ReactOS 0.4.16-dev-106-g10b08aa
SeInheritance.c File Reference
#include <kmt_test.h>
#include "se.h"
Include dependency graph for SeInheritance.c:

Go to the source code of this file.

Macros

#define StartTestAssign(Parent, Explicit, IsDir, GotDacl, GotSacl)
 
#define EndTestAssign()
 
#define StartTestAssignLoop(Parent, Explicit)
 
#define EndTestAssignLoop()
 
#define TestAssignExpectDefault(Parent, Explicit, IsDir)
 
#define TestAssignExpectDefaultAll()
 

Functions

static VOID TestSeAssignSecurity (_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
 
static VOID NTAPI SystemThread (_In_ PVOID Context)
 
static VOID TestObRootSecurity (VOID)
 
 START_TEST (SeInheritance)
 

Variables

static GENERIC_MAPPING GenericMapping
 

Macro Definition Documentation

◆ EndTestAssign

#define EndTestAssign ( )
Value:
SeDeassignSecurity(&SecurityDescriptor); \
}
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:191

◆ EndTestAssignLoop

#define EndTestAssignLoop ( )
Value:
} \
} \
} \
}
#define EndTestAssign()

◆ StartTestAssign

#define StartTestAssign (   Parent,
  Explicit,
  IsDir,
  GotDacl,
  GotSacl 
)

◆ StartTestAssignLoop

#define StartTestAssignLoop (   Parent,
  Explicit 
)
Value:
{ \
BOOLEAN IsDir; \
BOOLEAN UsingParent; \
BOOLEAN UsingExplicit; \
for (IsDir = FALSE; IsDir <= TRUE; IsDir++) \
{ \
for (UsingParent = FALSE; UsingParent <= TRUE; UsingParent++) \
{ \
for (UsingExplicit = FALSE; UsingExplicit <= TRUE; UsingExplicit++) \
{ \
StartTestAssign(UsingParent ? Parent : NULL, \
UsingExplicit ? Explicit : NULL, \
IsDir, \
TRUE, \
unsigned char BOOLEAN
ACPI_PHYSICAL_ADDRESS ACPI_SIZE BOOLEAN Warn UINT32 *TableIdx UINT32 ACPI_TABLE_HEADER *OutTableHeader ACPI_TABLE_HEADER **OutTable ACPI_HANDLE UINT32 ACPI_WALK_CALLBACK ACPI_WALK_CALLBACK void void **ReturnValue UINT32 ACPI_BUFFER *RetPathPtr ACPI_OBJECT_HANDLER void *Data ACPI_OBJECT_HANDLER void **Data ACPI_STRING ACPI_OBJECT_LIST ACPI_BUFFER *ReturnObjectBuffer ACPI_DEVICE_INFO **ReturnBuffer ACPI_HANDLE Parent
Definition: acpixf.h:732
#define NULL
Definition: types.h:112
#define TRUE
Definition: types.h:120
#define FALSE
Definition: types.h:117

◆ TestAssignExpectDefault

#define TestAssignExpectDefault (   Parent,
  Explicit,
  IsDir 
)
Value:
StartTestAssign(Parent, Explicit, IsDir, TRUE, FALSE) \
ok_eq_uint(DaclDefaulted, FALSE); \
ok_eq_uint(OwnerDefaulted, FALSE); \
CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid); \
ok_eq_uint(GroupDefaulted, FALSE); \
CheckSid(Group, NO_SIZE, Token->PrimaryGroup); \
EndTestAssign()
#define StartTestAssign(Parent, Explicit, IsDir, GotDacl, GotSacl)
#define NO_SIZE
Definition: se.h:29
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1605
_In_opt_ PSID Group
Definition: rtlfuncs.h:1658
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID Owner
Definition: rtlfuncs.h:1609
_In_opt_ PSID _In_opt_ BOOLEAN GroupDefaulted
Definition: rtlfuncs.h:1660
_In_opt_ PSID _In_opt_ BOOLEAN OwnerDefaulted
Definition: rtlfuncs.h:1684
_In_ BOOLEAN _In_opt_ PACL _In_opt_ BOOLEAN DaclDefaulted
Definition: rtlfuncs.h:1650
#define STANDARD_RIGHTS_READ
Definition: nt_native.h:65
#define STANDARD_RIGHTS_ALL
Definition: nt_native.h:69
PSE_EXPORTS SeExports
Definition: semgr.c:21
PSID SeAliasAdminsSid
Definition: setypes.h:1229
PSID SeLocalSystemSid
Definition: setypes.h:1228
#define ACCESS_ALLOWED_ACE_TYPE
Definition: setypes.h:717

◆ TestAssignExpectDefaultAll

#define TestAssignExpectDefaultAll ( )
Value:
TestAssignExpectDefault(&ParentDescriptor, NULL, FALSE) \
TestAssignExpectDefault(&ParentDescriptor, NULL, TRUE) \
TestAssignExpectDefault(NULL, &ExplicitDescriptor, FALSE) \
TestAssignExpectDefault(NULL, &ExplicitDescriptor, TRUE) \
TestAssignExpectDefault(&ParentDescriptor, &ExplicitDescriptor, FALSE) \
TestAssignExpectDefault(&ParentDescriptor, &ExplicitDescriptor, TRUE)
#define TestAssignExpectDefault(Parent, Explicit, IsDir)
_In_opt_ PSECURITY_DESCRIPTOR ExplicitDescriptor
Definition: sefuncs.h:29

Function Documentation

◆ START_TEST()

START_TEST ( SeInheritance  )

Definition at line 948 of file SeInheritance.c.

