23{
46
52
/*
 * StartTestAssign(Parent, Explicit, IsDir, GotDacl, GotSacl)
 *
 * Builds a new security descriptor with SeAssignSecurity() and, when that
 * succeeds, opens a block in which the descriptor has been unpacked into
 * locals that the test body can inspect:
 *   Dacl, Sacl        - ACL pointers; set to NULL when the query fails or the
 *                       ACL is reported as not present, so the body never sees
 *                       the uninitialized local
 *   Owner, Group      - SIDs; set to NULL when the query fails
 *   DaclDefaulted, SaclDefaulted, OwnerDefaulted, GroupDefaulted
 *
 * Parent, Explicit    - passed through as the parent and explicit descriptors
 * IsDir               - passed through as the directory-object argument
 * GotDacl, GotSacl    - expected value of the "present" flag reported for the
 *                       DACL and the SACL of the new descriptor
 *
 * The macro is not self-contained: it reads and writes Status and
 * SecurityDescriptor, and reads SubjectContext and GenericMapping, all taken
 * from the enclosing scope. It leaves an `if (...) {` open and must be paired
 * with EndTestAssign(), which releases the descriptor and closes the block.
 *
 * NOTE(review): as used here, skip() is expected to return nonzero when its
 * condition is false, so the block only runs for a successful assignment and
 * Owner/Group are only cleared on failure - confirm against the test framework.
 * The two continuation lines holding only a backslash are empty in this
 * listing.
 */
53#define StartTestAssign(Parent, Explicit, IsDir, GotDacl, GotSacl) \
54 SecurityDescriptor = NULL; \
55 Status = SeAssignSecurity (Parent, \
56 Explicit, \
57 &SecurityDescriptor, \
58 \
59 IsDir, \
60 \
61 SubjectContext, \
62 &GenericMapping, \
63 PagedPool); \
64 ok_eq_hex(Status, STATUS_SUCCESS); \
65 if (!skip(NT_SUCCESS(Status), "No security\n")) \
66 { \
67 PACL Dacl, Sacl; \
68 PSID Owner, Group; \
69 BOOLEAN Present; \
70 BOOLEAN DaclDefaulted, SaclDefaulted; \
71 BOOLEAN OwnerDefaulted, GroupDefaulted; \
72 Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor, \
73 &Present, \
74 &Dacl, \
75 &DaclDefaulted); \
76 ok_eq_hex(Status, STATUS_SUCCESS); \
77 ok_eq_uint(Present, GotDacl); \
78 if (!NT_SUCCESS(Status) || !Present) \
79 Dacl = NULL; \
80 Status = RtlGetSaclSecurityDescriptor(SecurityDescriptor, \
81 &Present, \
82 &Sacl, \
83 &SaclDefaulted); \
84 ok_eq_hex(Status, STATUS_SUCCESS); \
85 ok_eq_uint(Present, GotSacl); \
86 if (!NT_SUCCESS(Status) || !Present) \
87 Sacl = NULL; \
88 Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor, \
89 &Owner, \
90 &OwnerDefaulted); \
91 ok_eq_hex(Status, STATUS_SUCCESS); \
92 if (skip(NT_SUCCESS(Status), "No owner\n")) \
93 Owner = NULL; \
94 Status = RtlGetGroupSecurityDescriptor(SecurityDescriptor, \
95 &Group, \
96 &GroupDefaulted); \
97 ok_eq_hex(Status, STATUS_SUCCESS); \
98 if (skip(NT_SUCCESS(Status), "No group\n")) \
99 Group = NULL;
100
/*
 * EndTestAssign()
 *
 * Closing half of StartTestAssign(): releases the descriptor held in
 * SecurityDescriptor with SeDeassignSecurity() and closes the block that
 * StartTestAssign() left open. Because the call sits inside that block, it
 * only runs when the block was entered. Every StartTestAssign() needs exactly
 * one EndTestAssign(); without it the braces do not balance and the
 * descriptor is not released.
