michael@0: // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. michael@0: // Use of this source code is governed by a BSD-style license that can be michael@0: // found in the LICENSE file. michael@0: michael@0: #include "sandbox/win/src/policy_engine_params.h" michael@0: #include "sandbox/win/src/policy_engine_processor.h" michael@0: #include "sandbox/win/src/policy_low_level.h" michael@0: #include "testing/gtest/include/gtest/gtest.h" michael@0: michael@0: #define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = { michael@0: #define POLPARAM(p) sandbox::ParamPickerMake(p), michael@0: #define POLPARAMS_END } michael@0: michael@0: namespace sandbox { michael@0: michael@0: bool SetupNtdllImports(); michael@0: michael@0: // Testing that we allow opcode generation on valid string patterns. michael@0: TEST(PolicyEngineTest, StringPatternsOK) { michael@0: SetupNtdllImports(); michael@0: PolicyRule pr(ASK_BROKER); michael@0: EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\adobe\\ver??\\", CASE_SENSITIVE)); michael@0: EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"*.tmp", CASE_SENSITIVE)); michael@0: EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\*.doc", CASE_SENSITIVE)); michael@0: EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\windows\\*", CASE_SENSITIVE)); michael@0: EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"d:\\adobe\\acrobat.exe", michael@0: CASE_SENSITIVE)); michael@0: } michael@0: michael@0: // Testing that we signal invalid string patterns. michael@0: TEST(PolicyEngineTest, StringPatternsBAD) { michael@0: SetupNtdllImports(); michael@0: PolicyRule pr(ASK_BROKER); michael@0: EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"one**two", CASE_SENSITIVE)); michael@0: EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"**three", CASE_SENSITIVE)); michael@0: EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"five?six*?seven", CASE_SENSITIVE)); michael@0: EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"eight?*nine", CASE_SENSITIVE)); michael@0: } michael@0: michael@0: // Helper function to allocate space (on the heap) for policy. michael@0: PolicyGlobal* MakePolicyMemory() { michael@0: const size_t kTotalPolicySz = 4096*8; michael@0: char* mem = new char[kTotalPolicySz]; michael@0: memset(mem, 0, kTotalPolicySz); michael@0: PolicyGlobal* policy = reinterpret_cast(mem); michael@0: policy->data_size = kTotalPolicySz - sizeof(PolicyGlobal); michael@0: return policy; michael@0: } michael@0: michael@0: // The simplest test using LowLevelPolicy it should test a single opcode which michael@0: // does a exact string comparison. michael@0: TEST(PolicyEngineTest, SimpleStrMatch) { michael@0: SetupNtdllImports(); michael@0: PolicyRule pr(ASK_BROKER); michael@0: EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"z:\\Directory\\domo.txt", michael@0: CASE_INSENSITIVE)); michael@0: michael@0: PolicyGlobal* policy = MakePolicyMemory(); michael@0: const uint32 kFakeService = 2; michael@0: michael@0: LowLevelPolicy policyGen(policy); michael@0: EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr)); michael@0: EXPECT_TRUE(policyGen.Done()); michael@0: michael@0: wchar_t* filename = L"Z:\\Directory\\domo.txt"; michael@0: michael@0: POLPARAMS_BEGIN(eval_params) michael@0: POLPARAM(filename) // Argument 0 michael@0: POLPARAMS_END; michael@0: michael@0: PolicyResult result; michael@0: PolicyProcessor pol_ev(policy->entry[kFakeService]); michael@0: michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); michael@0: michael@0: filename = L"Z:\\Directory\\domo.txt.tmp"; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: delete [] reinterpret_cast(policy); michael@0: } michael@0: michael@0: TEST(PolicyEngineTest, SimpleIfNotStrMatch) { michael@0: SetupNtdllImports(); michael@0: PolicyRule pr(ASK_BROKER); michael@0: EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\", michael@0: CASE_SENSITIVE)); michael@0: michael@0: PolicyGlobal* policy = MakePolicyMemory(); michael@0: const uint32 kFakeService = 2; michael@0: LowLevelPolicy policyGen(policy); michael@0: michael@0: EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr)); michael@0: EXPECT_TRUE(policyGen.Done()); michael@0: michael@0: wchar_t* filename = NULL; michael@0: POLPARAMS_BEGIN(eval_params) michael@0: POLPARAM(filename) // Argument 0 michael@0: POLPARAMS_END; michael@0: michael@0: PolicyResult result; michael@0: PolicyProcessor pol_ev(policy->entry[kFakeService]); michael@0: michael@0: filename = L"c:\\Microsoft\\"; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: filename = L"c:\\MicroNerd\\"; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); michael@0: michael@0: filename = L"c:\\Microsoft\\domo.txt"; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); michael@0: michael@0: delete [] reinterpret_cast(policy); michael@0: } michael@0: michael@0: TEST(PolicyEngineTest, SimpleIfNotStrMatchWild1) { michael@0: SetupNtdllImports(); michael@0: PolicyRule pr(ASK_BROKER); michael@0: EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*", michael@0: CASE_SENSITIVE)); michael@0: michael@0: PolicyGlobal* policy = MakePolicyMemory(); michael@0: const uint32 kFakeService = 3; michael@0: LowLevelPolicy policyGen(policy); michael@0: michael@0: EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr)); michael@0: EXPECT_TRUE(policyGen.Done()); michael@0: michael@0: wchar_t* filename = NULL; michael@0: POLPARAMS_BEGIN(eval_params) michael@0: POLPARAM(filename) // Argument 0 michael@0: POLPARAMS_END; michael@0: michael@0: PolicyResult result; michael@0: PolicyProcessor pol_ev(policy->entry[kFakeService]); michael@0: michael@0: filename = L"c:\\Microsoft\\domo.txt"; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: filename = L"c:\\MicroNerd\\domo.txt"; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); michael@0: michael@0: delete [] reinterpret_cast(policy); michael@0: } michael@0: michael@0: TEST(PolicyEngineTest, SimpleIfNotStrMatchWild2) { michael@0: SetupNtdllImports(); michael@0: PolicyRule pr(ASK_BROKER); michael@0: EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*.txt", michael@0: CASE_SENSITIVE)); michael@0: michael@0: PolicyGlobal* policy = MakePolicyMemory(); michael@0: const uint32 kFakeService = 3; michael@0: LowLevelPolicy policyGen(policy); michael@0: michael@0: EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr)); michael@0: EXPECT_TRUE(policyGen.Done()); michael@0: michael@0: wchar_t* filename = NULL; michael@0: POLPARAMS_BEGIN(eval_params) michael@0: POLPARAM(filename) // Argument 0 michael@0: POLPARAMS_END; michael@0: michael@0: PolicyResult result; michael@0: PolicyProcessor pol_ev(policy->entry[kFakeService]); michael@0: michael@0: filename = L"c:\\Microsoft\\domo.txt"; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: filename = L"c:\\MicroNerd\\domo.txt"; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); michael@0: michael@0: filename = L"c:\\Microsoft\\domo.bmp"; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); michael@0: michael@0: delete [] reinterpret_cast(policy); michael@0: } michael@0: michael@0: TEST(PolicyEngineTest, IfNotStrMatchTwoRulesWild1) { michael@0: SetupNtdllImports(); michael@0: PolicyRule pr(ASK_BROKER); michael@0: EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*", michael@0: CASE_SENSITIVE)); michael@0: EXPECT_TRUE(pr.AddNumberMatch(IF, 1, 24, EQUAL)); michael@0: michael@0: