| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "sandbox/src/policy_engine_params.h" | |
| 6 #include "sandbox/src/policy_engine_processor.h" | |
| 7 #include "sandbox/src/policy_low_level.h" | |
| 8 #include "testing/gtest/include/gtest/gtest.h" | |
| 9 | |
| 10 #define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = { | |
| 11 #define POLPARAM(p) sandbox::ParamPickerMake(p), | |
| 12 #define POLPARAMS_END } | |
| 13 | |
| 14 namespace sandbox { | |
| 15 | |
| 16 bool SetupNtdllImports(); | |
| 17 | |
| 18 // Testing that we allow opcode generation on valid string patterns. | |
| 19 TEST(PolicyEngineTest, StringPatternsOK) { | |
| 20 SetupNtdllImports(); | |
| 21 PolicyRule pr(ASK_BROKER); | |
| 22 EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\adobe\\ver??\\", CASE_SENSITIVE)); | |
| 23 EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"*.tmp", CASE_SENSITIVE)); | |
| 24 EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\*.doc", CASE_SENSITIVE)); | |
| 25 EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\windows\\*", CASE_SENSITIVE)); | |
| 26 EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"d:\\adobe\\acrobat.exe", | |
| 27 CASE_SENSITIVE)); | |
| 28 } | |
| 29 | |
| 30 // Testing that we signal invalid string patterns. | |
| 31 TEST(PolicyEngineTest, StringPatternsBAD) { | |
| 32 SetupNtdllImports(); | |
| 33 PolicyRule pr(ASK_BROKER); | |
| 34 EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"one**two", CASE_SENSITIVE)); | |
| 35 EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"**three", CASE_SENSITIVE)); | |
| 36 EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"five?six*?seven", CASE_SENSITIVE)); | |
| 37 EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"eight?*nine", CASE_SENSITIVE)); | |
| 38 } | |
| 39 | |
| 40 // Helper function to allocate space (on the heap) for policy. | |
| 41 PolicyGlobal* MakePolicyMemory() { | |
| 42 const size_t kTotalPolicySz = 4096*8; | |
| 43 char* mem = new char[kTotalPolicySz]; | |
| 44 memset(mem, 0, kTotalPolicySz); | |
| 45 PolicyGlobal* policy = reinterpret_cast<PolicyGlobal*>(mem); | |
| 46 policy->data_size = kTotalPolicySz - sizeof(PolicyGlobal); | |
| 47 return policy; | |
| 48 } | |
| 49 | |
| 50 // The simplest test using LowLevelPolicy it should test a single opcode which | |
| 51 // does a exact string comparison. | |
| 52 TEST(PolicyEngineTest, SimpleStrMatch) { | |
| 53 SetupNtdllImports(); | |
| 54 PolicyRule pr(ASK_BROKER); | |
| 55 EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"z:\\Directory\\domo.txt", | |
| 56 CASE_INSENSITIVE)); | |
| 57 | |
| 58 PolicyGlobal* policy = MakePolicyMemory(); | |
| 59 const uint32 kFakeService = 2; | |
| 60 | |
| 61 LowLevelPolicy policyGen(policy); | |
| 62 EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr)); | |
| 63 EXPECT_TRUE(policyGen.Done()); | |
| 64 | |
| 65 wchar_t* filename = L"Z:\\Directory\\domo.txt"; | |
| 66 | |
| 67 POLPARAMS_BEGIN(eval_params) | |
| 68 POLPARAM(filename) // Argument 0 | |
| 69 POLPARAMS_END; | |
| 70 | |
| 71 PolicyResult result; | |
| 72 PolicyProcessor pol_ev(policy->entry[kFakeService]); | |
| 73 | |
| 74 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 75 EXPECT_EQ(POLICY_MATCH, result); | |
| 76 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); | |
| 77 | |
| 78 filename = L"Z:\\Directory\\domo.txt.tmp"; | |
| 79 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 80 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 81 | |
