ReactOS 0.4.15-dev-7968-g24a56f8
Functions | Variables
NtAccessCheckByTypeResultList.c File Reference
#include "precomp.h"
Include dependency graph for NtAccessCheckByTypeResultList.c:

Go to the source code of this file.

Functions

static HANDLE GetTokenProcess (_In_ BOOLEAN WantImpersonateLevel, _In_ BOOLEAN WantImpersonateType)
 
static VOID ParamValidationNoObjsList (VOID)
 
static VOID PrintAccessStatusAndGrantedAccess (_In_ PNTSTATUS AccessStatus, _In_ PACCESS_MASK GrantedAccess, _In_ ULONG ObjectTypeListLength)
 
static VOID GrantedAccessTests (VOID)
 
static VOID DenyAccessTests (VOID)
 
 START_TEST (NtAccessCheckByTypeResultList)
 

Variables

static GENERIC_MAPPING RegMapping = {KEY_READ, KEY_WRITE, KEY_EXECUTE, KEY_ALL_ACCESS}
 
static GUID ObjectType = {0x12345678, 0x1234, 0x5678, {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}}
 
static GUID ChildObjectType = {0x23456789, 0x2345, 0x6786, {0x2, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99}}
 
static SID_IDENTIFIER_AUTHORITY WorldAuthority = {SECURITY_WORLD_SID_AUTHORITY}
 
static SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY}
 

Function Documentation

◆ DenyAccessTests()

static VOID DenyAccessTests ( VOID  )
static

Definition at line 433 of file NtAccessCheckByTypeResultList.c.

