#include <stdarg.h>#include <stdio.h>#include "ntstatus.h"#include "windef.h"#include "winbase.h"#include "winerror.h"#include "winternl.h"#include "aclapi.h"#include "winnt.h"#include "sddl.h"#include "ntsecapi.h"#include "lmcons.h"#include "wine/test.h"
Include dependency graph for security.c:
Go to the source code of this file.
Classes | |
| struct | NameToLUID |
| union | _MAX_SID |
| struct | well_known_sid_value |
Typedefs | |
| typedef union _MAX_SID | MAX_SID |
Macro Definition Documentation
◆ CHECK_ONE_OF_AND_FREE
| #define CHECK_ONE_OF_AND_FREE | ( | exp_str1, | |
| exp_str2 | |||
| ) |
Value:
ok(strcmp(string, (exp_str1)) == 0 || strcmp(string, (exp_str2)) == 0, "String mismatch (expected\n\"%s\" or\n\"%s\", got\n\"%s\")\n", (exp_str1), (exp_str2), string); \
ok(len >= (strlen(exp_str1) + 1) || len >= (strlen(exp_str2) + 1), "Length mismatch (expected %d or %d, got %d)\n", lstrlenA(exp_str1) + 1, lstrlenA(exp_str2) + 1, len); \
LocalFree(string);
◆ CHECK_RESULT_AND_FREE
| #define CHECK_RESULT_AND_FREE | ( | exp_str | ) |
◆ CHECK_SET_SECURITY
Value:
do{ \
BOOL res_; \
SetLastError( 0xdeadbeef ); \
err = GetLastError(); \
if (e == ERROR_SUCCESS) \
ok(res_, "SetKernelObjectSecurity failed with %d\n", err); \
else \
}while(0)
BOOL WINAPI SetKernelObjectSecurity(HANDLE Handle, SECURITY_INFORMATION SecurityInformation, PSECURITY_DESCRIPTOR SecurityDescriptor)
Definition: security.c:1727
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:191
Definition at line 2895 of file security.c.
◆ EVENT_QUERY_STATE
| #define EVENT_QUERY_STATE 0x0001 |
Definition at line 53 of file security.c.
◆ expect_eq
| #define expect_eq | ( | expr, | |
| value, | |||
| type, | |||
| format | |||
| ) | { type ret_ = expr; ok((value) == ret_, #expr " expected " format " got " format "\n", (value), (ret_)); } |
Definition at line 68 of file security.c.
◆ GetCurrentProcessToken
Definition at line 40 of file security.c.
◆ GetCurrentThreadEffectiveToken
Definition at line 42 of file security.c.
◆ GetCurrentThreadToken
Definition at line 41 of file security.c.
◆ PROCESS_ALL_ACCESS_NT4
| #define PROCESS_ALL_ACCESS_NT4 (PROCESS_ALL_ACCESS & ~0xf000) |
Definition at line 49 of file security.c.
◆ PROCESS_ALL_ACCESS_VISTA
| #define PROCESS_ALL_ACCESS_VISTA (PROCESS_ALL_ACCESS | 0xf000) |
Definition at line 50 of file security.c.
◆ PROCESS_QUERY_LIMITED_INFORMATION
| #define PROCESS_QUERY_LIMITED_INFORMATION 0x1000 |
Definition at line 45 of file security.c.
◆ SE_ASSIGNPRIMARYTOKEN_PRIVILEGE
Definition at line 657 of file security.c.
◆ SE_AUDIT_PRIVILEGE
Definition at line 675 of file security.c.
◆ SE_BACKUP_PRIVILEGE
Definition at line 671 of file security.c.
◆ SE_CHANGE_NOTIFY_PRIVILEGE
Definition at line 677 of file security.c.
◆ SE_CREATE_GLOBAL_PRIVILEGE
| #define SE_CREATE_GLOBAL_PRIVILEGE 30L |
Definition at line 684 of file security.c.
◆ SE_CREATE_PAGEFILE_PRIVILEGE
Definition at line 669 of file security.c.
◆ SE_CREATE_PERMANENT_PRIVILEGE
Definition at line 670 of file security.c.
