Include dependency graph for SeInheritance.c:
Go to the source code of this file.
Macros | |
| #define | StartTestAssign(Parent, Explicit, IsDir, GotDacl, GotSacl) |
| #define | EndTestAssign() |
| #define | StartTestAssignLoop(Parent, Explicit) |
| #define | EndTestAssignLoop() |
| #define | TestAssignExpectDefault(Parent, Explicit, IsDir) |
| #define | TestAssignExpectDefaultAll() |
Functions | |
| static VOID | TestSeAssignSecurity (_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext) |
| static VOID NTAPI | SystemThread (_In_ PVOID Context) |
| static VOID | TestObRootSecurity (VOID) |
| START_TEST (SeInheritance) | |
Variables | |
| static GENERIC_MAPPING | GenericMapping |
Macro Definition Documentation
◆ EndTestAssign
| #define EndTestAssign | ( | ) |
Value:
SeDeassignSecurity(&SecurityDescriptor); \
}
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:191
◆ EndTestAssignLoop
| #define EndTestAssignLoop | ( | ) |
Value:
◆ StartTestAssign
◆ StartTestAssignLoop
Value:
{ \
BOOLEAN IsDir; \
BOOLEAN UsingParent; \
BOOLEAN UsingExplicit; \
{ \
{ \
{ \
UsingExplicit ? Explicit : NULL, \
IsDir, \
TRUE, \
ACPI_PHYSICAL_ADDRESS ACPI_SIZE BOOLEAN Warn UINT32 *TableIdx UINT32 ACPI_TABLE_HEADER *OutTableHeader ACPI_TABLE_HEADER **OutTable ACPI_HANDLE UINT32 ACPI_WALK_CALLBACK ACPI_WALK_CALLBACK void void **ReturnValue UINT32 ACPI_BUFFER *RetPathPtr ACPI_OBJECT_HANDLER void *Data ACPI_OBJECT_HANDLER void **Data ACPI_STRING ACPI_OBJECT_LIST ACPI_BUFFER *ReturnObjectBuffer ACPI_DEVICE_INFO **ReturnBuffer ACPI_HANDLE Parent
Definition: acpixf.h:732
◆ TestAssignExpectDefault
Value:
ok_eq_uint(DaclDefaulted, FALSE); \
CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F, \
ok_eq_uint(OwnerDefaulted, FALSE); \
ok_eq_uint(GroupDefaulted, FALSE); \
EndTestAssign()
#define StartTestAssign(Parent, Explicit, IsDir, GotDacl, GotSacl)
Definition: tokenizer.hpp:28
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1593
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID Owner
Definition: rtlfuncs.h:1597
◆ TestAssignExpectDefaultAll
| #define TestAssignExpectDefaultAll | ( | ) |
Value:
TestAssignExpectDefault(&ParentDescriptor, &ExplicitDescriptor, FALSE) \
TestAssignExpectDefault(&ParentDescriptor, &ExplicitDescriptor, TRUE)
#define TestAssignExpectDefault(Parent, Explicit, IsDir)
Function Documentation
◆ START_TEST()
| START_TEST | ( | SeInheritance | ) |
Definition at line 948 of file SeInheritance.c.
949{
951
952 TestObRootSecurity();
955}
PKTHREAD KmtStartThread(IN PKSTART_ROUTINE StartRoutine, IN PVOID StartContext OPTIONAL)
Definition: kmt_test_kernel.h:136
VOID KmtFinishThread(IN PKTHREAD Thread OPTIONAL, IN PKEVENT Event OPTIONAL)
Definition: kmt_test_kernel.h:171
Definition: ketypes.h:1600
◆ SystemThread()
Definition at line 870 of file SeInheritance.c.
872{
875
878 /* TODO: Test SeSetSecurityDescrptorInfo[Ex] */
880}
#define ok_eq_pointer(value, expected)
Definition: RtlDosApplyFileIsolationRedirection_Ustr.c:11
static VOID TestSeAssignSecurity(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: SeInheritance.c:21
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2246
Definition: compobj.c:4795
Definition: setypes.h:217
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
Definition: subject.c:171
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: subject.c:85
Referenced by FxSystemThread::_CreateAndInit(), and START_TEST().
◆ TestObRootSecurity()
Definition at line 884 of file SeInheritance.c.