949{
951
955}
static VOID TestObRootSecurity(VOID)
static VOID NTAPI SystemThread(_In_ PVOID Context)
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
PKTHREAD KmtStartThread(IN PKSTART_ROUTINE StartRoutine, IN PVOID StartContext OPTIONAL)
VOID KmtFinishThread(IN PKTHREAD Thread OPTIONAL, IN PKEVENT Event OPTIONAL)

◆ SystemThread()

static VOID NTAPI SystemThread ( _In_ PVOID  Context)
static

Definition at line 870 of file SeInheritance.c.

872{
875
878 /* TODO: Test SeSetSecurityDescrptorInfo[Ex] */
880}
static VOID TestSeAssignSecurity(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: SeInheritance.c:21
#define ok_eq_pointer(value, expected)
Definition: apitest.h:59
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2246
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
Definition: subject.c:171
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: subject.c:85

Referenced by FxSystemThread::_CreateAndInit(), and START_TEST().

◆ TestObRootSecurity()

static VOID TestObRootSecurity ( VOID  )
static

Definition at line 884 of file SeInheritance.c.

885{
887 UNICODE_STRING ObjectPath = RTL_CONSTANT_STRING(L"\\");
893 PACL Acl;
894 BOOLEAN Present;
895 BOOLEAN Defaulted;
896
898 &ObjectPath,
900 NULL,
901 NULL);
903 0,
906 if (skip(NT_SUCCESS(Status), "No handle\n"))
907 return;
909 0,
910 NULL,
913 NULL);
916 if (skip(NT_SUCCESS(Status), "No object\n"))
917 return;
923 if (skip(NT_SUCCESS(Status), "No security\n"))
924 return;
926 &Present,
927 &Acl,
928 &Defaulted);
930 ok_eq_uint(Present, TRUE);
931 if (!skip(NT_SUCCESS(Status) && Present, "No DACL\n"))
932 {
933 ok_eq_uint(Defaulted, FALSE);
938 }
940 &Present,
941 &Acl,
942 &Defaulted);
944 ok_eq_uint(Present, FALSE);
946}
#define ok_eq_hex(value, expected)
Definition: apitest.h:77
#define ok_eq_uint(value, expected)
Definition: apitest.h:61
#define skip(...)
Definition: atltest.h:64
LONG NTSTATUS
Definition: precomp.h:26
WCHAR RootDirectory[MAX_PATH]
Definition: format.c:74
IN PUNICODE_STRING IN POBJECT_ATTRIBUTES ObjectAttributes
Definition: conport.c:36
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:33
ULONG Handle
Definition: gdb_input.c:15
Status
Definition: gdiplustypes.h:25
#define OBJ_KERNEL_HANDLE
Definition: winternl.h:231
#define OBJ_CASE_INSENSITIVE
Definition: winternl.h:228
#define CheckAcl(Acl, AceCount,...)
Definition: se.h:47
#define InitializeObjectAttributes(p, n, a, r, s)
Definition: reg.c:106
#define KernelMode
Definition: asm.h:34
NTSYSAPI NTSTATUS NTAPI ZwOpenDirectoryObject(_Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes)
NTSYSAPI NTSTATUS NTAPI RtlGetSaclSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN SaclPresent, _Out_ PACL *Sacl, _Out_ PBOOLEAN SaclDefaulted)
NTSYSAPI NTSTATUS NTAPI RtlGetDaclSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN DaclPresent, _Out_ PACL *Dacl, _Out_ PBOOLEAN DaclDefaulted)
#define DIRECTORY_QUERY
Definition: nt_native.h:1254
#define DIRECTORY_TRAVERSE
Definition: nt_native.h:1255
#define DIRECTORY_ALL_ACCESS
Definition: nt_native.h:1259
#define L(x)
Definition: ntvdm.h:50
NTSTATUS NTAPI ObCloseHandle(IN HANDLE Handle, IN KPROCESSOR_MODE AccessMode)
Definition: obhandle.c:3379
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
NTSTATUS NTAPI ObGetObjectSecurity(IN PVOID Object, OUT PSECURITY_DESCRIPTOR *SecurityDescriptor, OUT PBOOLEAN MemoryAllocated)
Definition: obsecure.c:611
VOID NTAPI ObReleaseObjectSecurity(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN MemoryAllocated)
Definition: obsecure.c:709
#define STATUS_SUCCESS
Definition: shellext.h:65
PSID SeRestrictedSid
Definition: setypes.h:1238
PSID SeWorldSid
Definition: setypes.h:1219
#define RTL_CONSTANT_STRING(s)
Definition: tunneltest.c:14
#define ObDereferenceObject
Definition: obfuncs.h:203
_Out_ PSECURITY_DESCRIPTOR _Out_ PBOOLEAN MemoryAllocated
Definition: obfuncs.h:24

Referenced by START_TEST().

