security/sandbox/win/src/policy_engine_unittest.cc@6474c204b198 (annotated)
security/sandbox/win/src/policy_engine_unittest.cc
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
| michael@0 | 1 | // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| michael@0 | 2 | // Use of this source code is governed by a BSD-style license that can be |
| michael@0 | 3 | // found in the LICENSE file. |
| michael@0 | 4 | |
| michael@0 | 5 | #include "sandbox/win/src/policy_engine_params.h" |
| michael@0 | 6 | #include "sandbox/win/src/policy_engine_processor.h" |
| michael@0 | 7 | #include "testing/gtest/include/gtest/gtest.h" |
| michael@0 | 8 | |
| michael@0 | 9 | #define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = { |
| michael@0 | 10 | #define POLPARAM(p) sandbox::ParamPickerMake(p), |
| michael@0 | 11 | #define POLPARAMS_END } |
| michael@0 | 12 | |
| michael@0 | 13 | namespace sandbox { |
| michael@0 | 14 | |
| michael@0 | 15 | bool SetupNtdllImports(); |
| michael@0 | 16 | |
| michael@0 | 17 | TEST(PolicyEngineTest, Rules1) { |
| michael@0 | 18 | SetupNtdllImports(); |
| michael@0 | 19 | |
| michael@0 | 20 | // Construct two policy rules that say: |
| michael@0 | 21 | // |
| michael@0 | 22 | // #1 |
| michael@0 | 23 | // If the path is c:\\documents and settings\\* AND |
| michael@0 | 24 | // If the creation mode is 'open existing' AND |
| michael@0 | 25 | // If the security descriptor is null THEN |
| michael@0 | 26 | // Ask the broker. |
| michael@0 | 27 | // |
| michael@0 | 28 | // #2 |
| michael@0 | 29 | // If the security descriptor is null AND |
| michael@0 | 30 | // If the path ends with *.txt AND |
| michael@0 | 31 | // If the creation mode is not 'create new' THEN |
| michael@0 | 32 | // return Access Denied. |
| michael@0 | 33 | |
| michael@0 | 34 | enum FileCreateArgs { |
| michael@0 | 35 | FileNameArg, |
| michael@0 | 36 | CreationDispositionArg, |
| michael@0 | 37 | FlagsAndAttributesArg, |
| michael@0 | 38 | SecurityAttributes |
| michael@0 | 39 | }; |
| michael@0 | 40 | |
| michael@0 | 41 | const size_t policy_sz = 1024; |
| michael@0 | 42 | PolicyBuffer* policy = reinterpret_cast<PolicyBuffer*>(new char[policy_sz]); |
| michael@0 | 43 | OpcodeFactory opcode_maker(policy, policy_sz - 0x40); |
| michael@0 | 44 | |
| michael@0 | 45 | // Add rule set #1 |
| michael@0 | 46 | opcode_maker.MakeOpWStringMatch(FileNameArg, |
| michael@0 | 47 | L"c:\\documents and settings\\", |
| michael@0 | 48 | 0, CASE_INSENSITIVE, kPolNone); |
| michael@0 | 49 | opcode_maker.MakeOpNumberMatch(CreationDispositionArg, OPEN_EXISTING, |
| michael@0 | 50 | kPolNone); |
| michael@0 | 51 | opcode_maker.MakeOpVoidPtrMatch(SecurityAttributes, (void*)NULL, |
| michael@0 | 52 | kPolNone); |
| michael@0 | 53 | opcode_maker.MakeOpAction(ASK_BROKER, kPolNone); |
| michael@0 | 54 | |
| michael@0 | 55 | // Add rule set #2 |
| michael@0 | 56 | opcode_maker.MakeOpWStringMatch(FileNameArg, L".TXT", |
| michael@0 | 57 | kSeekToEnd, CASE_INSENSITIVE, kPolNone); |
| michael@0 | 58 | opcode_maker.MakeOpNumberMatch(CreationDispositionArg, CREATE_NEW, |
| michael@0 | 59 | kPolNegateEval); |
| michael@0 | 60 | opcode_maker.MakeOpAction(FAKE_ACCESS_DENIED, kPolNone); |
| michael@0 | 61 | policy->opcode_count = 7; |
| michael@0 | 62 | |
| michael@0 | 63 | wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt"; |
| michael@0 | 64 | unsigned long creation_mode = OPEN_EXISTING; |
| michael@0 | 65 | unsigned long flags = FILE_ATTRIBUTE_NORMAL; |
| michael@0 | 66 | void* security_descriptor = NULL; |
| michael@0 | 67 | |
| michael@0 | 68 | POLPARAMS_BEGIN(eval_params) |
| michael@0 | 69 | POLPARAM(filename) |
| michael@0 | 70 | POLPARAM(creation_mode) |
| michael@0 | 71 | POLPARAM(flags) |
| michael@0 | 72 | POLPARAM(security_descriptor) |
| michael@0 | 73 | POLPARAMS_END; |
| michael@0 | 74 | |
| michael@0 | 75 | PolicyResult pr; |
| michael@0 | 76 | PolicyProcessor pol_ev(policy); |
| michael@0 | 77 | |
| michael@0 | 78 | // Test should match the first rule set. |
| michael@0 | 79 | pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); |
| michael@0 | 80 | EXPECT_EQ(POLICY_MATCH, pr); |
| michael@0 | 81 | EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); |
| michael@0 | 82 | |
| michael@0 | 83 | // Test should still match the first rule set. |
| michael@0 | 84 | pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); |
| michael@0 | 85 | EXPECT_EQ(POLICY_MATCH, pr); |
| michael@0 | 86 | EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); |
| michael@0 | 87 | |
| michael@0 | 88 | // Changing creation_mode such that evaluation should not match any rule. |
| michael@0 | 89 | creation_mode = CREATE_NEW; |
| michael@0 | 90 | pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); |
| michael@0 | 91 | EXPECT_EQ(NO_POLICY_MATCH, pr); |
| michael@0 | 92 | |
| michael@0 | 93 | // Changing creation_mode such that evaluation should match rule #2. |
| michael@0 | 94 | creation_mode = OPEN_ALWAYS; |
| michael@0 | 95 | pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); |
| michael@0 | 96 | EXPECT_EQ(POLICY_MATCH, pr); |
| michael@0 | 97 | EXPECT_EQ(FAKE_ACCESS_DENIED, pol_ev.GetAction()); |
| michael@0 | 98 | |
| michael@0 | 99 | delete [] reinterpret_cast<char*>(policy); |
| michael@0 | 100 | } |
| michael@0 | 101 | |
| michael@0 | 102 | } // namespace sandbox |