| 82 delete [] reinterpret_cast<char*>(policy); | |
| 83 } | |
| 84 | |
| 85 TEST(PolicyEngineTest, SimpleIfNotStrMatch) { | |
| 86 SetupNtdllImports(); | |
| 87 PolicyRule pr(ASK_BROKER); | |
| 88 EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\", | |
| 89 CASE_SENSITIVE)); | |
| 90 | |
| 91 PolicyGlobal* policy = MakePolicyMemory(); | |
| 92 const uint32 kFakeService = 2; | |
| 93 LowLevelPolicy policyGen(policy); | |
| 94 | |
| 95 EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr)); | |
| 96 EXPECT_TRUE(policyGen.Done()); | |
| 97 | |
| 98 wchar_t* filename = NULL; | |
| 99 POLPARAMS_BEGIN(eval_params) | |
| 100 POLPARAM(filename) // Argument 0 | |
| 101 POLPARAMS_END; | |
| 102 | |
| 103 PolicyResult result; | |
| 104 PolicyProcessor pol_ev(policy->entry[kFakeService]); | |
| 105 | |
| 106 filename = L"c:\\Microsoft\\"; | |
| 107 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 108 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 109 | |
| 110 filename = L"c:\\MicroNerd\\"; | |
| 111 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 112 EXPECT_EQ(POLICY_MATCH, result); | |
| 113 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); | |
| 114 | |
| 115 filename = L"c:\\Microsoft\\domo.txt"; | |
| 116 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 117 EXPECT_EQ(POLICY_MATCH, result); | |
| 118 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); | |
| 119 | |
| 120 delete [] reinterpret_cast<char*>(policy); | |
| 121 } | |
| 122 | |
| 123 TEST(PolicyEngineTest, SimpleIfNotStrMatchWild1) { | |
| 124 SetupNtdllImports(); | |
| 125 PolicyRule pr(ASK_BROKER); | |
| 126 EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*", | |
| 127 CASE_SENSITIVE)); | |
| 128 | |
| 129 PolicyGlobal* policy = MakePolicyMemory(); | |
| 130 const uint32 kFakeService = 3; | |
| 131 LowLevelPolicy policyGen(policy); | |
| 132 | |
| 133 EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr)); | |
| 134 EXPECT_TRUE(policyGen.Done()); | |
| 135 | |
| 136 wchar_t* filename = NULL; | |
| 137 POLPARAMS_BEGIN(eval_params) | |
| 138 POLPARAM(filename) // Argument 0 | |
| 139 POLPARAMS_END; | |
| 140 | |
| 141 PolicyResult result; | |
| 142 PolicyProcessor pol_ev(policy->entry[kFakeService]); | |
| 143 | |
| 144 filename = L"c:\\Microsoft\\domo.txt"; | |
| 145 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 146 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 147 | |
| 148 filename = L"c:\\MicroNerd\\domo.txt"; | |
| 149 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 150 EXPECT_EQ(POLICY_MATCH, result); | |
| 151 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); | |
| 152 | |
| 153 delete [] reinterpret_cast<char*>(policy); | |
| 154 } | |
| 155 | |
| 156 TEST(PolicyEngineTest, SimpleIfNotStrMatchWild2) { | |
| 157 SetupNtdllImports(); | |
| 158 PolicyRule pr(ASK_BROKER); | |
| 159 EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*.txt", | |
| 160 CASE_SENSITIVE)); | |
| 161 | |
| 162 PolicyGlobal* policy = MakePolicyMemory(); | |
| 163 const uint32 kFakeService = 3; | |
| 164 LowLevelPolicy policyGen(policy); | |
| 165 | |
| 166 EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr)); | |
| 167 EXPECT_TRUE(policyGen.Done()); | |
| 168 | |
| 169 wchar_t* filename = NULL; | |
| 170 POLPARAMS_BEGIN(eval_params) | |
| 171 POLPARAM(filename) // Argument 0 | |
| 172 POLPARAMS_END; | |
| 173 | |
| 174 PolicyResult result; | |
| 175 PolicyProcessor pol_ev(policy->entry[kFakeService]); | |
| 176 | |
| 177 filename = L"c:\\Microsoft\\domo.txt"; | |