◆ TestSeAssignSecurity()

static VOID TestSeAssignSecurity ( _In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext)
static

Definition at line 21 of file SeInheritance.c.

23{
27 SECURITY_DESCRIPTOR ParentDescriptor;
29 ACL EmptyAcl;
30 PACL Acl;
31 PACL Acl2;
32 ULONG AclSize;
33 ULONG UsingDefault;
34 ULONG CanInherit;
36 ULONG AceFlags2;
37 ULONG Access;
38 PSID GenericSid;
39 PSID GenericSid2;
40 ACCESS_MASK GenericMask;
41 ACCESS_MASK GenericMask2;
42 PSID SpecificSid;
43 ACCESS_MASK SpecificMask;
44 ACCESS_MASK SpecificMask2;
45 BOOLEAN ParentUsable;
46
47 Token = SubjectContext->PrimaryToken;
50 CheckSid(Token->UserAndGroups[Token->DefaultOwnerIndex].Sid, NO_SIZE, SeExports->SeAliasAdminsSid);
52// Flags with no effect on current tests: SEF_SACL_AUTO_INHERIT, SEF_DEFAULT_DESCRIPTOR_FOR_OBJECT
53#define StartTestAssign(Parent, Explicit, IsDir, GotDacl, GotSacl) \
54 SecurityDescriptor = NULL; \
55 Status = SeAssignSecurity (Parent, \
56 Explicit, \
57 &SecurityDescriptor, \
58 /*NULL,*/ \
59 IsDir, \
60 /*0,*/ \
61 SubjectContext, \
62 &GenericMapping, \
63 PagedPool); \
64 ok_eq_hex(Status, STATUS_SUCCESS); \
65 if (!skip(NT_SUCCESS(Status), "No security\n")) \
66 { \
67 PACL Dacl, Sacl; \
68 PSID Owner, Group; \
69 BOOLEAN Present; \
70 BOOLEAN DaclDefaulted, SaclDefaulted; \
71 BOOLEAN OwnerDefaulted, GroupDefaulted; \
72 Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor, \
73 &Present, \
74 &Dacl, \
75 &DaclDefaulted); \
76 ok_eq_hex(Status, STATUS_SUCCESS); \
77 ok_eq_uint(Present, GotDacl); \
78 if (!NT_SUCCESS(Status) || !Present) \
79 Dacl = NULL; \
80 Status = RtlGetSaclSecurityDescriptor(SecurityDescriptor, \
81 &Present, \
82 &Sacl, \
83 &SaclDefaulted); \
84 ok_eq_hex(Status, STATUS_SUCCESS); \
85 ok_eq_uint(Present, GotSacl); \
86 if (!NT_SUCCESS(Status) || !Present) \
87 Sacl = NULL; \
88 Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor, \
89 &Owner, \
90 &OwnerDefaulted); \
91 ok_eq_hex(Status, STATUS_SUCCESS); \
92 if (skip(NT_SUCCESS(Status), "No owner\n")) \
93 Owner = NULL; \
94 Status = RtlGetGroupSecurityDescriptor(SecurityDescriptor, \
95 &Group, \
96 &GroupDefaulted); \
97 ok_eq_hex(Status, STATUS_SUCCESS); \
98 if (skip(NT_SUCCESS(Status), "No group\n")) \
99 Group = NULL;
100
101#define EndTestAssign() \
102 SeDeassignSecurity(&SecurityDescriptor); \
103 }
104#define StartTestAssignLoop(Parent, Explicit) \
105 { \
106 BOOLEAN IsDir; \
107 BOOLEAN UsingParent; \
108 BOOLEAN UsingExplicit; \
109 for (IsDir = FALSE; IsDir <= TRUE; IsDir++) \
110 { \
111 for (UsingParent = FALSE; UsingParent <= TRUE; UsingParent++) \
112 { \
113 for (UsingExplicit = FALSE; UsingExplicit <= TRUE; UsingExplicit++) \
114 { \
115 StartTestAssign(UsingParent ? Parent : NULL, \
116 UsingExplicit ? Explicit : NULL, \
117 IsDir, \
118 TRUE, \
119 FALSE)
120#define EndTestAssignLoop() \
121 EndTestAssign() \
122 } \
123 } \
124 } \
125 }
126#define TestAssignExpectDefault(Parent, Explicit, IsDir) \
127 StartTestAssign(Parent, Explicit, IsDir, TRUE, FALSE) \
128 ok_eq_uint(DaclDefaulted, FALSE); \
129 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F, \
130 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005); \
131 ok_eq_uint(OwnerDefaulted, FALSE); \
132 CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid); \
133 ok_eq_uint(GroupDefaulted, FALSE); \
134 CheckSid(Group, NO_SIZE, Token->PrimaryGroup); \
135 EndTestAssign()
136#define TestAssignExpectDefaultAll() \
137 TestAssignExpectDefault(&ParentDescriptor, NULL, FALSE) \
138 TestAssignExpectDefault(&ParentDescriptor, NULL, TRUE) \
139 TestAssignExpectDefault(NULL, &ExplicitDescriptor, FALSE) \
140 TestAssignExpectDefault(NULL, &ExplicitDescriptor, TRUE) \
141 TestAssignExpectDefault(&ParentDescriptor, &ExplicitDescriptor, FALSE) \
142 TestAssignExpectDefault(&ParentDescriptor, &ExplicitDescriptor, TRUE)
143
146
147 /* Empty parent/explicit descriptors */
148 Status = RtlCreateSecurityDescriptor(&ParentDescriptor,
155
156 /* NULL DACL in parent/explicit descriptor */
157 for (UsingDefault = FALSE; UsingDefault <= TRUE; UsingDefault++)
158 {
159 Status = RtlSetDaclSecurityDescriptor(&ParentDescriptor,
160 TRUE,