885{
893 PACL Acl;
894 BOOLEAN Present;
895 BOOLEAN Defaulted;
896
898 &ObjectPath,
900 NULL,
901 NULL);
903 0,
904 &ObjectAttributes);
907 return;
909 0,
910 NULL,
911 KernelMode,
912 &RootDirectory,
913 NULL);
917 return;
919 &SecurityDescriptor,
920 &MemoryAllocated);
924 return;
926 &Present,
927 &Acl,
928 &Defaulted);
932 {
934 CheckAcl(Acl, 4, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid, STANDARD_RIGHTS_READ | DIRECTORY_TRAVERSE | DIRECTORY_QUERY,
937 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeRestrictedSid, STANDARD_RIGHTS_READ | DIRECTORY_TRAVERSE | DIRECTORY_QUERY);
938 }
940 &Present,
941 &Acl,
942 &Defaulted);
946}
Definition: nsiface.idl:2307
NTSYSAPI NTSTATUS NTAPI ZwOpenDirectoryObject(_Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes)
NTSYSAPI NTSTATUS NTAPI RtlGetSaclSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN SaclPresent, _Out_ PACL *Sacl, _Out_ PBOOLEAN SaclDefaulted)
NTSYSAPI NTSTATUS NTAPI RtlGetDaclSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN DaclPresent, _Out_ PACL *Dacl, _Out_ PBOOLEAN DaclDefaulted)
NTSTATUS NTAPI ObCloseHandle(IN HANDLE Handle, IN KPROCESSOR_MODE AccessMode)
Definition: obhandle.c:3379
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
NTSTATUS NTAPI ObGetObjectSecurity(IN PVOID Object, OUT PSECURITY_DESCRIPTOR *SecurityDescriptor, OUT PBOOLEAN MemoryAllocated)
Definition: obsecure.c:611
VOID NTAPI ObReleaseObjectSecurity(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN MemoryAllocated)
Definition: obsecure.c:709
Definition: ms-dtyp.idl:293
Definition: umtypes.h:182
Definition: ms-dtyp.idl:301
Definition: env_spec_w32.h:368
Referenced by START_TEST().
◆ TestSeAssignSecurity()
|
static |
Definition at line 21 of file SeInheritance.c.
23{
27 SECURITY_DESCRIPTOR ParentDescriptor;
29 ACL EmptyAcl;
30 PACL Acl;
31 PACL Acl2;
32 ULONG AclSize;
33 ULONG UsingDefault;
34 ULONG CanInherit;
36 ULONG AceFlags2;
37 ULONG Access;
38 PSID GenericSid;
39 PSID GenericSid2;
40 ACCESS_MASK GenericMask;
41 ACCESS_MASK GenericMask2;
42 PSID SpecificSid;
43 ACCESS_MASK SpecificMask;
44 ACCESS_MASK SpecificMask2;
45 BOOLEAN ParentUsable;
46
48 CheckAcl(Token->DefaultDacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, GENERIC_ALL,
49 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, GENERIC_READ | GENERIC_EXECUTE | STANDARD_RIGHTS_READ);
50 CheckSid(Token->UserAndGroups[Token->DefaultOwnerIndex].Sid, NO_SIZE, SeExports->SeAliasAdminsSid);
52// Flags with no effect on current tests: SEF_SACL_AUTO_INHERIT, SEF_DEFAULT_DESCRIPTOR_FOR_OBJECT
53#define StartTestAssign(Parent, Explicit, IsDir, GotDacl, GotSacl) \
54 SecurityDescriptor = NULL; \
55 Status = SeAssignSecurity (Parent, \
56 Explicit, \
57 &SecurityDescriptor, \
58 /*NULL,*/ \
59 IsDir, \
60 /*0,*/ \
61 SubjectContext, \
62 &GenericMapping, \
63 PagedPool); \
64 ok_eq_hex(Status, STATUS_SUCCESS); \
65 if (!skip(NT_SUCCESS(Status), "No security\n")) \
66 { \
67 PACL Dacl, Sacl; \
68 PSID Owner, Group; \
69 BOOLEAN Present; \
70 BOOLEAN DaclDefaulted, SaclDefaulted; \
71 BOOLEAN OwnerDefaulted, GroupDefaulted; \
72 Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor, \
73 &Present, \
74 &Dacl, \
75 &DaclDefaulted); \
76 ok_eq_hex(Status, STATUS_SUCCESS); \
77 ok_eq_uint(Present, GotDacl); \
78 if (!NT_SUCCESS(Status) || !Present) \
79 Dacl = NULL; \