434{
435 NTSTATUS Status;
436 NTSTATUS AccessStatus[6];
437 ACCESS_MASK GrantedAccess[6];
438 PPRIVILEGE_SET PrivilegeSet = NULL;
439 ULONG PrivilegeSetLength;
440 HANDLE Token = NULL;
441 PACL Dacl = NULL;
442 ULONG DaclSize;
443 ULONG i;
444 SECURITY_DESCRIPTOR Sd;
445 OBJECT_TYPE_LIST ObjTypeList[6];
446 PSID EveryoneSid = NULL, AdminSid = NULL, UsersSid = NULL;
447 GUID ChildObjectType2 = {0x34578901, 0x3456, 0x7896, {0x3, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00}};
448 GUID ChildObjectType3 = {0x45678901, 0x4567, 0x1122, {0x4, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x01}};
449 GUID ChildObjectType4 = {0x56788901, 0x1111, 0x2222, {0x5, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x02}};
450 GUID ChildObjectType5 = {0x67901234, 0x2222, 0x3333, {0x4, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x03}};
451
452 /* Allocate all the stuff we need */
453 PrivilegeSetLength = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
454 PrivilegeSet = RtlAllocateHeap(RtlGetProcessHeap(), 0, PrivilegeSetLength);
455 if (PrivilegeSet == NULL)
456 {
457 skip("Failed to allocate PrivilegeSet, skipping tests\n");
458 return;
459 }
460
461 Status = RtlAllocateAndInitializeSid(&WorldAuthority,
462 1,
463 SECURITY_WORLD_RID,
464 0,
465 0,
466 0,
467 0,
468 0,
469 0,
470 0,
471 &EveryoneSid);
472 if (!NT_SUCCESS(Status))
473 {
474 skip("Failed to create Everyone SID, skipping tests\n");
475 goto Quit;
476 }
477
478 Status = RtlAllocateAndInitializeSid(&NtAuthority,
479 2,
480 SECURITY_BUILTIN_DOMAIN_RID,
481 DOMAIN_ALIAS_RID_ADMINS,
482 0,
483 0,
484 0,
485 0,
486 0,
487 0,
488 &AdminSid);
489 if (!NT_SUCCESS(Status))
490 {
491 skip("Failed to create Admins SID, skipping tests\n");
492 goto Quit;
493 }
494
495 Status = RtlAllocateAndInitializeSid(&NtAuthority,
496 2,
497 SECURITY_BUILTIN_DOMAIN_RID,
498 DOMAIN_ALIAS_RID_USERS,
499 0,
500 0,
501 0,
502 0,
503 0,
504 0,
505 &UsersSid);
506 if (!NT_SUCCESS(Status))
507 {
508 skip("Failed to create User SID, skipping tests\n");
509 goto Quit;
510 }
511
512 Token = GetTokenProcess(TRUE, TRUE);
513 if (Token == NULL)
514 {
515 skip("Failed to get token, skipping tests\n");
516 goto Quit;
517 }
518
519 Status = RtlCreateSecurityDescriptor(&Sd, SECURITY_DESCRIPTOR_REVISION);
520 if (!NT_SUCCESS(Status))
521 {
522 skip("Failed to create a security descriptor, skipping tests\n");
523 goto Quit;
524 }
525
526 DaclSize = sizeof(ACL) +
527 sizeof(ACCESS_DENIED_OBJECT_ACE) + RtlLengthSid(AdminSid) +
528 sizeof(ACCESS_DENIED_OBJECT_ACE) + RtlLengthSid(EveryoneSid) +
529 sizeof(ACCESS_ALLOWED_OBJECT_ACE) + RtlLengthSid(EveryoneSid);
530 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
531 HEAP_ZERO_MEMORY,
532 DaclSize);
533 if (Dacl == NULL)
534 {
535 skip("Failed to allocate memory for DACL, skipping tests\n");
536 goto Quit;
537 }
538
539 Status = RtlCreateAcl(Dacl,
540 DaclSize,
541 ACL_REVISION4);
542 if (!NT_SUCCESS(Status))
543 {
544 skip("Failed to create DACL, skipping tests\n");
545 goto Quit;
546 }
547
548 /*
549 * Admins can't read the main object, whereas everyone else can't write
550 * into the child object.
551 */
552 Status = RtlAddAccessDeniedObjectAce(Dacl,
553 ACL_REVISION4,
554 0,
555 KEY_READ,
556 &ObjectType,
557 NULL,
558 AdminSid);
559 if (!NT_SUCCESS(Status))
560 {
561 skip("Failed to add deny object ACE for Admins SID, skipping tests\n");
562 goto Quit;
563 }
564
565 Status = RtlAddAccessDeniedObjectAce(Dacl,
566 ACL_REVISION4,
567 0,
568 KEY_WRITE,
569 &ChildObjectType,
570 NULL,
571 EveryoneSid);
572 if (!NT_SUCCESS(Status))
573 {
574 skip("Failed to add deny object ACE for Everyone SID, skipping tests\n");
575 goto Quit;
576 }
577
578 /* Setup the descriptor */
579 RtlSetGroupSecurityDescriptor(&Sd, UsersSid, FALSE);
580 RtlSetOwnerSecurityDescriptor(&Sd, AdminSid, FALSE);
581 RtlSetDaclSecurityDescriptor(&Sd, TRUE, Dacl, FALSE);
582
583 /* Setup the object type list */
584 ObjTypeList[0].Level = ACCESS_OBJECT_GUID;
585 ObjTypeList[0].Sbz = 0;
586 ObjTypeList[0].ObjectType = &ObjectType;
587
