ReactOS 0.4.16-dev-125-g798ea90
NtAccessCheckByTypeResultList.c File Reference
#include "precomp.h"
Include dependency graph for NtAccessCheckByTypeResultList.c:

Go to the source code of this file.

Functions

static HANDLE GetTokenProcess (_In_ BOOLEAN WantImpersonateLevel, _In_ BOOLEAN WantImpersonateType)
 
static VOID ParamValidationNoObjsList (VOID)
 
static VOID PrintAccessStatusAndGrantedAccess (_In_ PNTSTATUS AccessStatus, _In_ PACCESS_MASK GrantedAccess, _In_ ULONG ObjectTypeListLength)
 
static VOID GrantedAccessTests (VOID)
 
static VOID DenyAccessTests (VOID)
 
 START_TEST (NtAccessCheckByTypeResultList)
 

Variables

static GENERIC_MAPPING RegMapping = {KEY_READ, KEY_WRITE, KEY_EXECUTE, KEY_ALL_ACCESS}
 
static GUID ObjectType = {0x12345678, 0x1234, 0x5678, {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}}
 
static GUID ChildObjectType = {0x23456789, 0x2345, 0x6786, {0x2, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99}}
 
static SID_IDENTIFIER_AUTHORITY WorldAuthority = {SECURITY_WORLD_SID_AUTHORITY}
 
static SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY}
 

Function Documentation

◆ DenyAccessTests()

static VOID DenyAccessTests ( VOID  )
static

Definition at line 433 of file NtAccessCheckByTypeResultList.c.