80 Status = RtlGetSaclSecurityDescriptor(SecurityDescriptor, \
81 &Present, \
82 &Sacl, \
83 &SaclDefaulted); \
84 ok_eq_hex(Status, STATUS_SUCCESS); \
85 ok_eq_uint(Present, GotSacl); \
86 if (!NT_SUCCESS(Status) || !Present) \
87 Sacl = NULL; \
88 Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor, \
89 &Owner, \
90 &OwnerDefaulted); \
91 ok_eq_hex(Status, STATUS_SUCCESS); \
92 if (skip(NT_SUCCESS(Status), "No owner\n")) \
93 Owner = NULL; \
94 Status = RtlGetGroupSecurityDescriptor(SecurityDescriptor, \
95 &Group, \
96 &GroupDefaulted); \
97 ok_eq_hex(Status, STATUS_SUCCESS); \
98 if (skip(NT_SUCCESS(Status), "No group\n")) \
99 Group = NULL;
100
101#define EndTestAssign() \
102 SeDeassignSecurity(&SecurityDescriptor); \
103 }
104#define StartTestAssignLoop(Parent, Explicit) \
105 { \
106 BOOLEAN IsDir; \
107 BOOLEAN UsingParent; \
108 BOOLEAN UsingExplicit; \
109 for (IsDir = FALSE; IsDir <= TRUE; IsDir++) \
110 { \
111 for (UsingParent = FALSE; UsingParent <= TRUE; UsingParent++) \
112 { \
113 for (UsingExplicit = FALSE; UsingExplicit <= TRUE; UsingExplicit++) \
114 { \
115 StartTestAssign(UsingParent ? Parent : NULL, \
116 UsingExplicit ? Explicit : NULL, \
117 IsDir, \
118 TRUE, \
119 FALSE)
120#define EndTestAssignLoop() \
121 EndTestAssign() \
122 } \
123 } \
124 } \
125 }
126#define TestAssignExpectDefault(Parent, Explicit, IsDir) \
127 StartTestAssign(Parent, Explicit, IsDir, TRUE, FALSE) \
128 ok_eq_uint(DaclDefaulted, FALSE); \
129 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F, \
130 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005); \
131 ok_eq_uint(OwnerDefaulted, FALSE); \
132 CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid); \
133 ok_eq_uint(GroupDefaulted, FALSE); \
134 CheckSid(Group, NO_SIZE, Token->PrimaryGroup); \
135 EndTestAssign()
136#define TestAssignExpectDefaultAll() \
137 TestAssignExpectDefault(&ParentDescriptor, NULL, FALSE) \
138 TestAssignExpectDefault(&ParentDescriptor, NULL, TRUE) \
139 TestAssignExpectDefault(NULL, &ExplicitDescriptor, FALSE) \
140 TestAssignExpectDefault(NULL, &ExplicitDescriptor, TRUE) \
141 TestAssignExpectDefault(&ParentDescriptor, &ExplicitDescriptor, FALSE) \
142 TestAssignExpectDefault(&ParentDescriptor, &ExplicitDescriptor, TRUE)
143
146
147 /* Empty parent/explicit descriptors */
155
156 /* NULL DACL in parent/explicit descriptor */
158 {
160 TRUE,
161 NULL,
162 UsingDefault);
165 TRUE,
166 NULL,
167 UsingDefault);
170 //trace("Explicit %u, Parent %u, Dir %u, Default %u\n", UsingExplicit, UsingParent, IsDir, UsingDefault);
172 if (UsingExplicit)
173 {
175 }
176 else
177 {
178 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
180 }
185 EndTestAssignLoop()
186 }
187
188 /* Empty default DACL in parent/explicit descriptor */
190 {
194 TRUE,
195 &EmptyAcl,
196 UsingDefault);
199 TRUE,
200 &EmptyAcl,
201 UsingDefault);
204 //trace("Explicit %u, Parent %u, Dir %u, Default %u\n", UsingExplicit, UsingParent, IsDir, UsingDefault);
206 if (UsingExplicit)
207 {
209 }
210 else
211 {
212 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
214 }
219 EndTestAssignLoop()
220 }
221
222
223 AclSize = sizeof(ACL) + FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + RtlLengthSid(SeExports->SeWorldSid);
226 return;
227
230 {
232 return;
233 }
234
235 /* Simple DACL in parent/explicit descriptor */
236 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
