1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/sandbox/win/src/policy_low_level_unittest.cc Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,617 @@
1.4 +// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
1.5 +// Use of this source code is governed by a BSD-style license that can be
1.6 +// found in the LICENSE file.
1.7 +
1.8 +#include "sandbox/win/src/policy_engine_params.h"
1.9 +#include "sandbox/win/src/policy_engine_processor.h"
1.10 +#include "sandbox/win/src/policy_low_level.h"
1.11 +#include "testing/gtest/include/gtest/gtest.h"
1.12 +
1.13 +#define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = {
1.14 +#define POLPARAM(p) sandbox::ParamPickerMake(p),
1.15 +#define POLPARAMS_END }
1.16 +
1.17 +namespace sandbox {
1.18 +
1.19 +bool SetupNtdllImports();
1.20 +
1.21 +// Testing that we allow opcode generation on valid string patterns.
1.22 +TEST(PolicyEngineTest, StringPatternsOK) {
1.23 + SetupNtdllImports();
1.24 + PolicyRule pr(ASK_BROKER);
1.25 + EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\adobe\\ver??\\", CASE_SENSITIVE));
1.26 + EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"*.tmp", CASE_SENSITIVE));
1.27 + EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\*.doc", CASE_SENSITIVE));
1.28 + EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\windows\\*", CASE_SENSITIVE));
1.29 + EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"d:\\adobe\\acrobat.exe",
1.30 + CASE_SENSITIVE));
1.31 +}
1.32 +
1.33 +// Testing that we signal invalid string patterns.
1.34 +TEST(PolicyEngineTest, StringPatternsBAD) {
1.35 + SetupNtdllImports();
1.36 + PolicyRule pr(ASK_BROKER);
1.37 + EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"one**two", CASE_SENSITIVE));
1.38 + EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"**three", CASE_SENSITIVE));
1.39 + EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"five?six*?seven", CASE_SENSITIVE));
1.40 + EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"eight?*nine", CASE_SENSITIVE));
1.41 +}
1.42 +
1.43 +// Helper function to allocate space (on the heap) for policy.
1.44 +PolicyGlobal* MakePolicyMemory() {
1.45 + const size_t kTotalPolicySz = 4096*8;
1.46 + char* mem = new char[kTotalPolicySz];
1.47 + memset(mem, 0, kTotalPolicySz);
1.48 + PolicyGlobal* policy = reinterpret_cast<PolicyGlobal*>(mem);
1.49 + policy->data_size = kTotalPolicySz - sizeof(PolicyGlobal);
1.50 + return policy;
1.51 +}
1.52 +
1.53 +// The simplest test using LowLevelPolicy it should test a single opcode which
1.54 +// does a exact string comparison.
1.55 +TEST(PolicyEngineTest, SimpleStrMatch) {
1.56 + SetupNtdllImports();
1.57 + PolicyRule pr(ASK_BROKER);
1.58 + EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"z:\\Directory\\domo.txt",
1.59 + CASE_INSENSITIVE));
1.60 +
1.61 + PolicyGlobal* policy = MakePolicyMemory();
1.62 + const uint32 kFakeService = 2;
1.63 +
1.64 + LowLevelPolicy policyGen(policy);
1.65 + EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
1.66 + EXPECT_TRUE(policyGen.Done());
1.67 +
1.68 + wchar_t* filename = L"Z:\\Directory\\domo.txt";
1.69 +
1.70 + POLPARAMS_BEGIN(eval_params)
1.71 + POLPARAM(filename) // Argument 0
1.72 + POLPARAMS_END;
1.73 +
1.74 + PolicyResult result;
1.75 + PolicyProcessor pol_ev(policy->entry[kFakeService]);
1.76 +
1.77 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.78 + EXPECT_EQ(POLICY_MATCH, result);
1.79 + EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
1.80 +
1.81 + filename = L"Z:\\Directory\\domo.txt.tmp";
1.82 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.83 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.84 +
1.85 + delete [] reinterpret_cast<char*>(policy);
1.86 +}
1.87 +
1.88 +TEST(PolicyEngineTest, SimpleIfNotStrMatch) {
1.89 + SetupNtdllImports();
1.90 + PolicyRule pr(ASK_BROKER);
1.91 + EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\",
1.92 + CASE_SENSITIVE));
1.93 +
1.94 + PolicyGlobal* policy = MakePolicyMemory();
1.95 + const uint32 kFakeService = 2;
1.96 + LowLevelPolicy policyGen(policy);
1.97 +
1.98 + EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
1.99 + EXPECT_TRUE(policyGen.Done());
1.100 +
1.101 + wchar_t* filename = NULL;
1.102 + POLPARAMS_BEGIN(eval_params)
1.103 + POLPARAM(filename) // Argument 0
1.104 + POLPARAMS_END;
1.105 +
1.106 + PolicyResult result;
1.107 + PolicyProcessor pol_ev(policy->entry[kFakeService]);
1.108 +
1.109 + filename = L"c:\\Microsoft\\";
1.110 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.111 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.112 +
1.113 + filename = L"c:\\MicroNerd\\";
1.114 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.115 + EXPECT_EQ(POLICY_MATCH, result);
1.116 + EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
1.117 +
1.118 + filename = L"c:\\Microsoft\\domo.txt";
1.119 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.120 + EXPECT_EQ(POLICY_MATCH, result);
1.121 + EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
1.122 +
1.123 + delete [] reinterpret_cast<char*>(policy);
1.124 +}
1.125 +
1.126 +TEST(PolicyEngineTest, SimpleIfNotStrMatchWild1) {
1.127 + SetupNtdllImports();
1.128 + PolicyRule pr(ASK_BROKER);
1.129 + EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*",
1.130 + CASE_SENSITIVE));
1.131 +
1.132 + PolicyGlobal* policy = MakePolicyMemory();
1.133 + const uint32 kFakeService = 3;
1.134 + LowLevelPolicy policyGen(policy);
1.135 +
1.136 + EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
1.137 + EXPECT_TRUE(policyGen.Done());
1.138 +
1.139 + wchar_t* filename = NULL;
1.140 + POLPARAMS_BEGIN(eval_params)
1.141 + POLPARAM(filename) // Argument 0
1.142 + POLPARAMS_END;
1.143 +
1.144 + PolicyResult result;
1.145 + PolicyProcessor pol_ev(policy->entry[kFakeService]);
1.146 +
1.147 + filename = L"c:\\Microsoft\\domo.txt";
1.148 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.149 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.150 +
1.151 + filename = L"c:\\MicroNerd\\domo.txt";
1.152 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.153 + EXPECT_EQ(POLICY_MATCH, result);
1.154 + EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
1.155 +
1.156 + delete [] reinterpret_cast<char*>(policy);
1.157 +}
1.158 +
1.159 +TEST(PolicyEngineTest, SimpleIfNotStrMatchWild2) {
1.160 + SetupNtdllImports();
1.161 + PolicyRule pr(ASK_BROKER);
1.162 + EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*.txt",
1.163 + CASE_SENSITIVE));
1.164 +
1.165 + PolicyGlobal* policy = MakePolicyMemory();
1.166 + const uint32 kFakeService = 3;
1.167 + LowLevelPolicy policyGen(policy);
1.168 +
1.169 + EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
1.170 + EXPECT_TRUE(policyGen.Done());
1.171 +
1.172 + wchar_t* filename = NULL;
1.173 + POLPARAMS_BEGIN(eval_params)
1.174 + POLPARAM(filename) // Argument 0
1.175 + POLPARAMS_END;
1.176 +
1.177 + PolicyResult result;
1.178 + PolicyProcessor pol_ev(policy->entry[kFakeService]);
1.179 +
1.180 + filename = L"c:\\Microsoft\\domo.txt";
1.181 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.182 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.183 +
1.184 + filename = L"c:\\MicroNerd\\domo.txt";
1.185 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.186 + EXPECT_EQ(POLICY_MATCH, result);
1.187 + EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
1.188 +
1.189 + filename = L"c:\\Microsoft\\domo.bmp";
1.190 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.191 + EXPECT_EQ(POLICY_MATCH, result);
1.192 + EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
1.193 +
1.194 + delete [] reinterpret_cast<char*>(policy);
1.195 +}
1.196 +
1.197 +TEST(PolicyEngineTest, IfNotStrMatchTwoRulesWild1) {
1.198 + SetupNtdllImports();
1.199 + PolicyRule pr(ASK_BROKER);
1.200 + EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*",
1.201 + CASE_SENSITIVE));
1.202 + EXPECT_TRUE(pr.AddNumberMatch(IF, 1, 24, EQUAL));
1.203 +
1.204 + PolicyGlobal* policy = MakePolicyMemory();
1.205 + const uint32 kFakeService = 3;
1.206 + LowLevelPolicy policyGen(policy);
1.207 +
1.208 + EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
1.209 + EXPECT_TRUE(policyGen.Done());
1.210 +
1.211 + wchar_t* filename = NULL;
1.212 + unsigned long access = 0;
1.213 + POLPARAMS_BEGIN(eval_params)
1.214 + POLPARAM(filename) // Argument 0
1.215 + POLPARAM(access) // Argument 1
1.216 + POLPARAMS_END;
1.217 +
1.218 + PolicyResult result;
1.219 + PolicyProcessor pol_ev(policy->entry[kFakeService]);
1.220 +
1.221 + filename = L"c:\\Microsoft\\domo.txt";
1.222 + access = 24;
1.223 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.224 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.225 +
1.226 + filename = L"c:\\Microsoft\\domo.txt";
1.227 + access = 42;
1.228 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.229 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.230 +
1.231 + filename = L"c:\\MicroNerd\\domo.txt";
1.232 + access = 24;
1.233 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.234 + EXPECT_EQ(POLICY_MATCH, result);
1.235 + EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
1.236 +
1.237 + filename = L"c:\\Micronesia\\domo.txt";
1.238 + access = 42;
1.239 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.240 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.241 +
1.242 + delete [] reinterpret_cast<char*>(policy);
1.243 +}
1.244 +
1.245 +TEST(PolicyEngineTest, IfNotStrMatchTwoRulesWild2) {
1.246 + SetupNtdllImports();
1.247 + PolicyRule pr(ASK_BROKER);
1.248 + EXPECT_TRUE(pr.AddNumberMatch(IF, 1, 24, EQUAL));
1.249 + EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\GoogleV?\\*.txt",
1.250 + CASE_SENSITIVE));
1.251 + EXPECT_TRUE(pr.AddNumberMatch(IF, 2, 66, EQUAL));
1.252 +
1.253 + PolicyGlobal* policy = MakePolicyMemory();
1.254 + const uint32 kFakeService = 3;
1.255 + LowLevelPolicy policyGen(policy);
1.256 +
1.257 + EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
1.258 + EXPECT_TRUE(policyGen.Done());
1.259 +
1.260 + wchar_t* filename = NULL;
1.261 + unsigned long access = 0;
1.262 + unsigned long sharing = 66;
1.263 +
1.264 + POLPARAMS_BEGIN(eval_params)
1.265 + POLPARAM(filename) // Argument 0
1.266 + POLPARAM(access) // Argument 1
1.267 + POLPARAM(sharing) // Argument 2
1.268 + POLPARAMS_END;
1.269 +
1.270 + PolicyResult result;
1.271 + PolicyProcessor pol_ev(policy->entry[kFakeService]);
1.272 +
1.273 + filename = L"c:\\GoogleV2\\domo.txt";
1.274 + access = 24;
1.275 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.276 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.277 +
1.278 + filename = L"c:\\GoogleV2\\domo.bmp";
1.279 + access = 24;
1.280 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.281 + EXPECT_EQ(POLICY_MATCH, result);
1.282 + EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
1.283 +
1.284 + filename = L"c:\\GoogleV23\\domo.txt";
1.285 + access = 24;
1.286 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.287 + EXPECT_EQ(POLICY_MATCH, result);
1.288 + EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
1.289 +
1.290 +
1.291 + filename = L"c:\\GoogleV2\\domo.txt";
1.292 + access = 42;
1.293 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.294 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.295 +
1.296 + filename = L"c:\\Google\\domo.txt";
1.297 + access = 24;
1.298 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.299 + EXPECT_EQ(POLICY_MATCH, result);
1.300 + EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
1.301 +
1.302 + filename = L"c:\\Micronesia\\domo.txt";
1.303 + access = 42;
1.304 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.305 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.306 +
1.307 + filename = L"c:\\GoogleV2\\domo.bmp";
1.308 + access = 24;
1.309 + sharing = 0;
1.310 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.311 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.312 +
1.313 + delete [] reinterpret_cast<char*>(policy);
1.314 +}
1.315 +
1.316 +// Testing one single rule in one single service. The service is made to
1.317 +// resemble NtCreateFile.
1.318 +TEST(PolicyEngineTest, OneRuleTest) {
1.319 + SetupNtdllImports();
1.320 + PolicyRule pr(ASK_BROKER);
1.321 + EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\*Microsoft*\\*.txt",
1.322 + CASE_SENSITIVE));
1.323 + EXPECT_TRUE(pr.AddNumberMatch(IF_NOT, 1, CREATE_ALWAYS, EQUAL));
1.324 + EXPECT_TRUE(pr.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));
1.325 +
1.326 + PolicyGlobal* policy = MakePolicyMemory();
1.327 +
1.328 + const uint32 kNtFakeCreateFile = 7;
1.329 +
1.330 + LowLevelPolicy policyGen(policy);
1.331 + EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr));
1.332 + EXPECT_TRUE(policyGen.Done());
1.333 +
1.334 + wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt";
1.335 + unsigned long creation_mode = OPEN_EXISTING;
1.336 + unsigned long flags = FILE_ATTRIBUTE_NORMAL;
1.337 + void* security_descriptor = NULL;
1.338 +
1.339 + POLPARAMS_BEGIN(eval_params)
1.340 + POLPARAM(filename) // Argument 0
1.341 + POLPARAM(creation_mode) // Argument 1
1.342 + POLPARAM(flags) // Argument 2
1.343 + POLPARAM(security_descriptor)
1.344 + POLPARAMS_END;
1.345 +
1.346 + PolicyResult result;
1.347 + PolicyProcessor pol_ev(policy->entry[kNtFakeCreateFile]);
1.348 +
1.349 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.350 + EXPECT_EQ(POLICY_MATCH, result);
1.351 + EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
1.352 +
1.353 + creation_mode = CREATE_ALWAYS;
1.354 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.355 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.356 +
1.357 + creation_mode = OPEN_EXISTING;
1.358 + filename = L"c:\\Other\\Path\\Microsoft\\Another file.txt";
1.359 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.360 + EXPECT_EQ(POLICY_MATCH, result);
1.361 + EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
1.362 +
1.363 + filename = L"c:\\Other\\Path\\Microsoft\\Another file.txt.tmp";
1.364 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.365 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.366 +
1.367 + flags = FILE_ATTRIBUTE_DEVICE;
1.368 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.369 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.370 +
1.371 + filename = L"c:\\Other\\Macrosoft\\Another file.txt";
1.372 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.373 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.374 +
1.375 + filename = L"c:\\Microsoft\\1.txt";
1.376 + flags = FILE_ATTRIBUTE_NORMAL;
1.377 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.378 + EXPECT_EQ(POLICY_MATCH, result);
1.379 + EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
1.380 +
1.381 + filename = L"c:\\Microsoft\\1.ttt";
1.382 + result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.383 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.384 +
1.385 + delete [] reinterpret_cast<char*>(policy);
1.386 +}
1.387 +
1.388 +// Testing 3 rules in 3 services. Two of the services resemble File services.
1.389 +TEST(PolicyEngineTest, ThreeRulesTest) {
1.390 + SetupNtdllImports();
1.391 + PolicyRule pr_pipe(FAKE_SUCCESS);
1.392 + EXPECT_TRUE(pr_pipe.AddStringMatch(IF, 0, L"\\\\/?/?\\Pipe\\Chrome.*",
1.393 + CASE_INSENSITIVE));
1.394 + EXPECT_TRUE(pr_pipe.AddNumberMatch(IF, 1, OPEN_EXISTING, EQUAL));
1.395 + EXPECT_TRUE(pr_pipe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));
1.396 +
1.397 + size_t opc1 = pr_pipe.GetOpcodeCount();
1.398 + EXPECT_EQ(3, opc1);
1.399 +
1.400 + PolicyRule pr_dump(ASK_BROKER);
1.401 + EXPECT_TRUE(pr_dump.AddStringMatch(IF, 0, L"\\\\/?/?\\*\\Crash Reports\\*",
1.402 + CASE_INSENSITIVE));
1.403 + EXPECT_TRUE(pr_dump.AddNumberMatch(IF, 1, CREATE_ALWAYS, EQUAL));
1.404 + EXPECT_TRUE(pr_dump.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));
1.405 +
1.406 + size_t opc2 = pr_dump.GetOpcodeCount();
1.407 + EXPECT_EQ(4, opc2);
1.408 +
1.409 + PolicyRule pr_winexe(SIGNAL_ALARM);
1.410 + EXPECT_TRUE(pr_winexe.AddStringMatch(IF, 0, L"\\\\/?/?\\C:\\Windows\\*.exe",
1.411 + CASE_INSENSITIVE));
1.412 + EXPECT_TRUE(pr_winexe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));
1.413 +
1.414 + size_t opc3 = pr_winexe.GetOpcodeCount();
1.415 + EXPECT_EQ(3, opc3);
1.416 +
1.417 + PolicyRule pr_adobe(GIVE_CACHED);
1.418 + EXPECT_TRUE(pr_adobe.AddStringMatch(IF, 0, L"c:\\adobe\\ver?.?\\",
1.419 + CASE_SENSITIVE));
1.420 + EXPECT_TRUE(pr_adobe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));
1.421 +
1.422 + size_t opc4 = pr_adobe.GetOpcodeCount();
1.423 + EXPECT_EQ(4, opc4);
1.424 +
1.425 + PolicyRule pr_none(GIVE_FIRST);
1.426 + EXPECT_TRUE(pr_none.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_READONLY, AND));
1.427 + EXPECT_TRUE(pr_none.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_SYSTEM, AND));
1.428 +
1.429 + size_t opc5 = pr_none.GetOpcodeCount();
1.430 + EXPECT_EQ(2, opc5);
1.431 +
1.432 + PolicyGlobal* policy = MakePolicyMemory();
1.433 +
1.434 + const uint32 kNtFakeNone = 4;
1.435 + const uint32 kNtFakeCreateFile = 5;
1.436 + const uint32 kNtFakeOpenFile = 6;
1.437 +
1.438 + LowLevelPolicy policyGen(policy);
1.439 + EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_pipe));
1.440 + EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_dump));
1.441 + EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_winexe));
1.442 +
1.443 + EXPECT_TRUE(policyGen.AddRule(kNtFakeOpenFile, &pr_adobe));
1.444 + EXPECT_TRUE(policyGen.AddRule(kNtFakeOpenFile, &pr_pipe));
1.445 +
1.446 + EXPECT_TRUE(policyGen.AddRule(kNtFakeNone, &pr_none));
1.447 +
1.448 + EXPECT_TRUE(policyGen.Done());
1.449 +
1.450 + // Inspect the policy structure manually.
1.451 + EXPECT_TRUE(NULL == policy->entry[0]);
1.452 + EXPECT_TRUE(NULL == policy->entry[1]);
1.453 + EXPECT_TRUE(NULL == policy->entry[2]);
1.454 + EXPECT_TRUE(NULL == policy->entry[3]);
1.455 + EXPECT_TRUE(NULL != policy->entry[4]); // kNtFakeNone.
1.456 + EXPECT_TRUE(NULL != policy->entry[5]); // kNtFakeCreateFile.
1.457 + EXPECT_TRUE(NULL != policy->entry[6]); // kNtFakeOpenFile.
1.458 + EXPECT_TRUE(NULL == policy->entry[7]);
1.459 +
1.460 + // The total per service opcode counts now must take in account one
1.461 + // extra opcode (action opcode) per rule.
1.462 + ++opc1;
1.463 + ++opc2;
1.464 + ++opc3;
1.465 + ++opc4;
1.466 + ++opc5;
1.467 +
1.468 + size_t tc1 = policy->entry[kNtFakeNone]->opcode_count;
1.469 + size_t tc2 = policy->entry[kNtFakeCreateFile]->opcode_count;
1.470 + size_t tc3 = policy->entry[kNtFakeOpenFile]->opcode_count;
1.471 +
1.472 + EXPECT_EQ(opc5, tc1);
1.473 + EXPECT_EQ((opc1 + opc2 + opc3), tc2);
1.474 + EXPECT_EQ((opc1 + opc4), tc3);
1.475 +
1.476 + // Check the type of the first and last opcode of each service.
1.477 +
1.478 + EXPECT_EQ(OP_ULONG_AND_MATCH, policy->entry[kNtFakeNone]->opcodes[0].GetID());
1.479 + EXPECT_EQ(OP_ACTION, policy->entry[kNtFakeNone]->opcodes[tc1-1].GetID());
1.480 + EXPECT_EQ(OP_WSTRING_MATCH,
1.481 + policy->entry[kNtFakeCreateFile]->opcodes[0].GetID());
1.482 + EXPECT_EQ(OP_ACTION,
1.483 + policy->entry[kNtFakeCreateFile]->opcodes[tc2-1].GetID());
1.484 + EXPECT_EQ(OP_WSTRING_MATCH,
1.485 + policy->entry[kNtFakeOpenFile]->opcodes[0].GetID());
1.486 + EXPECT_EQ(OP_ACTION, policy->entry[kNtFakeOpenFile]->opcodes[tc3-1].GetID());
1.487 +
1.488 + // Test the policy evaluation.
1.489 +
1.490 + wchar_t* filename = L"";
1.491 + unsigned long creation_mode = OPEN_EXISTING;
1.492 + unsigned long flags = FILE_ATTRIBUTE_NORMAL;
1.493 + void* security_descriptor = NULL;
1.494 +
1.495 + POLPARAMS_BEGIN(params)
1.496 + POLPARAM(filename) // Argument 0
1.497 + POLPARAM(creation_mode) // Argument 1
1.498 + POLPARAM(flags) // Argument 2
1.499 + POLPARAM(security_descriptor)
1.500 + POLPARAMS_END;
1.501 +
1.502 + PolicyResult result;
1.503 + PolicyProcessor eval_CreateFile(policy->entry[kNtFakeCreateFile]);
1.504 + PolicyProcessor eval_OpenFile(policy->entry[kNtFakeOpenFile]);
1.505 + PolicyProcessor eval_None(policy->entry[kNtFakeNone]);
1.506 +
1.507 + result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
1.508 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.509 + result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
1.510 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.511 + result = eval_None.Evaluate(kShortEval, params, _countof(params));
1.512 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.513 +
1.514 + filename = L"\\\\??\\c:\\Windows\\System32\\calc.exe";
1.515 + flags = FILE_ATTRIBUTE_SYSTEM;
1.516 + result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
1.517 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.518 + result = eval_None.Evaluate(kShortEval, params, _countof(params));
1.519 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.520 + result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
1.521 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.522 +
1.523 + flags += FILE_ATTRIBUTE_READONLY;
1.524 + result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
1.525 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.526 + result = eval_None.Evaluate(kShortEval, params, _countof(params));
1.527 + EXPECT_EQ(POLICY_MATCH, result);
1.528 + EXPECT_EQ(GIVE_FIRST, eval_None.GetAction());
1.529 + result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
1.530 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.531 +
1.532 + flags = FILE_ATTRIBUTE_NORMAL;
1.533 + result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
1.534 + EXPECT_EQ(POLICY_MATCH, result);
1.535 + EXPECT_EQ(SIGNAL_ALARM, eval_CreateFile.GetAction());
1.536 + result = eval_None.Evaluate(kShortEval, params, _countof(params));
1.537 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.538 + result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
1.539 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.540 +
1.541 + filename = L"c:\\adobe\\ver3.2\\temp";
1.542 + result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
1.543 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.544 + result = eval_None.Evaluate(kShortEval, params, _countof(params));
1.545 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.546 + result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
1.547 + EXPECT_EQ(POLICY_MATCH, result);
1.548 + EXPECT_EQ(GIVE_CACHED, eval_OpenFile.GetAction());
1.549 +
1.550 + filename = L"c:\\adobe\\ver3.22\\temp";
1.551 + result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
1.552 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.553 +
1.554 + filename = L"\\\\??\\c:\\some path\\other path\\crash reports\\some path";
1.555 + creation_mode = CREATE_ALWAYS;
1.556 + result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
1.557 + EXPECT_EQ(POLICY_MATCH, result);
1.558 + EXPECT_EQ(ASK_BROKER, eval_CreateFile.GetAction());
1.559 + result = eval_None.Evaluate(kShortEval, params, _countof(params));
1.560 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.561 + result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
1.562 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.563 +
1.564 + filename = L"\\\\??\\Pipe\\Chrome.12345";
1.565 + creation_mode = OPEN_EXISTING;
1.566 + result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
1.567 + EXPECT_EQ(POLICY_MATCH, result);
1.568 + EXPECT_EQ(FAKE_SUCCESS, eval_CreateFile.GetAction());
1.569 + result = eval_None.Evaluate(kShortEval, params, _countof(params));
1.570 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.571 + result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
1.572 + EXPECT_EQ(POLICY_MATCH, result);
1.573 + EXPECT_EQ(FAKE_SUCCESS, eval_OpenFile.GetAction());
1.574 +
1.575 + delete [] reinterpret_cast<char*>(policy);
1.576 +}
1.577 +
1.578 +TEST(PolicyEngineTest, PolicyRuleCopyConstructorTwoStrings) {
1.579 + SetupNtdllImports();
1.580 + // Both pr_orig and pr_copy should allow hello.* but not *.txt files.
1.581 + PolicyRule pr_orig(ASK_BROKER);
1.582 + EXPECT_TRUE(pr_orig.AddStringMatch(IF, 0, L"hello.*", CASE_SENSITIVE));
1.583 +
1.584 + PolicyRule pr_copy(pr_orig);
1.585 + EXPECT_TRUE(pr_orig.AddStringMatch(IF_NOT, 0, L"*.txt", CASE_SENSITIVE));
1.586 + EXPECT_TRUE(pr_copy.AddStringMatch(IF_NOT, 0, L"*.txt", CASE_SENSITIVE));
1.587 +
1.588 + PolicyGlobal* policy = MakePolicyMemory();
1.589 + LowLevelPolicy policyGen(policy);
1.590 + EXPECT_TRUE(policyGen.AddRule(1, &pr_orig));
1.591 + EXPECT_TRUE(policyGen.AddRule(2, &pr_copy));
1.592 + EXPECT_TRUE(policyGen.Done());
1.593 +
1.594 + wchar_t* name = NULL;
1.595 + POLPARAMS_BEGIN(eval_params)
1.596 + POLPARAM(name)
1.597 + POLPARAMS_END;
1.598 +
1.599 + PolicyResult result;
1.600 + PolicyProcessor pol_ev_orig(policy->entry[1]);
1.601 + name = L"domo.txt";
1.602 + result = pol_ev_orig.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.603 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.604 +
1.605 + name = L"hello.bmp";
1.606 + result = pol_ev_orig.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.607 + EXPECT_EQ(POLICY_MATCH, result);
1.608 + EXPECT_EQ(ASK_BROKER, pol_ev_orig.GetAction());
1.609 +
1.610 + PolicyProcessor pol_ev_copy(policy->entry[2]);
1.611 + name = L"domo.txt";
1.612 + result = pol_ev_copy.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.613 + EXPECT_EQ(NO_POLICY_MATCH, result);
1.614 +
1.615 + name = L"hello.bmp";
1.616 + result = pol_ev_copy.Evaluate(kShortEval, eval_params, _countof(eval_params));
1.617 + EXPECT_EQ(POLICY_MATCH, result);
1.618 + EXPECT_EQ(ASK_BROKER, pol_ev_copy.GetAction());
1.619 +}
1.620 +} // namespace sandbox
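Review bot: PolicyRuleCopyConstructorTwoStrings never frees the buffer it gets from MakePolicyMemory(); every other test that allocates one ends with `delete [] reinterpret_cast<char*>(policy);`, and that line is missing before this test's closing brace. The tests also read `policy->entry[...]` right after `EXPECT_TRUE(policyGen.Done());`, so a failed policy build keeps running into PolicyProcessor with an entry that may still be NULL; `ASSERT_TRUE(policyGen.Done());` would stop the test there, at which point the buffer wants a scoped owner rather than the trailing delete. On coverage, every IF_NOT rule in the file is CASE_SENSITIVE and no input differs from its pattern only in letter case, so nothing here pins how such an exclusion evaluates for a case variant of an excluded Windows path. A case such as `filename = L"C:\\MICROSOFT\\domo.txt";` in SimpleIfNotStrMatchWild1, with the expected result asserted, would document that behaviour for anyone writing exclusion rules against this engine.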