◆ SE_CREATE_TOKEN_PRIVILEGE
Definition at line 656 of file security.c.
◆ SE_DEBUG_PRIVILEGE
| #define SE_DEBUG_PRIVILEGE 20L |
Definition at line 674 of file security.c.
◆ SE_ENABLE_DELEGATION_PRIVILEGE
Definition at line 681 of file security.c.
◆ SE_IMPERSONATE_PRIVILEGE
Definition at line 683 of file security.c.
◆ SE_INC_BASE_PRIORITY_PRIVILEGE
Definition at line 668 of file security.c.
◆ SE_INCREASE_QUOTA_PRIVILEGE
Definition at line 659 of file security.c.
◆ SE_LOAD_DRIVER_PRIVILEGE
| #define SE_LOAD_DRIVER_PRIVILEGE 10L |
Definition at line 664 of file security.c.
◆ SE_LOCK_MEMORY_PRIVILEGE
Definition at line 658 of file security.c.
◆ SE_MACHINE_ACCOUNT_PRIVILEGE
Definition at line 660 of file security.c.
◆ SE_MANAGE_VOLUME_PRIVILEGE
Definition at line 682 of file security.c.
◆ SE_MAX_WELL_KNOWN_PRIVILEGE
| #define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_GLOBAL_PRIVILEGE |
Definition at line 685 of file security.c.
◆ SE_MIN_WELL_KNOWN_PRIVILEGE
Definition at line 655 of file security.c.
◆ SE_PROF_SINGLE_PROCESS_PRIVILEGE
Definition at line 667 of file security.c.
◆ SE_REMOTE_SHUTDOWN_PRIVILEGE
Definition at line 678 of file security.c.
◆ SE_RESTORE_PRIVILEGE
Definition at line 672 of file security.c.
◆ SE_SECURITY_PRIVILEGE
Definition at line 662 of file security.c.
◆ SE_SHUTDOWN_PRIVILEGE
Definition at line 673 of file security.c.
◆ SE_SYNC_AGENT_PRIVILEGE
Definition at line 680 of file security.c.
◆ SE_SYSTEM_ENVIRONMENT_PRIVILEGE
Definition at line 676 of file security.c.
◆ SE_SYSTEM_PROFILE_PRIVILEGE
Definition at line 665 of file security.c.
◆ SE_SYSTEMTIME_PRIVILEGE
Definition at line 666 of file security.c.
◆ SE_TAKE_OWNERSHIP_PRIVILEGE
Definition at line 663 of file security.c.
◆ SE_TCB_PRIVILEGE
Definition at line 661 of file security.c.
◆ SE_UNDOCK_PRIVILEGE
Definition at line 679 of file security.c.
◆ SEMAPHORE_QUERY_STATE
| #define SEMAPHORE_QUERY_STATE 0x0001 |
Definition at line 57 of file security.c.
◆ SID_SLOTS
| #define SID_SLOTS 4 |
Definition at line 147 of file security.c.
◆ TEST_GRANTED_ACCESS
Definition at line 2869 of file security.c.
◆ TEST_GRANTED_ACCESS2
Definition at line 2870 of file security.c.
◆ THREAD_ALL_ACCESS_NT4
| #define THREAD_ALL_ACCESS_NT4 (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3ff) |
Definition at line 65 of file security.c.
◆ THREAD_ALL_ACCESS_VISTA
| #define THREAD_ALL_ACCESS_VISTA (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xffff) |
Definition at line 66 of file security.c.
◆ THREAD_QUERY_LIMITED_INFORMATION
| #define THREAD_QUERY_LIMITED_INFORMATION 0x0800 |
Definition at line 62 of file security.c.
◆ THREAD_SET_LIMITED_INFORMATION
| #define THREAD_SET_LIMITED_INFORMATION 0x0400 |
Definition at line 61 of file security.c.
◆ WIN32_NO_STATUS
| #define WIN32_NO_STATUS |
Definition at line 26 of file security.c.
◆ WINE_TEST_PIPE
| #define WINE_TEST_PIPE "\\\\.\\pipe\\WineTestPipe" |
Definition at line 5867 of file security.c.
