53#define StartTestAssign(Parent, Explicit, IsDir, GotDacl, GotSacl) \
54 SecurityDescriptor = NULL; \
55 Status = SeAssignSecurity (Parent, \
57 &SecurityDescriptor, \
64 ok_eq_hex(Status, STATUS_SUCCESS); \
65 if (!skip(NT_SUCCESS(Status), "No security\n")) \
70 BOOLEAN DaclDefaulted, SaclDefaulted; \
71 BOOLEAN OwnerDefaulted, GroupDefaulted; \
72 Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor, \
76 ok_eq_hex(Status, STATUS_SUCCESS); \
77 ok_eq_uint(Present, GotDacl); \
78 if (!NT_SUCCESS(Status) || !Present) \
80 Status = RtlGetSaclSecurityDescriptor(SecurityDescriptor, \
84 ok_eq_hex(Status, STATUS_SUCCESS); \
85 ok_eq_uint(Present, GotSacl); \
86 if (!NT_SUCCESS(Status) || !Present) \
88 Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor, \
91 ok_eq_hex(Status, STATUS_SUCCESS); \
92 if (skip(NT_SUCCESS(Status), "No owner\n")) \
94 Status = RtlGetGroupSecurityDescriptor(SecurityDescriptor, \
97 ok_eq_hex(Status, STATUS_SUCCESS); \
98 if (skip(NT_SUCCESS(Status), "No group\n")) \
101#define EndTestAssign() \
102 SeDeassignSecurity(&SecurityDescriptor); \
104#define StartTestAssignLoop(Parent, Explicit) \
107 BOOLEAN UsingParent; \
108 BOOLEAN UsingExplicit; \
109 for (IsDir = FALSE; IsDir <= TRUE; IsDir++) \
111 for (UsingParent = FALSE; UsingParent <= TRUE; UsingParent++) \
113 for (UsingExplicit = FALSE; UsingExplicit <= TRUE; UsingExplicit++) \
115 StartTestAssign(UsingParent ? Parent : NULL, \
116 UsingExplicit ? Explicit : NULL, \
120#define EndTestAssignLoop() \
126#define TestAssignExpectDefault(Parent, Explicit, IsDir) \
127 StartTestAssign(Parent, Explicit, IsDir, TRUE, FALSE) \
128 ok_eq_uint(DaclDefaulted, FALSE); \
129 CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F, \
130 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005); \
131 ok_eq_uint(OwnerDefaulted, FALSE); \
132 CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid); \
133 ok_eq_uint(GroupDefaulted, FALSE); \
134 CheckSid(Group, NO_SIZE, Token->PrimaryGroup); \
136#define TestAssignExpectDefaultAll() \
137 TestAssignExpectDefault(&ParentDescriptor, NULL, FALSE) \
138 TestAssignExpectDefault(&ParentDescriptor, NULL, TRUE) \
139 TestAssignExpectDefault(NULL, &ExplicitDescriptor, FALSE) \
140 TestAssignExpectDefault(NULL, &ExplicitDescriptor, TRUE) \
141 TestAssignExpectDefault(&ParentDescriptor, &ExplicitDescriptor, FALSE) \
142 TestAssignExpectDefault(&ParentDescriptor, &ExplicitDescriptor, TRUE)
157 for (UsingDefault =
FALSE; UsingDefault <=
TRUE; UsingDefault++)
189 for (UsingDefault =
FALSE; UsingDefault <=
TRUE; UsingDefault++)
225 if (
skip(Acl !=
NULL,
"Out of memory\n"))
229 if (
skip(Acl2 !=
NULL,
"Out of memory\n"))
236 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
272 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
291 if (UsingExplicit && (!UsingParent || !
FlagOn(UsingDefault, 2)))
295 else if (UsingParent)
312 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
331 if (UsingExplicit || (UsingParent && IsDir))
348 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
367 if (UsingExplicit && (!UsingParent || !
FlagOn(UsingDefault, 2)))
371 else if (UsingParent)
388 for (Access = 0; Access <= 1; Access++)
410 for (CanInherit = 0; CanInherit <= 255; CanInherit++)
412 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
421 AceFlags2 = CanInherit >> 4;
437 ParentUsable = UsingParent;
439 ParentUsable =
FALSE;
442 ParentUsable =
FALSE;
444 if (UsingExplicit && (!