| 178 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 179 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 180 | |
| 181 filename = L"c:\\MicroNerd\\domo.txt"; | |
| 182 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 183 EXPECT_EQ(POLICY_MATCH, result); | |
| 184 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); | |
| 185 | |
| 186 filename = L"c:\\Microsoft\\domo.bmp"; | |
| 187 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 188 EXPECT_EQ(POLICY_MATCH, result); | |
| 189 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); | |
| 190 | |
| 191 delete [] reinterpret_cast<char*>(policy); | |
| 192 } | |
| 193 | |
| 194 TEST(PolicyEngineTest, IfNotStrMatchTwoRulesWild1) { | |
| 195 SetupNtdllImports(); | |
| 196 PolicyRule pr(ASK_BROKER); | |
| 197 EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*", | |
| 198 CASE_SENSITIVE)); | |
| 199 EXPECT_TRUE(pr.AddNumberMatch(IF, 1, 24, EQUAL)); | |
| 200 | |
| 201 PolicyGlobal* policy = MakePolicyMemory(); | |
| 202 const uint32 kFakeService = 3; | |
| 203 LowLevelPolicy policyGen(policy); | |
| 204 | |
| 205 EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr)); | |
| 206 EXPECT_TRUE(policyGen.Done()); | |
| 207 | |
| 208 wchar_t* filename = NULL; | |
| 209 unsigned long access = 0; | |
| 210 POLPARAMS_BEGIN(eval_params) | |
| 211 POLPARAM(filename) // Argument 0 | |
| 212 POLPARAM(access) // Argument 1 | |
| 213 POLPARAMS_END; | |
| 214 | |
| 215 PolicyResult result; | |
| 216 PolicyProcessor pol_ev(policy->entry[kFakeService]); | |
| 217 | |
| 218 filename = L"c:\\Microsoft\\domo.txt"; | |
| 219 access = 24; | |
| 220 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 221 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 222 | |
| 223 filename = L"c:\\Microsoft\\domo.txt"; | |
| 224 access = 42; | |
| 225 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 226 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 227 | |
| 228 filename = L"c:\\MicroNerd\\domo.txt"; | |
| 229 access = 24; | |
| 230 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 231 EXPECT_EQ(POLICY_MATCH, result); | |
| 232 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); | |
| 233 | |
| 234 filename = L"c:\\Micronesia\\domo.txt"; | |
| 235 access = 42; | |
| 236 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 237 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 238 | |
| 239 delete [] reinterpret_cast<char*>(policy); | |
| 240 } | |
| 241 | |
| 242 TEST(PolicyEngineTest, IfNotStrMatchTwoRulesWild2) { | |
| 243 SetupNtdllImports(); | |
| 244 PolicyRule pr(ASK_BROKER); | |
| 245 EXPECT_TRUE(pr.AddNumberMatch(IF, 1, 24, EQUAL)); | |
| 246 EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\GoogleV?\\*.txt", | |
| 247 CASE_SENSITIVE)); | |
| 248 EXPECT_TRUE(pr.AddNumberMatch(IF, 2, 66, EQUAL)); | |
| 249 | |
| 250 PolicyGlobal* policy = MakePolicyMemory(); | |
| 251 const uint32 kFakeService = 3; | |
| 252 LowLevelPolicy policyGen(policy); | |
| 253 | |
| 254 EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr)); | |
| 255 EXPECT_TRUE(policyGen.Done()); | |
| 256 | |
| 257 wchar_t* filename = NULL; | |
| 258 unsigned long access = 0; | |
| 259 unsigned long sharing = 66; | |
| 260 | |
| 261 POLPARAMS_BEGIN(eval_params) | |
| 262 POLPARAM(filename) // Argument 0 | |
| 263 POLPARAM(access) // Argument 1 | |
| 264 POLPARAM(sharing) // Argument 2 | |
| 265 POLPARAMS_END; | |
| 266 | |
| 267 PolicyResult result; | |
| 268 PolicyProcessor pol_ev(policy->entry[kFakeService]); | |
