The Tor Browser: comparison security/sandbox/win/src/policy_engine

--1:000000000000
+:3997856c8022
+// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "sandbox/win/src/policy_engine_params.h"
+#include "sandbox/win/src/policy_engine_processor.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = {
+#define POLPARAM(p) sandbox::ParamPickerMake(p),
+#define POLPARAMS_END }
+namespace sandbox {
+bool SetupNtdllImports();
+TEST(PolicyEngineTest, Rules1) {
+SetupNtdllImports();
+// Construct two policy rules that say:
+//
+// #1
+// If the path is c:\\documents and settings\\* AND
+// If the creation mode is 'open existing' AND
+// If the security descriptor is null THEN
+// Ask the broker.
+//
+// #2
+// If the security descriptor is null AND
+// If the path ends with *.txt AND
+// If the creation mode is not 'create new' THEN
+// return Access Denied.
+enum FileCreateArgs {
+FileNameArg,
+CreationDispositionArg,
+FlagsAndAttributesArg,
+SecurityAttributes
+};
+const size_t policy_sz = 1024;
+PolicyBuffer* policy = reinterpret_cast<PolicyBuffer*>(new char[policy_sz]);
+OpcodeFactory opcode_maker(policy, policy_sz - 0x40);
+// Add rule set #1
+opcode_maker.MakeOpWStringMatch(FileNameArg,
+L"c:\\documents and settings\\",
+0, CASE_INSENSITIVE, kPolNone);
+opcode_maker.MakeOpNumberMatch(CreationDispositionArg, OPEN_EXISTING,
+kPolNone);
+opcode_maker.MakeOpVoidPtrMatch(SecurityAttributes, (void*)NULL,
+kPolNone);
+opcode_maker.MakeOpAction(ASK_BROKER, kPolNone);
+// Add rule set #2
+opcode_maker.MakeOpWStringMatch(FileNameArg, L".TXT",
+kSeekToEnd, CASE_INSENSITIVE, kPolNone);
+opcode_maker.MakeOpNumberMatch(CreationDispositionArg, CREATE_NEW,
+kPolNegateEval);
+opcode_maker.MakeOpAction(FAKE_ACCESS_DENIED, kPolNone);
+policy->opcode_count = 7;
+wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt";
+unsigned long creation_mode = OPEN_EXISTING;
+unsigned long flags = FILE_ATTRIBUTE_NORMAL;
+void* security_descriptor = NULL;
+POLPARAMS_BEGIN(eval_params)
+POLPARAM(filename)
+POLPARAM(creation_mode)
+POLPARAM(flags)
+POLPARAM(security_descriptor)
+POLPARAMS_END;
+PolicyResult pr;
+PolicyProcessor pol_ev(policy);
+// Test should match the first rule set.
+pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
+EXPECT_EQ(POLICY_MATCH, pr);
+EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
+// Test should still match the first rule set.
+pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
+EXPECT_EQ(POLICY_MATCH, pr);
+EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
+// Changing creation_mode such that evaluation should not match any rule.
+creation_mode = CREATE_NEW;
+pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
+EXPECT_EQ(NO_POLICY_MATCH, pr);
+// Changing creation_mode such that evaluation should match rule #2.
+creation_mode = OPEN_ALWAYS;
+pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
+EXPECT_EQ(POLICY_MATCH, pr);
+EXPECT_EQ(FAKE_ACCESS_DENIED, pol_ev.GetAction());
+delete [] reinterpret_cast<char*>(policy);
+}
+}  // namespace sandbox

The Tor Browser / file comparison

comparison: security/sandbox/win/src/policy_engine_unittest.cc

security/sandbox/win/src/policy_engine_unittest.cc