1 files changed, 103 insertions, 0 deletions
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_engine_unittest.cc b/security/sandbox/chromium/sandbox/win/src/policy_engine_unittest.cc
new file mode 100644
index 0000000000..b8b2002108
--- /dev/null
+++ b/security/sandbox/chromium/sandbox/win/src/policy_engine_unittest.cc
@@ -0,0 +1,103 @@
+// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "sandbox/win/src/policy_engine_params.h"
+#include "sandbox/win/src/policy_engine_processor.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+#define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = {
+#define POLPARAM(p) sandbox::ParamPickerMake(p),
+#define POLPARAMS_END }
+
+namespace sandbox {
+
+bool SetupNtdllImports();
+
+TEST(PolicyEngineTest, Rules1) {
+  SetupNtdllImports();
+
+  // Construct two policy rules that say:
+  //
+  // #1
+  // If the path is c:\\documents and settings\\* AND
+  // If the creation mode is 'open existing' AND
+  // If the security descriptor is null THEN
+  // Ask the broker.
+  //
+  // #2
+  // If the security descriptor is null AND
+  // If the path ends with *.txt AND
+  // If the creation mode is not 'create new' THEN
+  // return Access Denied.
+
+  enum FileCreateArgs {
+    FileNameArg,
+    CreationDispositionArg,
+    FlagsAndAttributesArg,
+    SecurityAttributes
+  };
+
+  const size_t policy_sz = 1024;
+  PolicyBuffer* policy = reinterpret_cast<PolicyBuffer*>(new char[policy_sz]);
+  OpcodeFactory opcode_maker(policy, policy_sz - 0x40);
+
+  // Add rule set #1
+  opcode_maker.MakeOpWStringMatch(FileNameArg, L"c:\\documents and settings\\",
+                                  0, CASE_INSENSITIVE, kPolNone);
+  opcode_maker.MakeOpNumberMatch(CreationDispositionArg, OPEN_EXISTING,
+                                 kPolNone);
+  opcode_maker.MakeOpVoidPtrMatch(SecurityAttributes, nullptr, kPolNone);
+  opcode_maker.MakeOpAction(ASK_BROKER, kPolNone);
+
+  // Add rule set #2
+  opcode_maker.MakeOpWStringMatch(FileNameArg, L".TXT", kSeekToEnd,
+                                  CASE_INSENSITIVE, kPolNone);
+  opcode_maker.MakeOpNumberMatch(CreationDispositionArg, CREATE_NEW,
+                                 kPolNegateEval);
+  opcode_maker.MakeOpAction(FAKE_ACCESS_DENIED, kPolNone);
+  policy->opcode_count = 7;
+
+  const wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt";
+  uint32_t creation_mode = OPEN_EXISTING;
+  uint32_t flags = FILE_ATTRIBUTE_NORMAL;
+  void* security_descriptor = nullptr;
+
+  POLPARAMS_BEGIN(eval_params)
+    POLPARAM(filename)
+    POLPARAM(creation_mode)
+    POLPARAM(flags)
+    POLPARAM(security_descriptor)
+  POLPARAMS_END;
+
+  PolicyResult pr;
+  PolicyProcessor pol_ev(policy);
+
+  // Test should match the first rule set.
+  pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
+  EXPECT_EQ(POLICY_MATCH, pr);
+  EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
+
+  // Test should still match the first rule set.
+  pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
+  EXPECT_EQ(POLICY_MATCH, pr);
+  EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
+
+  // Changing creation_mode such that evaluation should not match any rule.
+  creation_mode = CREATE_NEW;
+  pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
+  EXPECT_EQ(NO_POLICY_MATCH, pr);
+
+  // Changing creation_mode such that evaluation should match rule #2.
+  creation_mode = OPEN_ALWAYS;
+  pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
+  EXPECT_EQ(POLICY_MATCH, pr);
+  EXPECT_EQ(FAKE_ACCESS_DENIED, pol_ev.GetAction());
+
+  delete[] reinterpret_cast<char*>(policy);
+}
+
+}  // namespace sandbox