PolicyGlobal* policy = MakePolicyMemory(); michael@0: const uint32 kFakeService = 3; michael@0: LowLevelPolicy policyGen(policy); michael@0: michael@0: EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr)); michael@0: EXPECT_TRUE(policyGen.Done()); michael@0: michael@0: wchar_t* filename = NULL; michael@0: unsigned long access = 0; michael@0: POLPARAMS_BEGIN(eval_params) michael@0: POLPARAM(filename) // Argument 0 michael@0: POLPARAM(access) // Argument 1 michael@0: POLPARAMS_END; michael@0: michael@0: PolicyResult result; michael@0: PolicyProcessor pol_ev(policy->entry[kFakeService]); michael@0: michael@0: filename = L"c:\\Microsoft\\domo.txt"; michael@0: access = 24; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: filename = L"c:\\Microsoft\\domo.txt"; michael@0: access = 42; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: filename = L"c:\\MicroNerd\\domo.txt"; michael@0: access = 24; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); michael@0: michael@0: filename = L"c:\\Micronesia\\domo.txt"; michael@0: access = 42; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: delete [] reinterpret_cast(policy); michael@0: } michael@0: michael@0: TEST(PolicyEngineTest, IfNotStrMatchTwoRulesWild2) { michael@0: SetupNtdllImports(); michael@0: PolicyRule pr(ASK_BROKER); michael@0: EXPECT_TRUE(pr.AddNumberMatch(IF, 1, 24, EQUAL)); michael@0: EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\GoogleV?\\*.txt", michael@0: CASE_SENSITIVE)); michael@0: EXPECT_TRUE(pr.AddNumberMatch(IF, 2, 66, EQUAL)); michael@0: michael@0: PolicyGlobal* policy = MakePolicyMemory(); michael@0: const uint32 kFakeService = 3; michael@0: LowLevelPolicy policyGen(policy); michael@0: michael@0: EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr)); michael@0: EXPECT_TRUE(policyGen.Done()); michael@0: michael@0: wchar_t* filename = NULL; michael@0: unsigned long access = 0; michael@0: unsigned long sharing = 66; michael@0: michael@0: POLPARAMS_BEGIN(eval_params) michael@0: POLPARAM(filename) // Argument 0 michael@0: POLPARAM(access) // Argument 1 michael@0: POLPARAM(sharing) // Argument 2 michael@0: POLPARAMS_END; michael@0: michael@0: PolicyResult result; michael@0: PolicyProcessor pol_ev(policy->entry[kFakeService]); michael@0: michael@0: filename = L"c:\\GoogleV2\\domo.txt"; michael@0: access = 24; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: filename = L"c:\\GoogleV2\\domo.bmp"; michael@0: access = 24; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); michael@0: michael@0: filename = L"c:\\GoogleV23\\domo.txt"; michael@0: access = 24; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); michael@0: michael@0: michael@0: filename = L"c:\\GoogleV2\\domo.txt"; michael@0: access = 42; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: filename = L"c:\\Google\\domo.txt"; michael@0: access = 24; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); michael@0: michael@0: filename = L"c:\\Micronesia\\domo.txt"; michael@0: access = 42; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: filename = L"c:\\GoogleV2\\domo.bmp"; michael@0: access = 24; michael@0: sharing = 0; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: delete [] reinterpret_cast(policy); michael@0: } michael@0: michael@0: // Testing one single rule in one single service. The service is made to michael@0: // resemble NtCreateFile. michael@0: TEST(PolicyEngineTest, OneRuleTest) { michael@0: SetupNtdllImports(); michael@0: PolicyRule pr(ASK_BROKER); michael@0: EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\*Microsoft*\\*.txt", michael@0: CASE_SENSITIVE)); michael@0: EXPECT_TRUE(pr.AddNumberMatch(IF_NOT, 1, CREATE_ALWAYS, EQUAL)); michael@0: EXPECT_TRUE(pr.