| 269 | |
| 270 filename = L"c:\\GoogleV2\\domo.txt"; | |
| 271 access = 24; | |
| 272 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 273 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 274 | |
| 275 filename = L"c:\\GoogleV2\\domo.bmp"; | |
| 276 access = 24; | |
| 277 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 278 EXPECT_EQ(POLICY_MATCH, result); | |
| 279 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); | |
| 280 | |
| 281 filename = L"c:\\GoogleV23\\domo.txt"; | |
| 282 access = 24; | |
| 283 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 284 EXPECT_EQ(POLICY_MATCH, result); | |
| 285 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); | |
| 286 | |
| 287 | |
| 288 filename = L"c:\\GoogleV2\\domo.txt"; | |
| 289 access = 42; | |
| 290 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 291 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 292 | |
| 293 filename = L"c:\\Google\\domo.txt"; | |
| 294 access = 24; | |
| 295 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 296 EXPECT_EQ(POLICY_MATCH, result); | |
| 297 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); | |
| 298 | |
| 299 filename = L"c:\\Micronesia\\domo.txt"; | |
| 300 access = 42; | |
| 301 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 302 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 303 | |
| 304 filename = L"c:\\GoogleV2\\domo.bmp"; | |
| 305 access = 24; | |
| 306 sharing = 0; | |
| 307 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 308 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 309 | |
| 310 delete [] reinterpret_cast<char*>(policy); | |
| 311 } | |
| 312 | |
| 313 // Testing one single rule in one single service. The service is made to | |
| 314 // resemble NtCreateFile. | |
| 315 TEST(PolicyEngineTest, OneRuleTest) { | |
| 316 SetupNtdllImports(); | |
| 317 PolicyRule pr(ASK_BROKER); | |
| 318 EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\*Microsoft*\\*.txt", | |
| 319 CASE_SENSITIVE)); | |
| 320 EXPECT_TRUE(pr.AddNumberMatch(IF_NOT, 1, CREATE_ALWAYS, EQUAL)); | |
| 321 EXPECT_TRUE(pr.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL)); | |
| 322 | |
| 323 PolicyGlobal* policy = MakePolicyMemory(); | |
| 324 | |
| 325 const uint32 kNtFakeCreateFile = 7; | |
| 326 | |
| 327 LowLevelPolicy policyGen(policy); | |
| 328 EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr)); | |
| 329 EXPECT_TRUE(policyGen.Done()); | |
| 330 | |
| 331 wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt"; | |
| 332 unsigned long creation_mode = OPEN_EXISTING; | |
| 333 unsigned long flags = FILE_ATTRIBUTE_NORMAL; | |
| 334 void* security_descriptor = NULL; | |
| 335 | |
| 336 POLPARAMS_BEGIN(eval_params) | |
| 337 POLPARAM(filename) // Argument 0 | |
| 338 POLPARAM(creation_mode) // Argument 1 | |
| 339 POLPARAM(flags) // Argument 2 | |
| 340 POLPARAM(security_descriptor) | |
| 341 POLPARAMS_END; | |
| 342 | |
| 343 PolicyResult result; | |
| 344 PolicyProcessor pol_ev(policy->entry[kNtFakeCreateFile]); | |
| 345 | |
| 346 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 347 EXPECT_EQ(POLICY_MATCH, result); | |
| 348 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); | |
| 349 | |
| 350 creation_mode = CREATE_ALWAYS; | |
| 351 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 352 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 353 | |
| 354 creation_mode = OPEN_EXISTING; | |
| 355 filename = L"c:\\Other\\Path\\Microsoft\\Another file.txt"; | |