434{
438 PPRIVILEGE_SET PrivilegeSet = NULL;
439 ULONG PrivilegeSetLength;
440 HANDLE Token = NULL;
441 PACL Dacl = NULL;
443 ULONG i;
445 OBJECT_TYPE_LIST ObjTypeList[6];
446 PSID EveryoneSid = NULL, AdminSid = NULL, UsersSid = NULL;
447 GUID ChildObjectType2 = {0x34578901, 0x3456, 0x7896, {0x3, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00}};
448 GUID ChildObjectType3 = {0x45678901, 0x4567, 0x1122, {0x4, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x01}};
449 GUID ChildObjectType4 = {0x56788901, 0x1111, 0x2222, {0x5, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x02}};
450 GUID ChildObjectType5 = {0x67901234, 0x2222, 0x3333, {0x4, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x03}};
451
452 /* Allocate all the stuff we need */
453 PrivilegeSetLength = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
454 PrivilegeSet = RtlAllocateHeap(RtlGetProcessHeap(), 0, PrivilegeSetLength);
455 if (PrivilegeSet == NULL)
456 {
457 skip("Failed to allocate PrivilegeSet, skipping tests\n");
458 return;
459 }
460
462 1,
464 0,
465 0,
466 0,
467 0,
468 0,
469 0,
470 0,
471 &EveryoneSid);
472 if (!NT_SUCCESS(Status))
473 {
474 skip("Failed to create Everyone SID, skipping tests\n");
475 goto Quit;
476 }
477
479 2,
482 0,
483 0,
484 0,
485 0,
486 0,
487 0,
488 &AdminSid);
489 if (!NT_SUCCESS(Status))
490 {
491 skip("Failed to create Admins SID, skipping tests\n");
492 goto Quit;
493 }
494
496 2,
499 0,
500 0,
501 0,
502 0,
503 0,
504 0,
505 &UsersSid);
506 if (!NT_SUCCESS(Status))
507 {
508 skip("Failed to create User SID, skipping tests\n");
509 goto Quit;
510 }
511
513 if (Token == NULL)
514 {
515 skip("Failed to get token, skipping tests\n");
516 goto Quit;
517 }
518
520 if (!NT_SUCCESS(Status))
521 {
522 skip("Failed to create a security descriptor, skipping tests\n");
523 goto Quit;
524 }
525
526 DaclSize = sizeof(ACL) +
528 sizeof(ACCESS_DENIED_OBJECT_ACE) + RtlLengthSid(EveryoneSid) +
529 sizeof(ACCESS_ALLOWED_OBJECT_ACE) + RtlLengthSid(EveryoneSid);
530 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
532 DaclSize);
533 if (Dacl == NULL)
534 {
535 skip("Failed to allocate memory for DACL, skipping tests\n");
536 goto Quit;
537 }
538
540 DaclSize,
542 if (!NT_SUCCESS(Status))
543 {
544 skip("Failed to create DACL, skipping tests\n");
545 goto Quit;
546 }
547
548 /*
549 * Admins can't read the main object, whereas everyone else can't write
550 * into the child object.
551 */
554 0,
555 KEY_READ,
556 &ObjectType,
557 NULL,
558 AdminSid);
559 if (!NT_SUCCESS(Status))
560 {
561 skip("Failed to add deny object ACE for Admins SID, skipping tests\n");
562 goto Quit;
563 }
564
567 0,
568 KEY_WRITE,
570 NULL,
571 EveryoneSid);
572 if (!NT_SUCCESS(Status))
573 {
574 skip("Failed to add deny object ACE for Everyone SID, skipping tests\n");
575 goto Quit;
576 }
577
578 /* Setup the descriptor */
579 RtlSetGroupSecurityDescriptor(&Sd, UsersSid, FALSE);
582
583 /* Setup the object type list */
584 ObjTypeList[0].Level = ACCESS_OBJECT_GUID;
585 ObjTypeList[0].Sbz = 0;
586 ObjTypeList[0].ObjectType = &ObjectType;
587
588 ObjTypeList[1].Level = ACCESS_PROPERTY_SET_GUID;
589 ObjTypeList[1].Sbz = 0;
590 ObjTypeList[1].ObjectType = &ChildObjectType;
591
592 ObjTypeList[2].Level = ACCESS_PROPERTY_GUID;
593 ObjTypeList[2].Sbz = 0;
594 ObjTypeList[2].ObjectType = &ChildObjectType2;
595
596 ObjTypeList[3].Level = ACCESS_PROPERTY_GUID;
597 ObjTypeList[3].Sbz = 0;
598 ObjTypeList[3].ObjectType = &ChildObjectType3;
599
600 ObjTypeList[4].Level = ACCESS_PROPERTY_SET_GUID;
601 ObjTypeList[4].Sbz = 0;
602 ObjTypeList[4].ObjectType = &ChildObjectType4;
603
604 ObjTypeList[5].Level = ACCESS_PROPERTY_GUID;
605 ObjTypeList[5].Sbz = 0;
606 ObjTypeList[5].ObjectType = &ChildObjectType5;
607
608 /*
609 * Admins shouldn't be able to read from the main object.
610 * NtAccessCheckByTypeResultList will return partial rights
611 * that have been granted to the caller even if the caller
612 * did not get all the rights he wanted.
613 */
615 NULL,
616 Token,
617 KEY_READ,
618 ObjTypeList,
619 RTL_NUMBER_OF(ObjTypeList),
620 &RegMapping,
621 PrivilegeSet,
622 &PrivilegeSetLength,
626
628 for (i = 0; i < RTL_NUMBER_OF(ObjTypeList); i++)
629 {
630 ok(AccessStatus[i] == STATUS_ACCESS_DENIED, "Expected STATUS_ACCESS_DENIED but got 0x%08lx\n", AccessStatus[i]);
631 ok(GrantedAccess[i] == READ_CONTROL, "Expected READ_CONTROL as given partial right but got 0x%08lx\n", GrantedAccess[i]);
632 }
633
634 /* Everyone else can't write into the child object */