588 ObjTypeList[1].Level = ACCESS_PROPERTY_SET_GUID;
589 ObjTypeList[1].Sbz = 0;
590 ObjTypeList[1].ObjectType = &ChildObjectType;
591
592 ObjTypeList[2].Level = ACCESS_PROPERTY_GUID;
593 ObjTypeList[2].Sbz = 0;
594 ObjTypeList[2].ObjectType = &ChildObjectType2;
595
596 ObjTypeList[3].Level = ACCESS_PROPERTY_GUID;
597 ObjTypeList[3].Sbz = 0;
598 ObjTypeList[3].ObjectType = &ChildObjectType3;
599
600 ObjTypeList[4].Level = ACCESS_PROPERTY_SET_GUID;
601 ObjTypeList[4].Sbz = 0;
602 ObjTypeList[4].ObjectType = &ChildObjectType4;
603
604 ObjTypeList[5].Level = ACCESS_PROPERTY_GUID;
605 ObjTypeList[5].Sbz = 0;
606 ObjTypeList[5].ObjectType = &ChildObjectType5;
607
608 /*
609 * Admins shouldn't be able to read from the main object.
610 * NtAccessCheckByTypeResultList will return partial rights
611 * that have been granted to the caller even if the caller
612 * did not get all the rights he wanted.
613 */
614 Status = NtAccessCheckByTypeResultList(&Sd,
615 NULL,
616 Token,
617 KEY_READ,
618 ObjTypeList,
619 RTL_NUMBER_OF(ObjTypeList),
620 &RegMapping,
621 PrivilegeSet,
622 &PrivilegeSetLength,
623 GrantedAccess,
624 AccessStatus);
625 ok_hex(Status, STATUS_SUCCESS);
626
627 PrintAccessStatusAndGrantedAccess(AccessStatus, GrantedAccess, RTL_NUMBER_OF(ObjTypeList));
628 for (i = 0; i < RTL_NUMBER_OF(ObjTypeList); i++)
629 {
630 ok(AccessStatus[i] == STATUS_ACCESS_DENIED, "Expected STATUS_ACCESS_DENIED but got 0x%08lx\n", AccessStatus[i]);
631 ok(GrantedAccess[i] == READ_CONTROL, "Expected READ_CONTROL as given partial right but got 0x%08lx\n", GrantedAccess[i]);
632 }
633
634 /* Everyone else can't write into the child object */
635 Status = NtAccessCheckByTypeResultList(&Sd,
636 NULL,
637 Token,
638 KEY_WRITE,
639 ObjTypeList,
640 RTL_NUMBER_OF(ObjTypeList),
641 &RegMapping,
642 PrivilegeSet,
643 &PrivilegeSetLength,
644 GrantedAccess,
645 AccessStatus);
646 ok_hex(Status, STATUS_SUCCESS);
647
648 PrintAccessStatusAndGrantedAccess(AccessStatus, GrantedAccess, RTL_NUMBER_OF(ObjTypeList));
649 for (i = 0; i < RTL_NUMBER_OF(ObjTypeList); i++)
650 {
651 ok(AccessStatus[i] == STATUS_ACCESS_DENIED, "Expected STATUS_ACCESS_DENIED but got 0x%08lx\n", AccessStatus[i]);
652 ok(GrantedAccess[i] == READ_CONTROL, "Expected READ_CONTROL as given partial right but got 0x%08lx\n", GrantedAccess[i]);
653 }
654
655Quit:
656 if (Dacl)
657 {
658 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
659 }
660
661 if (Token)
662 {
663 NtClose(Token);
664 }
665
666 if (UsersSid)
667 {
668 RtlFreeSid(UsersSid);
669 }
670
671 if (AdminSid)
672 {
673 RtlFreeSid(AdminSid);
674 }
675
676 if (EveryoneSid)
677 {
678 RtlFreeSid(EveryoneSid);
679 }
680
681 if (PrivilegeSet)
682 {
683 RtlFreeHeap(RtlGetProcessHeap(), 0, PrivilegeSet);
684 }
685}
WorldAuthority
static SID_IDENTIFIER_AUTHORITY WorldAuthority
Definition: NtAccessCheckByTypeResultList.c:13
PrintAccessStatusAndGrantedAccess
static VOID PrintAccessStatusAndGrantedAccess(_In_ PNTSTATUS AccessStatus, _In_ PACCESS_MASK GrantedAccess, _In_ ULONG ObjectTypeListLength)
Definition: NtAccessCheckByTypeResultList.c:131
GetTokenProcess
static HANDLE GetTokenProcess(_In_ BOOLEAN WantImpersonateLevel, _In_ BOOLEAN WantImpersonateType)
Definition: NtAccessCheckByTypeResultList.c:18
NtAuthority
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: NtAccessCheckByTypeResultList.c:14
RegMapping
static GENERIC_MAPPING RegMapping
Definition: NtAccessCheckByTypeResultList.c:10
ChildObjectType
static GUID ChildObjectType
Definition: NtAccessCheckByTypeResultList.c:12
ObjectType
static GUID ObjectType
Definition: NtAccessCheckByTypeResultList.c:11
RTL_NUMBER_OF
#define RTL_NUMBER_OF(x)
Definition: RtlRegistry.c:12
NtAccessCheckByTypeResultList
NTSTATUS NTAPI NtAccessCheckByTypeResultList(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus)
Determines whether security access can be granted to a client that requests such access on the object...
Definition: accesschk.c:2297
ok_hex
#define ok_hex(expression, result)
Definition: atltest.h:94
ok
#define ok(value,...)
Definition: atltest.h:57
skip
#define skip(...)