| 356 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 357 EXPECT_EQ(POLICY_MATCH, result); | |
| 358 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); | |
| 359 | |
| 360 filename = L"c:\\Other\\Path\\Microsoft\\Another file.txt.tmp"; | |
| 361 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 362 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 363 | |
| 364 flags = FILE_ATTRIBUTE_DEVICE; | |
| 365 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 366 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 367 | |
| 368 filename = L"c:\\Other\\Macrosoft\\Another file.txt"; | |
| 369 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 370 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 371 | |
| 372 filename = L"c:\\Microsoft\\1.txt"; | |
| 373 flags = FILE_ATTRIBUTE_NORMAL; | |
| 374 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 375 EXPECT_EQ(POLICY_MATCH, result); | |
| 376 EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); | |
| 377 | |
| 378 filename = L"c:\\Microsoft\\1.ttt"; | |
| 379 result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); | |
| 380 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 381 | |
| 382 delete [] reinterpret_cast<char*>(policy); | |
| 383 } | |
| 384 | |
| 385 // Testing 3 rules in 3 services. Two of the services resemble File services. | |
| 386 TEST(PolicyEngineTest, ThreeRulesTest) { | |
| 387 SetupNtdllImports(); | |
| 388 PolicyRule pr_pipe(FAKE_SUCCESS); | |
| 389 EXPECT_TRUE(pr_pipe.AddStringMatch(IF, 0, L"\\\\/?/?\\Pipe\\Chrome.*", | |
| 390 CASE_INSENSITIVE)); | |
| 391 EXPECT_TRUE(pr_pipe.AddNumberMatch(IF, 1, OPEN_EXISTING, EQUAL)); | |
| 392 EXPECT_TRUE(pr_pipe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL)); | |
| 393 | |
| 394 size_t opc1 = pr_pipe.GetOpcodeCount(); | |
| 395 EXPECT_EQ(3, opc1); | |
| 396 | |
| 397 PolicyRule pr_dump(ASK_BROKER); | |
| 398 EXPECT_TRUE(pr_dump.AddStringMatch(IF, 0, L"\\\\/?/?\\*\\Crash Reports\\*", | |
| 399 CASE_INSENSITIVE)); | |
| 400 EXPECT_TRUE(pr_dump.AddNumberMatch(IF, 1, CREATE_ALWAYS, EQUAL)); | |
| 401 EXPECT_TRUE(pr_dump.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL)); | |
| 402 | |
| 403 size_t opc2 = pr_dump.GetOpcodeCount(); | |
| 404 EXPECT_EQ(4, opc2); | |
| 405 | |
| 406 PolicyRule pr_winexe(SIGNAL_ALARM); | |
| 407 EXPECT_TRUE(pr_winexe.AddStringMatch(IF, 0, L"\\\\/?/?\\C:\\Windows\\*.exe", | |
| 408 CASE_INSENSITIVE)); | |
| 409 EXPECT_TRUE(pr_winexe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL)); | |
| 410 | |
| 411 size_t opc3 = pr_winexe.GetOpcodeCount(); | |
| 412 EXPECT_EQ(3, opc3); | |
| 413 | |
| 414 PolicyRule pr_adobe(GIVE_CACHED); | |
| 415 EXPECT_TRUE(pr_adobe.AddStringMatch(IF, 0, L"c:\\adobe\\ver?.?\\", | |
| 416 CASE_SENSITIVE)); | |
| 417 EXPECT_TRUE(pr_adobe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL)); | |
| 418 | |
| 419 size_t opc4 = pr_adobe.GetOpcodeCount(); | |
| 420 EXPECT_EQ(4, opc4); | |
| 421 | |
| 422 PolicyRule pr_none(GIVE_FIRST); | |
| 423 EXPECT_TRUE(pr_none.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_READONLY, AND)); | |
| 424 EXPECT_TRUE(pr_none.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_SYSTEM, AND)); | |
| 425 | |
| 426 size_t opc5 = pr_none.GetOpcodeCount(); | |
| 427 EXPECT_EQ(2, opc5); | |
| 428 | |
| 429 PolicyGlobal* policy = MakePolicyMemory(); | |
| 430 | |
| 431 const uint32 kNtFakeNone = 4; | |
| 432 const uint32 kNtFakeCreateFile = 5; | |
| 433 const uint32 kNtFakeOpenFile = 6; | |
| 434 | |
| 435 LowLevelPolicy policyGen(policy); | |
