security/sandbox/win/src/policy_engine_processor.cc@6474c204b198
security/sandbox/win/src/policy_engine_processor.cc
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "sandbox/win/src/policy_engine_processor.h"
7 namespace sandbox {
9 void PolicyProcessor::SetInternalState(size_t index, EvalResult result) {
10 state_.current_index_ = index;
11 state_.current_result_ = result;
12 }
14 EvalResult PolicyProcessor::GetAction() const {
15 return state_.current_result_;
16 }
18 // Decides if an opcode can be skipped (not evaluated) or not. The function
19 // takes as inputs the opcode and the current evaluation context and returns
20 // true if the opcode should be skipped or not and also can set keep_skipping
21 // to false to signal that the current instruction should be skipped but not
22 // the next after the current one.
23 bool SkipOpcode(const PolicyOpcode& opcode, MatchContext* context,
24 bool* keep_skipping) {
25 if (opcode.IsAction()) {
26 uint32 options = context->options;
27 context->Clear();
28 *keep_skipping = false;
29 return (kPolUseOREval != options);
30 }
31 *keep_skipping = true;
32 return true;
33 }
35 PolicyResult PolicyProcessor::Evaluate(uint32 options,
36 ParameterSet* parameters,
37 size_t param_count) {
38 if (NULL == policy_) {
39 return NO_POLICY_MATCH;
40 }
41 if (0 == policy_->opcode_count) {
42 return NO_POLICY_MATCH;
43 }
44 if (!(kShortEval & options)) {
45 return POLICY_ERROR;
46 }
48 MatchContext context;
49 bool evaluation = false;
50 bool skip_group = false;
51 SetInternalState(0, EVAL_FALSE);
52 size_t count = policy_->opcode_count;
54 // Loop over all the opcodes Evaluating in sequence. Since we only support
55 // short circuit evaluation, we stop as soon as we find an 'action' opcode
56 // and the current evaluation is true.
57 //
58 // Skipping opcodes can happen when we are in AND mode (!kPolUseOREval) and
59 // have got EVAL_FALSE or when we are in OR mode (kPolUseOREval) and got
60 // EVAL_TRUE. Skipping will stop at the next action opcode or at the opcode
61 // after the action depending on kPolUseOREval.
63 for (size_t ix = 0; ix != count; ++ix) {
64 PolicyOpcode& opcode = policy_->opcodes[ix];
65 // Skipping block.
66 if (skip_group) {
67 if (SkipOpcode(opcode, &context, &skip_group)) {
68 continue;
69 }
70 }
71 // Evaluation block.
72 EvalResult result = opcode.Evaluate(parameters, param_count, &context);
73 switch (result) {
74 case EVAL_FALSE:
75 evaluation = false;
76 if (kPolUseOREval != context.options) {
77 skip_group = true;
78 }
79 break;
80 case EVAL_ERROR:
81 if (kStopOnErrors & options) {
82 return POLICY_ERROR;
83 }
84 break;
85 case EVAL_TRUE:
86 evaluation = true;
87 if (kPolUseOREval == context.options) {
88 skip_group = true;
89 }
90 break;
91 default:
92 // We have evaluated an action.
93 SetInternalState(ix, result);
94 return POLICY_MATCH;
95 }
96 }
98 if (evaluation) {
99 // Reaching the end of the policy with a positive evaluation is probably
100 // an error: we did not find a final action opcode?
101 return POLICY_ERROR;
102 }
103 return NO_POLICY_MATCH;
104 }
107 } // namespace sandbox