Definition: atltest.h:64
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
RtlAllocateHeap
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:590
RtlFreeHeap
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:608
NULL
#define NULL
Definition: types.h:112
TRUE
#define TRUE
Definition: types.h:120
FALSE
#define FALSE
Definition: types.h:117
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
HEAP_ZERO_MEMORY
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
Status
Status
Definition: gdiplustypes.h:25
i
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
RtlSetOwnerSecurityDescriptor
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)
RtlSetDaclSecurityDescriptor
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
ObjectType
ObjectType
Definition: metafile.c:81
ACCESS_ALLOWED_OBJECT_ACE
struct _ACCESS_ALLOWED_OBJECT_ACE ACCESS_ALLOWED_OBJECT_ACE
ACL
struct _ACL ACL
AdminSid
static PSID AdminSid
Definition: msgina.c:39
Dacl
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1593
RtlCreateAcl
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
RtlLengthSid
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
RtlCreateSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
RtlFreeSid
NTSYSAPI PVOID NTAPI RtlFreeSid(_In_ _Post_invalid_ PSID Sid)
DaclSize
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1594
RtlAddAccessDeniedObjectAce
NTSYSAPI NTSTATUS NTAPI RtlAddAccessDeniedObjectAce(_Inout_ PACL pAcl, _In_ ULONG dwAceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_opt_ GUID *ObjectTypeGuid, _In_opt_ GUID *InheritedObjectTypeGuid, _In_ PSID pSid)
ACCESS_MASK
ULONG ACCESS_MASK
Definition: nt_native.h:40
KEY_READ
#define KEY_READ
Definition: nt_native.h:1023
NtClose
NTSTATUS NTAPI NtClose(IN HANDLE Handle)
Definition: obhandle.c:3402
KEY_WRITE
#define KEY_WRITE
Definition: nt_native.h:1031
READ_CONTROL
#define READ_CONTROL
Definition: nt_native.h:58
RtlAllocateAndInitializeSid
NTSYSAPI NTSTATUS NTAPI RtlAllocateAndInitializeSid(IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount, IN ULONG SubAuthority0, IN ULONG SubAuthority1, IN ULONG SubAuthority2, IN ULONG SubAuthority3, IN ULONG SubAuthority4, IN ULONG SubAuthority5, IN ULONG SubAuthority6, IN ULONG SubAuthority7, OUT PSID *Sid)
Definition: sid.c:290
RtlSetGroupSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410
STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: shellext.h:65
_ACCESS_DENIED_OBJECT_ACE
Definition: setypes.h:777
_ACL
Definition: ms-dtyp.idl:293
_OBJECT_TYPE_LIST
Definition: setypes.h:856
_OBJECT_TYPE_LIST::Sbz
$USHORT Sbz
Definition: setypes.h:858
_OBJECT_TYPE_LIST::Level
$USHORT Level
Definition: setypes.h:857
_OBJECT_TYPE_LIST::ObjectType
GUID * ObjectType
Definition: setypes.h:859
_PRIVILEGE_SET
Definition: setypes.h:85
_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301
_SID
Definition: ms-dtyp.idl:198
FIELD_OFFSET
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
ULONG
uint32_t ULONG
Definition: typedefs.h:59
STATUS_ACCESS_DENIED
#define STATUS_ACCESS_DENIED
Definition: udferr_usr.h:145
Privilege
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
Definition: user_lib.cpp:531
AccessStatus
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:21
GrantedAccess
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:20
DOMAIN_ALIAS_RID_USERS
#define DOMAIN_ALIAS_RID_USERS
Definition: setypes.h:653
SECURITY_BUILTIN_DOMAIN_RID
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
SECURITY_WORLD_RID
#define SECURITY_WORLD_RID
Definition: setypes.h:541
ACL_REVISION4
#define ACL_REVISION4
Definition: setypes.h:45
SECURITY_DESCRIPTOR_REVISION
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
ACCESS_DENIED_OBJECT_ACE
struct _ACCESS_DENIED_OBJECT_ACE ACCESS_DENIED_OBJECT_ACE
ACCESS_PROPERTY_SET_GUID
#define ACCESS_PROPERTY_SET_GUID
Definition: setypes.h:863
DOMAIN_ALIAS_RID_ADMINS
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652
ACCESS_OBJECT_GUID
#define ACCESS_OBJECT_GUID
Definition: setypes.h:862
ACCESS_PROPERTY_GUID
#define ACCESS_PROPERTY_GUID
Definition: setypes.h:864