| 436 EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_pipe)); | |
| 437 EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_dump)); | |
| 438 EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_winexe)); | |
| 439 | |
| 440 EXPECT_TRUE(policyGen.AddRule(kNtFakeOpenFile, &pr_adobe)); | |
| 441 EXPECT_TRUE(policyGen.AddRule(kNtFakeOpenFile, &pr_pipe)); | |
| 442 | |
| 443 EXPECT_TRUE(policyGen.AddRule(kNtFakeNone, &pr_none)); | |
| 444 | |
| 445 EXPECT_TRUE(policyGen.Done()); | |
| 446 | |
| 447 // Inspect the policy structure manually. | |
| 448 EXPECT_TRUE(NULL == policy->entry[0]); | |
| 449 EXPECT_TRUE(NULL == policy->entry[1]); | |
| 450 EXPECT_TRUE(NULL == policy->entry[2]); | |
| 451 EXPECT_TRUE(NULL == policy->entry[3]); | |
| 452 EXPECT_TRUE(NULL != policy->entry[4]); // kNtFakeNone. | |
| 453 EXPECT_TRUE(NULL != policy->entry[5]); // kNtFakeCreateFile. | |
| 454 EXPECT_TRUE(NULL != policy->entry[6]); // kNtFakeOpenFile. | |
| 455 EXPECT_TRUE(NULL == policy->entry[7]); | |
| 456 | |
| 457 // The total per service opcode counts now must take in account one | |
| 458 // extra opcode (action opcode) per rule. | |
| 459 ++opc1; | |
| 460 ++opc2; | |
| 461 ++opc3; | |
| 462 ++opc4; | |
| 463 ++opc5; | |
| 464 | |
| 465 size_t tc1 = policy->entry[kNtFakeNone]->opcode_count; | |
| 466 size_t tc2 = policy->entry[kNtFakeCreateFile]->opcode_count; | |
| 467 size_t tc3 = policy->entry[kNtFakeOpenFile]->opcode_count; | |
| 468 | |
| 469 EXPECT_EQ(opc5, tc1); | |
| 470 EXPECT_EQ((opc1 + opc2 + opc3), tc2); | |
| 471 EXPECT_EQ((opc1 + opc4), tc3); | |
| 472 | |
| 473 // Check the type of the first and last opcode of each service. | |
| 474 | |
| 475 EXPECT_EQ(OP_ULONG_AND_MATCH, policy->entry[kNtFakeNone]->opcodes[0].GetID()); | |
| 476 EXPECT_EQ(OP_ACTION, policy->entry[kNtFakeNone]->opcodes[tc1-1].GetID()); | |
| 477 EXPECT_EQ(OP_WSTRING_MATCH, | |
| 478 policy->entry[kNtFakeCreateFile]->opcodes[0].GetID()); | |
| 479 EXPECT_EQ(OP_ACTION, | |
| 480 policy->entry[kNtFakeCreateFile]->opcodes[tc2-1].GetID()); | |
| 481 EXPECT_EQ(OP_WSTRING_MATCH, | |
| 482 policy->entry[kNtFakeOpenFile]->opcodes[0].GetID()); | |
| 483 EXPECT_EQ(OP_ACTION, policy->entry[kNtFakeOpenFile]->opcodes[tc3-1].GetID()); | |
| 484 | |
| 485 // Test the policy evaluation. | |
| 486 | |
| 487 wchar_t* filename = L""; | |
| 488 unsigned long creation_mode = OPEN_EXISTING; | |
| 489 unsigned long flags = FILE_ATTRIBUTE_NORMAL; | |
| 490 void* security_descriptor = NULL; | |
| 491 | |
| 492 POLPARAMS_BEGIN(params) | |
| 493 POLPARAM(filename) // Argument 0 | |
| 494 POLPARAM(creation_mode) // Argument 1 | |
| 495 POLPARAM(flags) // Argument 2 | |
| 496 POLPARAM(security_descriptor) | |
| 497 POLPARAMS_END; | |
| 498 | |
| 499 PolicyResult result; | |
| 500 PolicyProcessor eval_CreateFile(policy->entry[kNtFakeCreateFile]); | |
| 501 PolicyProcessor eval_OpenFile(policy->entry[kNtFakeOpenFile]); | |
| 502 PolicyProcessor eval_None(policy->entry[kNtFakeNone]); | |
| 503 | |
| 504 result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params)); | |
| 505 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 506 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); | |
| 507 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 508 result = eval_None.Evaluate(kShortEval, params, _countof(params)); | |
| 509 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 510 | |
| 511 filename = L"\\\\??\\c:\\Windows\\System32\\calc.exe"; | |
| 512 flags = FILE_ATTRIBUTE_SYSTEM; | |