636 NULL,
637 Token,
638 KEY_WRITE,
639 ObjTypeList,
640 RTL_NUMBER_OF(ObjTypeList),
641 &RegMapping,
642 PrivilegeSet,
643 &PrivilegeSetLength,
647
649 for (i = 0; i < RTL_NUMBER_OF(ObjTypeList); i++)
650 {
651 ok(AccessStatus[i] == STATUS_ACCESS_DENIED, "Expected STATUS_ACCESS_DENIED but got 0x%08lx\n", AccessStatus[i]);
652 ok(GrantedAccess[i] == READ_CONTROL, "Expected READ_CONTROL as given partial right but got 0x%08lx\n", GrantedAccess[i]);
653 }
654
655Quit:
656 if (Dacl)
657 {
658 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
659 }
660
661 if (Token)
662 {
663 NtClose(Token);
664 }
665
666 if (UsersSid)
667 {
668 RtlFreeSid(UsersSid);
669 }
670
671 if (AdminSid)
672 {
674 }
675
676 if (EveryoneSid)
677 {
678 RtlFreeSid(EveryoneSid);
679 }
680
681 if (PrivilegeSet)
682 {
683 RtlFreeHeap(RtlGetProcessHeap(), 0, PrivilegeSet);
684 }
685}
static SID_IDENTIFIER_AUTHORITY WorldAuthority
static VOID PrintAccessStatusAndGrantedAccess(_In_ PNTSTATUS AccessStatus, _In_ PACCESS_MASK GrantedAccess, _In_ ULONG ObjectTypeListLength)
static HANDLE GetTokenProcess(_In_ BOOLEAN WantImpersonateLevel, _In_ BOOLEAN WantImpersonateType)
static SID_IDENTIFIER_AUTHORITY NtAuthority
static GENERIC_MAPPING RegMapping
static GUID ChildObjectType
static GUID ObjectType
#define RTL_NUMBER_OF(x)
Definition: RtlRegistry.c:12
NTSTATUS NTAPI NtAccessCheckByTypeResultList(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus)
Determines whether security access can be granted to a client that requests such access on the object...
Definition: accesschk.c:2297
#define ok_hex(expression, result)
Definition: atltest.h:94
#define ok(value,...)
Definition: atltest.h:57
#define skip(...)
Definition: atltest.h:64
LONG NTSTATUS
Definition: precomp.h:26
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:590
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:608
#define NULL
Definition: types.h:112
#define TRUE
Definition: types.h:120
#define FALSE
Definition: types.h:117
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:33
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
Status
Definition: gdiplustypes.h:25
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
ObjectType
Definition: metafile.c:81
struct _ACCESS_ALLOWED_OBJECT_ACE ACCESS_ALLOWED_OBJECT_ACE
struct _ACL ACL
static PSID AdminSid
Definition: msgina.c:39
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1605
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
NTSYSAPI PVOID NTAPI RtlFreeSid(_In_ _Post_invalid_ PSID Sid)
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1606
NTSYSAPI NTSTATUS NTAPI RtlAddAccessDeniedObjectAce(_Inout_ PACL pAcl, _In_ ULONG dwAceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_opt_ GUID *ObjectTypeGuid, _In_opt_ GUID *InheritedObjectTypeGuid, _In_ PSID pSid)
ULONG ACCESS_MASK
Definition: nt_native.h:40
#define KEY_READ
Definition: nt_native.h:1023
NTSTATUS NTAPI NtClose(IN HANDLE Handle)
Definition: obhandle.c:3402
#define KEY_WRITE
Definition: nt_native.h:1031
#define READ_CONTROL
Definition: nt_native.h:58
NTSYSAPI NTSTATUS NTAPI RtlAllocateAndInitializeSid(IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount, IN ULONG SubAuthority0, IN ULONG SubAuthority1, IN ULONG SubAuthority2, IN ULONG SubAuthority3, IN ULONG SubAuthority4, IN ULONG SubAuthority5, IN ULONG SubAuthority6, IN ULONG SubAuthority7, OUT PSID *Sid)
Definition: sid.c:290
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410
#define STATUS_SUCCESS
Definition: shellext.h:65
$USHORT Level
Definition: setypes.h:857
GUID * ObjectType
Definition: setypes.h:859
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
uint32_t ULONG
Definition: typedefs.h:59
#define STATUS_ACCESS_DENIED
Definition: udferr_usr.h:145
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
Definition: user_lib.cpp:531
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:21
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:20
#define DOMAIN_ALIAS_RID_USERS
Definition: setypes.h:653
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
#define SECURITY_WORLD_RID
Definition: setypes.h:541
#define ACL_REVISION4
Definition: setypes.h:45
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
struct _ACCESS_DENIED_OBJECT_ACE ACCESS_DENIED_OBJECT_ACE
#define ACCESS_PROPERTY_SET_GUID
Definition: setypes.h:863
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652
#define ACCESS_OBJECT_GUID
Definition: setypes.h:862
#define ACCESS_PROPERTY_GUID
Definition: setypes.h:864