161 NULL,
162 UsingDefault);
165 TRUE,
166 NULL,
167 UsingDefault);
169 StartTestAssignLoop(&ParentDescriptor, &ExplicitDescriptor)
170 //trace("Explicit %u, Parent %u, Dir %u, Default %u\n", UsingExplicit, UsingParent, IsDir, UsingDefault);
172 if (UsingExplicit)
173 {
174 ok(Dacl == NULL, "Dacl = %p\n", Dacl);
175 }
176 else
177 {
180 }
186 }
187
188 /* Empty default DACL in parent/explicit descriptor */
189 for (UsingDefault = FALSE; UsingDefault <= TRUE; UsingDefault++)
190 {
191 Status = RtlCreateAcl(&EmptyAcl, sizeof(EmptyAcl), ACL_REVISION);
193 Status = RtlSetDaclSecurityDescriptor(&ParentDescriptor,
194 TRUE,
195 &EmptyAcl,
196 UsingDefault);
199 TRUE,
200 &EmptyAcl,
201 UsingDefault);
203 StartTestAssignLoop(&ParentDescriptor, &ExplicitDescriptor)
204 //trace("Explicit %u, Parent %u, Dir %u, Default %u\n", UsingExplicit, UsingParent, IsDir, UsingDefault);
206 if (UsingExplicit)
207 {
208 CheckAcl(Dacl, 0);
209 }
210 else
211 {
214 }
220 }
221
222
223 AclSize = sizeof(ACL) + FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + RtlLengthSid(SeExports->SeWorldSid);
224 Acl = ExAllocatePoolWithTag(PagedPool, AclSize, 'ASmK');
225 if (skip(Acl != NULL, "Out of memory\n"))
226 return;
227
228 Acl2 = ExAllocatePoolWithTag(PagedPool, AclSize, 'ASmK');
229 if (skip(Acl2 != NULL, "Out of memory\n"))
230 {
231 ExFreePoolWithTag(Acl, 'ASmK');
232 return;
233 }
234
235 /* Simple DACL in parent/explicit descriptor */
236 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
237 {
238 Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION);
242 Status = RtlSetDaclSecurityDescriptor(&ParentDescriptor,
243 TRUE,
244 Acl,
245 BooleanFlagOn(UsingDefault, 1));
248 TRUE,
249 Acl,
250 BooleanFlagOn(UsingDefault, 2));
252 StartTestAssignLoop(&ParentDescriptor, &ExplicitDescriptor)
253 //trace("Explicit %u, Parent %u, Dir %u, Default %u\n", UsingExplicit, UsingParent, IsDir, UsingDefault);
255 if (UsingExplicit)
256 {
258 }
259 else
260 {
263 }
269 }
270
271 /* Object-inheritable DACL in parent/explicit descriptor */
272 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
273 {
274 Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION);
278 Status = RtlSetDaclSecurityDescriptor(&ParentDescriptor,
279 TRUE,
280 Acl,
281 BooleanFlagOn(UsingDefault, 1));
284 TRUE,
285 Acl,
286 BooleanFlagOn(UsingDefault, 2));
288 StartTestAssignLoop(&ParentDescriptor, &ExplicitDescriptor)
289 //trace("Explicit %u, Parent %u, Dir %u, Default %u\n", UsingExplicit, UsingParent, IsDir, UsingDefault);
291 if (UsingExplicit && (!UsingParent || !FlagOn(UsingDefault, 2)))
292 {
294 }
295 else if (UsingParent)
296 {
298 }
299 else
300 {
303 }
309 }
310
311 /* Container-inheritable DACL in parent/explicit descriptor */
312 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
313 {
314 Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION);
318 Status = RtlSetDaclSecurityDescriptor(&ParentDescriptor,
319 TRUE,
320 Acl,
321 BooleanFlagOn(UsingDefault, 1));
324 TRUE,
325 Acl,
326 BooleanFlagOn(UsingDefault, 2));
328 StartTestAssignLoop(&ParentDescriptor, &ExplicitDescriptor)
329 //trace("Explicit %u, Parent %u, Dir %u, Default %u\n", UsingExplicit, UsingParent, IsDir, UsingDefault);
331 if (UsingExplicit || (UsingParent && IsDir))
332 {
334 }
335 else
336 {
339 }
345 }
346
347 /* Fully inheritable DACL in parent/explicit descriptor */
348 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
349 {
350 Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION);
354 Status = RtlSetDaclSecurityDescriptor(&ParentDescriptor,
355 TRUE,
356 Acl,
357 BooleanFlagOn(UsingDefault, 1));
360 TRUE,
361 Acl,
362 BooleanFlagOn(UsingDefault, 2));
364 StartTestAssignLoop(&ParentDescriptor, &ExplicitDescriptor)
365 //trace("Explicit %u, Parent %u, Dir %u, Default %u\n", UsingExplicit, UsingParent, IsDir, UsingDefault);
367 if (UsingExplicit && (!UsingParent || !FlagOn(UsingDefault, 2)))
368 {
370 }
371 else if (UsingParent)
372 {
374 }
375 else
376 {
379 }
385 }
386
387 /* Different DACLs in parent and explicit descriptors */
388 for (Access = 0; Access <= 1; Access++)
389 {
390 if (Access == 1)
391 {
392 GenericSid = SeExports->SeCreatorOwnerSid;