Typedef Documentation
◆ MAX_SID
Function Documentation
◆ BOOL()
◆ check_wellknown_name()
|
static |
Definition at line 2490 of file security.c.
2491{
2496
2497 DWORD sid_size, domain_size;
2498 SID_NAME_USE sid_use;
2500 PSID psid;
2502
2503 sid_size = 0;
2504 domain_size = 0;
2510
2512 {
2515 }
2516
2517 AllocateAndInitializeSid(&ident, 6, SECURITY_NT_NON_UNIQUE, 12, 23, 34, 45, 56, 0, 0, &domainsid);
2520 {
2523 }
2524
2525 ret2 = get_sid_info(wk_sid, &wk_account, &wk_domain);
2527 {
2530 }
2531
2533
2536
2539
2543
2544cleanup:
2545 FreeSid(domainsid);
2548}
BOOL WINAPI LookupAccountNameA(LPCSTR SystemName, LPCSTR AccountName, PSID Sid, LPDWORD SidLength, LPSTR ReferencedDomainName, LPDWORD hReferencedDomainNameLength, PSID_NAME_USE SidNameUse)
Definition: security.c:1811
BOOL WINAPI AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID *pSid)
Definition: security.c:676
enum _SID_NAME_USE SID_NAME_USE
Definition: ms-dtyp.idl:194
Definition: ms-dtyp.idl:198
Definition: cookie.c:42
Referenced by test_LookupAccountName().
◆ debugstr_sid()
Definition at line 150 of file security.c.
151{
152 LPSTR sidstr;
156
160 {
163 LocalFree(sidstr);
164 }
165 else
166 {
168 LocalFree(sidstr);
169 }
170 /* Restore the last error in case ConvertSidToStringSidA() modified it */
171 SetLastError(le);
173}
BOOL WINAPI ConvertSidToStringSidA(PSID Sid, LPSTR *StringSid)
Definition: security.c:3436
◆ DWORD()
◆ get_nt_pathW()
|
static |
Definition at line 3548 of file security.c.
3549{
3554
3556
3559
3562
3563 pRtlFreeUnicodeString(&strW);
3564}
Definition: env_spec_w32.h:375
Definition: env_spec_w32.h:368
Referenced by test_CreateDirectoryA().
◆ get_obj_access()
|
static |
Definition at line 5690 of file security.c.
5691{
5694
5695 if (!pNtQueryObject) return 0;
5696
5699
5701}
Definition: winternl.h:1249
Definition: notification.c:61
Definition: usrmarshal.c:1272
Referenced by test_event_security(), test_file_security(), test_filemap_security(), test_maximum_allowed(), test_mutex_security(), test_named_pipe_security(), test_process_access(), test_semaphore_security(), and test_thread_security().
◆ get_sid_info()
Definition at line 2473 of file security.c.
2474{
2478 SID_NAME_USE use;
2479
2481 *dom = domain;
2482
2486 SetLastError(0xdeadbeef);
2488}
BOOL WINAPI LookupAccountSidA(LPCSTR lpSystemName, PSID lpSid, LPSTR lpName, LPDWORD cchName, LPSTR lpReferencedDomainName, LPDWORD cchReferencedDomainName, PSID_NAME_USE peUse)
Definition: misc.c:405
Referenced by check_wellknown_name(), and test_LookupAccountName().
◆ init()
Definition at line 175 of file security.c.
176{
178
188
195 pConvertStringSecurityDescriptorToSecurityDescriptorA =
197 pConvertStringSecurityDescriptorToSecurityDescriptorW =
199 pConvertSecurityDescriptorToStringSecurityDescriptorA =
223
225}
HMODULE WINAPI DECLSPEC_HOTPATCH GetModuleHandleA(LPCSTR lpModuleName)
Definition: loader.c:812
Definition: nsiface.idl:2307
int winetest_get_mainargs(char ***pargv)
Referenced by START_TEST().
◆ LPSTR()
◆ NTSTATUS()
◆ PDWORD()
◆ PSID_IDENTIFIER_AUTHORITY()
|
static |
◆ PUCHAR()
◆ START_TEST()
| START_TEST | ( | security | ) |
Definition at line 8135 of file security.c.