 */
101#define EndTestAssign() \
102 SeDeassignSecurity(&SecurityDescriptor); \
103 }
/*
 * StartTestAssignLoop(Parent, Explicit)
 *
 * Runs the test body that follows once for every combination of
 *   IsDir          - FALSE / TRUE, passed as the directory-object argument
 *   UsingParent    - whether Parent is passed, or NULL in its place
 *   UsingExplicit  - whether Explicit is passed, or NULL in its place
 * which is eight SeAssignSecurity() calls per use. Each iteration goes through
 * StartTestAssign() with GotDacl = TRUE and GotSacl = FALSE, so every
 * combination is expected to produce a DACL and no SACL.
 *
 * The three loop variables are declared here and stay visible to the body, so
 * it can branch on them. The macro opens an outer block, three loop bodies and
 * the StartTestAssign() block; EndTestAssignLoop() closes all of them.
 * Parent and Explicit are substituted unparenthesized into a conditional
 * expression, so callers should pass simple expressions.
 */
104#define StartTestAssignLoop(Parent, Explicit) \
105 { \
106 BOOLEAN IsDir; \
107 BOOLEAN UsingParent; \
108 BOOLEAN UsingExplicit; \
109 for (IsDir = FALSE; IsDir <= TRUE; IsDir++) \
110 { \
111 for (UsingParent = FALSE; UsingParent <= TRUE; UsingParent++) \
112 { \
113 for (UsingExplicit = FALSE; UsingExplicit <= TRUE; UsingExplicit++) \
114 { \
115 StartTestAssign(UsingParent ? Parent : NULL, \
116 UsingExplicit ? Explicit : NULL, \
117 IsDir, \
118 TRUE, \
119 FALSE)
/*
 * EndTestAssignLoop()
 *
 * Closing half of StartTestAssignLoop(): EndTestAssign() releases the
 * descriptor of the current iteration and closes the StartTestAssign() block,
 * then the four closing braces end the three loops and the outer block.
 */
120#define EndTestAssignLoop() \
121 EndTestAssign() \
122 } \
123 } \
124 } \
125 }
/*
 * TestAssignExpectDefault(Parent, Explicit, IsDir)
 *
 * One complete StartTestAssign()/EndTestAssign() pair that expects the new
 * descriptor to carry a DACL and no SACL, and then checks:
 *   - the DACL is not marked defaulted and matches the list handed to
 *     CheckAcl(): an access-allowed ACE for SeLocalSystemSid with
 *     STANDARD_RIGHTS_ALL | 0x800F and an access-allowed ACE for
 *     SeAliasAdminsSid with STANDARD_RIGHTS_READ | 0x0005, both with ACE
 *     flags 0
 *   - the owner is not marked defaulted and equals the SID at
 *     Token->DefaultOwnerIndex in Token->UserAndGroups
 *   - the group is not marked defaulted and equals Token->PrimaryGroup
 *
 * Token is taken from the enclosing scope.
 *
 * NOTE(review): CheckAcl() and CheckSid() are not shown here; the 2 is
 * presumably the expected ACE count and NO_SIZE presumably skips a size
 * check - confirm. The low bits 0x800F and 0x0005 are object-specific rights
 * whose meaning is not established by this listing. The hard-coded ACEs look
 * like the default DACL of the token under test; if the token changes, these
 * expectations have to change with it - confirm.
 */
126#define TestAssignExpectDefault(Parent, Explicit, IsDir) \
127 StartTestAssign(Parent, Explicit, IsDir, TRUE, FALSE) \
128 ok_eq_uint(DaclDefaulted, FALSE); \
129 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F, \
130 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005); \
131 ok_eq_uint(OwnerDefaulted, FALSE); \
132 CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid); \
133 ok_eq_uint(GroupDefaulted, FALSE); \
134 CheckSid(Group, NO_SIZE, Token->PrimaryGroup); \
135 EndTestAssign()
/*
 * TestAssignExpectDefaultAll()
 *
 * Runs TestAssignExpectDefault() six times: parent only, explicit only, and
 * both together, each with IsDir FALSE and then TRUE. It uses
 * ParentDescriptor and ExplicitDescriptor from the enclosing scope. The case
 * where neither descriptor is passed is not covered by this macro.
