPECT_EQ(NO_POLICY_MATCH, result);
374
375 filename = L"c:\\Microsoft\\1.txt";
376 flags = FILE_ATTRIBUTE_NORMAL;
377 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
378 EXPECT_EQ(POLICY_MATCH, result);
379 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
380
381 filename = L"c:\\Microsoft\\1.ttt";
382 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
383 EXPECT_EQ(NO_POLICY_MATCH, result);
384
385 delete [] reinterpret_cast<char*>(policy);
386 }
387
388 // Testing 3 rules in 3 services. Two of the services resemble File services.
389 TEST(PolicyEngineTest, ThreeRulesTest) {
390 SetupNtdllImports();
391 PolicyRule pr_pipe(FAKE_SUCCESS);
392 EXPECT_TRUE(pr_pipe.AddStringMatch(IF, 0, L"\\\\/?/?\\Pipe\\Chrome.*",
393 CASE_INSENSITIVE));
394 EXPECT_TRUE(pr_pipe.AddNumberMatch(IF, 1, OPEN_EXISTING, EQUAL));
395 EXPECT_TRUE(pr_pipe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));
396
397 size_t opc1 = pr_pipe.GetOpcodeCount();
398 EXPECT_EQ(3u, opc1);
399
400 PolicyRule pr_dump(ASK_BROKER);
401 EXPECT_TRUE(pr_dump.AddStringMatch(IF, 0, L"\\\\/?/?\\*\\Crash Reports\\*",
402 CASE_INSENSITIVE));
403 EXPECT_TRUE(pr_dump.AddNumberMatch(IF, 1, CREATE_ALWAYS, EQUAL));
404 EXPECT_TRUE(pr_dump.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));
405
406 size_t opc2 = pr_dump.GetOpcodeCount();
407 EXPECT_EQ(4u, opc2);
408
409 PolicyRule pr_winexe(SIGNAL_ALARM);
410 EXPECT_TRUE(pr_winexe.AddStringMatch(IF, 0, L"\\\\/?/?\\C:\\Windows\\*.exe",
411 CASE_INSENSITIVE));
412 EXPECT_TRUE(pr_winexe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));
413
414 size_t opc3 = pr_winexe.GetOpcodeCount();
415 EXPECT_EQ(3u, opc3);
416
417 PolicyRule pr_adobe(GIVE_CACHED);
418 EXPECT_TRUE(pr_adobe.AddStringMatch(IF, 0, L"c:\\adobe\\ver?.?\\",
419 CASE_SENSITIVE));
420 EXPECT_TRUE(pr_adobe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));
421
422 size_t opc4 = pr_adobe.GetOpcodeCount();
423 EXPECT_EQ(4u, opc4);
424
425 PolicyRule pr_none(GIVE_FIRST);
426 EXPECT_TRUE(pr_none.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_READONLY, AND));
427 EXPECT_TRUE(pr_none.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_SYSTEM, AND));
428
429 size_t opc5 = pr_none.GetOpcodeCount();
430 EXPECT_EQ(2u, opc5);
431
432 PolicyGlobal* policy = MakePolicyMemory();
433
434 const uint32_t kNtFakeNone = 4;
435 const uint32_t kNtFakeCreateFile = 5;
436 const uint32_t kNtFakeOpenFile = 6;
437
438 LowLevelPolicy policyGen(policy);
439 EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_pipe));
440 EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_dump));
441 EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_winexe));
442
443 EXPECT_TRUE(policyGen.AddRule(kNtFakeOpenFile, &pr_adobe));
444 EXPECT_TRUE(policyGen.AddRule(kNtFakeOpenFile, &pr_pipe));
445
446 EXPECT_TRUE(policyGen.AddRule(kNtFakeNone, &pr_none));
447
448 EXPECT_TRUE(policyGen.Done());
449
450 // Inspect the policy structure manually.
451 EXPECT_TRUE(NULL == policy->entry[0]);
452 EXPECT_TRUE(NULL == policy->entry[1]);
453 EXPECT_TRUE(NULL == policy->entry[2]);
454 EXPECT_TRUE(NULL == policy->entry[3]);
455 EXPECT_TRUE(NULL != policy->entry[4]); // kNtFakeNone.
456 EXPECT_TRUE(NULL != policy->entry[5]); // kNtFakeCreateFile.
457 EXPECT_TRUE(NULL != policy->entry[6]); // kNtFakeOpenFile.
458 EXPECT_TRUE(NULL == policy->entry[7]);
459
460 // The total per service opcode counts now must take in account one
461 // extra opcode (action opcode) per rule.