237 {
243 TRUE,
244 Acl,
245 BooleanFlagOn(UsingDefault, 1));
248 TRUE,
249 Acl,
250 BooleanFlagOn(UsingDefault, 2));
253 //trace("Explicit %u, Parent %u, Dir %u, Default %u\n", UsingExplicit, UsingParent, IsDir, UsingDefault);
255 if (UsingExplicit)
256 {
258 }
259 else
260 {
261 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
263 }
268 EndTestAssignLoop()
269 }
270
271 /* Object-inheritable DACL in parent/explicit descriptor */
272 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
273 {
276 Status = RtlAddAccessAllowedAceEx(Acl, ACL_REVISION, OBJECT_INHERIT_ACE, READ_CONTROL, SeExports->SeWorldSid);
279 TRUE,
280 Acl,
281 BooleanFlagOn(UsingDefault, 1));
284 TRUE,
285 Acl,
286 BooleanFlagOn(UsingDefault, 2));
289 //trace("Explicit %u, Parent %u, Dir %u, Default %u\n", UsingExplicit, UsingParent, IsDir, UsingDefault);
292 {
293 CheckAcl(Dacl, 1, ACCESS_ALLOWED_ACE_TYPE, OBJECT_INHERIT_ACE, SeExports->SeWorldSid, READ_CONTROL);
294 }
295 else if (UsingParent)
296 {
297 CheckAcl(Dacl, 1, ACCESS_ALLOWED_ACE_TYPE, IsDir ? INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE : 0, SeExports->SeWorldSid, READ_CONTROL);
298 }
299 else
300 {
301 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
303 }
308 EndTestAssignLoop()
309 }
310
311 /* Container-inheritable DACL in parent/explicit descriptor */
312 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
313 {
316 Status = RtlAddAccessAllowedAceEx(Acl, ACL_REVISION, CONTAINER_INHERIT_ACE, READ_CONTROL, SeExports->SeWorldSid);
319 TRUE,
320 Acl,
321 BooleanFlagOn(UsingDefault, 1));
324 TRUE,
325 Acl,
326 BooleanFlagOn(UsingDefault, 2));
329 //trace("Explicit %u, Parent %u, Dir %u, Default %u\n", UsingExplicit, UsingParent, IsDir, UsingDefault);
331 if (UsingExplicit || (UsingParent && IsDir))
332 {
333 CheckAcl(Dacl, 1, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, READ_CONTROL);
334 }
335 else
336 {
337 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
339 }
344 EndTestAssignLoop()
345 }
346
347 /* Fully inheritable DACL in parent/explicit descriptor */
348 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
349 {
352 Status = RtlAddAccessAllowedAceEx(Acl, ACL_REVISION, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE, READ_CONTROL, SeExports->SeWorldSid);
355 TRUE,
356 Acl,
357 BooleanFlagOn(UsingDefault, 1));
360 TRUE,
361 Acl,
362 BooleanFlagOn(UsingDefault, 2));
365 //trace("Explicit %u, Parent %u, Dir %u, Default %u\n", UsingExplicit, UsingParent, IsDir, UsingDefault);
368 {
369 CheckAcl(Dacl, 1, ACCESS_ALLOWED_ACE_TYPE, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, READ_CONTROL);
370 }
371 else if (UsingParent)
372 {
373 CheckAcl(Dacl, 1, ACCESS_ALLOWED_ACE_TYPE, IsDir ? OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE : 0, SeExports->SeWorldSid, READ_CONTROL);
374 }
375 else
376 {
377 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
379 }
384 EndTestAssignLoop()
385 }
386
387 /* Different DACLs in parent and explicit descriptors */
388 for (Access = 0; Access <= 1; Access++)
389 {
390 if (Access == 1)
391 {
394 GenericMask = GENERIC_READ;
395 SpecificMask = STANDARD_RIGHTS_READ | 0x0001;
397 GenericMask2 = GENERIC_EXECUTE;
398 SpecificMask2 = STANDARD_RIGHTS_EXECUTE | 0x0004;
399 }
400 else
401 {
404 GenericMask = READ_CONTROL;
405 SpecificMask = READ_CONTROL;
407 GenericMask2 = SYNCHRONIZE;