FlagOn(UsingDefault, 2) || !ParentUsable))
448 else if (ParentUsable)
542 OldOwner =
Token->UserAndGroups[
Token->DefaultOwnerIndex].Sid;
557 Token->UserAndGroups[
Token->DefaultOwnerIndex].Sid = OldOwner;
565 OldGroup =
Token->PrimaryGroup;
580 Token->PrimaryGroup = OldGroup;
588 OldDacl =
Token->DefaultDacl;
598 Token->DefaultDacl = OldDacl;
654 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
682 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
710 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
742 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
784 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
816 for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
#define StartTestAssign(Parent, Explicit, IsDir, GotDacl, GotSacl)
static VOID TestObRootSecurity(VOID)
static VOID TestSeAssignSecurity(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
#define EndTestAssignLoop()
#define TestAssignExpectDefaultAll()
static VOID NTAPI SystemThread(_In_ PVOID Context)
#define TestAssignExpectDefault(Parent, Explicit, IsDir)
#define StartTestAssignLoop(Parent, Explicit)
static GENERIC_MAPPING GenericMapping
#define ok_eq_pointer(value, expected)
#define ok_eq_hex(value, expected)
#define ok_bool_false(value, desc)
#define ok_eq_uint(value, expected)
#define ok_bool_true(value, desc)
IN PUNICODE_STRING IN POBJECT_ATTRIBUTES ObjectAttributes
#define NT_SUCCESS(StatCode)
static const ACEFLAG AceFlags[]
#define ExAllocatePoolWithTag(hernya, size, tag)
#define BooleanFlagOn(F, SF)
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
#define OBJ_KERNEL_HANDLE
#define OBJ_CASE_INSENSITIVE
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAceEx(PACL, DWORD, DWORD, DWORD, PSID)
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
#define KeLeaveCriticalRegion()
#define KmtInvalidPointer
#define KmtEndSeh(ExpectedStatus)
PKTHREAD KmtStartThread(IN PKSTART_ROUTINE StartRoutine, IN PVOID StartContext OPTIONAL)
VOID KmtFinishThread(IN PKTHREAD Thread OPTIONAL, IN PKEVENT Event OPTIONAL)
#define ExFreePoolWithTag(_P, _T)
#define CheckAcl(Acl, AceCount,...)
#define CheckSid(Sid, SidSize, ExpectedSid)
NTSTATUS RtlxAddAuditAccessAceEx(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ULONG Flags, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid, _In_ BOOLEAN Success, _In_ BOOLEAN Failure)
NTSTATUS RtlxAddMandatoryLabelAceEx(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ULONG Flags, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid)
#define InitializeObjectAttributes(p, n, a, r, s)
NTSYSAPI NTSTATUS NTAPI ZwOpenDirectoryObject(_Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes)
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID Owner
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
_In_opt_ PSID _In_opt_ BOOLEAN GroupDefaulted
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
NTSYSAPI NTSTATUS NTAPI RtlGetSaclSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN SaclPresent, _Out_ PACL *Sacl, _Out_ PBOOLEAN SaclDefaulted)
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
_In_opt_ PSID _In_opt_ BOOLEAN OwnerDefaulted
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL Sacl
NTSYSAPI NTSTATUS NTAPI RtlGetDaclSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN DaclPresent, _Out_ PACL *Dacl, _Out_ PBOOLEAN DaclDefaulted)
_In_ BOOLEAN _In_opt_ PACL _In_opt_ BOOLEAN DaclDefaulted
#define DIRECTORY_TRAVERSE
#define STANDARD_RIGHTS_READ
#define STANDARD_RIGHTS_ALL
#define STANDARD_RIGHTS_WRITE
#define DIRECTORY_ALL_ACCESS
#define STANDARD_RIGHTS_EXECUTE
NTSYSAPI NTSTATUS NTAPI RtlSetSaclSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN SaclPresent, IN PACL Sacl, IN BOOLEAN SaclDefaulted)
BOOLEAN NTAPI KeAreApcsDisabled(VOID)
#define STATUS_ACCESS_VIOLATION
#define STATUS_INVALID_PRIMARY_GROUP
#define STATUS_INVALID_OWNER
NTSTATUS NTAPI ObCloseHandle(IN HANDLE Handle, IN KPROCESSOR_MODE AccessMode)
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
NTSTATUS NTAPI ObGetObjectSecurity(IN PVOID Object, OUT PSECURITY_DESCRIPTOR *SecurityDescriptor, OUT PBOOLEAN MemoryAllocated)
VOID NTAPI ObReleaseObjectSecurity(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN MemoryAllocated)
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
VOID NTAPI SeUnlockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Unlocks both the referenced primary and client access tokens of a security subject context.
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
#define RTL_CONSTANT_STRING(s)
#define FIELD_OFFSET(t, f)
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
#define ObDereferenceObject
_Out_ PSECURITY_DESCRIPTOR _Out_ PBOOLEAN MemoryAllocated
_Out_ PBOOLEAN _Out_ PACL _Out_ PBOOLEAN SaclDefaulted
_In_opt_ PSECURITY_DESCRIPTOR ExplicitDescriptor
NTKERNELAPI NTSTATUS NTAPI SeAssignSecurityEx(_In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor, _In_opt_ PSECURITY_DESCRIPTOR ExplicitDescriptor, _Out_ PSECURITY_DESCRIPTOR *NewDescriptor, _In_opt_ GUID *ObjectType, _In_ BOOLEAN IsDirectoryObject, _In_ ULONG AutoInheritFlags, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PGENERIC_MAPPING GenericMapping, _In_ POOL_TYPE PoolType)
#define CONTAINER_INHERIT_ACE
#define SYSTEM_AUDIT_ACE_TYPE
#define ACCESS_ALLOWED_ACE_TYPE
#define OBJECT_INHERIT_ACE
#define NO_PROPAGATE_INHERIT_ACE
#define SEF_DEFAULT_GROUP_FROM_PARENT
#define SYSTEM_MANDATORY_LABEL_ACE_TYPE
#define SECURITY_DESCRIPTOR_REVISION
#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
#define SEF_DEFAULT_OWNER_FROM_PARENT
#define FAILED_ACCESS_ACE_FLAG
#define SUCCESSFUL_ACCESS_ACE_FLAG