The Tor Browser / file comparison
comparison: security/sandbox/win/src/policy_engine_processor.cc
security/sandbox/win/src/policy_engine_processor.cc
- changeset 0
- 6474c204b198
equal
deleted
inserted
replaced
| -1:000000000000 | 0:ad1f01b222d4 |
|---|---|
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "sandbox/win/src/policy_engine_processor.h" | |
| 6 | |
| 7 namespace sandbox { | |
| 8 | |
| 9 void PolicyProcessor::SetInternalState(size_t index, EvalResult result) { | |
| 10 state_.current_index_ = index; | |
| 11 state_.current_result_ = result; | |
| 12 } | |
| 13 | |
| 14 EvalResult PolicyProcessor::GetAction() const { | |
| 15 return state_.current_result_; | |
| 16 } | |
| 17 | |
| 18 // Decides if an opcode can be skipped (not evaluated) or not. The function | |
| 19 // takes as inputs the opcode and the current evaluation context and returns | |
| 20 // true if the opcode should be skipped or not and also can set keep_skipping | |
| 21 // to false to signal that the current instruction should be skipped but not | |
| 22 // the next after the current one. | |
| 23 bool SkipOpcode(const PolicyOpcode& opcode, MatchContext* context, | |
| 24 bool* keep_skipping) { | |
| 25 if (opcode.IsAction()) { | |
| 26 uint32 options = context->options; | |
| 27 context->Clear(); | |
| 28 *keep_skipping = false; | |
| 29 return (kPolUseOREval != options); | |
| 30 } | |
| 31 *keep_skipping = true; | |
| 32 return true; | |
| 33 } | |
| 34 | |
| 35 PolicyResult PolicyProcessor::Evaluate(uint32 options, | |
| 36 ParameterSet* parameters, | |
| 37 size_t param_count) { | |
| 38 if (NULL == policy_) { | |
| 39 return NO_POLICY_MATCH; | |
| 40 } | |
| 41 if (0 == policy_->opcode_count) { | |
| 42 return NO_POLICY_MATCH; | |
| 43 } | |
| 44 if (!(kShortEval & options)) { | |
| 45 return POLICY_ERROR; | |
| 46 } | |
| 47 | |
| 48 MatchContext context; | |
| 49 bool evaluation = false; | |
| 50 bool skip_group = false; | |
| 51 SetInternalState(0, EVAL_FALSE); | |
| 52 size_t count = policy_->opcode_count; | |
| 53 | |
| 54 // Loop over all the opcodes Evaluating in sequence. Since we only support | |
| 55 // short circuit evaluation, we stop as soon as we find an 'action' opcode | |
| 56 // and the current evaluation is true. | |
| 57 // | |
| 58 // Skipping opcodes can happen when we are in AND mode (!kPolUseOREval) and | |
| 59 // have got EVAL_FALSE or when we are in OR mode (kPolUseOREval) and got | |
| 60 // EVAL_TRUE. Skipping will stop at the next action opcode or at the opcode | |
| 61 // after the action depending on kPolUseOREval. | |
| 62 | |
| 63 for (size_t ix = 0; ix != count; ++ix) { | |
| 64 PolicyOpcode& opcode = policy_->opcodes[ix]; | |
| 65 // Skipping block. | |
| 66 if (skip_group) { | |
| 67 if (SkipOpcode(opcode, &context, &skip_group)) { | |
| 68 continue; | |
| 69 } | |
| 70 } | |
| 71 // Evaluation block. | |
| 72 EvalResult result = opcode.Evaluate(parameters, param_count, &context); | |
| 73 switch (result) { | |
| 74 case EVAL_FALSE: | |
| 75 evaluation = false; | |
| 76 if (kPolUseOREval != context.options) { | |
| 77 skip_group = true; | |
| 78 } | |
| 79 break; | |
| 80 case EVAL_ERROR: | |
| 81 if (kStopOnErrors & options) { | |
| 82 return POLICY_ERROR; | |
| 83 } | |
| 84 break; | |
| 85 case EVAL_TRUE: | |
| 86 evaluation = true; | |
| 87 if (kPolUseOREval == context.options) { | |
| 88 skip_group = true; | |
| 89 } | |
| 90 break; | |
| 91 default: | |
| 92 // We have evaluated an action. | |
| 93 SetInternalState(ix, result); | |
| 94 return POLICY_MATCH; | |
| 95 } | |
| 96 } | |
| 97 | |
| 98 if (evaluation) { | |
| 99 // Reaching the end of the policy with a positive evaluation is probably | |
| 100 // an error: we did not find a final action opcode? | |
| 101 return POLICY_ERROR; | |
| 102 } | |
| 103 return NO_POLICY_MATCH; | |
| 104 } | |
| 105 | |
| 106 | |
| 107 } // namespace sandbox |