462 ++opc1;
463 ++opc2;
464 ++opc3;
465 ++opc4;
466 ++opc5;
467
468 size_t tc1 = policy->entry[kNtFakeNone]->opcode_count;
469 size_t tc2 = policy->entry[kNtFakeCreateFile]->opcode_count;
470 size_t tc3 = policy->entry[kNtFakeOpenFile]->opcode_count;
471
472 EXPECT_EQ(opc5, tc1);
473 EXPECT_EQ((opc1 + opc2 + opc3), tc2);
474 EXPECT_EQ((opc1 + opc4), tc3);
475
476 // Check the type of the first and last opcode of each service.
477
478 EXPECT_EQ(OP_NUMBER_AND_MATCH,
479 policy->entry[kNtFakeNone]->opcodes[0].GetID());
480 EXPECT_EQ(OP_ACTION, policy->entry[kNtFakeNone]->opcodes[tc1-1].GetID());
481 EXPECT_EQ(OP_WSTRING_MATCH,
482 policy->entry[kNtFakeCreateFile]->opcodes[0].GetID());
483 EXPECT_EQ(OP_ACTION,
484 policy->entry[kNtFakeCreateFile]->opcodes[tc2-1].GetID());
485 EXPECT_EQ(OP_WSTRING_MATCH,
486 policy->entry[kNtFakeOpenFile]->opcodes[0].GetID());
487 EXPECT_EQ(OP_ACTION, policy->entry[kNtFakeOpenFile]->opcodes[tc3-1].GetID());
488
489 // Test the policy evaluation.
490
491 const wchar_t* filename = L"";
492 uint32_t creation_mode = OPEN_EXISTING;
493 uint32_t flags = FILE_ATTRIBUTE_NORMAL;
494 void* security_descriptor = NULL;
495
496 POLPARAMS_BEGIN(params)
497 POLPARAM(filename) // Argument 0
498 POLPARAM(creation_mode) // Argument 1
499 POLPARAM(flags) // Argument 2
500 POLPARAM(security_descriptor)
501 POLPARAMS_END;
502
503 PolicyResult result;
504 PolicyProcessor eval_CreateFile(policy->entry[kNtFakeCreateFile]);
505 PolicyProcessor eval_OpenFile(policy->entry[kNtFakeOpenFile]);
506 PolicyProcessor eval_None(policy->entry[kNtFakeNone]);
507
508 result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
509 EXPECT_EQ(NO_POLICY_MATCH, result);
510 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
511 EXPECT_EQ(NO_POLICY_MATCH, result);
512 result = eval_None.Evaluate(kShortEval, params, _countof(params));
513 EXPECT_EQ(NO_POLICY_MATCH, result);
514
515 filename = L"\\\\??\\c:\\Windows\\System32\\calc.exe";
516 flags = FILE_ATTRIBUTE_SYSTEM;
517 result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
518 EXPECT_EQ(NO_POLICY_MATCH, result);
519 result = eval_None.Evaluate(kShortEval, params, _countof(params));
520 EXPECT_EQ(NO_POLICY_MATCH, result);
521 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
522 EXPECT_EQ(NO_POLICY_MATCH, result);
523
524 flags += FILE_ATTRIBUTE_READONLY;
525 result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
526 EXPECT_EQ(NO_POLICY_MATCH, result);
527 result = eval_None.Evaluate(kShortEval, params, _countof(params));
528 EXPECT_EQ(POLICY_MATCH, result);
529 EXPECT_EQ(GIVE_FIRST, eval_None.GetAction());
530 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
531 EXPECT_EQ(NO_POLICY_MATCH, result);
532
533 flags = FILE_ATTRIBUTE_NORMAL;
534 result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
535 EXPECT_EQ(POLICY_MATCH, result);
536 EXPECT_EQ(SIGNAL_ALARM, eval_CreateFile.GetAction());
537 result = eval_None.Evaluate(kShortEval, params, _countof(params));
538 EXPECT_EQ(NO_POLICY_MATCH, result);
539 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
540 EXPECT_EQ(NO_POLICY_MATCH, result);
541
542 filename = L"c:\\adobe\\ver3.2\\temp";
543 result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
544 EXPECT_EQ(NO_POLICY_MATCH, result);
