1// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "sandbox/win/src/policy_engine_params.h" 6#include "sandbox/win/src/policy_engine_processor.h" 7#include "testing/gtest/include/gtest/gtest.h" 8 9#define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = { 10#define POLPARAM(p) sandbox::ParamPickerMake(p), 11#define POLPARAMS_END } 12 13namespace sandbox { 14 15bool SetupNtdllImports(); 16 17TEST(PolicyEngineTest, Rules1) { 18 SetupNtdllImports(); 19 20 // Construct two policy rules that say: 21 // 22 // #1 23 // If the path is c:\\documents and settings\\* AND 24 // If the creation mode is 'open existing' AND 25 // If the security descriptor is null THEN 26 // Ask the broker. 27 // 28 // #2 29 // If the security descriptor is null AND 30 // If the path ends with *.txt AND 31 // If the creation mode is not 'create new' THEN 32 // return Access Denied. 33 34 enum FileCreateArgs { 35 FileNameArg, 36 CreationDispositionArg, 37 FlagsAndAttributesArg, 38 SecurityAttributes 39 }; 40 41 const size_t policy_sz = 1024; 42 PolicyBuffer* policy = reinterpret_cast<PolicyBuffer*>(new char[policy_sz]); 43 OpcodeFactory opcode_maker(policy, policy_sz - 0x40); 44 45 // Add rule set #1 46 opcode_maker.MakeOpWStringMatch(FileNameArg, 47 L"c:\\documents and settings\\", 48 0, CASE_INSENSITIVE, kPolNone); 49 opcode_maker.MakeOpNumberMatch(CreationDispositionArg, OPEN_EXISTING, 50 kPolNone); 51 opcode_maker.MakeOpVoidPtrMatch(SecurityAttributes, (void*)NULL, 52 kPolNone); 53 opcode_maker.MakeOpAction(ASK_BROKER, kPolNone); 54 55 // Add rule set #2 56 opcode_maker.MakeOpWStringMatch(FileNameArg, L".TXT", 57 kSeekToEnd, CASE_INSENSITIVE, kPolNone); 58 opcode_maker.MakeOpNumberMatch(CreationDispositionArg, CREATE_NEW, 59 kPolNegateEval); 60 opcode_maker.MakeOpAction(FAKE_ACCESS_DENIED, kPolNone); 61 policy->opcode_count = 7; 62 63 const wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt"; 64 unsigned long creation_mode = OPEN_EXISTING; 65 unsigned long flags = FILE_ATTRIBUTE_NORMAL; 66 void* security_descriptor = NULL; 67 68 POLPARAMS_BEGIN(eval_params) 69 POLPARAM(filename) 70 POLPARAM(creation_mode) 71 POLPARAM(flags) 72 POLPARAM(security_descriptor) 73 POLPARAMS_END; 74 75 PolicyResult pr; 76 PolicyProcessor pol_ev(policy); 77 78 // Test should match the first rule set. 79 pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); 80 EXPECT_EQ(POLICY_MATCH, pr); 81 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); 82 83 // Test should still match the first rule set. 84 pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); 85 EXPECT_EQ(POLICY_MATCH, pr); 86 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); 87 88 // Changing creation_mode such that evaluation should not match any rule. 89 creation_mode = CREATE_NEW; 90 pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); 91 EXPECT_EQ(NO_POLICY_MATCH, pr); 92 93 // Changing creation_mode such that evaluation should match rule #2. 94 creation_mode = OPEN_ALWAYS; 95 pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); 96 EXPECT_EQ(POLICY_MATCH, pr); 97 EXPECT_EQ(FAKE_ACCESS_DENIED, pol_ev.GetAction()); 98 99 delete [] reinterpret_cast<char*>(policy); 100} 101 102} // namespace sandbox 103