408 SpecificMask2 = SYNCHRONIZE;
409 }
410 for (CanInherit = 0; CanInherit <= 255; CanInherit++)
411 {
412 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
413 {
416 AceFlags = CanInherit & 0xf;
421 AceFlags2 = CanInherit >> 4;
425 TRUE,
426 Acl,
427 BooleanFlagOn(UsingDefault, 1));
430 TRUE,
431 Acl2,
432 BooleanFlagOn(UsingDefault, 2));
435 //trace("Explicit %u, Parent %u, Dir %u, Default %u, Inherit %u, Access %u\n", UsingExplicit, UsingParent, IsDir, UsingDefault, CanInherit, Access);
437 ParentUsable = UsingParent;
439 ParentUsable = FALSE;
442 ParentUsable = FALSE;
443
445 {
446 CheckAcl(Dacl, 1, ACCESS_ALLOWED_ACE_TYPE, AceFlags2, GenericSid2, FlagOn(AceFlags2, INHERIT_ONLY_ACE) ? GenericMask2 : SpecificMask2);
447 }
448 else if (ParentUsable)
449 {
451 {
452 if (FlagOn(AceFlags, CONTAINER_INHERIT_ACE) && (SpecificMask != GenericMask || SpecificSid != GenericSid))
454 ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | (AceFlags & OBJECT_INHERIT_ACE), GenericSid, GenericMask);
455 else
456 CheckAcl(Dacl, 1, ACCESS_ALLOWED_ACE_TYPE, (FlagOn(AceFlags, CONTAINER_INHERIT_ACE) ? 0 : INHERIT_ONLY_ACE) |
458 }
459 else
461 }
462 else
463 {
464 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
466 }
471 EndTestAssignLoop()
472 }
473 }
474 }
475
476 /* NULL parameters */
478 KmtStartSeh()
480 NULL,
481 NULL,
482 FALSE,
483 SubjectContext,
484 &GenericMapping,
485 PagedPool);
488
490 KmtStartSeh()
492 NULL,
493 &SecurityDescriptor,
494 FALSE,
495 NULL,
496 &GenericMapping,
497 PagedPool);
502
504 KmtStartSeh()
506 NULL,
507 NULL,
508 FALSE,
509 NULL,
510 &GenericMapping,
511 PagedPool);
514
515 /* Test with Token == NULL */
516 if (1)
517 {
518 /* Crash in SeLockSubjectContext while holding a critical region */
520 KmtStartSeh()
523 NULL,
524 &SecurityDescriptor,
525 FALSE,
526 SubjectContext,
527 &GenericMapping,
528 PagedPool);
531 KeLeaveCriticalRegion();
534 }
536
537 /* Test with NULL owner in Token */
538 if (1)
539 {
540 /* Crash after locking the subject context */
541 PSID OldOwner;
544 KmtStartSeh()
547 NULL,
548 &SecurityDescriptor,
549 FALSE,
550 SubjectContext,
551 &GenericMapping,
552 PagedPool);
558 }
560
561 /* Test with NULL group in Token */
562 if (1)
563 {
564 PSID OldGroup;
565 OldGroup = Token->PrimaryGroup;
567 KmtStartSeh()
570 NULL,
571 &SecurityDescriptor,
572 FALSE,
573 SubjectContext,
574 &GenericMapping,
575 PagedPool);
578 SeDeassignSecurity(&SecurityDescriptor);
581 }
583
584 /* Test with NULL DACL in Token */
585 if (1)
586 {
587 PACL OldDacl;
588 OldDacl = Token->DefaultDacl;
590 KmtStartSeh()
596 EndTestAssign()
598 Token->DefaultDacl = OldDacl;
599 }
601
602 /* SEF_DEFAULT_OWNER_FROM_PARENT/SEF_DEFAULT_GROUP_FROM_PARENT */
605 NULL,
606 &SecurityDescriptor,
607 NULL,
608 FALSE,
610 SubjectContext,
611 &GenericMapping,
612 PagedPool);
615 SeDeassignSecurity(&SecurityDescriptor);
618 NULL,
619 &SecurityDescriptor,
620 NULL,
621 FALSE,
623 SubjectContext,
624 &GenericMapping,
625 PagedPool);
628 SeDeassignSecurity(&SecurityDescriptor);
631 NULL,
632 &SecurityDescriptor,
633 NULL,
634 FALSE,
636 SubjectContext,
637 &GenericMapping,
638 PagedPool);
641 SeDeassignSecurity(&SecurityDescriptor);
642
643 /* Quick test whether inheritance for SACLs behaves the same as DACLs */
645 FALSE,
646 NULL,
647 FALSE);
650 FALSE,
651 NULL,
652 FALSE);
654 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