| 513 result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params)); | |
| 514 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 515 result = eval_None.Evaluate(kShortEval, params, _countof(params)); | |
| 516 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 517 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); | |
| 518 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 519 | |
| 520 flags += FILE_ATTRIBUTE_READONLY; | |
| 521 result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params)); | |
| 522 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 523 result = eval_None.Evaluate(kShortEval, params, _countof(params)); | |
| 524 EXPECT_EQ(POLICY_MATCH, result); | |
| 525 EXPECT_EQ(GIVE_FIRST, eval_None.GetAction()); | |
| 526 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); | |
| 527 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 528 | |
| 529 flags = FILE_ATTRIBUTE_NORMAL; | |
| 530 result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params)); | |
| 531 EXPECT_EQ(POLICY_MATCH, result); | |
| 532 EXPECT_EQ(SIGNAL_ALARM, eval_CreateFile.GetAction()); | |
| 533 result = eval_None.Evaluate(kShortEval, params, _countof(params)); | |
| 534 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 535 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); | |
| 536 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 537 | |
| 538 filename = L"c:\\adobe\\ver3.2\\temp"; | |
| 539 result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params)); | |
| 540 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 541 result = eval_None.Evaluate(kShortEval, params, _countof(params)); | |
| 542 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 543 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); | |
| 544 EXPECT_EQ(POLICY_MATCH, result); | |
| 545 EXPECT_EQ(GIVE_CACHED, eval_OpenFile.GetAction()); | |
| 546 | |
| 547 filename = L"c:\\adobe\\ver3.22\\temp"; | |
| 548 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); | |
| 549 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 550 | |
| 551 filename = L"\\\\??\\c:\\some path\\other path\\crash reports\\some path"; | |
| 552 creation_mode = CREATE_ALWAYS; | |
| 553 result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params)); | |
| 554 EXPECT_EQ(POLICY_MATCH, result); | |
| 555 EXPECT_EQ(ASK_BROKER, eval_CreateFile.GetAction()); | |
| 556 result = eval_None.Evaluate(kShortEval, params, _countof(params)); | |
| 557 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 558 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); | |
| 559 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 560 | |
| 561 filename = L"\\\\??\\Pipe\\Chrome.12345"; | |
| 562 creation_mode = OPEN_EXISTING; | |
| 563 result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params)); | |
| 564 EXPECT_EQ(POLICY_MATCH, result); | |
| 565 EXPECT_EQ(FAKE_SUCCESS, eval_CreateFile.GetAction()); | |
| 566 result = eval_None.Evaluate(kShortEval, params, _countof(params)); | |
| 567 EXPECT_EQ(NO_POLICY_MATCH, result); | |
| 568 result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); | |
| 569 EXPECT_EQ(POLICY_MATCH, result); | |
| 570 EXPECT_EQ(FAKE_SUCCESS, eval_OpenFile.GetAction()); | |
| 571 | |
| 572 delete [] reinterpret_cast<char*>(policy); | |
| 573 } | |
| 574 | |
| 575 } // namespace sandbox | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10689170:
Move the Windows sandbox to sandbox/win (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src