8136{
8137 init();
8139
8141 {
8143 test_child_token_sd();
8145 test_child_token_sd_restricted();
8147 test_child_token_sd_medium();
8148 else
8149 test_process_security_child();
8150 return;
8151 }
8152 test_kernel_objects_security();
8153 test_sid();
8154 test_trustee();
8155 test_luid();
8156 test_CreateWellKnownSid();
8157 test_FileSecurity();
8158 test_AccessCheck();
8159 test_token_attr();
8160 test_GetTokenInformation();
8161 test_LookupAccountSid();
8162 test_LookupAccountName();
8163 test_security_descriptor();
8164 test_process_security();
8165 test_impersonation_level();
8166 test_SetEntriesInAclW();
8167 test_SetEntriesInAclA();
8168 test_CreateDirectoryA();
8169 test_GetNamedSecurityInfoA();
8172 test_PrivateObjectSecurity();
8173 test_acls();
8174 test_GetWindowsAccountDomainSid();
8175 test_GetSecurityInfo();
8176 test_GetSidSubAuthority();
8177 test_CheckTokenMembership();
8178 test_EqualSid();
8179 test_GetUserNameA();
8180 test_GetUserNameW();
8181 test_CreateRestrictedToken();
8182 test_TokenIntegrityLevel();
8183 test_default_dacl_owner_sid();
8184 test_AdjustTokenPrivileges();
8185 test_AddAce();
8186 test_AddMandatoryAce();
8187 test_system_security_access();
8188 test_GetSidIdentifierAuthority();
8189 test_pseudo_tokens();
8190 test_maximum_allowed();
8191 test_token_label();
8192 test_GetExplicitEntriesFromAclW();
8193 test_BuildSecurityDescriptorW();
8194
8195 /* Must be the last test, modifies process token */
8196 test_token_security_descriptor();
8197}
static void test_GetSidIdentifierAuthority(void)
Definition: security.c:7100
static void test_GetExplicitEntriesFromAclW(void)
Definition: security.c:7958
static void test_kernel_objects_security(void)
Definition: security.c:6440
static void test_GetWindowsAccountDomainSid(void)
Definition: security.c:7020
static void test_ConvertStringSecurityDescriptor(void)
Definition: security.c:4380
static void test_token_security_descriptor(void)
Definition: security.c:7298
static void test_ConvertSecurityDescriptorToString(void)
Definition: security.c:4527
static void test_child_token_sd_restricted(void)
Definition: security.c:7848
static void test_BuildSecurityDescriptorW(void)
Definition: security.c:8097
◆ test_AccessCheck()
Definition at line 1228 of file security.c.
1229{
1236 ACCESS_MASK Access;
1239 HANDLE ProcessToken;
1241 DWORD PrivSetLen;
1242 PRIVILEGE_SET *PrivSet;
1244 HMODULE NtDllModule;
1247 NTSTATUS ntret, ntAccessStatus;
1248
1250 if (!NtDllModule)
1251 {
1253 return;
1254 }
1256 if (!pRtlAdjustPrivilege)
1257 {
1259 return;
1260 }
1261
1265 {
1268 return;
1269 }
1271
1272 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
1274
1278
1280 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
1282
1284
1287
1290
1293 PrivSet->PrivilegeCount = 16;
1294
1297
1299
1302
1303 /* SD without owner/group */
1304 SetLastError(0xdeadbeef);
1305 Access = AccessStatus = 0x1abe11ed;
1307 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1312 "Access and/or AccessStatus were changed!\n");
1313
1314 /* Set owner and group */
1319
1320 /* Generic access mask */
1321 SetLastError(0xdeadbeef);
1322 Access = AccessStatus = 0x1abe11ed;
1324 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1329 "Access and/or AccessStatus were changed!\n");
1330
1331 /* Generic access mask - no privilegeset buffer */
1332 SetLastError(0xdeadbeef);
1333 Access = AccessStatus = 0x1abe11ed;
1340 "Access and/or AccessStatus were changed!\n");
1341
1342 /* Generic access mask - no returnlength */
1343 SetLastError(0xdeadbeef);
1344 Access = AccessStatus = 0x1abe11ed;