Referenced by START_TEST().

◆ GetTokenProcess()

static HANDLE GetTokenProcess ( _In_ BOOLEAN  WantImpersonateLevel,
_In_ BOOLEAN  WantImpersonateType 
)
static

Definition at line 18 of file NtAccessCheckByTypeResultList.c.

21{
24 HANDLE DuplicatedToken;
27
30 &Token);
31 if (!NT_SUCCESS(Status))
32 {
33 trace("Failed to get current process token (Status 0x%08lx)\n", Status);
34 return NULL;
35 }
36
38 Sqos.ImpersonationLevel = WantImpersonateLevel ? SecurityImpersonation : SecurityAnonymous;
39 Sqos.ContextTrackingMode = 0;
40 Sqos.EffectiveOnly = FALSE;
41
43 NULL,
44 0,
45 NULL,
46 NULL);
47 ObjectAttributes.SecurityQualityOfService = &Sqos;
48
52 FALSE,
53 WantImpersonateType ? TokenImpersonation : TokenPrimary,
54 &DuplicatedToken);
55 if (!NT_SUCCESS(Status))
56 {
57 trace("Failed to duplicate token (Status 0x%08lx)\n", Status);
59 return NULL;
60 }
61
62 return DuplicatedToken;
63}
#define trace
Definition: atltest.h:70
IN PUNICODE_STRING IN POBJECT_ATTRIBUTES ObjectAttributes
Definition: conport.c:36
@ SecurityImpersonation
Definition: lsa.idl:57
@ SecurityAnonymous
Definition: lsa.idl:55
struct _SECURITY_QUALITY_OF_SERVICE SECURITY_QUALITY_OF_SERVICE
@ TokenImpersonation
Definition: imports.h:274
@ TokenPrimary
Definition: imports.h:273
#define InitializeObjectAttributes(p, n, a, r, s)
Definition: reg.c:106
#define NtCurrentProcess()
Definition: nt_native.h:1657
NTSTATUS NTAPI NtOpenProcessToken(IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle)
Definition: security.c:350
SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode
Definition: lsa.idl:66
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: lsa.idl:65
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtDuplicateToken(_In_ HANDLE ExistingTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ BOOLEAN EffectiveOnly, _In_ TOKEN_TYPE TokenType, _Out_ PHANDLE NewTokenHandle)
Duplicates a token.
Definition: tokenlif.c:1869
#define TOKEN_DUPLICATE
Definition: setypes.h:926
#define TOKEN_QUERY
Definition: setypes.h:928

Referenced by DenyAccessTests(), GrantedAccessTests(), and ParamValidationNoObjsList().

◆ GrantedAccessTests()

static VOID GrantedAccessTests ( VOID  )
static

Definition at line 148 of file NtAccessCheckByTypeResultList.c.

