// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "sandbox/win/src/policy_engine_params.h"
#include "sandbox/win/src/policy_engine_processor.h"
#include "sandbox/win/src/policy_low_level.h"
#include "testing/gtest/include/gtest/gtest.h"

// Together these three macros declare a sandbox::ParameterSet array named |x|
// holding one sandbox::ParamPickerMake(p) entry per POLPARAM(p) line.
#define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = {
#define POLPARAM(p) sandbox::ParamPickerMake(p),
#define POLPARAMS_END }

namespace sandbox {

bool SetupNtdllImports();

// Well-formed patterns must be accepted by PolicyRule::AddStringMatch. The
// set covers two consecutive '?', a leading '*', a '*' in the middle, a
// trailing '*', and a pattern with no wildcard at all.
TEST(PolicyEngineTest, StringPatternsOK) {
  SetupNtdllImports();
  PolicyRule rule(ASK_BROKER);
  EXPECT_TRUE(
      rule.AddStringMatch(IF, 0, L"c:\\adobe\\ver??\\", CASE_SENSITIVE));
  EXPECT_TRUE(
      rule.AddStringMatch(IF, 0, L"*.tmp", CASE_SENSITIVE));
  EXPECT_TRUE(
      rule.AddStringMatch(IF, 0, L"c:\\*.doc", CASE_SENSITIVE));
  EXPECT_TRUE(
      rule.AddStringMatch(IF, 0, L"c:\\windows\\*", CASE_SENSITIVE));
  EXPECT_TRUE(
      rule.AddStringMatch(IF, 0, L"d:\\adobe\\acrobat.exe", CASE_SENSITIVE));
}

// Malformed patterns must be refused by PolicyRule::AddStringMatch. Every
// pattern here places a '*' directly next to another wildcard ("**", "*?" or
// "?*"), so a policy author gets an error instead of a rule whose meaning is
// ambiguous.
TEST(PolicyEngineTest, StringPatternsBAD) {
  SetupNtdllImports();
  PolicyRule rule(ASK_BROKER);
  EXPECT_FALSE(
      rule.AddStringMatch(IF, 0, L"one**two", CASE_SENSITIVE));
  EXPECT_FALSE(
      rule.AddStringMatch(IF, 0, L"**three", CASE_SENSITIVE));
  EXPECT_FALSE(
      rule.AddStringMatch(IF, 0, L"five?six*?seven", CASE_SENSITIVE));
  EXPECT_FALSE(
      rule.AddStringMatch(IF, 0, L"eight?*nine", CASE_SENSITIVE));
}

// Helper function to allocate space (on the heap) for policy.
PolicyGlobal* MakePolicyMemory() {
  // One zero-filled char buffer backs the whole policy. The PolicyGlobal
  // header is placed at its start and data_size records the bytes that remain
  // after that header. Callers free the buffer with
  // delete [] reinterpret_cast<char*>(policy), matching the new char[] here.
  const size_t kTotalPolicySz = 4096*8;
  char* buffer = new char[kTotalPolicySz];
  memset(buffer, 0, kTotalPolicySz);
  PolicyGlobal* header = reinterpret_cast<PolicyGlobal*>(buffer);
  header->data_size = kTotalPolicySz - sizeof(PolicyGlobal);
  return header;
}

// Smallest end-to-end use of LowLevelPolicy: one rule made of a single
// wildcard-free string comparison, compiled and then evaluated.
TEST(PolicyEngineTest, SimpleStrMatch) {
  SetupNtdllImports();
  PolicyRule rule(ASK_BROKER);
  EXPECT_TRUE(rule.AddStringMatch(IF, 0, L"z:\\Directory\\domo.txt",
                                  CASE_INSENSITIVE));

  const uint32 kFakeService = 2;
  PolicyGlobal* policy = MakePolicyMemory();

  LowLevelPolicy generator(policy);
  EXPECT_TRUE(generator.AddRule(kFakeService, &rule));
  EXPECT_TRUE(generator.Done());

  wchar_t* filename = L"Z:\\Directory\\domo.txt";

  // The parameter array is built once. The test then reassigns |filename| and
  // expects the next Evaluate() call to see the new value.
  POLPARAMS_BEGIN(args)
    POLPARAM(filename)  // Argument 0
  POLPARAMS_END;

  PolicyProcessor evaluator(policy->entry[kFakeService]);

  // The drive letter differs only in case and the rule is CASE_INSENSITIVE.
  EXPECT_EQ(POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, evaluator.GetAction());

  // A longer name that merely starts with the pattern must not match.
  filename = L"Z:\\Directory\\domo.txt.tmp";
  EXPECT_EQ(NO_POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));

  delete [] reinterpret_cast<char*>(policy);
}

// IF_NOT with a wildcard-free pattern: the rule fires for every input other
// than the exact string, including paths below that directory.
TEST(PolicyEngineTest, SimpleIfNotStrMatch) {
  SetupNtdllImports();
  PolicyRule rule(ASK_BROKER);
  EXPECT_TRUE(rule.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\",
                                  CASE_SENSITIVE));

  const uint32 kFakeService = 2;
  PolicyGlobal* policy = MakePolicyMemory();
  LowLevelPolicy generator(policy);

  EXPECT_TRUE(generator.AddRule(kFakeService, &rule));
  EXPECT_TRUE(generator.Done());

  wchar_t* filename = NULL;
  POLPARAMS_BEGIN(args)
    POLPARAM(filename)  // Argument 0
  POLPARAMS_END;

  PolicyProcessor evaluator(policy->entry[kFakeService]);

  // Identical to the pattern, so the negated condition fails.
  filename = L"c:\\Microsoft\\";
  EXPECT_EQ(NO_POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));

  filename = L"c:\\MicroNerd\\";
  EXPECT_EQ(POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, evaluator.GetAction());

  // A file under the directory differs from the literal pattern, so the
  // IF_NOT rule fires for it as well.
  filename = L"c:\\Microsoft\\domo.txt";
  EXPECT_EQ(POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, evaluator.GetAction());

  delete [] reinterpret_cast<char*>(policy);
}

// IF_NOT with a trailing '*': everything under the directory is excluded from
// the rule, while a sibling directory still triggers it.
TEST(PolicyEngineTest, SimpleIfNotStrMatchWild1) {
  SetupNtdllImports();
  PolicyRule rule(ASK_BROKER);
  EXPECT_TRUE(rule.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*",
                                  CASE_SENSITIVE));

  const uint32 kFakeService = 3;
  PolicyGlobal* policy = MakePolicyMemory();
  LowLevelPolicy generator(policy);

  EXPECT_TRUE(generator.AddRule(kFakeService, &rule));
  EXPECT_TRUE(generator.Done());

  wchar_t* filename = NULL;
  POLPARAMS_BEGIN(args)
    POLPARAM(filename)  // Argument 0
  POLPARAMS_END;

  PolicyProcessor evaluator(policy->entry[kFakeService]);

  filename = L"c:\\Microsoft\\domo.txt";
  EXPECT_EQ(NO_POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));

  filename = L"c:\\MicroNerd\\domo.txt";
  EXPECT_EQ(POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, evaluator.GetAction());

  delete [] reinterpret_cast<char*>(policy);
}

// IF_NOT with '*' followed by a fixed extension: only .txt files under the
// directory are excluded from the rule.
TEST(PolicyEngineTest, SimpleIfNotStrMatchWild2) {
  SetupNtdllImports();
  PolicyRule rule(ASK_BROKER);
  EXPECT_TRUE(rule.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*.txt",
                                  CASE_SENSITIVE));

  const uint32 kFakeService = 3;
  PolicyGlobal* policy = MakePolicyMemory();
  LowLevelPolicy generator(policy);

  EXPECT_TRUE(generator.AddRule(kFakeService, &rule));
  EXPECT_TRUE(generator.Done());

  wchar_t* filename = NULL;
  POLPARAMS_BEGIN(args)
    POLPARAM(filename)  // Argument 0
  POLPARAMS_END;

  PolicyProcessor evaluator(policy->entry[kFakeService]);

  filename = L"c:\\Microsoft\\domo.txt";
  EXPECT_EQ(NO_POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));

  filename = L"c:\\MicroNerd\\domo.txt";
  EXPECT_EQ(POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, evaluator.GetAction());

  // Same directory, different extension: outside the excluded set.
  filename = L"c:\\Microsoft\\domo.bmp";
  EXPECT_EQ(POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, evaluator.GetAction());

  delete [] reinterpret_cast<char*>(policy);
}

// A negated string condition combined with a numeric equality on a second
// argument. The rule matches only when both conditions hold.
TEST(PolicyEngineTest, IfNotStrMatchTwoRulesWild1) {
  SetupNtdllImports();
  PolicyRule rule(ASK_BROKER);
  EXPECT_TRUE(rule.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*",
                                  CASE_SENSITIVE));
  EXPECT_TRUE(rule.AddNumberMatch(IF, 1, 24, EQUAL));

  const uint32 kFakeService = 3;
  PolicyGlobal* policy = MakePolicyMemory();
  LowLevelPolicy generator(policy);

  EXPECT_TRUE(generator.AddRule(kFakeService, &rule));
  EXPECT_TRUE(generator.Done());

  wchar_t* filename = NULL;
  unsigned long access = 0;
  POLPARAMS_BEGIN(args)
    POLPARAM(filename)  // Argument 0
    POLPARAM(access)    // Argument 1
  POLPARAMS_END;

  PolicyProcessor evaluator(policy->entry[kFakeService]);

  // The number is right but the path is in the excluded directory.
  filename = L"c:\\Microsoft\\domo.txt";
  access = 24;
  EXPECT_EQ(NO_POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));

  // Both conditions fail.
  filename = L"c:\\Microsoft\\domo.txt";
  access = 42;
  EXPECT_EQ(NO_POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));

  // Both conditions hold.
  filename = L"c:\\MicroNerd\\domo.txt";
  access = 24;
  EXPECT_EQ(POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, evaluator.GetAction());

  // The path is acceptable but the number is wrong.
  filename = L"c:\\Micronesia\\domo.txt";
  access = 42;
  EXPECT_EQ(NO_POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));

  delete [] reinterpret_cast<char*>(policy);
}

// Three conditions added out of argument order (1, 0, 2). The pattern mixes
// '?' and '*', and each condition is made to fail in turn.
TEST(PolicyEngineTest, IfNotStrMatchTwoRulesWild2) {
  SetupNtdllImports();
  PolicyRule rule(ASK_BROKER);
  EXPECT_TRUE(rule.AddNumberMatch(IF, 1, 24, EQUAL));
  EXPECT_TRUE(rule.AddStringMatch(IF_NOT, 0, L"c:\\GoogleV?\\*.txt",
                                  CASE_SENSITIVE));
  EXPECT_TRUE(rule.AddNumberMatch(IF, 2, 66, EQUAL));

  const uint32 kFakeService = 3;
  PolicyGlobal* policy = MakePolicyMemory();
  LowLevelPolicy generator(policy);

  EXPECT_TRUE(generator.AddRule(kFakeService, &rule));
  EXPECT_TRUE(generator.Done());

  wchar_t* filename = NULL;
  unsigned long access = 0;
  unsigned long sharing = 66;

  POLPARAMS_BEGIN(args)
    POLPARAM(filename)  // Argument 0
    POLPARAM(access)    // Argument 1
    POLPARAM(sharing)   // Argument 2
  POLPARAMS_END;

  PolicyProcessor evaluator(policy->entry[kFakeService]);

  // The path falls in the excluded set.
  filename = L"c:\\GoogleV2\\domo.txt";
  access = 24;
  EXPECT_EQ(NO_POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));

  // The extension takes the path out of the excluded set.
  filename = L"c:\\GoogleV2\\domo.bmp";
  access = 24;
  EXPECT_EQ(POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, evaluator.GetAction());

  // "V23" has two characters where the pattern has one '?', so the path is
  // not excluded.
  filename = L"c:\\GoogleV23\\domo.txt";
  access = 24;
  EXPECT_EQ(POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, evaluator.GetAction());

  // The path is excluded and the access value is wrong.
  filename = L"c:\\GoogleV2\\domo.txt";
  access = 42;
  EXPECT_EQ(NO_POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));

  // "Google" has nothing where the pattern has "V?", so it is not excluded.
  filename = L"c:\\Google\\domo.txt";
  access = 24;
  EXPECT_EQ(POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));
  EXPECT_EQ(ASK_BROKER, evaluator.GetAction());

  filename = L"c:\\Micronesia\\domo.txt";
  access = 42;
  EXPECT_EQ(NO_POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));

  // Path and access are acceptable. Only the third argument is wrong.
  filename = L"c:\\GoogleV2\\domo.bmp";
  access = 24;
  sharing = 0;
  EXPECT_EQ(NO_POLICY_MATCH,
            evaluator.Evaluate(kShortEval, args, _countof(args)));

  delete [] reinterpret_cast<char*>(policy);
}

// Testing one single rule in one single service. The service is made to
// resemble NtCreateFile.
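TEST(PolicyEngineTest, OneRuleTest) {
  SetupNtdllImports();
  // The rule matches when argument 0 fits the path pattern, argument 1 is
  // anything but CREATE_ALWAYS, and argument 2 equals FILE_ATTRIBUTE_NORMAL.
  PolicyRule pr(ASK_BROKER);
  EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\*Microsoft*\\*.txt",
                                CASE_SENSITIVE));
  EXPECT_TRUE(pr.AddNumberMatch(IF_NOT, 1, CREATE_ALWAYS, EQUAL));
  EXPECT_TRUE(pr.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));

  PolicyGlobal* policy = MakePolicyMemory();

  const uint32 kNtFakeCreateFile = 7;

  LowLevelPolicy policyGen(policy);
  EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr));
  EXPECT_TRUE(policyGen.Done());

  wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt";
  unsigned long creation_mode = OPEN_EXISTING;
  unsigned long flags = FILE_ATTRIBUTE_NORMAL;
  void* security_descriptor = NULL;

  // The array is built once. Later assignments to the variables are expected
  // to be seen by the following Evaluate() calls.
  POLPARAMS_BEGIN(eval_params)
    POLPARAM(filename)       // Argument 0
    POLPARAM(creation_mode)  // Argument 1
    POLPARAM(flags)          // Argument 2
    POLPARAM(security_descriptor)
  POLPARAMS_END;

  PolicyResult result;
  PolicyProcessor pol_ev(policy->entry[kNtFakeCreateFile]);

  // The first '*' stands in for "Documents and Settings" plus a separator.
  result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());

  // The negated creation-mode condition is violated.
  creation_mode = CREATE_ALWAYS;
  result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  // Here '*' spans more than one directory level ("Other" and "Path").
  creation_mode = OPEN_EXISTING;
  filename = L"c:\\Other\\Path\\Microsoft\\Another file.txt";
  result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());

  // Text after ".txt" must defeat the match.
  filename = L"c:\\Other\\Path\\Microsoft\\Another file.txt.tmp";
  result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  flags = FILE_ATTRIBUTE_DEVICE;
  result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  // NOTE(review): flags is still FILE_ATTRIBUTE_DEVICE here, so this case
  // would be rejected whatever the filename is. It does not isolate the
  // "Macrosoft" mismatch.
  filename = L"c:\\Other\\Macrosoft\\Another file.txt";
  result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  // Both '*' around "Microsoft" stand in for nothing.
  filename = L"c:\\Microsoft\\1.txt";
  flags = FILE_ATTRIBUTE_NORMAL;
  result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());

  filename = L"c:\\Microsoft\\1.ttt";
  result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  delete [] reinterpret_cast<char*>(policy);
}

// Five rules registered on three services (six AddRule calls, because pr_pipe
// is shared by two services). Two of the services resemble file services.
// The test checks the compiled layout first and the evaluation results after.
TEST(PolicyEngineTest, ThreeRulesTest) {
  SetupNtdllImports();
  // In these patterns "/?" lines up with a literal '?' in the inputs used
  // further down. Presumably it is the escape for a literal question mark;
  // confirm against the pattern parser.
  PolicyRule pr_pipe(FAKE_SUCCESS);
  EXPECT_TRUE(pr_pipe.AddStringMatch(IF, 0, L"\\\\/?/?\\Pipe\\Chrome.*",
                                     CASE_INSENSITIVE));
  EXPECT_TRUE(pr_pipe.AddNumberMatch(IF, 1, OPEN_EXISTING, EQUAL));
  EXPECT_TRUE(pr_pipe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));

  // Unsigned literals keep the comparison with size_t free of sign mixing.
  size_t opc1 = pr_pipe.GetOpcodeCount();
  EXPECT_EQ(3u, opc1);

  PolicyRule pr_dump(ASK_BROKER);
  EXPECT_TRUE(pr_dump.AddStringMatch(IF, 0, L"\\\\/?/?\\*\\Crash Reports\\*",
                                     CASE_INSENSITIVE));
  EXPECT_TRUE(pr_dump.AddNumberMatch(IF, 1, CREATE_ALWAYS, EQUAL));
  EXPECT_TRUE(pr_dump.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));

  size_t opc2 = pr_dump.GetOpcodeCount();
  EXPECT_EQ(4u, opc2);

  // This rule has no creation-mode condition; only path and flags are tested.
  PolicyRule pr_winexe(SIGNAL_ALARM);
  EXPECT_TRUE(pr_winexe.AddStringMatch(IF, 0, L"\\\\/?/?\\C:\\Windows\\*.exe",
                                       CASE_INSENSITIVE));
  EXPECT_TRUE(pr_winexe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));

  size_t opc3 = pr_winexe.GetOpcodeCount();
  EXPECT_EQ(3u, opc3);

  PolicyRule pr_adobe(GIVE_CACHED);
  EXPECT_TRUE(pr_adobe.AddStringMatch(IF, 0, L"c:\\adobe\\ver?.?\\",
                                      CASE_SENSITIVE));
  EXPECT_TRUE(pr_adobe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));

  size_t opc4 = pr_adobe.GetOpcodeCount();
  EXPECT_EQ(4u, opc4);

  // Two AND conditions on the same argument: both attribute bits must be set.
  PolicyRule pr_none(GIVE_FIRST);
  EXPECT_TRUE(pr_none.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_READONLY, AND));
  EXPECT_TRUE(pr_none.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_SYSTEM, AND));

  size_t opc5 = pr_none.GetOpcodeCount();
  EXPECT_EQ(2u, opc5);

  PolicyGlobal* policy = MakePolicyMemory();

  const uint32 kNtFakeNone = 4;
  const uint32 kNtFakeCreateFile = 5;
  const uint32 kNtFakeOpenFile = 6;

  LowLevelPolicy policyGen(policy);
  EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_pipe));
  EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_dump));
  EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_winexe));

  EXPECT_TRUE(policyGen.AddRule(kNtFakeOpenFile, &pr_adobe));
  EXPECT_TRUE(policyGen.AddRule(kNtFakeOpenFile, &pr_pipe));

  EXPECT_TRUE(policyGen.AddRule(kNtFakeNone, &pr_none));

  EXPECT_TRUE(policyGen.Done());

  // Inspect the policy structure manually: services that received no rule
  // must have no entry at all.
  // NOTE(review): entries 4 to 6 are dereferenced below. ASSERT_TRUE would end
  // the test on a NULL entry instead of crashing the test binary.
  EXPECT_TRUE(NULL == policy->entry[0]);
  EXPECT_TRUE(NULL == policy->entry[1]);
  EXPECT_TRUE(NULL == policy->entry[2]);
  EXPECT_TRUE(NULL == policy->entry[3]);
  EXPECT_TRUE(NULL != policy->entry[4]);  // kNtFakeNone.
  EXPECT_TRUE(NULL != policy->entry[5]);  // kNtFakeCreateFile.
  EXPECT_TRUE(NULL != policy->entry[6]);  // kNtFakeOpenFile.
  EXPECT_TRUE(NULL == policy->entry[7]);

  // The total per service opcode counts now must take in account one
  // extra opcode (action opcode) per rule.
  ++opc1;
  ++opc2;
  ++opc3;
  ++opc4;
  ++opc5;

  size_t tc1 = policy->entry[kNtFakeNone]->opcode_count;
  size_t tc2 = policy->entry[kNtFakeCreateFile]->opcode_count;
  size_t tc3 = policy->entry[kNtFakeOpenFile]->opcode_count;

  EXPECT_EQ(opc5, tc1);
  EXPECT_EQ((opc1 + opc2 + opc3), tc2);
  EXPECT_EQ((opc1 + opc4), tc3);

  // Check the type of the first and last opcode of each service. Each
  // service's opcode list must end in an action opcode.

  EXPECT_EQ(OP_ULONG_AND_MATCH, policy->entry[kNtFakeNone]->opcodes[0].GetID());
  EXPECT_EQ(OP_ACTION, policy->entry[kNtFakeNone]->opcodes[tc1-1].GetID());
  EXPECT_EQ(OP_WSTRING_MATCH,
            policy->entry[kNtFakeCreateFile]->opcodes[0].GetID());
  EXPECT_EQ(OP_ACTION,
            policy->entry[kNtFakeCreateFile]->opcodes[tc2-1].GetID());
  EXPECT_EQ(OP_WSTRING_MATCH,
            policy->entry[kNtFakeOpenFile]->opcodes[0].GetID());
  EXPECT_EQ(OP_ACTION, policy->entry[kNtFakeOpenFile]->opcodes[tc3-1].GetID());

  // Test the policy evaluation.

  wchar_t* filename = L"";
  unsigned long creation_mode = OPEN_EXISTING;
  unsigned long flags = FILE_ATTRIBUTE_NORMAL;
  void* security_descriptor = NULL;

  POLPARAMS_BEGIN(params)
    POLPARAM(filename)       // Argument 0
    POLPARAM(creation_mode)  // Argument 1
    POLPARAM(flags)          // Argument 2
    POLPARAM(security_descriptor)
  POLPARAMS_END;

  PolicyResult result;
  PolicyProcessor eval_CreateFile(policy->entry[kNtFakeCreateFile]);
  PolicyProcessor eval_OpenFile(policy->entry[kNtFakeOpenFile]);
  PolicyProcessor eval_None(policy->entry[kNtFakeNone]);

  // An empty filename must not satisfy any rule.
  result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_None.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  // Only the SYSTEM bit is set: pr_none needs READONLY as well, and the
  // file rules need FILE_ATTRIBUTE_NORMAL.
  filename = L"\\\\??\\c:\\Windows\\System32\\calc.exe";
  flags = FILE_ATTRIBUTE_SYSTEM;
  result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_None.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  // Set the second attribute bit. With both bits present pr_none fires.
  flags |= FILE_ATTRIBUTE_READONLY;
  result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_None.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(GIVE_FIRST, eval_None.GetAction());
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  // pr_winexe fires: the match is case-insensitive ("c:" against "C:") and
  // the '*' covers "System32" plus the separator before calc.exe.
  flags = FILE_ATTRIBUTE_NORMAL;
  result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(SIGNAL_ALARM, eval_CreateFile.GetAction());
  result = eval_None.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  // NOTE(review): pr_adobe's pattern has no trailing '*', yet this longer
  // path is expected to match while "ver3.22" below is not. Confirm that
  // this prefix-style behaviour is intended before relying on such a pattern
  // to bound access to a single directory entry.
  filename = L"c:\\adobe\\ver3.2\\temp";
  result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_None.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(GIVE_CACHED, eval_OpenFile.GetAction());

  filename = L"c:\\adobe\\ver3.22\\temp";
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  // pr_dump fires only on the create service, with CREATE_ALWAYS.
  filename = L"\\\\??\\c:\\some path\\other path\\crash reports\\some path";
  creation_mode = CREATE_ALWAYS;
  result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(ASK_BROKER, eval_CreateFile.GetAction());
  result = eval_None.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  // pr_pipe is registered on both file services and must fire on both.
  filename = L"\\\\??\\Pipe\\Chrome.12345";
  creation_mode = OPEN_EXISTING;
  result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(FAKE_SUCCESS, eval_CreateFile.GetAction());
  result = eval_None.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(NO_POLICY_MATCH, result);
  result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(FAKE_SUCCESS, eval_OpenFile.GetAction());

  delete [] reinterpret_cast<char*>(policy);
}

// A copy-constructed PolicyRule must behave like its source when both receive
// the same additional condition after the copy is made.
TEST(PolicyEngineTest, PolicyRuleCopyConstructorTwoStrings) {
  SetupNtdllImports();
  // Both pr_orig and pr_copy should allow hello.* but not *.txt files.
  PolicyRule pr_orig(ASK_BROKER);
  EXPECT_TRUE(pr_orig.AddStringMatch(IF, 0, L"hello.*", CASE_SENSITIVE));

  PolicyRule pr_copy(pr_orig);
  EXPECT_TRUE(pr_orig.AddStringMatch(IF_NOT, 0, L"*.txt", CASE_SENSITIVE));
  EXPECT_TRUE(pr_copy.AddStringMatch(IF_NOT, 0, L"*.txt", CASE_SENSITIVE));

  PolicyGlobal* policy = MakePolicyMemory();
  LowLevelPolicy policyGen(policy);
  EXPECT_TRUE(policyGen.AddRule(1, &pr_orig));
  EXPECT_TRUE(policyGen.AddRule(2, &pr_copy));
  EXPECT_TRUE(policyGen.Done());

  wchar_t* name = NULL;
  POLPARAMS_BEGIN(eval_params)
    POLPARAM(name)
  POLPARAMS_END;

  // NOTE(review): neither evaluator is tried with a name such as "hello.txt",
  // which satisfies the IF condition and violates the IF_NOT one. "domo.txt"
  // fails both conditions, so it cannot show that the copy kept the IF_NOT
  // condition.
  PolicyResult result;
  PolicyProcessor pol_ev_orig(policy->entry[1]);
  name = L"domo.txt";
  result = pol_ev_orig.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  name = L"hello.bmp";
  result = pol_ev_orig.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(ASK_BROKER, pol_ev_orig.GetAction());

  PolicyProcessor pol_ev_copy(policy->entry[2]);
  name = L"domo.txt";
  result = pol_ev_copy.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(NO_POLICY_MATCH, result);

  name = L"hello.bmp";
  result = pol_ev_copy.Evaluate(kShortEval, eval_params, _countof(eval_params));
  EXPECT_EQ(POLICY_MATCH, result);
  EXPECT_EQ(ASK_BROKER, pol_ev_copy.GetAction());

  // Release the buffer obtained from MakePolicyMemory(), with the same
  // cast-back-to-char form the other tests in this file use.
  delete [] reinterpret_cast<char*>(policy);
}

}  // namespace sandbox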