1351 "Access and/or AccessStatus were changed!\n");
1352
1353 /* Generic access mask - no privilegeset buffer, no returnlength */
1354 SetLastError(0xdeadbeef);
1355 Access = AccessStatus = 0x1abe11ed;
1362 "Access and/or AccessStatus were changed!\n");
1363
1364 /* sd with no dacl present */
1365 Access = AccessStatus = 0x1abe11ed;
1369 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1372 "AccessCheck failed to grant access with error %d\n",
1373 GetLastError());
1374
1375 /* sd with no dacl present - no privilegeset buffer */
1376 SetLastError(0xdeadbeef);
1377 Access = AccessStatus = 0x1abe11ed;
1384 "Access and/or AccessStatus were changed!\n");
1385
1386 if(pNtAccessCheck)
1387 {
1388 /* Generic access mask - no privilegeset buffer */
1389 SetLastError(0xdeadbeef);
1390 Access = ntAccessStatus = 0x1abe11ed;
1392 NULL, &PrivSetLen, &Access, &ntAccessStatus);
1395 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1398 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1399 "Access and/or AccessStatus were changed!\n");
1400
1401 /* Generic access mask - no returnlength */
1402 SetLastError(0xdeadbeef);
1403 Access = ntAccessStatus = 0x1abe11ed;
1405 PrivSet, NULL, &Access, &ntAccessStatus);
1408 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1411 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1412 "Access and/or AccessStatus were changed!\n");
1413
1414 /* Generic access mask - no privilegeset buffer, no returnlength */
1415 SetLastError(0xdeadbeef);
1416 Access = ntAccessStatus = 0x1abe11ed;
1421 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1424 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1425 "Access and/or AccessStatus were changed!\n");
1426 }
1427 else
1429
1430 /* sd with NULL dacl */
1431 Access = AccessStatus = 0x1abe11ed;
1435 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1438 "AccessCheck failed to grant access with error %d\n",
1439 GetLastError());
1441 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1444 "AccessCheck failed to grant access with error %d\n",
1445 GetLastError());
1446
1447 /* sd with blank dacl */
1451 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1457
1460
1463
1464 /* sd with dacl */
1465 Access = AccessStatus = 0x1abe11ed;
1467 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1470 "AccessCheck failed to grant access with error %d\n",
1471 GetLastError());
1472
1474 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1477 "AccessCheck failed to grant any access with error %d\n",
1478 GetLastError());
1480
1481 /* Null PrivSet with null PrivSetLen pointer */
1482 SetLastError(0xdeadbeef);
1483 Access = AccessStatus = 0x1abe11ed;
1490 "Access and/or AccessStatus were changed!\n");
1491
1492 /* Null PrivSet with zero PrivSetLen */
1493 SetLastError(0xdeadbeef);
1494 Access = AccessStatus = 0x1abe11ed;
1495 PrivSetLen = 0;
1497 0, &PrivSetLen, &Access, &AccessStatus);
1503 "Access and/or AccessStatus were changed!\n");
1504
1505 /* Null PrivSet with insufficient PrivSetLen */
1506 SetLastError(0xdeadbeef);
1507 Access = AccessStatus = 0x1abe11ed;
1508 PrivSetLen = 1;
1510 0, &PrivSetLen, &Access, &AccessStatus);
1516 "Access and/or AccessStatus were changed!\n");
1517
1518 /* Null PrivSet with insufficient PrivSetLen */
1519 SetLastError(0xdeadbeef);
1520 Access = AccessStatus = 0x1abe11ed;
1523 0, &PrivSetLen, &Access, &AccessStatus);
1529 "Access and/or AccessStatus were changed!\n");
1530
1531 /* Null PrivSet with minimal sufficient PrivSetLen */
1532 SetLastError(0xdeadbeef);
1533 Access = AccessStatus = 0x1abe11ed;
1536 0, &PrivSetLen, &Access, &AccessStatus);
