security/sandbox/win/src/policy_engine_processor.cc@6474c204b198 (annotated)
security/sandbox/win/src/policy_engine_processor.cc
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
| michael@0 | 1 | // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| michael@0 | 2 | // Use of this source code is governed by a BSD-style license that can be |
| michael@0 | 3 | // found in the LICENSE file. |
| michael@0 | 4 | |
| michael@0 | 5 | #include "sandbox/win/src/policy_engine_processor.h" |
| michael@0 | 6 | |
| michael@0 | 7 | namespace sandbox { |
| michael@0 | 8 | |
| michael@0 | 9 | void PolicyProcessor::SetInternalState(size_t index, EvalResult result) { |
| michael@0 | 10 | state_.current_index_ = index; |
| michael@0 | 11 | state_.current_result_ = result; |
| michael@0 | 12 | } |
| michael@0 | 13 | |
| michael@0 | 14 | EvalResult PolicyProcessor::GetAction() const { |
| michael@0 | 15 | return state_.current_result_; |
| michael@0 | 16 | } |
| michael@0 | 17 | |
| michael@0 | 18 | // Decides if an opcode can be skipped (not evaluated) or not. The function |
| michael@0 | 19 | // takes as inputs the opcode and the current evaluation context and returns |
| michael@0 | 20 | // true if the opcode should be skipped or not and also can set keep_skipping |
| michael@0 | 21 | // to false to signal that the current instruction should be skipped but not |
| michael@0 | 22 | // the next after the current one. |
| michael@0 | 23 | bool SkipOpcode(const PolicyOpcode& opcode, MatchContext* context, |
| michael@0 | 24 | bool* keep_skipping) { |
| michael@0 | 25 | if (opcode.IsAction()) { |
| michael@0 | 26 | uint32 options = context->options; |
| michael@0 | 27 | context->Clear(); |
| michael@0 | 28 | *keep_skipping = false; |
| michael@0 | 29 | return (kPolUseOREval != options); |
| michael@0 | 30 | } |
| michael@0 | 31 | *keep_skipping = true; |
| michael@0 | 32 | return true; |
| michael@0 | 33 | } |
| michael@0 | 34 | |
| michael@0 | 35 | PolicyResult PolicyProcessor::Evaluate(uint32 options, |
| michael@0 | 36 | ParameterSet* parameters, |
| michael@0 | 37 | size_t param_count) { |
| michael@0 | 38 | if (NULL == policy_) { |
| michael@0 | 39 | return NO_POLICY_MATCH; |
| michael@0 | 40 | } |
| michael@0 | 41 | if (0 == policy_->opcode_count) { |
| michael@0 | 42 | return NO_POLICY_MATCH; |
| michael@0 | 43 | } |
| michael@0 | 44 | if (!(kShortEval & options)) { |
| michael@0 | 45 | return POLICY_ERROR; |
| michael@0 | 46 | } |
| michael@0 | 47 | |
| michael@0 | 48 | MatchContext context; |
| michael@0 | 49 | bool evaluation = false; |
| michael@0 | 50 | bool skip_group = false; |
| michael@0 | 51 | SetInternalState(0, EVAL_FALSE); |
| michael@0 | 52 | size_t count = policy_->opcode_count; |
| michael@0 | 53 | |
| michael@0 | 54 | // Loop over all the opcodes Evaluating in sequence. Since we only support |
| michael@0 | 55 | // short circuit evaluation, we stop as soon as we find an 'action' opcode |
| michael@0 | 56 | // and the current evaluation is true. |
| michael@0 | 57 | // |
| michael@0 | 58 | // Skipping opcodes can happen when we are in AND mode (!kPolUseOREval) and |
| michael@0 | 59 | // have got EVAL_FALSE or when we are in OR mode (kPolUseOREval) and got |
| michael@0 | 60 | // EVAL_TRUE. Skipping will stop at the next action opcode or at the opcode |
| michael@0 | 61 | // after the action depending on kPolUseOREval. |
| michael@0 | 62 | |
| michael@0 | 63 | for (size_t ix = 0; ix != count; ++ix) { |
| michael@0 | 64 | PolicyOpcode& opcode = policy_->opcodes[ix]; |
| michael@0 | 65 | // Skipping block. |
| michael@0 | 66 | if (skip_group) { |
| michael@0 | 67 | if (SkipOpcode(opcode, &context, &skip_group)) { |
| michael@0 | 68 | continue; |
| michael@0 | 69 | } |
| michael@0 | 70 | } |
| michael@0 | 71 | // Evaluation block. |
| michael@0 | 72 | EvalResult result = opcode.Evaluate(parameters, param_count, &context); |
| michael@0 | 73 | switch (result) { |
| michael@0 | 74 | case EVAL_FALSE: |
| michael@0 | 75 | evaluation = false; |
| michael@0 | 76 | if (kPolUseOREval != context.options) { |
| michael@0 | 77 | skip_group = true; |
| michael@0 | 78 | } |
| michael@0 | 79 | break; |
| michael@0 | 80 | case EVAL_ERROR: |
| michael@0 | 81 | if (kStopOnErrors & options) { |
| michael@0 | 82 | return POLICY_ERROR; |
| michael@0 | 83 | } |
| michael@0 | 84 | break; |
| michael@0 | 85 | case EVAL_TRUE: |
| michael@0 | 86 | evaluation = true; |
| michael@0 | 87 | if (kPolUseOREval == context.options) { |
| michael@0 | 88 | skip_group = true; |
| michael@0 | 89 | } |
| michael@0 | 90 | break; |
| michael@0 | 91 | default: |
| michael@0 | 92 | // We have evaluated an action. |
| michael@0 | 93 | SetInternalState(ix, result); |
| michael@0 | 94 | return POLICY_MATCH; |
| michael@0 | 95 | } |
| michael@0 | 96 | } |
| michael@0 | 97 | |
| michael@0 | 98 | if (evaluation) { |
| michael@0 | 99 | // Reaching the end of the policy with a positive evaluation is probably |
| michael@0 | 100 | // an error: we did not find a final action opcode? |
| michael@0 | 101 | return POLICY_ERROR; |
| michael@0 | 102 | } |
| michael@0 | 103 | return NO_POLICY_MATCH; |
| michael@0 | 104 | } |
| michael@0 | 105 | |
| michael@0 | 106 | |
| michael@0 | 107 | } // namespace sandbox |