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL)); michael@0: michael@0: PolicyGlobal* policy = MakePolicyMemory(); michael@0: michael@0: const uint32 kNtFakeCreateFile = 7; michael@0: michael@0: LowLevelPolicy policyGen(policy); michael@0: EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr)); michael@0: EXPECT_TRUE(policyGen.Done()); michael@0: michael@0: wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt"; michael@0: unsigned long creation_mode = OPEN_EXISTING; michael@0: unsigned long flags = FILE_ATTRIBUTE_NORMAL; michael@0: void* security_descriptor = NULL; michael@0: michael@0: POLPARAMS_BEGIN(eval_params) michael@0: POLPARAM(filename) // Argument 0 michael@0: POLPARAM(creation_mode) // Argument 1 michael@0: POLPARAM(flags) // Argument 2 michael@0: POLPARAM(security_descriptor) michael@0: POLPARAMS_END; michael@0: michael@0: PolicyResult result; michael@0: PolicyProcessor pol_ev(policy->entry[kNtFakeCreateFile]); michael@0: michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); michael@0: michael@0: creation_mode = CREATE_ALWAYS; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: creation_mode = OPEN_EXISTING; michael@0: filename = L"c:\\Other\\Path\\Microsoft\\Another file.txt"; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); michael@0: michael@0: filename = L"c:\\Other\\Path\\Microsoft\\Another file.txt.tmp"; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: flags = FILE_ATTRIBUTE_DEVICE; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: filename = L"c:\\Other\\Macrosoft\\Another file.txt"; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: filename = L"c:\\Microsoft\\1.txt"; michael@0: flags = FILE_ATTRIBUTE_NORMAL; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, pol_ev.GetAction()); michael@0: michael@0: filename = L"c:\\Microsoft\\1.ttt"; michael@0: result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: delete [] reinterpret_cast(policy); michael@0: } michael@0: michael@0: // Testing 3 rules in 3 services. Two of the services resemble File services. michael@0: TEST(PolicyEngineTest, ThreeRulesTest) { michael@0: SetupNtdllImports(); michael@0: PolicyRule pr_pipe(FAKE_SUCCESS); michael@0: EXPECT_TRUE(pr_pipe.AddStringMatch(IF, 0, L"\\\\/?/?\\Pipe\\Chrome.*", michael@0: CASE_INSENSITIVE)); michael@0: EXPECT_TRUE(pr_pipe.AddNumberMatch(IF, 1, OPEN_EXISTING, EQUAL)); michael@0: EXPECT_TRUE(pr_pipe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL)); michael@0: michael@0: size_t opc1 = pr_pipe.GetOpcodeCount(); michael@0: EXPECT_EQ(3, opc1); michael@0: michael@0: PolicyRule pr_dump(ASK_BROKER); michael@0: EXPECT_TRUE(pr_dump.AddStringMatch(IF, 0, L"\\\\/?/?\\*\\Crash Reports\\*", michael@0: CASE_INSENSITIVE)); michael@0: EXPECT_TRUE(pr_dump.AddNumberMatch(IF, 1, CREATE_ALWAYS, EQUAL)); michael@0: EXPECT_TRUE(pr_dump.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL)); michael@0: michael@0: size_t opc2 = pr_dump.GetOpcodeCount(); michael@0: EXPECT_EQ(4, opc2); michael@0: michael@0: PolicyRule pr_winexe(SIGNAL_ALARM); michael@0: EXPECT_TRUE(pr_winexe.AddStringMatch(IF, 0, L"\\\\/?/?\\C:\\Windows\\*.exe", michael@0: CASE_INSENSITIVE)); michael@0: EXPECT_TRUE(pr_winexe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL)); michael@0: michael@0: size_t opc3 = pr_winexe.GetOpcodeCount(); michael@0: EXPECT_EQ(3, opc3); michael@0: michael@0: PolicyRule pr_adobe(GIVE_CACHED); michael@0: EXPECT_TRUE(pr_adobe.AddStringMatch(IF, 0, L"c:\\adobe\\ver?.?\\", michael@0: CASE_SENSITIVE)); michael@0: EXPECT_TRUE(pr_adobe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL)); michael@0: michael@0: size_t opc4 = pr_adobe.GetOpcodeCount(); michael@0: EXPECT_EQ(4, opc4); michael@0: michael@0: PolicyRule pr_none(GIVE_FIRST); michael@0: EXPECT_TRUE(pr_none.