393 SpecificSid = SeExports->SeAliasAdminsSid;
394 GenericMask = GENERIC_READ;
395 SpecificMask = STANDARD_RIGHTS_READ | 0x0001;
396 GenericSid2 = SeExports->SeCreatorGroupSid;
397 GenericMask2 = GENERIC_EXECUTE;
398 SpecificMask2 = STANDARD_RIGHTS_EXECUTE | 0x0004;
399 }
400 else
401 {
402 GenericSid = SeExports->SeWorldSid;
403 SpecificSid = SeExports->SeWorldSid;
404 GenericMask = READ_CONTROL;
405 SpecificMask = READ_CONTROL;
406 GenericSid2 = SeExports->SeLocalSystemSid;
407 GenericMask2 = SYNCHRONIZE;
408 SpecificMask2 = SYNCHRONIZE;
409 }
410 for (CanInherit = 0; CanInherit <= 255; CanInherit++)
411 {
412 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
413 {
414 Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION);
416 AceFlags = CanInherit & 0xf;
417 Status = RtlAddAccessAllowedAceEx(Acl, ACL_REVISION, AceFlags, GenericMask, GenericSid);
419 Status = RtlCreateAcl(Acl2, AclSize, ACL_REVISION);
421 AceFlags2 = CanInherit >> 4;
422 Status = RtlAddAccessAllowedAceEx(Acl2, ACL_REVISION, AceFlags2, GenericMask2, GenericSid2);
424 Status = RtlSetDaclSecurityDescriptor(&ParentDescriptor,
425 TRUE,
426 Acl,
427 BooleanFlagOn(UsingDefault, 1));
430 TRUE,
431 Acl2,
432 BooleanFlagOn(UsingDefault, 2));
434 StartTestAssignLoop(&ParentDescriptor, &ExplicitDescriptor)
435 //trace("Explicit %u, Parent %u, Dir %u, Default %u, Inherit %u, Access %u\n", UsingExplicit, UsingParent, IsDir, UsingDefault, CanInherit, Access);
437 ParentUsable = UsingParent;
438 if (!IsDir && !FlagOn(AceFlags, OBJECT_INHERIT_ACE))
439 ParentUsable = FALSE;
440 else if (IsDir && !FlagOn(AceFlags, CONTAINER_INHERIT_ACE) &&
442 ParentUsable = FALSE;
443
444 if (UsingExplicit && (!FlagOn(UsingDefault, 2) || !ParentUsable))
445 {
446 CheckAcl(Dacl, 1, ACCESS_ALLOWED_ACE_TYPE, AceFlags2, GenericSid2, FlagOn(AceFlags2, INHERIT_ONLY_ACE) ? GenericMask2 : SpecificMask2);
447 }
448 else if (ParentUsable)
449 {
451 {
452 if (FlagOn(AceFlags, CONTAINER_INHERIT_ACE) && (SpecificMask != GenericMask || SpecificSid != GenericSid))
453 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SpecificSid, SpecificMask,
455 else
457 (AceFlags & (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE)), GenericSid, GenericMask);
458 }
459 else
460 CheckAcl(Dacl, 1, ACCESS_ALLOWED_ACE_TYPE, 0, SpecificSid, SpecificMask);
461 }
462 else
463 {
466 }
472 }
473 }
474 }
475
476 /* NULL parameters */
477 ok_bool_false(KeAreApcsDisabled(), "KeAreApcsDisabled returned");
479 Status = SeAssignSecurity(NULL,
480 NULL,
481 NULL,
482 FALSE,
485 PagedPool);
488
491 Status = SeAssignSecurity(NULL,
492 NULL,
494 FALSE,
495 NULL,
497 PagedPool);
502
505 Status = SeAssignSecurity(NULL,
506 NULL,
507 NULL,
508 FALSE,
509 NULL,
511 PagedPool);
514
515 /* Test with Token == NULL */
516 if (1)
517 {
518 /* Crash in SeLockSubjectContext while holding a critical region */
519 SubjectContext->PrimaryToken = NULL;
522 Status = SeAssignSecurity(NULL,
523 NULL,
525 FALSE,
528 PagedPool);
533 SubjectContext->PrimaryToken = Token;
534 }
536
537 /* Test with NULL owner in Token */
538 if (1)
539 {
540 /* Crash after locking the subject context */
541 PSID OldOwner;
542 OldOwner = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
543 Token->UserAndGroups[Token->DefaultOwnerIndex].Sid = NULL;
546 Status = SeAssignSecurity(NULL,
547 NULL,
549 FALSE,
552 PagedPool);
557 Token->UserAndGroups[Token->DefaultOwnerIndex].Sid = OldOwner;
558 }
560
561 /* Test with NULL group in Token */
562 if (1)
563 {
564 PSID OldGroup;
565 OldGroup = Token->PrimaryGroup;
566 Token->PrimaryGroup = NULL;
569 Status = SeAssignSecurity(NULL,
570 NULL,
572 FALSE,
575 PagedPool);
578 SeDeassignSecurity(&SecurityDescriptor);
580 Token->PrimaryGroup = OldGroup;
581 }
583
584 /* Test with NULL DACL in Token */
585 if (1)
586 {
587 PACL OldDacl;
588 OldDacl = Token->DefaultDacl;
589 Token->DefaultDacl = NULL;
593 CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
598 Token->DefaultDacl = OldDacl;
599 }
601
602 /* SEF_DEFAULT_OWNER_FROM_PARENT/SEF_DEFAULT_GROUP_FROM_PARENT */
605 NULL,
607 NULL,
608 FALSE,
612 PagedPool);
615 SeDeassignSecurity(&SecurityDescriptor);
618 NULL,
620 NULL,
621 FALSE,
625 PagedPool);
