sandbox/win/src/policy_engine_unittest.cc

   1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "sandbox/win/src/policy_engine_params.h"
   6 #include "sandbox/win/src/policy_engine_processor.h"
   7 #include "testing/gtest/include/gtest/gtest.h"
   8
   9 #define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = {
  10 #define POLPARAM(p) sandbox::ParamPickerMake(p),
  11 #define POLPARAMS_END }
  12
  13 namespace sandbox {
  14
  15 bool SetupNtdllImports();
  16
  17 TEST(PolicyEngineTest, Rules1) {
  18   SetupNtdllImports();
  19
  20   // Construct two policy rules that say:
  21   //
  22   // #1
  23   // If the path is c:\\documents and settings\\* AND
  24   // If the creation mode is 'open existing' AND
  25   // If the security descriptor is null THEN
  26   // Ask the broker.
  27   //
  28   // #2
  29   // If the security descriptor is null AND
  30   // If the path ends with *.txt AND
  31   // If the creation mode is not 'create new' THEN
  32   // return Access Denied.
  33
  34   enum FileCreateArgs {
  35     FileNameArg,
  36     CreationDispositionArg,
  37     FlagsAndAttributesArg,
  38     SecurityAttributes
  39   };
  40
  41   const size_t policy_sz = 1024;
  42   PolicyBuffer* policy = reinterpret_cast<PolicyBuffer*>(new char[policy_sz]);
  43   OpcodeFactory opcode_maker(policy, policy_sz - 0x40);
  44
  45   // Add rule set #1
  46   opcode_maker.MakeOpWStringMatch(FileNameArg,
  47                                   L"c:\\documents and settings\\",
  48                                   0, CASE_INSENSITIVE, kPolNone);
  49   opcode_maker.MakeOpNumberMatch(CreationDispositionArg, OPEN_EXISTING,
  50                                  kPolNone);
  51   opcode_maker.MakeOpVoidPtrMatch(SecurityAttributes, (void*)NULL,
  52                                  kPolNone);
  53   opcode_maker.MakeOpAction(ASK_BROKER, kPolNone);
  54
  55   // Add rule set #2
  56   opcode_maker.MakeOpWStringMatch(FileNameArg, L".TXT",
  57                                   kSeekToEnd, CASE_INSENSITIVE, kPolNone);
  58   opcode_maker.MakeOpNumberMatch(CreationDispositionArg, CREATE_NEW,
  59                                  kPolNegateEval);
  60   opcode_maker.MakeOpAction(FAKE_ACCESS_DENIED, kPolNone);
  61   policy->opcode_count = 7;
  62
  63   const wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt";
  64   uint32 creation_mode = OPEN_EXISTING;
  65   uint32 flags = FILE_ATTRIBUTE_NORMAL;
  66   void* security_descriptor = NULL;
  67
  68   POLPARAMS_BEGIN(eval_params)
  69     POLPARAM(filename)
  70     POLPARAM(creation_mode)
  71     POLPARAM(flags)
  72     POLPARAM(security_descriptor)
  73   POLPARAMS_END;
  74
  75   PolicyResult pr;
  76   PolicyProcessor pol_ev(policy);
  77
  78   // Test should match the first rule set.
  79   pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
  80   EXPECT_EQ(POLICY_MATCH, pr);
  81   EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
  82
  83   // Test should still match the first rule set.
  84   pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
  85   EXPECT_EQ(POLICY_MATCH, pr);
  86   EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
  87
  88   // Changing creation_mode such that evaluation should not match any rule.
  89   creation_mode = CREATE_NEW;
  90   pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
  91   EXPECT_EQ(NO_POLICY_MATCH, pr);
  92
  93   // Changing creation_mode such that evaluation should match rule #2.
  94   creation_mode = OPEN_ALWAYS;
  95   pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
  96   EXPECT_EQ(POLICY_MATCH, pr);
  97   EXPECT_EQ(FAKE_ACCESS_DENIED, pol_ev.GetAction());
  98
  99   delete [] reinterpret_cast<char*>(policy);
 100 }
 101
 102 }  // namespace sandbox