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_READONLY, AND)); michael@0: EXPECT_TRUE(pr_none.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_SYSTEM, AND)); michael@0: michael@0: size_t opc5 = pr_none.GetOpcodeCount(); michael@0: EXPECT_EQ(2, opc5); michael@0: michael@0: PolicyGlobal* policy = MakePolicyMemory(); michael@0: michael@0: const uint32 kNtFakeNone = 4; michael@0: const uint32 kNtFakeCreateFile = 5; michael@0: const uint32 kNtFakeOpenFile = 6; michael@0: michael@0: LowLevelPolicy policyGen(policy); michael@0: EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_pipe)); michael@0: EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_dump)); michael@0: EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_winexe)); michael@0: michael@0: EXPECT_TRUE(policyGen.AddRule(kNtFakeOpenFile, &pr_adobe)); michael@0: EXPECT_TRUE(policyGen.AddRule(kNtFakeOpenFile, &pr_pipe)); michael@0: michael@0: EXPECT_TRUE(policyGen.AddRule(kNtFakeNone, &pr_none)); michael@0: michael@0: EXPECT_TRUE(policyGen.Done()); michael@0: michael@0: // Inspect the policy structure manually. michael@0: EXPECT_TRUE(NULL == policy->entry[0]); michael@0: EXPECT_TRUE(NULL == policy->entry[1]); michael@0: EXPECT_TRUE(NULL == policy->entry[2]); michael@0: EXPECT_TRUE(NULL == policy->entry[3]); michael@0: EXPECT_TRUE(NULL != policy->entry[4]); // kNtFakeNone. michael@0: EXPECT_TRUE(NULL != policy->entry[5]); // kNtFakeCreateFile. michael@0: EXPECT_TRUE(NULL != policy->entry[6]); // kNtFakeOpenFile. michael@0: EXPECT_TRUE(NULL == policy->entry[7]); michael@0: michael@0: // The total per service opcode counts now must take in account one michael@0: // extra opcode (action opcode) per rule. michael@0: ++opc1; michael@0: ++opc2; michael@0: ++opc3; michael@0: ++opc4; michael@0: ++opc5; michael@0: michael@0: size_t tc1 = policy->entry[kNtFakeNone]->opcode_count; michael@0: size_t tc2 = policy->entry[kNtFakeCreateFile]->opcode_count; michael@0: size_t tc3 = policy->entry[kNtFakeOpenFile]->opcode_count; michael@0: michael@0: EXPECT_EQ(opc5, tc1); michael@0: EXPECT_EQ((opc1 + opc2 + opc3), tc2); michael@0: EXPECT_EQ((opc1 + opc4), tc3); michael@0: michael@0: // Check the type of the first and last opcode of each service. michael@0: michael@0: EXPECT_EQ(OP_ULONG_AND_MATCH, policy->entry[kNtFakeNone]->opcodes[0].GetID()); michael@0: EXPECT_EQ(OP_ACTION, policy->entry[kNtFakeNone]->opcodes[tc1-1].GetID()); michael@0: EXPECT_EQ(OP_WSTRING_MATCH, michael@0: policy->entry[kNtFakeCreateFile]->opcodes[0].GetID()); michael@0: EXPECT_EQ(OP_ACTION, michael@0: policy->entry[kNtFakeCreateFile]->opcodes[tc2-1].GetID()); michael@0: EXPECT_EQ(OP_WSTRING_MATCH, michael@0: policy->entry[kNtFakeOpenFile]->opcodes[0].GetID()); michael@0: EXPECT_EQ(OP_ACTION, policy->entry[kNtFakeOpenFile]->opcodes[tc3-1].GetID()); michael@0: michael@0: // Test the policy evaluation. michael@0: michael@0: wchar_t* filename = L""; michael@0: unsigned long creation_mode = OPEN_EXISTING; michael@0: unsigned long flags = FILE_ATTRIBUTE_NORMAL; michael@0: void* security_descriptor = NULL; michael@0: michael@0: POLPARAMS_BEGIN(params) michael@0: POLPARAM(filename) // Argument 0 michael@0: POLPARAM(creation_mode) // Argument 1 michael@0: POLPARAM(flags) // Argument 2 michael@0: POLPARAM(security_descriptor) michael@0: POLPARAMS_END; michael@0: michael@0: PolicyResult result; michael@0: PolicyProcessor eval_CreateFile(policy->entry[kNtFakeCreateFile]); michael@0: PolicyProcessor eval_OpenFile(policy->entry[kNtFakeOpenFile]); michael@0: PolicyProcessor eval_None(policy->entry[kNtFakeNone]); michael@0: michael@0: result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: result = eval_None.