545 result = eval_None.Evaluate(kShortEval, params, _countof(params));
546 EXPECT_EQ(NO_POLICY_MATCH, result);
547 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
548 EXPECT_EQ(POLICY_MATCH, result);
549 EXPECT_EQ(GIVE_CACHED, eval_OpenFile.GetAction());
550
551 filename = L"c:\\adobe\\ver3.22\\temp";
552 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
553 EXPECT_EQ(NO_POLICY_MATCH, result);
554
555 filename = L"\\\\??\\c:\\some path\\other path\\crash reports\\some path";
556 creation_mode = CREATE_ALWAYS;
557 result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
558 EXPECT_EQ(POLICY_MATCH, result);
559 EXPECT_EQ(ASK_BROKER, eval_CreateFile.GetAction());
560 result = eval_None.Evaluate(kShortEval, params, _countof(params));
561 EXPECT_EQ(NO_POLICY_MATCH, result);
562 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
563 EXPECT_EQ(NO_POLICY_MATCH, result);
564
565 filename = L"\\\\??\\Pipe\\Chrome.12345";
566 creation_mode = OPEN_EXISTING;
567 result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
568 EXPECT_EQ(POLICY_MATCH, result);
569 EXPECT_EQ(FAKE_SUCCESS, eval_CreateFile.GetAction());
570 result = eval_None.Evaluate(kShortEval, params, _countof(params));
571 EXPECT_EQ(NO_POLICY_MATCH, result);
572 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
573 EXPECT_EQ(POLICY_MATCH, result);
574 EXPECT_EQ(FAKE_SUCCESS, eval_OpenFile.GetAction());
575
576 delete [] reinterpret_cast<char*>(policy);
577 }
578
579 TEST(PolicyEngineTest, PolicyRuleCopyConstructorTwoStrings) {
580 SetupNtdllImports();
581 // Both pr_orig and pr_copy should allow hello.* but not *.txt files.
582 PolicyRule pr_orig(ASK_BROKER);
583 EXPECT_TRUE(pr_orig.AddStringMatch(IF, 0, L"hello.*", CASE_SENSITIVE));
584
585 PolicyRule pr_copy(pr_orig);
586 EXPECT_TRUE(pr_orig.AddStringMatch(IF_NOT, 0, L"*.txt", CASE_SENSITIVE));
587 EXPECT_TRUE(pr_copy.AddStringMatch(IF_NOT, 0, L"*.txt", CASE_SENSITIVE));
588
589 PolicyGlobal* policy = MakePolicyMemory();
590 LowLevelPolicy policyGen(policy);
591 EXPECT_TRUE(policyGen.AddRule(1, &pr_orig));
592 EXPECT_TRUE(policyGen.AddRule(2, &pr_copy));
593 EXPECT_TRUE(policyGen.Done());
594
595 const wchar_t* name = NULL;
596 POLPARAMS_BEGIN(eval_params)
597 POLPARAM(name)
598 POLPARAMS_END;
599
600 PolicyResult result;
601 PolicyProcessor pol_ev_orig(policy->entry[1]);
602 name = L"domo.txt";
603 result = pol_ev_orig.Evaluate(kShortEval, eval_params, _countof(eval_params));
604 EXPECT_EQ(NO_POLICY_MATCH, result);
605
606 name = L"hello.bmp";
607 result = pol_ev_orig.Evaluate(kShortEval, eval_params, _countof(eval_params));
608 EXPECT_EQ(POLICY_MATCH, result);
609 EXPECT_EQ(ASK_BROKER, pol_ev_orig.GetAction());
610
611 PolicyProcessor pol_ev_copy(policy->entry[2]);
612 name = L"domo.txt";
613 result = pol_ev_copy.Evaluate(kShortEval, eval_params, _countof(eval_params));
614 EXPECT_EQ(NO_POLICY_MATCH, result);
615
616 name = L"hello.bmp";
617 result = pol_ev_copy.Evaluate(kShortEval, eval_params, _countof(eval_params));
618 EXPECT_EQ(POLICY_MATCH, result);
619 EXPECT_EQ(ASK_BROKER, pol_ev_copy.GetAction());
620 }
621 } // namespace sandbox
OLDNEW
« no previous file with comments | « sandbox/win/src/policy_low_level.cc ('k') | sandbox/win/src/policy_opcodes_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698