149{
153 PPRIVILEGE_SET PrivilegeSet = NULL;
154 ULONG PrivilegeSetLength;
155 HANDLE Token = NULL;
156 PACL Dacl = NULL;
158 ULONG i;
160 OBJECT_TYPE_LIST ObjTypeList[6];
161 PSID EveryoneSid = NULL, AdminSid = NULL, UsersSid = NULL;
162 GUID ChildObjectType2 = {0x34578901, 0x3456, 0x7896, {0x3, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00}};
163 GUID ChildObjectType3 = {0x45678901, 0x4567, 0x1122, {0x4, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x01}};
164 GUID ChildObjectType4 = {0x56788901, 0x1111, 0x2222, {0x5, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x02}};
165 GUID ChildObjectType5 = {0x67901234, 0x2222, 0x3333, {0x4, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x03}};
166
167 /* Allocate all the stuff we need */
168 PrivilegeSetLength = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
169 PrivilegeSet = RtlAllocateHeap(RtlGetProcessHeap(), 0, PrivilegeSetLength);
170 if (PrivilegeSet == NULL)
171 {
172 skip("Failed to allocate PrivilegeSet, skipping tests\n");
173 return;
174 }
175
177 1,
179 0,
180 0,
181 0,
182 0,
183 0,
184 0,
185 0,
186 &EveryoneSid);
187 if (!NT_SUCCESS(Status))
188 {
189 skip("Failed to create Everyone SID, skipping tests\n");
190 goto Quit;
191 }
192
194 2,
197 0,
198 0,
199 0,
200 0,
201 0,
202 0,
203 &AdminSid);
204 if (!NT_SUCCESS(Status))
205 {
206 skip("Failed to create Admins SID, skipping tests\n");
207 goto Quit;
208 }
209
211 2,
214 0,
215 0,
216 0,
217 0,
218 0,
219 0,
220 &UsersSid);
221 if (!NT_SUCCESS(Status))
222 {
223 skip("Failed to create User SID, skipping tests\n");
224 goto Quit;
225 }
226
228 if (Token == NULL)
229 {
230 skip("Failed to get token, skipping tests\n");
231 goto Quit;
232 }
233
235 if (!NT_SUCCESS(Status))
236 {
237 skip("Failed to create a security descriptor, skipping tests\n");
238 goto Quit;
239 }
240
241 DaclSize = sizeof(ACL) +
243 sizeof(ACCESS_ALLOWED_OBJECT_ACE) + RtlLengthSid(EveryoneSid) +
244 sizeof(ACCESS_ALLOWED_OBJECT_ACE) + RtlLengthSid(EveryoneSid);
245 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
247 DaclSize);
248 if (Dacl == NULL)
249 {
250 skip("Failed to allocate memory for DACL, skipping tests\n");
251 goto Quit;
252 }
253
255 DaclSize,
257 if (!NT_SUCCESS(Status))
258 {
259 skip("Failed to create DACL, skipping tests\n");
260 goto Quit;
261 }
262
263 /*
264 * Admins have full access over the key object, everyone else can only read from
265 * it and can only query the value from the child sub-object.
266 */
269 0,
271 &ObjectType,
272 NULL,
273 AdminSid);
274 if (!NT_SUCCESS(Status))
275 {
276 skip("Failed to add allowed object ACE for Admins SID, skipping tests\n");
277 goto Quit;
278 }
279
282 0,
283 KEY_READ,
284 &ObjectType,
285 NULL,
286 EveryoneSid);
287 if (!NT_SUCCESS(Status))
288 {
289 skip("Failed to add allowed object ACE for Everyone SID, skipping tests\n");
290 goto Quit;
291 }
292
295 0,
298 NULL,
299 EveryoneSid);
300 if (!NT_SUCCESS(Status))
301 {
302 skip("Failed to add allowed object ACE for Everyone SID, skipping tests\n");
303 goto Quit;
304 }
305
306 /* Setup the descriptor */