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: filename = L"\\\\??\\c:\\Windows\\System32\\calc.exe"; michael@0: flags = FILE_ATTRIBUTE_SYSTEM; michael@0: result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: result = eval_None.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: flags += FILE_ATTRIBUTE_READONLY; michael@0: result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: result = eval_None.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(GIVE_FIRST, eval_None.GetAction()); michael@0: result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: flags = FILE_ATTRIBUTE_NORMAL; michael@0: result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(SIGNAL_ALARM, eval_CreateFile.GetAction()); michael@0: result = eval_None.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: filename = L"c:\\adobe\\ver3.2\\temp"; michael@0: result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: result = eval_None.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(GIVE_CACHED, eval_OpenFile.GetAction()); michael@0: michael@0: filename = L"c:\\adobe\\ver3.22\\temp"; michael@0: result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: filename = L"\\\\??\\c:\\some path\\other path\\crash reports\\some path"; michael@0: creation_mode = CREATE_ALWAYS; michael@0: result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, eval_CreateFile.GetAction()); michael@0: result = eval_None.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: filename = L"\\\\??\\Pipe\\Chrome.12345"; michael@0: creation_mode = OPEN_EXISTING; michael@0: result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(FAKE_SUCCESS, eval_CreateFile.GetAction()); michael@0: result = eval_None.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(FAKE_SUCCESS, eval_OpenFile.GetAction()); michael@0: michael@0: delete [] reinterpret_cast(policy); michael@0: } michael@0: michael@0: TEST(PolicyEngineTest, PolicyRuleCopyConstructorTwoStrings) { michael@0: SetupNtdllImports(); michael@0: // Both pr_orig and pr_copy should allow hello.* but not *.txt files. michael@0: PolicyRule pr_orig(ASK_BROKER); michael@0: EXPECT_TRUE(pr_orig.AddStringMatch(IF, 0, L"hello.*", CASE_SENSITIVE)); michael@0: michael@0: PolicyRule pr_copy(pr_orig); michael@0: EXPECT_TRUE(pr_orig.AddStringMatch(IF_NOT, 0, L"*.txt", CASE_SENSITIVE)); michael@0: EXPECT_TRUE(pr_copy.AddStringMatch(IF_NOT, 0, L"*.txt", CASE_SENSITIVE)); michael@0: michael@0: PolicyGlobal* policy = MakePolicyMemory(); michael@0: LowLevelPolicy policyGen(policy); michael@0: EXPECT_TRUE(policyGen.AddRule(1, &pr_orig)); michael@0: EXPECT_TRUE(policyGen.AddRule(2, &pr_copy)); michael@0: EXPECT_TRUE(policyGen.Done()); michael@0: michael@0: wchar_t* name = NULL; michael@0: POLPARAMS_BEGIN(eval_params) michael@0: POLPARAM(name) michael@0: POLPARAMS_END; michael@0: michael@0: PolicyResult result; michael@0: PolicyProcessor pol_ev_orig(policy->entry[1]); michael@0: name = L"domo.txt"; michael@0: result = pol_ev_orig.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: name = L"hello.bmp"; michael@0: result = pol_ev_orig.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, pol_ev_orig.GetAction()); michael@0: michael@0: PolicyProcessor pol_ev_copy(policy->entry[2]); michael@0: name = L"domo.txt"; michael@0: result = pol_ev_copy.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(NO_POLICY_MATCH, result); michael@0: michael@0: name = L"hello.bmp"; michael@0: result = pol_ev_copy.Evaluate(kShortEval, eval_params, _countof(eval_params)); michael@0: EXPECT_EQ(POLICY_MATCH, result); michael@0: EXPECT_EQ(ASK_BROKER, pol_ev_copy.GetAction()); michael@0: } michael@0: } // namespace sandbox