628 SeDeassignSecurity(&SecurityDescriptor);
631 NULL,
633 NULL,
634 FALSE,
638 PagedPool);
641 SeDeassignSecurity(&SecurityDescriptor);
642
643 /* Quick test whether inheritance for SACLs behaves the same as DACLs */
644 Status = RtlSetDaclSecurityDescriptor(&ParentDescriptor,
645 FALSE,
646 NULL,
647 FALSE);
650 FALSE,
651 NULL,
652 FALSE);
654 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
655 {
656 Status = RtlSetSaclSecurityDescriptor(&ParentDescriptor,
657 TRUE,
658 NULL,
659 BooleanFlagOn(UsingDefault, 1));
662 TRUE,
663 NULL,
664 BooleanFlagOn(UsingDefault, 2));
666
667 TestAssignExpectDefault(&ParentDescriptor, NULL, FALSE)
668 TestAssignExpectDefault(&ParentDescriptor, NULL, TRUE)
676 CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
678 CheckSid(Group, NO_SIZE, Token->PrimaryGroup);
680 }
681
682 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
683 {
684 Status = RtlSetSaclSecurityDescriptor(&ParentDescriptor,
685 TRUE,
686 &EmptyAcl,
687 BooleanFlagOn(UsingDefault, 1));
690 TRUE,
691 &EmptyAcl,
692 BooleanFlagOn(UsingDefault, 2));
694
695 TestAssignExpectDefault(&ParentDescriptor, NULL, FALSE)
696 TestAssignExpectDefault(&ParentDescriptor, NULL, TRUE)
702 CheckAcl(Sacl, 0);
704 CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
706 CheckSid(Group, NO_SIZE, Token->PrimaryGroup);
708 }
709
710 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
711 {
712 Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION);
716 Status = RtlSetSaclSecurityDescriptor(&ParentDescriptor,
717 TRUE,
718 Acl,
719 BooleanFlagOn(UsingDefault, 1));
722 TRUE,
723 Acl,
724 BooleanFlagOn(UsingDefault, 2));
726
727 TestAssignExpectDefault(&ParentDescriptor, NULL, FALSE)
728 TestAssignExpectDefault(&ParentDescriptor, NULL, TRUE)
736 CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
738 CheckSid(Group, NO_SIZE, Token->PrimaryGroup);
740 }
741
742 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
743 {
744 Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION);
748 Status = RtlSetSaclSecurityDescriptor(&ParentDescriptor,
749 TRUE,
750 Acl,
751 BooleanFlagOn(UsingDefault, 1));
754 TRUE,
755 Acl,
756 BooleanFlagOn(UsingDefault, 2));
758
759 StartTestAssign(&ParentDescriptor, NULL, FALSE, TRUE, TRUE)
766 CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
768 CheckSid(Group, NO_SIZE, Token->PrimaryGroup);
777 CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
781 }
782
783 /* ACE type that Win2003 doesn't know about (> ACCESS_MAX_MS_ACE_TYPE) */
784 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
785 {
786 Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION);
790 Status = RtlSetSaclSecurityDescriptor(&ParentDescriptor,
791 TRUE,
792 Acl,
793 BooleanFlagOn(UsingDefault, 1));
796 TRUE,
797 Acl,
798 BooleanFlagOn(UsingDefault, 2));
800
801 TestAssignExpectDefault(&ParentDescriptor, NULL, FALSE)
802 TestAssignExpectDefault(&ParentDescriptor, NULL, TRUE)
810 CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
812 CheckSid(Group, NO_SIZE, Token->PrimaryGroup);
814 }
815
816 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
817 {
818 Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION);
822 Status = RtlSetSaclSecurityDescriptor(&ParentDescriptor,
823 TRUE,
824 Acl,
825 BooleanFlagOn(UsingDefault, 1));
828 TRUE,
829 Acl,
830 BooleanFlagOn(UsingDefault, 2));
832
833 StartTestAssign(&ParentDescriptor, NULL, FALSE, TRUE, TRUE)
838 CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP);
840 CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
842 CheckSid(Group, NO_SIZE, Token->PrimaryGroup);
851 CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
855 }
856
857 /* TODO: Test object/compound ACEs */
858 /* TODO: Test duplicate ACEs */
859 /* TODO: Test INHERITED_ACE flag */
860 /* TODO: Test invalid ACE flags */
861 /* TODO: Test more AutoInheritFlags values */
862
863 ExFreePoolWithTag(Acl2, 'ASmK');
864 ExFreePoolWithTag(Acl, 'ASmK');
865}
#define EndTestAssignLoop()
#define TestAssignExpectDefaultAll()
#define StartTestAssignLoop(Parent, Explicit)
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
#define ok_bool_false(value, desc)
Definition: apitest.h:79