307 RtlSetGroupSecurityDescriptor(&Sd, UsersSid, FALSE);
310
311 /* Setup the object type list */
312 ObjTypeList[0].Level = ACCESS_OBJECT_GUID;
313 ObjTypeList[0].Sbz = 0;
314 ObjTypeList[0].ObjectType = &ObjectType;
315
316 ObjTypeList[1].Level = ACCESS_PROPERTY_SET_GUID;
317 ObjTypeList[1].Sbz = 0;
318 ObjTypeList[1].ObjectType = &ChildObjectType;
319
320 ObjTypeList[2].Level = ACCESS_PROPERTY_GUID;
321 ObjTypeList[2].Sbz = 0;
322 ObjTypeList[2].ObjectType = &ChildObjectType2;
323
324 ObjTypeList[3].Level = ACCESS_PROPERTY_GUID;
325 ObjTypeList[3].Sbz = 0;
326 ObjTypeList[3].ObjectType = &ChildObjectType3;
327
328 ObjTypeList[4].Level = ACCESS_PROPERTY_SET_GUID;
329 ObjTypeList[4].Sbz = 0;
330 ObjTypeList[4].ObjectType = &ChildObjectType4;
331
332 ObjTypeList[5].Level = ACCESS_PROPERTY_GUID;
333 ObjTypeList[5].Sbz = 0;
334 ObjTypeList[5].ObjectType = &ChildObjectType5;
335
336 /* Admins should be granted every access */
338 NULL,
339 Token,
341 ObjTypeList,
342 RTL_NUMBER_OF(ObjTypeList),
343 &RegMapping,
344 PrivilegeSet,
345 &PrivilegeSetLength,
349
351 for (i = 0; i < RTL_NUMBER_OF(ObjTypeList); i++)
352 {
353 ok(AccessStatus[i] == STATUS_SUCCESS, "Expected STATUS_SUCCESS but got 0x%08lx\n", AccessStatus[i]);
354 ok(GrantedAccess[i] == KEY_ALL_ACCESS, "Expected KEY_ALL_ACCESS but got 0x%08lx\n", GrantedAccess[i]);
355 }
356
357 /* Everyone else can only read */
359 NULL,
360 Token,
361 KEY_READ,
362 ObjTypeList,
363 RTL_NUMBER_OF(ObjTypeList),
364 &RegMapping,
365 PrivilegeSet,
366 &PrivilegeSetLength,
370
372 for (i = 0; i < RTL_NUMBER_OF(ObjTypeList); i++)
373 {
374 ok(AccessStatus[i] == STATUS_SUCCESS, "Expected STATUS_SUCCESS but got 0x%08lx\n", AccessStatus[i]);
375 ok(GrantedAccess[i] == KEY_READ, "Expected KEY_READ but got 0x%08lx\n", GrantedAccess[i]);
376 }
377
378 /* Everyone else can only query a registry value from the child object */
380 NULL,
381 Token,
383 ObjTypeList,
384 RTL_NUMBER_OF(ObjTypeList),
385 &RegMapping,
386 PrivilegeSet,
387 &PrivilegeSetLength,
391
393 for (i = 0; i < RTL_NUMBER_OF(ObjTypeList); i++)
394 {
395 ok(AccessStatus[i] == STATUS_SUCCESS, "Expected STATUS_SUCCESS but got 0x%08lx\n", AccessStatus[i]);
396 ok(GrantedAccess[i] == KEY_QUERY_VALUE, "Expected KEY_QUERY_VALUE but got 0x%08lx\n", GrantedAccess[i]);
397 }
398
399Quit:
400 if (Dacl)
401 {
402 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
403 }
404
405 if (Token)
406 {
407 NtClose(Token);
408 }
409
410 if (UsersSid)
411 {
412 RtlFreeSid(UsersSid);
413 }
414
415 if (AdminSid)
416 {
418 }
419
420 if (EveryoneSid)
421 {
422 RtlFreeSid(EveryoneSid);
423 }
424
425 if (PrivilegeSet)
426 {
427 RtlFreeHeap(RtlGetProcessHeap(), 0, PrivilegeSet);
428 }
429}
NTSYSAPI NTSTATUS NTAPI RtlAddAccessAllowedObjectAce(_Inout_ PACL pAcl, _In_ ULONG dwAceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_opt_ GUID *ObjectTypeGuid, _In_opt_ GUID *InheritedObjectTypeGuid, _In_ PSID pSid)
#define KEY_ALL_ACCESS
Definition: nt_native.h:1041
#define KEY_QUERY_VALUE
Definition: nt_native.h:1016
#define MAXIMUM_ALLOWED
Definition: nt_native.h:83

