security/sandbox/win/src/policy_engine_unittest.cc

changeset 0
6474c204b198
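--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/sandbox/win/src/policy_engine_unittest.cc	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,102 @@
+// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/win/src/policy_engine_params.h"
+#include "sandbox/win/src/policy_engine_processor.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+#define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = {
+#define POLPARAM(p) sandbox::ParamPickerMake(p),
+#define POLPARAMS_END }
+
+namespace sandbox {
+
+bool SetupNtdllImports();
+
+TEST(PolicyEngineTest, Rules1) {
+  SetupNtdllImports();
+
+  // Construct two policy rules that say:
+  //
+  // #1
+  // If the path is c:\\documents and settings\\* AND
+  // If the creation mode is 'open existing' AND
+  // If the security descriptor is null THEN
+  // Ask the broker.
+  //
+  // #2
+  // If the security descriptor is null AND
+  // If the path ends with *.txt AND
+  // If the creation mode is not 'create new' THEN
+  // return Access Denied.
+
+  enum FileCreateArgs {
+    FileNameArg,
+    CreationDispositionArg,
+    FlagsAndAttributesArg,
+    SecurityAttributes
+  };
+
+  const size_t policy_sz = 1024;
+  PolicyBuffer* policy = reinterpret_cast<PolicyBuffer*>(new char[policy_sz]);
+  OpcodeFactory opcode_maker(policy, policy_sz - 0x40);
+
+  // Add rule set #1
+  opcode_maker.MakeOpWStringMatch(FileNameArg,
+                                  L"c:\\documents and settings\\",
+                                  0, CASE_INSENSITIVE, kPolNone);
+  opcode_maker.MakeOpNumberMatch(CreationDispositionArg, OPEN_EXISTING,
+                                 kPolNone);
+  opcode_maker.MakeOpVoidPtrMatch(SecurityAttributes, (void*)NULL,
+                                 kPolNone);
+  opcode_maker.MakeOpAction(ASK_BROKER, kPolNone);
+
+  // Add rule set #2
+  opcode_maker.MakeOpWStringMatch(FileNameArg, L".TXT",
+                                  kSeekToEnd, CASE_INSENSITIVE, kPolNone);
+  opcode_maker.MakeOpNumberMatch(CreationDispositionArg, CREATE_NEW,
+                                 kPolNegateEval);
+  opcode_maker.MakeOpAction(FAKE_ACCESS_DENIED, kPolNone);
+  policy->opcode_count = 7;
+
+  wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt";
+  unsigned long creation_mode = OPEN_EXISTING;
+  unsigned long flags = FILE_ATTRIBUTE_NORMAL;
+  void* security_descriptor = NULL;
+
+  POLPARAMS_BEGIN(eval_params)
+    POLPARAM(filename)
+    POLPARAM(creation_mode)
+    POLPARAM(flags)
+    POLPARAM(security_descriptor)
+  POLPARAMS_END;
+
+  PolicyResult pr;
+  PolicyProcessor pol_ev(policy);
+
+  // Test should match the first rule set.
+  pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
+  EXPECT_EQ(POLICY_MATCH, pr);
+  EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
+
+  // Test should still match the first rule set.
+  pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
+  EXPECT_EQ(POLICY_MATCH, pr);
+  EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
+
+  // Changing creation_mode such that evaluation should not match any rule.
+  creation_mode = CREATE_NEW;
+  pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
+  EXPECT_EQ(NO_POLICY_MATCH, pr);
+
+  // Changing creation_mode such that evaluation should match rule #2.
+  creation_mode = OPEN_ALWAYS;
+  pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
+  EXPECT_EQ(POLICY_MATCH, pr);
+  EXPECT_EQ(FAKE_ACCESS_DENIED, pol_ev.GetAction());
+
+  delete [] reinterpret_cast<char*>(policy);
+}
+
+}  // namespace sandbox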
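Review bot: The comment for rule #2 (the `// #2` block at the top of the test) lists "If the security descriptor is null" as a condition, but the opcodes emitted under `// Add rule set #2` only match the `.TXT` suffix and the negated `CREATE_NEW` disposition — there is no `MakeOpVoidPtrMatch(SecurityAttributes, ...)` in that set, so the comment describes a stricter rule than the one being tested; either delete that comment line or add the opcode and raise `policy->opcode_count` to 8. Separately, the test discards the result of `SetupNtdllImports()` (declared as returning `bool`) and of every `MakeOp*` call even though `OpcodeFactory` is handed a bounded buffer (`policy_sz - 0x40`); if any of those can fail, the hard-coded `policy->opcode_count = 7` would make `PolicyProcessor` evaluate opcodes that were never written, and the failure would surface as undefined behaviour rather than a test failure. `ASSERT_TRUE(SetupNtdllImports());` plus an `ASSERT_TRUE(...)` on each `MakeOp*` result (if the factory reports failure through its return value, which is not visible here) would pin that down. Finally, `wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt";` binds a wide string literal to a non-const pointer, which is ill-formed in C++11 and later; `const wchar_t* filename = ...` is what is meant.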
