15821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. 25821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Use of this source code is governed by a BSD-style license that can be 35821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// found in the LICENSE file. 45821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 55821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/policy_engine_params.h" 65821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/policy_engine_processor.h" 75821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "testing/gtest/include/gtest/gtest.h" 85821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 95821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = { 105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define POLPARAM(p) sandbox::ParamPickerMake(p), 115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define POLPARAMS_END } 125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)namespace sandbox { 145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)bool SetupNtdllImports(); 165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST(PolicyEngineTest, Rules1) { 185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) SetupNtdllImports(); 195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Construct two policy rules that say: 215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // 225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // #1 235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // If the path is c:\\documents and settings\\* AND 245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // If the creation mode is 'open existing' AND 255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // If the security descriptor is null THEN 265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Ask the broker. 275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // 285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // #2 295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // If the security descriptor is null AND 305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // If the path ends with *.txt AND 315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // If the creation mode is not 'create new' THEN 325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // return Access Denied. 335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) enum FileCreateArgs { 355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) FileNameArg, 365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CreationDispositionArg, 375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) FlagsAndAttributesArg, 385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) SecurityAttributes 395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) }; 405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) const size_t policy_sz = 1024; 425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PolicyBuffer* policy = reinterpret_cast<PolicyBuffer*>(new char[policy_sz]); 435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) OpcodeFactory opcode_maker(policy, policy_sz - 0x40); 445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Add rule set #1 465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) opcode_maker.MakeOpWStringMatch(FileNameArg, 475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) L"c:\\documents and settings\\", 485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 0, CASE_INSENSITIVE, kPolNone); 495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) opcode_maker.MakeOpNumberMatch(CreationDispositionArg, OPEN_EXISTING, 505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) kPolNone); 515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) opcode_maker.MakeOpVoidPtrMatch(SecurityAttributes, (void*)NULL, 525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) kPolNone); 535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) opcode_maker.MakeOpAction(ASK_BROKER, kPolNone); 545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Add rule set #2 565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) opcode_maker.MakeOpWStringMatch(FileNameArg, L".TXT", 575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) kSeekToEnd, CASE_INSENSITIVE, kPolNone); 585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) opcode_maker.MakeOpNumberMatch(CreationDispositionArg, CREATE_NEW, 595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) kPolNegateEval); 605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) opcode_maker.MakeOpAction(FAKE_ACCESS_DENIED, kPolNone); 615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) policy->opcode_count = 7; 625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 63cedac228d2dd51db4b79ea1e72c7f249408ee061Torne (Richard Coles) const wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt"; 645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) unsigned long creation_mode = OPEN_EXISTING; 655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) unsigned long flags = FILE_ATTRIBUTE_NORMAL; 665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) void* security_descriptor = NULL; 675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) POLPARAMS_BEGIN(eval_params) 695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) POLPARAM(filename) 705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) POLPARAM(creation_mode) 715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) POLPARAM(flags) 725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) POLPARAM(security_descriptor) 735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) POLPARAMS_END; 745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PolicyResult pr; 765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PolicyProcessor pol_ev(policy); 775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Test should match the first rule set. 795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); 805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(POLICY_MATCH, pr); 815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); 825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Test should still match the first rule set. 845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); 855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(POLICY_MATCH, pr); 865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); 875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Changing creation_mode such that evaluation should not match any rule. 895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) creation_mode = CREATE_NEW; 905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); 915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(NO_POLICY_MATCH, pr); 925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Changing creation_mode such that evaluation should match rule #2. 945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) creation_mode = OPEN_ALWAYS; 955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); 965821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(POLICY_MATCH, pr); 975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(FAKE_ACCESS_DENIED, pol_ev.GetAction()); 985821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) delete [] reinterpret_cast<char*>(policy); 1005821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 1015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1025821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} // namespace sandbox 103