655 {
657 TRUE,
658 NULL,
659 BooleanFlagOn(UsingDefault, 1));
662 TRUE,
663 NULL,
664 BooleanFlagOn(UsingDefault, 2));
666
671 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
679 EndTestAssign()
680 }
681
682 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
683 {
685 TRUE,
686 &EmptyAcl,
687 BooleanFlagOn(UsingDefault, 1));
690 TRUE,
691 &EmptyAcl,
692 BooleanFlagOn(UsingDefault, 2));
694
699 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
707 EndTestAssign()
708 }
709
710 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
711 {
714 Status = RtlxAddAuditAccessAceEx(Acl, ACL_REVISION, 0, READ_CONTROL, SeExports->SeWorldSid, TRUE, TRUE);
717 TRUE,
718 Acl,
719 BooleanFlagOn(UsingDefault, 1));
722 TRUE,
723 Acl,
724 BooleanFlagOn(UsingDefault, 2));
726
731 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
734 CheckAcl(Sacl, 1, SYSTEM_AUDIT_ACE_TYPE, SUCCESSFUL_ACCESS_ACE_FLAG | FAILED_ACCESS_ACE_FLAG, SeExports->SeWorldSid, READ_CONTROL);
739 EndTestAssign()
740 }
741
742 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
743 {
746 Status = RtlxAddAuditAccessAceEx(Acl, ACL_REVISION, OBJECT_INHERIT_ACE, READ_CONTROL, SeExports->SeCreatorOwnerSid, TRUE, TRUE);
749 TRUE,
750 Acl,
751 BooleanFlagOn(UsingDefault, 1));
754 TRUE,
755 Acl,
756 BooleanFlagOn(UsingDefault, 2));
758
761 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
764 CheckAcl(Sacl, 1, SYSTEM_AUDIT_ACE_TYPE, SUCCESSFUL_ACCESS_ACE_FLAG | FAILED_ACCESS_ACE_FLAG, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid, READ_CONTROL);
769 EndTestAssign()
772 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
775 CheckAcl(Sacl, 1, SYSTEM_AUDIT_ACE_TYPE, OBJECT_INHERIT_ACE | SUCCESSFUL_ACCESS_ACE_FLAG | FAILED_ACCESS_ACE_FLAG, SeExports->SeCreatorOwnerSid, READ_CONTROL);
780 EndTestAssign()
781 }
782
783 /* ACE type that Win2003 doesn't know about (> ACCESS_MAX_MS_ACE_TYPE) */
784 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
785 {
788 Status = RtlxAddMandatoryLabelAceEx(Acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SeExports->SeWorldSid);
791 TRUE,
792 Acl,
793 BooleanFlagOn(UsingDefault, 1));
796 TRUE,
797 Acl,
798 BooleanFlagOn(UsingDefault, 2));
800
805 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
808 CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0, SeExports->SeWorldSid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP);
813 EndTestAssign()
814 }
815
816 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
817 {
820 Status = RtlxAddMandatoryLabelAceEx(Acl, ACL_REVISION, OBJECT_INHERIT_ACE, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SeExports->SeCreatorOwnerSid);
823 TRUE,
824 Acl,
825 BooleanFlagOn(UsingDefault, 1));
828 TRUE,
829 Acl,
830 BooleanFlagOn(UsingDefault, 2));
832
835 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
838 CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP);
843 EndTestAssign()
846 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
849 CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, OBJECT_INHERIT_ACE, SeExports->SeCreatorOwnerSid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP);
854 EndTestAssign()
855 }
856
857 /* TODO: Test object/compound ACEs */
858 /* TODO: Test duplicate ACEs */
859 /* TODO: Test INHERITED_ACE flag */
860 /* TODO: Test invalid ACE flags */
861 /* TODO: Test more AutoInheritFlags values */
862
