The Tor Browser: comparison security/sandbox/win/src/policy_engine

--1:000000000000
+:823370bd7eed
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#ifndef SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__
+#define SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__
+#include "base/basictypes.h"
+#include "sandbox/win/src/policy_engine_params.h"
+#include "sandbox/win/src/policy_engine_opcodes.h"
+namespace sandbox {
+// This header contains the core policy evaluator. In its simplest form
+// it evaluates a stream of opcodes assuming that they are laid out in
+// memory as opcode groups.
+//
+// An opcode group has N comparison opcodes plus 1 action opcode. For
+// example here we have 3 opcode groups (A, B,C):
+//
+// [comparison 1]  <-- group A start
+// [comparison 2]
+// [comparison 3]
+// [action A    ]
+// [comparison 1]  <-- group B start
+// [action B    ]
+// [comparison 1]  <-- group C start
+// [comparison 2]
+// [action C    ]
+//
+// The opcode evaluator proceeds from the top, evaluating each opcode in
+// sequence. An opcode group is evaluated until the first comparison that
+// returns false. At that point the rest of the group is skipped and evaluation
+// resumes with the first comparison of the next group. When all the comparisons
+// in a group have evaluated to true and the action is reached. The group is
+// considered a matching group.
+//
+// In the 'ShortEval' mode evaluation stops when it reaches the end or the first
+// matching group. The action opcode from this group is the resulting policy
+// action.
+//
+// In the 'RankedEval' mode evaluation stops only when it reaches the end of the
+// the opcode stream. In the process all matching groups are saved and at the
+// end the 'best' group is selected (what makes the best is TBD) and the action
+// from this group is the resulting policy action.
+//
+// As explained above, the policy evaluation of a group is a logical AND of
+// the evaluation of each opcode. However an opcode can request kPolUseOREval
+// which makes the evaluation to use logical OR. Given that each opcode can
+// request its evaluation result to be negated with kPolNegateEval you can
+// achieve the negation of the total group evaluation. This means that if you
+// need to express:
+//             if (!(c1 && c2 && c3))
+// You can do it by:
+//             if ((!c1) || (!c2) || (!c3))
+//
+// Possible outcomes of policy evaluation.
+enum PolicyResult {
+NO_POLICY_MATCH,
+POLICY_MATCH,
+POLICY_ERROR
+};
+// Policy evaluation flags
+// TODO(cpu): implement the options 0 & 4.
+//
+// Stop evaluating as soon as an error is encountered.
+const uint32 kStopOnErrors = 0;
+// Ignore all non fatal opcode evaluation errors.
+const uint32 kIgnoreErrors = 1;
+// Short-circuit evaluation: Only evaluate until opcode group that
+// evaluated to true has been found.
+const uint32 kShortEval = 2;
+// Discussed briefly at the policy design meeting. It will evaluate
+// all rules and then return the 'best' rule that evaluated true.
+const uint32 kRankedEval = 4;
+// This class evaluates a policy-opcode stream given the memory where the
+// opcodes are and an input 'parameter set'.
+//
+// This class is designed to be callable from interception points
+// as low as the NtXXXX service level (it is not currently safe, but
+// it is designed to be made safe).
+//
+// Its usage in an interception is:
+//
+//   POLPARAMS_BEGIN(eval_params)
+//     POLPARAM(param1)
+//     POLPARAM(param2)
+//     POLPARAM(param3)
+//     POLPARAM(param4)
+//     POLPARAM(param5)
+//   POLPARAMS_END;
+//
+//   PolicyProcessor pol_evaluator(policy_memory);
+//   PolicyResult pr = pol_evaluator.Evaluate(ShortEval, eval_params,
+//                                            _countof(eval_params));
+//   if (NO_POLICY_MATCH == pr) {
+//     EvalResult policy_action =  pol_evaluator.GetAction();
+//     // apply policy here...
+//   }
+//
+// Where the POLPARAM() arguments are derived from the intercepted function
+// arguments, and represent all the 'interesting' policy inputs, and
+// policy_memory is a memory buffer containing the opcode stream that is the
+// relevant policy for this intercept.
+class PolicyProcessor {
+public:
+// policy_buffer contains opcodes made with OpcodeFactory. They are usually
+// created in the broker process and evaluated in the target process.
+// This constructor is just a variant of the previous constructor.
+explicit PolicyProcessor(PolicyBuffer* policy)
+: policy_(policy) {
+SetInternalState(0, EVAL_FALSE);
+}
+// Evaluates a policy-opcode stream. See the comments at the top of this
+// class for more info. Returns POLICY_MATCH if a rule set was found that
+// matches an active policy.
+PolicyResult Evaluate(uint32 options,
+ParameterSet* parameters,
+size_t parameter_count);
+// If the result of Evaluate() was POLICY_MATCH, calling this function returns
+// the recommended policy action.
+EvalResult GetAction() const;
+private:
+struct {
+size_t current_index_;
+EvalResult current_result_;
+} state_;
+// Sets the currently matching action result.
+void SetInternalState(size_t index, EvalResult result);
+PolicyBuffer* policy_;
+DISALLOW_COPY_AND_ASSIGN(PolicyProcessor);
+};
+}  // namespace sandbox
+#endif  // SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__

The Tor Browser / file comparison

comparison: security/sandbox/win/src/policy_engine_processor.h

security/sandbox/win/src/policy_engine_processor.h