Referenced by START_TEST().

◆ ParamValidationNoObjsList()

static VOID ParamValidationNoObjsList ( VOID  )
static

Definition at line 67 of file NtAccessCheckByTypeResultList.c.

68{
72 PPRIVILEGE_SET PrivilegeSet = NULL;
73 ULONG PrivilegeSetLength;
76
77 PrivilegeSetLength = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
78 PrivilegeSet = RtlAllocateHeap(RtlGetProcessHeap(), 0, PrivilegeSetLength);
79 if (PrivilegeSet == NULL)
80 {
81 skip("Failed to allocate PrivilegeSet, skipping tests\n");
82 goto Quit;
83 }
84
86 if (Token == NULL)
87 {
88 skip("Failed to get token, skipping tests\n");
89 goto Quit;
90 }
91
93 if (!NT_SUCCESS(Status))
94 {
95 skip("Failed to create a security descriptor, skipping tests\n");
96 goto Quit;
97 }
98
102
103 /* The function expects an object type list */
105 NULL,
106 Token,
108 NULL,
109 0,
110 &RegMapping,
111 PrivilegeSet,
112 &PrivilegeSetLength,
114 &AccessStatus);
116
117Quit:
118 if (Token)
119 {
120 NtClose(Token);
121 }
122
123 if (PrivilegeSet)
124 {
125 RtlFreeHeap(RtlGetProcessHeap(), 0, PrivilegeSet);
126 }
127}
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135

Referenced by START_TEST().

◆ PrintAccessStatusAndGrantedAccess()

static VOID PrintAccessStatusAndGrantedAccess ( _In_ PNTSTATUS  AccessStatus,
_In_ PACCESS_MASK  GrantedAccess,
_In_ ULONG  ObjectTypeListLength 
)
static

Definition at line 131 of file NtAccessCheckByTypeResultList.c.

135{
136 ULONG i;
137
138 trace("===== OBJECT ACCESS & STATUS LIST =====\n");
139 for (i = 0; i < ObjectTypeListLength; i++)
140 {
141 trace("OBJ #%lu, access status 0x%08lx, granted access 0x%08lx\n", i, AccessStatus[i], GrantedAccess[i]);
142 }
143 trace("\n");
144}

Referenced by DenyAccessTests(), and GrantedAccessTests().

◆ START_TEST()

Definition at line 687 of file NtAccessCheckByTypeResultList.c.

688{
692}
static VOID DenyAccessTests(VOID)
static VOID ParamValidationNoObjsList(VOID)
static VOID GrantedAccessTests(VOID)

Variable Documentation

◆ ChildObjectType

GUID ChildObjectType = {0x23456789, 0x2345, 0x6786, {0x2, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99}}
static

Definition at line 12 of file NtAccessCheckByTypeResultList.c.

Referenced by DenyAccessTests(), and GrantedAccessTests().

◆ NtAuthority

Definition at line 14 of file NtAccessCheckByTypeResultList.c.

Referenced by DenyAccessTests(), and GrantedAccessTests().

◆ ObjectType

GUID ObjectType = {0x12345678, 0x1234, 0x5678, {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}}
static

Definition at line 11 of file NtAccessCheckByTypeResultList.c.

Referenced by DenyAccessTests(), and GrantedAccessTests().

◆ RegMapping

◆ WorldAuthority