sandbox/win/src/policy_engine_processor.h

   1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__
   6 #define SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__
   7
   8 #include "base/basictypes.h"
   9 #include "sandbox/win/src/policy_engine_params.h"
  10 #include "sandbox/win/src/policy_engine_opcodes.h"
  11
  12 namespace sandbox {
  13
  14 // This header contains the core policy evaluator. In its simplest form
  15 // it evaluates a stream of opcodes assuming that they are laid out in
  16 // memory as opcode groups.
  17 //
  18 // An opcode group has N comparison opcodes plus 1 action opcode. For
  19 // example here we have 3 opcode groups (A, B,C):
  20 //
  21 // [comparison 1]  <-- group A start
  22 // [comparison 2]
  23 // [comparison 3]
  24 // [action A    ]
  25 // [comparison 1]  <-- group B start
  26 // [action B    ]
  27 // [comparison 1]  <-- group C start
  28 // [comparison 2]
  29 // [action C    ]
  30 //
  31 // The opcode evaluator proceeds from the top, evaluating each opcode in
  32 // sequence. An opcode group is evaluated until the first comparison that
  33 // returns false. At that point the rest of the group is skipped and evaluation
  34 // resumes with the first comparison of the next group. When all the comparisons
  35 // in a group have evaluated to true and the action is reached. The group is
  36 // considered a matching group.
  37 //
  38 // In the 'ShortEval' mode evaluation stops when it reaches the end or the first
  39 // matching group. The action opcode from this group is the resulting policy
  40 // action.
  41 //
  42 // In the 'RankedEval' mode evaluation stops only when it reaches the end of the
  43 // the opcode stream. In the process all matching groups are saved and at the
  44 // end the 'best' group is selected (what makes the best is TBD) and the action
  45 // from this group is the resulting policy action.
  46 //
  47 // As explained above, the policy evaluation of a group is a logical AND of
  48 // the evaluation of each opcode. However an opcode can request kPolUseOREval
  49 // which makes the evaluation to use logical OR. Given that each opcode can
  50 // request its evaluation result to be negated with kPolNegateEval you can
  51 // achieve the negation of the total group evaluation. This means that if you
  52 // need to express:
  53 //             if (!(c1 && c2 && c3))
  54 // You can do it by:
  55 //             if ((!c1) || (!c2) || (!c3))
  56 //
  57
  58 // Possible outcomes of policy evaluation.
  59 enum PolicyResult {
  60   NO_POLICY_MATCH,
  61   POLICY_MATCH,
  62   POLICY_ERROR
  63 };
  64
  65 // Policy evaluation flags
  66 // TODO(cpu): implement the options kStopOnErrors & kRankedEval.
  67 //
  68 // Stop evaluating as soon as an error is encountered.
  69 const uint32 kStopOnErrors = 1;
  70 // Ignore all non fatal opcode evaluation errors.
  71 const uint32 kIgnoreErrors = 2;
  72 // Short-circuit evaluation: Only evaluate until opcode group that
  73 // evaluated to true has been found.
  74 const uint32 kShortEval = 4;
  75 // Discussed briefly at the policy design meeting. It will evaluate
  76 // all rules and then return the 'best' rule that evaluated true.
  77 const uint32 kRankedEval = 8;
  78
  79 // This class evaluates a policy-opcode stream given the memory where the
  80 // opcodes are and an input 'parameter set'.
  81 //
  82 // This class is designed to be callable from interception points
  83 // as low as the NtXXXX service level (it is not currently safe, but
  84 // it is designed to be made safe).
  85 //
  86 // Its usage in an interception is:
  87 //
  88 //   POLPARAMS_BEGIN(eval_params)
  89 //     POLPARAM(param1)
  90 //     POLPARAM(param2)
  91 //     POLPARAM(param3)
  92 //     POLPARAM(param4)
  93 //     POLPARAM(param5)
  94 //   POLPARAMS_END;
  95 //
  96 //   PolicyProcessor pol_evaluator(policy_memory);
  97 //   PolicyResult pr = pol_evaluator.Evaluate(ShortEval, eval_params,
  98 //                                            _countof(eval_params));
  99 //   if (NO_POLICY_MATCH == pr) {
 100 //     EvalResult policy_action =  pol_evaluator.GetAction();
 101 //     // apply policy here...
 102 //   }
 103 //
 104 // Where the POLPARAM() arguments are derived from the intercepted function
 105 // arguments, and represent all the 'interesting' policy inputs, and
 106 // policy_memory is a memory buffer containing the opcode stream that is the
 107 // relevant policy for this intercept.
 108 class PolicyProcessor {
 109  public:
 110   // policy_buffer contains opcodes made with OpcodeFactory. They are usually
 111   // created in the broker process and evaluated in the target process.
 112
 113   // This constructor is just a variant of the previous constructor.
 114   explicit PolicyProcessor(PolicyBuffer* policy)
 115       : policy_(policy) {
 116     SetInternalState(0, EVAL_FALSE);
 117   }
 118
 119   // Evaluates a policy-opcode stream. See the comments at the top of this
 120   // class for more info. Returns POLICY_MATCH if a rule set was found that
 121   // matches an active policy.
 122   PolicyResult Evaluate(uint32 options,
 123                         ParameterSet* parameters,
 124                         size_t parameter_count);
 125
 126   // If the result of Evaluate() was POLICY_MATCH, calling this function returns
 127   // the recommended policy action.
 128   EvalResult GetAction() const;
 129
 130  private:
 131   struct {
 132     size_t current_index_;
 133     EvalResult current_result_;
 134   } state_;
 135
 136   // Sets the currently matching action result.
 137   void SetInternalState(size_t index, EvalResult result);
 138
 139   PolicyBuffer* policy_;
 140   DISALLOW_COPY_AND_ASSIGN(PolicyProcessor);
 141 };
 142
 143 }  // namespace sandbox
 144
 145 #endif  // SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__