#define ok_bool_true(value, desc)
Definition: apitest.h:78
#define ok(value,...)
Definition: atltest.h:57
static const ACEFLAG AceFlags[]
Definition: security.c:2624
#define GENERIC_READ
Definition: compat.h:135
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
#define PagedPool
Definition: env_spec_w32.h:308
#define FlagOn(_F, _SF)
Definition: ext2fs.h:179
#define BooleanFlagOn(F, SF)
Definition: ext2fs.h:183
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAceEx(PACL, DWORD, DWORD, DWORD, PSID)
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
#define KeLeaveCriticalRegion()
Definition: ke_x.h:119
#define KmtStartSeh()
Definition: kmt_test.h:282
#define KmtInvalidPointer
Definition: kmt_test.h:280
#define KmtEndSeh(ExpectedStatus)
Definition: kmt_test.h:288
if(dx< 0)
Definition: linetemp.h:194
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1109
#define for
Definition: utility.h:88
#define CheckSid(Sid, SidSize, ExpectedSid)
Definition: se.h:31
NTSTATUS RtlxAddAuditAccessAceEx(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ULONG Flags, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid, _In_ BOOLEAN Success, _In_ BOOLEAN Failure)
Definition: SeHelpers.c:12
NTSTATUS RtlxAddMandatoryLabelAceEx(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ULONG Flags, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid)
Definition: SeHelpers.c:53
struct _ACL ACL
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID _Inout_ PULONG _Out_writes_bytes_to_opt_ PrimaryGroupSize PSID PrimaryGroup
Definition: rtlfuncs.h:1611
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL Sacl
Definition: rtlfuncs.h:1607
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1145
#define SYNCHRONIZE
Definition: nt_native.h:61
ULONG ACCESS_MASK
Definition: nt_native.h:40
#define GENERIC_ALL
Definition: nt_native.h:92
#define READ_CONTROL
Definition: nt_native.h:58
#define STANDARD_RIGHTS_EXECUTE
Definition: nt_native.h:67
#define GENERIC_EXECUTE
Definition: nt_native.h:91
NTSYSAPI NTSTATUS NTAPI RtlSetSaclSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN SaclPresent, IN PACL Sacl, IN BOOLEAN SaclDefaulted)
Definition: sd.c:342
PSID SeLocalSystemSid
Definition: sid.c:38
PSID SeAliasAdminsSid
Definition: sid.c:41
PSID SeCreatorOwnerSid
Definition: sid.c:27
BOOLEAN NTAPI KeAreApcsDisabled(VOID)
Definition: apc.c:958
#define STATUS_NO_TOKEN
Definition: ntstatus.h:360
#define STATUS_ACCESS_VIOLATION
Definition: ntstatus.h:242
#define STATUS_INVALID_PRIMARY_GROUP
Definition: ntstatus.h:327
#define STATUS_INVALID_OWNER
Definition: ntstatus.h:326
PSID SeCreatorGroupSid
Definition: setypes.h:1222
PSID SeCreatorOwnerSid
Definition: setypes.h:1221
VOID NTAPI SeUnlockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Unlocks both the referenced primary and client access tokens of a security subject context.
Definition: subject.c:138
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
uint32_t ULONG
Definition: typedefs.h:59
_Out_ PBOOLEAN _Out_ PACL _Out_ PBOOLEAN SaclDefaulted
Definition: rtlfuncs.h:2429
NTKERNELAPI NTSTATUS NTAPI SeAssignSecurityEx(_In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor, _In_opt_ PSECURITY_DESCRIPTOR ExplicitDescriptor, _Out_ PSECURITY_DESCRIPTOR *NewDescriptor, _In_opt_ GUID *ObjectType, _In_ BOOLEAN IsDirectoryObject, _In_ ULONG AutoInheritFlags, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PGENERIC_MAPPING GenericMapping, _In_ POOL_TYPE PoolType)
#define CONTAINER_INHERIT_ACE
Definition: setypes.h:747
#define INHERIT_ONLY_ACE
Definition: setypes.h:749
#define SYSTEM_AUDIT_ACE_TYPE
Definition: setypes.h:719
#define OBJECT_INHERIT_ACE
Definition: setypes.h:746
#define NO_PROPAGATE_INHERIT_ACE
Definition: setypes.h:748
#define SEF_DEFAULT_GROUP_FROM_PARENT
Definition: setypes.h:141
#define SYSTEM_MANDATORY_LABEL_ACE_TYPE
Definition: setypes.h:741
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
Definition: setypes.h:808
#define ACL_REVISION
Definition: setypes.h:39
#define SEF_DEFAULT_OWNER_FROM_PARENT
Definition: setypes.h:140
#define FAILED_ACCESS_ACE_FLAG
Definition: setypes.h:754
#define SUCCESSFUL_ACCESS_ACE_FLAG
Definition: setypes.h:753