Referenced by START_TEST().

◆ GetTokenProcess()

static HANDLE GetTokenProcess ( _In_ BOOLEAN  WantImpersonateLevel,
_In_ BOOLEAN  WantImpersonateType 
)
static

Definition at line 18 of file NtAccessCheckByTypeResultList.c.

21{
22 NTSTATUS Status;
23 HANDLE Token;
24 HANDLE DuplicatedToken;
25 OBJECT_ATTRIBUTES ObjectAttributes;
26 SECURITY_QUALITY_OF_SERVICE Sqos;
27
28 Status = NtOpenProcessToken(NtCurrentProcess(),
29 TOKEN_QUERY | TOKEN_DUPLICATE,
30 &Token);
31 if (!NT_SUCCESS(Status))
32 {
33 trace("Failed to get current process token (Status 0x%08lx)\n", Status);
34 return NULL;
35 }
36
37 Sqos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
38 Sqos.ImpersonationLevel = WantImpersonateLevel ? SecurityImpersonation : SecurityAnonymous;
39 Sqos.ContextTrackingMode = 0;
40 Sqos.EffectiveOnly = FALSE;
41
42 InitializeObjectAttributes(&ObjectAttributes,
43 NULL,
44 0,
45 NULL,
46 NULL);
47 ObjectAttributes.SecurityQualityOfService = &Sqos;
48
49 Status = NtDuplicateToken(Token,
50 TOKEN_QUERY | TOKEN_DUPLICATE,
51 &ObjectAttributes,
52 FALSE,
53 WantImpersonateType ? TokenImpersonation : TokenPrimary,
54 &DuplicatedToken);
55 if (!NT_SUCCESS(Status))
56 {
57 trace("Failed to duplicate token (Status 0x%08lx)\n", Status);
58 NtClose(Token);
59 return NULL;
60 }
61
62 return DuplicatedToken;
63}
trace
#define trace
Definition: atltest.h:70
ObjectAttributes
IN PUNICODE_STRING IN POBJECT_ATTRIBUTES ObjectAttributes
Definition: conport.c:36
SecurityImpersonation
@ SecurityImpersonation
Definition: lsa.idl:57
SecurityAnonymous
@ SecurityAnonymous
Definition: lsa.idl:55
SECURITY_QUALITY_OF_SERVICE
struct _SECURITY_QUALITY_OF_SERVICE SECURITY_QUALITY_OF_SERVICE
TokenImpersonation
@ TokenImpersonation
Definition: imports.h:274
TokenPrimary
@ TokenPrimary
Definition: imports.h:273
InitializeObjectAttributes
#define InitializeObjectAttributes(p, n, a, r, s)
Definition: reg.c:106
NtCurrentProcess
#define NtCurrentProcess()
Definition: nt_native.h:1657
NtOpenProcessToken
NTSTATUS NTAPI NtOpenProcessToken(IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle)
Definition: security.c:350
_OBJECT_ATTRIBUTES
Definition: umtypes.h:182
_SECURITY_QUALITY_OF_SERVICE
Definition: lsa.idl:63
_SECURITY_QUALITY_OF_SERVICE::ContextTrackingMode
SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode
Definition: lsa.idl:66
_SECURITY_QUALITY_OF_SERVICE::EffectiveOnly
BOOLEAN EffectiveOnly
Definition: lsa.idl:67
_SECURITY_QUALITY_OF_SERVICE::Length
DWORD Length
Definition: lsa.idl:64
_SECURITY_QUALITY_OF_SERVICE::ImpersonationLevel
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: lsa.idl:65
NtDuplicateToken
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtDuplicateToken(_In_ HANDLE ExistingTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ BOOLEAN EffectiveOnly, _In_ TOKEN_TYPE TokenType, _Out_ PHANDLE NewTokenHandle)
Duplicates a token.
Definition: tokenlif.c:1869
TOKEN_DUPLICATE
#define TOKEN_DUPLICATE
Definition: setypes.h:926
TOKEN_QUERY
#define TOKEN_QUERY
Definition: setypes.h:928

Referenced by DenyAccessTests(), GrantedAccessTests(), and ParamValidationNoObjsList().

◆ GrantedAccessTests()

static VOID GrantedAccessTests ( VOID  )
static

Definition at line 148 of file NtAccessCheckByTypeResultList.c.