 */
136#define TestAssignExpectDefaultAll() \
137 TestAssignExpectDefault(&ParentDescriptor, NULL, FALSE) \
138 TestAssignExpectDefault(&ParentDescriptor, NULL, TRUE) \
139 TestAssignExpectDefault(NULL, &ExplicitDescriptor, FALSE) \
140 TestAssignExpectDefault(NULL, &ExplicitDescriptor, TRUE) \
141 TestAssignExpectDefault(&ParentDescriptor, &ExplicitDescriptor, FALSE) \
142 TestAssignExpectDefault(&ParentDescriptor, &ExplicitDescriptor, TRUE)
143
146
147
155
156
157 for (UsingDefault =
FALSE; UsingDefault <=
TRUE; UsingDefault++)
158 {
162 UsingDefault);
167 UsingDefault);
170
172 if (UsingExplicit)
173 {
175 }
176 else
177 {
180 }
186 }
187
188
189 for (UsingDefault =
FALSE; UsingDefault <=
TRUE; UsingDefault++)
190 {
195 &EmptyAcl,
196 UsingDefault);
200 &EmptyAcl,
201 UsingDefault);
204
206 if (UsingExplicit)
207 {
209 }
210 else
211 {
214 }
220 }
221
222
225 if (
skip(Acl !=
NULL,
"Out of memory\n"))
226 return;
227
229 if (
skip(Acl2 !=
NULL,
"Out of memory\n"))
230 {
232 return;
233 }
234
235
236 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
237 {
244 Acl,
249 Acl,
253
255 if (UsingExplicit)
256 {
258 }
259 else
260 {
263 }
269 }
270
271
272 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
273 {
280 Acl,
285 Acl,
289
291 if (UsingExplicit && (!UsingParent || !
FlagOn(UsingDefault, 2)))
292 {
294 }
295 else if (UsingParent)
296 {
298 }
299 else
300 {
303 }
309 }
310
311
312 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
313 {
320 Acl,
325 Acl,
329
331 if (UsingExplicit || (UsingParent && IsDir))
332 {
334 }
335 else
336 {
339 }
345 }
346
347
348 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
349 {
356 Acl,
361 Acl,
365
367 if (UsingExplicit && (!UsingParent || !
FlagOn(UsingDefault, 2)))
368 {
370 }
371 else if (UsingParent)
372 {
374 }
375 else
376 {
379 }
385 }
386
387
388 for (Access = 0; Access <= 1; Access++)
389 {
390 if (Access == 1)
391 {
399 }
400 else
401 {
409 }
410 for (CanInherit = 0; CanInherit <= 255; CanInherit++)
411 {
412 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
413 {
421 AceFlags2 = CanInherit >> 4;
426 Acl,
431 Acl2,
435
437 ParentUsable = UsingParent;
439 ParentUsable =
FALSE;
442 ParentUsable =
FALSE;
443
444 if (UsingExplicit && (!
FlagOn(UsingDefault, 2) || !ParentUsable))
445 {
447 }
448 else if (ParentUsable)
449 {
451 {
455 else
458 }
459 else
461 }
462 else
463 {
466 }
472 }
473 }
474 }
475
476
488
502
514
515
517 {
518
534 }
536
537
539 {
540
542 OldOwner =
Token->UserAndGroups[
Token->DefaultOwnerIndex].Sid;
557 Token->UserAndGroups[
Token->DefaultOwnerIndex].
Sid = OldOwner;
558 }
560
561
563 {
565 OldGroup =
Token->PrimaryGroup;
581 }
583
584
586 {
588 OldDacl =
Token->DefaultDacl;
598 Token->DefaultDacl = OldDacl;
599 }
601
602
642
643
654 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
655 {
666
680 }
681
682 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
683 {
686 &EmptyAcl,
691 &EmptyAcl,
694
708 }
709
710 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
711 {
718 Acl,
723 Acl,
726
740 }
741
742 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
743 {
750 Acl,
755 Acl,
758
781 }
782
783
784 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
785 {
792 Acl,
797 Acl,
800
814 }
815
816 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
817 {
824 Acl,
829 Acl,
832
855 }
856
857
858
859
860
861
862
865}