Home | History | Annotate | Download | only in src
      1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "sandbox/win/src/policy_engine_params.h"
      6 #include "sandbox/win/src/policy_engine_processor.h"
      7 #include "testing/gtest/include/gtest/gtest.h"
      8 
      9 #define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = {
     10 #define POLPARAM(p) sandbox::ParamPickerMake(p),
     11 #define POLPARAMS_END }
     12 
     13 namespace sandbox {
     14 
     15 bool SetupNtdllImports();
     16 
     17 TEST(PolicyEngineTest, Rules1) {
     18   SetupNtdllImports();
     19 
     20   // Construct two policy rules that say:
     21   //
     22   // #1
     23   // If the path is c:\\documents and settings\\* AND
     24   // If the creation mode is 'open existing' AND
     25   // If the security descriptor is null THEN
     26   // Ask the broker.
     27   //
     28   // #2
     29   // If the security descriptor is null AND
     30   // If the path ends with *.txt AND
     31   // If the creation mode is not 'create new' THEN
     32   // return Access Denied.
     33 
     34   enum FileCreateArgs {
     35     FileNameArg,
     36     CreationDispositionArg,
     37     FlagsAndAttributesArg,
     38     SecurityAttributes
     39   };
     40 
     41   const size_t policy_sz = 1024;
     42   PolicyBuffer* policy = reinterpret_cast<PolicyBuffer*>(new char[policy_sz]);
     43   OpcodeFactory opcode_maker(policy, policy_sz - 0x40);
     44 
     45   // Add rule set #1
     46   opcode_maker.MakeOpWStringMatch(FileNameArg,
     47                                   L"c:\\documents and settings\\",
     48                                   0, CASE_INSENSITIVE, kPolNone);
     49   opcode_maker.MakeOpNumberMatch(CreationDispositionArg, OPEN_EXISTING,
     50                                  kPolNone);
     51   opcode_maker.MakeOpVoidPtrMatch(SecurityAttributes, (void*)NULL,
     52                                  kPolNone);
     53   opcode_maker.MakeOpAction(ASK_BROKER, kPolNone);
     54 
     55   // Add rule set #2
     56   opcode_maker.MakeOpWStringMatch(FileNameArg, L".TXT",
     57                                   kSeekToEnd, CASE_INSENSITIVE, kPolNone);
     58   opcode_maker.MakeOpNumberMatch(CreationDispositionArg, CREATE_NEW,
     59                                  kPolNegateEval);
     60   opcode_maker.MakeOpAction(FAKE_ACCESS_DENIED, kPolNone);
     61   policy->opcode_count = 7;
     62 
     63   wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt";
     64   unsigned long creation_mode = OPEN_EXISTING;
     65   unsigned long flags = FILE_ATTRIBUTE_NORMAL;
     66   void* security_descriptor = NULL;
     67 
     68   POLPARAMS_BEGIN(eval_params)
     69     POLPARAM(filename)
     70     POLPARAM(creation_mode)
     71     POLPARAM(flags)
     72     POLPARAM(security_descriptor)
     73   POLPARAMS_END;
     74 
     75   PolicyResult pr;
     76   PolicyProcessor pol_ev(policy);
     77 
     78   // Test should match the first rule set.
     79   pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
     80   EXPECT_EQ(POLICY_MATCH, pr);
     81   EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
     82 
     83   // Test should still match the first rule set.
     84   pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
     85   EXPECT_EQ(POLICY_MATCH, pr);
     86   EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
     87 
     88   // Changing creation_mode such that evaluation should not match any rule.
     89   creation_mode = CREATE_NEW;
     90   pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
     91   EXPECT_EQ(NO_POLICY_MATCH, pr);
     92 
     93   // Changing creation_mode such that evaluation should match rule #2.
     94   creation_mode = OPEN_ALWAYS;
     95   pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
     96   EXPECT_EQ(POLICY_MATCH, pr);
     97   EXPECT_EQ(FAKE_ACCESS_DENIED, pol_ev.GetAction());
     98 
     99   delete [] reinterpret_cast<char*>(policy);
    100 }
    101 
    102 }  // namespace sandbox
    103