149{
150 NTSTATUS Status;
151 NTSTATUS AccessStatus[6];
152 ACCESS_MASK GrantedAccess[6];
153 PPRIVILEGE_SET PrivilegeSet = NULL;
154 ULONG PrivilegeSetLength;
155 HANDLE Token = NULL;
156 PACL Dacl = NULL;
157 ULONG DaclSize;
158 ULONG i;
159 SECURITY_DESCRIPTOR Sd;
160 OBJECT_TYPE_LIST ObjTypeList[6];
161 PSID EveryoneSid = NULL, AdminSid = NULL, UsersSid = NULL;
162 GUID ChildObjectType2 = {0x34578901, 0x3456, 0x7896, {0x3, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00}};
163 GUID ChildObjectType3 = {0x45678901, 0x4567, 0x1122, {0x4, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x01}};
164 GUID ChildObjectType4 = {0x56788901, 0x1111, 0x2222, {0x5, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x02}};
165 GUID ChildObjectType5 = {0x67901234, 0x2222, 0x3333, {0x4, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x03}};
166
167 /* Allocate all the stuff we need */
168 PrivilegeSetLength = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
169 PrivilegeSet = RtlAllocateHeap(RtlGetProcessHeap(), 0, PrivilegeSetLength);
170 if (PrivilegeSet == NULL)
171 {
172 skip("Failed to allocate PrivilegeSet, skipping tests\n");
173 return;
174 }
175
176 Status = RtlAllocateAndInitializeSid(&WorldAuthority,
177 1,
178 SECURITY_WORLD_RID,
179 0,
180 0,
181 0,
182 0,
183 0,
184 0,
185 0,
186 &EveryoneSid);
187 if (!NT_SUCCESS(Status))
188 {
189 skip("Failed to create Everyone SID, skipping tests\n");
190 goto Quit;
191 }
192
193 Status = RtlAllocateAndInitializeSid(&NtAuthority,
194 2,
195 SECURITY_BUILTIN_DOMAIN_RID,
196 DOMAIN_ALIAS_RID_ADMINS,
197 0,
198 0,
199 0,
200 0,
201 0,
202 0,
203 &AdminSid);
204 if (!NT_SUCCESS(Status))
205 {
206 skip("Failed to create Admins SID, skipping tests\n");
207 goto Quit;
208 }
209
210 Status = RtlAllocateAndInitializeSid(&NtAuthority,
211 2,
212 SECURITY_BUILTIN_DOMAIN_RID,
213 DOMAIN_ALIAS_RID_USERS,
214 0,
215 0,
216 0,
217 0,
218 0,
219 0,
220 &UsersSid);
221 if (!NT_SUCCESS(Status))
222 {
223 skip("Failed to create User SID, skipping tests\n");
224 goto Quit;
225 }
226
227 Token = GetTokenProcess(TRUE, TRUE);
228 if (Token == NULL)
229 {
230 skip("Failed to get token, skipping tests\n");
231 goto Quit;
232 }
233
234 Status = RtlCreateSecurityDescriptor(&Sd, SECURITY_DESCRIPTOR_REVISION);
235 if (!NT_SUCCESS(Status))
236 {
237 skip("Failed to create a security descriptor, skipping tests\n");
238 goto Quit;
239 }
240
241 DaclSize = sizeof(ACL) +
242 sizeof(ACCESS_ALLOWED_OBJECT_ACE) + RtlLengthSid(AdminSid) +
243 sizeof(ACCESS_ALLOWED_OBJECT_ACE) + RtlLengthSid(EveryoneSid) +
244 sizeof(ACCESS_ALLOWED_OBJECT_ACE) + RtlLengthSid(EveryoneSid);
245 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
246 HEAP_ZERO_MEMORY,
247 DaclSize);
248 if (Dacl == NULL)
249 {
250 skip("Failed to allocate memory for DACL, skipping tests\n");
251 goto Quit;
252 }
253
254 Status = RtlCreateAcl(Dacl,
255 DaclSize,
256 ACL_REVISION4);
257 if (!NT_SUCCESS(Status))
258 {
259 skip("Failed to create DACL, skipping tests\n");
260 goto Quit;
261 }
262
263 /*
264 * Admins have full access over the key object, everyone else can only read from
265 * it and can only query the value from the child sub-object.
266 */
267 Status = RtlAddAccessAllowedObjectAce(Dacl,
268 ACL_REVISION4,
269 0,
270 KEY_ALL_ACCESS,
271 &ObjectType,
272 NULL,
273 AdminSid);
274 if (!NT_SUCCESS(Status))
275 {
276 skip("Failed to add allowed object ACE for Admins SID, skipping tests\n");
277 goto Quit;
278 }
279
280 Status = RtlAddAccessAllowedObjectAce(Dacl,
281 ACL_REVISION4,
282 0,
283 KEY_READ,
284 &ObjectType,
285 NULL,
286 EveryoneSid);
287 if (!NT_SUCCESS(Status))
288 {
289 skip("Failed to add allowed object ACE for Everyone SID, skipping tests\n");
290 goto Quit;
291 }
292
293 Status = RtlAddAccessAllowedObjectAce(Dacl,
294 ACL_REVISION4,
295 0,
296 KEY_QUERY_VALUE,
297 &ChildObjectType,
298 NULL,
299 EveryoneSid);
300 if (!NT_SUCCESS(Status))
301 {
302 skip("Failed to add allowed object ACE for Everyone SID, skipping tests\n");
303 goto Quit;
304 }
305
306 /* Setup the descriptor */