863 ExFreePoolWithTag(Acl2, 'ASmK');
864 ExFreePoolWithTag(Acl, 'ASmK');
865}
#define EndTestAssignLoop()
#define TestAssignExpectDefaultAll()
#define StartTestAssignLoop(Parent, Explicit)
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAceEx(PACL, DWORD, DWORD, DWORD, PSID)
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
NTSTATUS RtlxAddAuditAccessAceEx(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ULONG Flags, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid, _In_ BOOLEAN Success, _In_ BOOLEAN Failure)
Definition: SeHelpers.c:12
NTSTATUS RtlxAddMandatoryLabelAceEx(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ULONG Flags, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid)
Definition: SeHelpers.c:53
struct _ACL ACL
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID _Inout_ PULONG _Out_writes_bytes_to_opt_ PrimaryGroupSize PSID PrimaryGroup
Definition: rtlfuncs.h:1599
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL Sacl
Definition: rtlfuncs.h:1595
NTSYSAPI NTSTATUS NTAPI RtlSetSaclSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN SaclPresent, IN PACL Sacl, IN BOOLEAN SaclDefaulted)
Definition: sd.c:342
Definition: ms-dtyp.idl:215
Definition: ms-dtyp.idl:198
Definition: setypes.h:216
VOID NTAPI SeUnlockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Unlocks both the referenced primary and client access tokens of a security subject context.
Definition: subject.c:138
NTKERNELAPI NTSTATUS NTAPI SeAssignSecurityEx(_In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor, _In_opt_ PSECURITY_DESCRIPTOR ExplicitDescriptor, _Out_ PSECURITY_DESCRIPTOR *NewDescriptor, _In_opt_ GUID *ObjectType, _In_ BOOLEAN IsDirectoryObject, _In_ ULONG AutoInheritFlags, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PGENERIC_MAPPING GenericMapping, _In_ POOL_TYPE PoolType)
#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
Definition: setypes.h:804
Referenced by SystemThread().
Variable Documentation
◆ GenericMapping
|
static |
Initial value:
=
{
STANDARD_RIGHTS_READ | 0x1001,
STANDARD_RIGHTS_WRITE | 0x2002,
STANDARD_RIGHTS_EXECUTE | 0x4004,
STANDARD_RIGHTS_ALL | 0x800F,
}
Definition at line 11 of file SeInheritance.c.
Referenced by AccessCheck(), AccessCheckAndAuditAlarmA(), AccessCheckAndAuditAlarmW(), CheckTokenMembership(), CmpSecurityMethod(), CreatePrivateObjectSecurity(), CreatePrivateObjectSecurityWithMultipleInheritance(), IopGetSetSecurityObject(), IopSetDeviceSecurityDescriptor(), IopSetDeviceSecurityDescriptors(), NtAccessCheck(), NtAccessCheckAndAuditAlarm(), NtAccessCheckByTypeAndAuditAlarm(), NtAccessCheckByTypeResultListAndAuditAlarm(), NtAccessCheckByTypeResultListAndAuditAlarmByHandle(), ObOpenObjectByName(), ObSetSecurityDescriptorInfo(), RtlConvertToAutoInheritSecurityObject(), RtlCreateUserSecurityObject(), RtlMapGenericMask(), RtlNewInstanceSecurityObject(), RtlNewSecurityGrantedAccess(), RtlNewSecurityObject(), RtlNewSecurityObjectEx(), RtlNewSecurityObjectWithMultipleInheritance(), RtlSetSecurityObject(), RtlSetSecurityObjectEx(), SeAccessCheck(), SeCreateAccessState(), SeCreateAccessStateEx(), SeDefaultObjectMethod(), SepAccessCheck(), SepAccessCheckAndAuditAlarm(), SepAnalyzeAcesFromDacl(), SepPropagateAcl(), SepSelectAcl(), SeSetAccessStateGenericMapping(), SetPrivateObjectSecurity(), START_TEST(), TestSeAssignSecurity(), and WmipSecurityMethod().
