sandbox/win/src/policy_engine_processor.cc

   1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/win/src/policy_engine_processor.h"
   6
   7 namespace sandbox {
   8
   9 void PolicyProcessor::SetInternalState(size_t index, EvalResult result) {
  10   state_.current_index_ = index;
  11   state_.current_result_ = result;
  12 }
  13
  14 EvalResult PolicyProcessor::GetAction() const {
  15   return state_.current_result_;
  16 }
  17
  18 // Decides if an opcode can be skipped (not evaluated) or not. The function
  19 // takes as inputs the opcode and the current evaluation context and returns
  20 // true if the opcode should be skipped or not and also can set keep_skipping
  21 // to false to signal that the current instruction should be skipped but not
  22 // the next after the current one.
  23 bool SkipOpcode(const PolicyOpcode& opcode, MatchContext* context,
  24                 bool* keep_skipping) {
  25   if (opcode.IsAction()) {
  26     uint32 options = context->options;
  27     context->Clear();
  28     *keep_skipping = false;
  29     return (kPolUseOREval != options);
  30   }
  31   *keep_skipping = true;
  32   return true;
  33 }
  34
  35 PolicyResult PolicyProcessor::Evaluate(uint32 options,
  36                                        ParameterSet* parameters,
  37                                        size_t param_count) {
  38   if (NULL == policy_) {
  39     return NO_POLICY_MATCH;
  40   }
  41   if (0 == policy_->opcode_count) {
  42     return NO_POLICY_MATCH;
  43   }
  44   if (!(kShortEval & options)) {
  45     return POLICY_ERROR;
  46   }
  47
  48   MatchContext context;
  49   bool evaluation = false;
  50   bool skip_group = false;
  51   SetInternalState(0, EVAL_FALSE);
  52   size_t count = policy_->opcode_count;
  53
  54   // Loop over all the opcodes Evaluating in sequence. Since we only support
  55   // short circuit evaluation, we stop as soon as we find an 'action' opcode
  56   // and the current evaluation is true.
  57   //
  58   // Skipping opcodes can happen when we are in AND mode (!kPolUseOREval) and
  59   // have got EVAL_FALSE or when we are in OR mode (kPolUseOREval) and got
  60   // EVAL_TRUE. Skipping will stop at the next action opcode or at the opcode
  61   // after the action depending on kPolUseOREval.
  62
  63   for (size_t ix = 0; ix != count; ++ix) {
  64     PolicyOpcode& opcode = policy_->opcodes[ix];
  65     // Skipping block.
  66     if (skip_group) {
  67       if (SkipOpcode(opcode, &context, &skip_group)) {
  68         continue;
  69       }
  70     }
  71     // Evaluation block.
  72     EvalResult result = opcode.Evaluate(parameters, param_count, &context);
  73     switch (result) {
  74       case EVAL_FALSE:
  75         evaluation = false;
  76         if (kPolUseOREval != context.options) {
  77           skip_group = true;
  78         }
  79         break;
  80       case EVAL_ERROR:
  81         if (kStopOnErrors & options) {
  82           return POLICY_ERROR;
  83         }
  84         break;
  85       case EVAL_TRUE:
  86         evaluation = true;
  87         if (kPolUseOREval == context.options) {
  88           skip_group = true;
  89         }
  90         break;
  91       default:
  92         // We have evaluated an action.
  93         SetInternalState(ix, result);
  94         return POLICY_MATCH;
  95     }
  96   }
  97
  98   if (evaluation) {
  99     // Reaching the end of the policy with a positive evaluation is probably
 100     // an error: we did not find a final action opcode?
 101     return POLICY_ERROR;
 102   }
 103   return NO_POLICY_MATCH;
 104 }
 105
 106
 107 }  // namespace sandbox