307 RtlSetGroupSecurityDescriptor(&Sd, UsersSid, FALSE);
308 RtlSetOwnerSecurityDescriptor(&Sd, AdminSid, FALSE);
309 RtlSetDaclSecurityDescriptor(&Sd, TRUE, Dacl, FALSE);
310
311 /* Setup the object type list */
312 ObjTypeList[0].Level = ACCESS_OBJECT_GUID;
313 ObjTypeList[0].Sbz = 0;
314 ObjTypeList[0].ObjectType = &ObjectType;
315
316 ObjTypeList[1].Level = ACCESS_PROPERTY_SET_GUID;
317 ObjTypeList[1].Sbz = 0;
318 ObjTypeList[1].ObjectType = &ChildObjectType;
319
320 ObjTypeList[2].Level = ACCESS_PROPERTY_GUID;
321 ObjTypeList[2].Sbz = 0;
322 ObjTypeList[2].ObjectType = &ChildObjectType2;
323
324 ObjTypeList[3].Level = ACCESS_PROPERTY_GUID;
325 ObjTypeList[3].Sbz = 0;
326 ObjTypeList[3].ObjectType = &ChildObjectType3;
327
328 ObjTypeList[4].Level = ACCESS_PROPERTY_SET_GUID;
329 ObjTypeList[4].Sbz = 0;
330 ObjTypeList[4].ObjectType = &ChildObjectType4;
331
332 ObjTypeList[5].Level = ACCESS_PROPERTY_GUID;
333 ObjTypeList[5].Sbz = 0;
334 ObjTypeList[5].ObjectType = &ChildObjectType5;
335
336 /* Admins should be granted every access */
337 Status = NtAccessCheckByTypeResultList(&Sd,
338 NULL,
339 Token,
340 MAXIMUM_ALLOWED,
341 ObjTypeList,
342 RTL_NUMBER_OF(ObjTypeList),
343 &RegMapping,
344 PrivilegeSet,
345 &PrivilegeSetLength,
346 GrantedAccess,
347 AccessStatus);
348 ok_hex(Status, STATUS_SUCCESS);
349
350 PrintAccessStatusAndGrantedAccess(AccessStatus, GrantedAccess, RTL_NUMBER_OF(ObjTypeList));
351 for (i = 0; i < RTL_NUMBER_OF(ObjTypeList); i++)
352 {
353 ok(AccessStatus[i] == STATUS_SUCCESS, "Expected STATUS_SUCCESS but got 0x%08lx\n", AccessStatus[i]);
354 ok(GrantedAccess[i] == KEY_ALL_ACCESS, "Expected KEY_ALL_ACCESS but got 0x%08lx\n", GrantedAccess[i]);
355 }
356
357 /* Everyone else can only read */
358 Status = NtAccessCheckByTypeResultList(&Sd,
359 NULL,
360 Token,
361 KEY_READ,
362 ObjTypeList,
363 RTL_NUMBER_OF(ObjTypeList),
364 &RegMapping,
365 PrivilegeSet,
366 &PrivilegeSetLength,
367 GrantedAccess,
368 AccessStatus);
369 ok_hex(Status, STATUS_SUCCESS);
370
371 PrintAccessStatusAndGrantedAccess(AccessStatus, GrantedAccess, RTL_NUMBER_OF(ObjTypeList));
372 for (i = 0; i < RTL_NUMBER_OF(ObjTypeList); i++)
373 {
374 ok(AccessStatus[i] == STATUS_SUCCESS, "Expected STATUS_SUCCESS but got 0x%08lx\n", AccessStatus[i]);
375 ok(GrantedAccess[i] == KEY_READ, "Expected KEY_READ but got 0x%08lx\n", GrantedAccess[i]);
376 }
377
378 /* Everyone else can only query a registry value from the child object */
379 Status = NtAccessCheckByTypeResultList(&Sd,
380 NULL,
381 Token,
382 KEY_QUERY_VALUE,
383 ObjTypeList,
384 RTL_NUMBER_OF(ObjTypeList),
385 &RegMapping,
386 PrivilegeSet,
387 &PrivilegeSetLength,
388 GrantedAccess,
389 AccessStatus);
390 ok_hex(Status, STATUS_SUCCESS);
391
392 PrintAccessStatusAndGrantedAccess(AccessStatus, GrantedAccess, RTL_NUMBER_OF(ObjTypeList));
393 for (i = 0; i < RTL_NUMBER_OF(ObjTypeList); i++)
394 {
395 ok(AccessStatus[i] == STATUS_SUCCESS, "Expected STATUS_SUCCESS but got 0x%08lx\n", AccessStatus[i]);
396 ok(GrantedAccess[i] == KEY_QUERY_VALUE, "Expected KEY_QUERY_VALUE but got 0x%08lx\n", GrantedAccess[i]);
397 }
398
399Quit:
400 if (Dacl)
401 {
402 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
403 }
404
405 if (Token)
406 {
407 NtClose(Token);
408 }
409
410 if (UsersSid)
411 {
412 RtlFreeSid(UsersSid);
413 }
414
415 if (AdminSid)
416 {
417 RtlFreeSid(AdminSid);
418 }
419
420 if (EveryoneSid)
421 {
422 RtlFreeSid(EveryoneSid);
423 }
424
425 if (PrivilegeSet)
426 {
427 RtlFreeHeap(RtlGetProcessHeap(), 0, PrivilegeSet);
428 }
429}
RtlAddAccessAllowedObjectAce
NTSYSAPI NTSTATUS NTAPI RtlAddAccessAllowedObjectAce(_Inout_ PACL pAcl, _In_ ULONG dwAceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_opt_ GUID *ObjectTypeGuid, _In_opt_ GUID *InheritedObjectTypeGuid, _In_ PSID pSid)
KEY_ALL_ACCESS
#define KEY_ALL_ACCESS
Definition: nt_native.h:1041
KEY_QUERY_VALUE
#define KEY_QUERY_VALUE
Definition: nt_native.h:1016
MAXIMUM_ALLOWED
#define MAXIMUM_ALLOWED
Definition: nt_native.h:83
_ACCESS_ALLOWED_OBJECT_ACE
Definition: ms-dtyp.idl:221