Referenced by SystemThread().

Variable Documentation

◆ GenericMapping

GENERIC_MAPPING GenericMapping
static
Initial value:
=
{
}
#define STANDARD_RIGHTS_WRITE
Definition: nt_native.h:66

Definition at line 11 of file SeInheritance.c.

Referenced by AccessCheck(), AccessCheckAndAuditAlarmA(), AccessCheckAndAuditAlarmW(), AccessCheckByType(), AccessCheckByTypeResultList(), CheckTokenMembership(), CmpSecurityMethod(), CreatePrivateObjectSecurity(), CreatePrivateObjectSecurityWithMultipleInheritance(), IopGetSetSecurityObject(), IopSetDeviceSecurityDescriptor(), IopSetDeviceSecurityDescriptors(), NtAccessCheck(), NtAccessCheckAndAuditAlarm(), NtAccessCheckByType(), NtAccessCheckByTypeAndAuditAlarm(), NtAccessCheckByTypeResultList(), NtAccessCheckByTypeResultListAndAuditAlarm(), NtAccessCheckByTypeResultListAndAuditAlarmByHandle(), ObOpenObjectByName(), ObSetSecurityDescriptorInfo(), RtlConvertToAutoInheritSecurityObject(), RtlCreateUserSecurityObject(), RtlMapGenericMask(), RtlNewInstanceSecurityObject(), RtlNewSecurityGrantedAccess(), RtlNewSecurityObject(), RtlNewSecurityObjectEx(), RtlNewSecurityObjectWithMultipleInheritance(), RtlSetSecurityObject(), RtlSetSecurityObjectEx(), SeAccessCheck(), SeCreateAccessState(), SeCreateAccessStateEx(), SeDefaultObjectMethod(), SepAccessCheck(), SepAccessCheckAndAuditAlarm(), SepAccessCheckWorker(), SepAnalyzeAcesFromDacl(), SepPropagateAcl(), SepSelectAcl(), SeSetAccessStateGenericMapping(), SetPrivateObjectSecurity(), TestSeAssignSecurity(), and WmipSecurityMethod().