Referenced by START_TEST().

◆ ParamValidationNoObjsList()

static VOID ParamValidationNoObjsList ( VOID  )
static

Definition at line 67 of file NtAccessCheckByTypeResultList.c.

68{
69 NTSTATUS Status;
70 NTSTATUS AccessStatus;
71 ACCESS_MASK GrantedAccess;
72 PPRIVILEGE_SET PrivilegeSet = NULL;
73 ULONG PrivilegeSetLength;
74 HANDLE Token = NULL;
75 SECURITY_DESCRIPTOR Sd;
76
77 PrivilegeSetLength = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
78 PrivilegeSet = RtlAllocateHeap(RtlGetProcessHeap(), 0, PrivilegeSetLength);
79 if (PrivilegeSet == NULL)
80 {
81 skip("Failed to allocate PrivilegeSet, skipping tests\n");
82 goto Quit;
83 }
84
85 Token = GetTokenProcess(TRUE, TRUE);
86 if (Token == NULL)
87 {
88 skip("Failed to get token, skipping tests\n");
89 goto Quit;
90 }
91
92 Status = RtlCreateSecurityDescriptor(&Sd, SECURITY_DESCRIPTOR_REVISION);
93 if (!NT_SUCCESS(Status))
94 {
95 skip("Failed to create a security descriptor, skipping tests\n");
96 goto Quit;
97 }
98
99 RtlSetGroupSecurityDescriptor(&Sd, NULL, FALSE);
100 RtlSetOwnerSecurityDescriptor(&Sd, NULL, FALSE);
101 RtlSetDaclSecurityDescriptor(&Sd, FALSE, NULL, FALSE);
102
103 /* The function expects an object type list */
104 Status = NtAccessCheckByTypeResultList(&Sd,
105 NULL,
106 Token,
107 MAXIMUM_ALLOWED,
108 NULL,
109 0,
110 &RegMapping,
111 PrivilegeSet,
112 &PrivilegeSetLength,
113 &GrantedAccess,
114 &AccessStatus);
115 ok_hex(Status, STATUS_INVALID_PARAMETER);
116
117Quit:
118 if (Token)
119 {
120 NtClose(Token);
121 }
122
123 if (PrivilegeSet)
124 {
125 RtlFreeHeap(RtlGetProcessHeap(), 0, PrivilegeSet);
126 }
127}
STATUS_INVALID_PARAMETER
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135

Referenced by START_TEST().

◆ PrintAccessStatusAndGrantedAccess()

static VOID PrintAccessStatusAndGrantedAccess ( _In_ PNTSTATUS  AccessStatus,
_In_ PACCESS_MASK  GrantedAccess,
_In_ ULONG  ObjectTypeListLength 
)
static

Definition at line 131 of file NtAccessCheckByTypeResultList.c.

135{
136 ULONG i;
137
138 trace("===== OBJECT ACCESS & STATUS LIST =====\n");
139 for (i = 0; i < ObjectTypeListLength; i++)
140 {
141 trace("OBJ #%lu, access status 0x%08lx, granted access 0x%08lx\n", i, AccessStatus[i], GrantedAccess[i]);
142 }
143 trace("\n");
144}

Referenced by DenyAccessTests(), and GrantedAccessTests().

◆ START_TEST()

START_TEST ( NtAccessCheckByTypeResultList  )

Definition at line 687 of file NtAccessCheckByTypeResultList.c.

688{
689 ParamValidationNoObjsList();
690 GrantedAccessTests();
691 DenyAccessTests();
692}
DenyAccessTests
static VOID DenyAccessTests(VOID)
Definition: NtAccessCheckByTypeResultList.c:433
ParamValidationNoObjsList
static VOID ParamValidationNoObjsList(VOID)
Definition: NtAccessCheckByTypeResultList.c:67
GrantedAccessTests
static VOID GrantedAccessTests(VOID)
Definition: NtAccessCheckByTypeResultList.c:148

Variable Documentation

◆ ChildObjectType

GUID ChildObjectType = {0x23456789, 0x2345, 0x6786, {0x2, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99}}
static

Definition at line 12 of file NtAccessCheckByTypeResultList.c.

Referenced by DenyAccessTests(), and GrantedAccessTests().

◆ NtAuthority

SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY}
static

Definition at line 14 of file NtAccessCheckByTypeResultList.c.

Referenced by DenyAccessTests(), and GrantedAccessTests().

◆ ObjectType

GUID ObjectType = {0x12345678, 0x1234, 0x5678, {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}}
static

Definition at line 11 of file NtAccessCheckByTypeResultList.c.

Referenced by DenyAccessTests(), and GrantedAccessTests().

◆ RegMapping

GENERIC_MAPPING RegMapping = {KEY_READ, KEY_WRITE, KEY_EXECUTE, KEY_ALL_ACCESS}
static

Definition at line 10 of file NtAccessCheckByTypeResultList.c.

Referenced by DenyAccessTests(), GrantedAccessTests(), and ParamValidationNoObjsList().

◆ WorldAuthority

SID_IDENTIFIER_AUTHORITY WorldAuthority = {SECURITY_WORLD_SID_AUTHORITY}
static

Definition at line 13 of file NtAccessCheckByTypeResultList.c.

Referenced by DenyAccessTests(), and GrantedAccessTests().