1542 "Access and/or AccessStatus were changed!\n");
1543
1544 /* Valid PrivSet with zero PrivSetLen */
1545 SetLastError(0xdeadbeef);
1546 Access = AccessStatus = 0x1abe11ed;
1547 PrivSetLen = 0;
1549 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1555 "Access and/or AccessStatus were changed!\n");
1556
1557 /* Valid PrivSet with insufficient PrivSetLen */
1558 SetLastError(0xdeadbeef);
1559 Access = AccessStatus = 0x1abe11ed;
1560 PrivSetLen = 1;
1562 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1564todo_wine
1567todo_wine
1570 "Access and/or AccessStatus were changed!\n");
1571
1572 /* Valid PrivSet with insufficient PrivSetLen */
1573 SetLastError(0xdeadbeef);
1574 Access = AccessStatus = 0x1abe11ed;
1577 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1579todo_wine
1582todo_wine
1584todo_wine
1586 "Access and/or AccessStatus were changed!\n");
1587
1588 /* Valid PrivSet with minimal sufficient PrivSetLen */
1589 SetLastError(0xdeadbeef);
1590 Access = AccessStatus = 0x1abe11ed;
1592 memset(PrivSet, 0xcc, PrivSetLen);
1594 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1597todo_wine
1602 PrivSet->PrivilegeCount);
1603
1604 /* Valid PrivSet with sufficient PrivSetLen */
1605 SetLastError(0xdeadbeef);
1606 Access = AccessStatus = 0x1abe11ed;
1608 memset(PrivSet, 0xcc, PrivSetLen);
1610 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1613todo_wine
1618 PrivSet->PrivilegeCount);
1619
1621
1622 /* Null PrivSet with valid PrivSetLen */
1623 SetLastError(0xdeadbeef);
1624 Access = AccessStatus = 0x1abe11ed;
1626 0, &PrivSetLen, &Access, &AccessStatus);
1631 "Access and/or AccessStatus were changed!\n");
1632
1633 /* Access denied by SD */
1634 SetLastError(0xdeadbeef);
1635 Access = AccessStatus = 0x1abe11ed;
1637 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1643
1644 SetLastError(0xdeadbeef);
1645 PrivSet->PrivilegeCount = 16;
1647 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1649 "AccessCheck should have failed with ERROR_PRIVILEGE_NOT_HELD, instead of %d\n",
1650 GetLastError());
1651
1656 {
1657 /* Valid PrivSet with zero PrivSetLen */
1658 SetLastError(0xdeadbeef);
1659 Access = AccessStatus = 0x1abe11ed;
1660 PrivSetLen = 0;
1662 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1668 "Access and/or AccessStatus were changed!\n");
1669
1670 /* Valid PrivSet with insufficient PrivSetLen */
1671 SetLastError(0xdeadbeef);
1672 Access = AccessStatus = 0x1abe11ed;
1675 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1677 todo_wine
1680 todo_wine
1682 todo_wine
1684 "Access and/or AccessStatus were changed!\n");
1685
1686 /* Valid PrivSet with minimal sufficient PrivSetLen */
1687 SetLastError(0xdeadbeef);
1688 Access = AccessStatus = 0x1abe11ed;
1690 memset(PrivSet, 0xcc, PrivSetLen);
1692 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1694 "AccessCheck should have succeeded, error %d\n",
1695 GetLastError());
1697 "Access should be equal to ACCESS_SYSTEM_SECURITY instead of 0x%08x\n",
1698 Access);
1700 PrivSet->PrivilegeCount);
1701
1702 /* Valid PrivSet with large PrivSetLen */
1703 SetLastError(0xdeadbeef);
1704 Access = AccessStatus = 0x1abe11ed;
1706 memset(PrivSet, 0xcc, PrivSetLen);
1708 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1710 "AccessCheck should have succeeded, error %d\n",
1711 GetLastError());
1713 "Access should be equal to ACCESS_SYSTEM_SECURITY instead of 0x%08x\n",
1714 Access);
1716 PrivSet->PrivilegeCount);
1717 }
1718 else
1720 ret);
1723
1724 /* test INHERIT_ONLY_ACE */
1727
1728 /* NT doesn't have AddAccessAllowedAceEx. Skipping this call/test doesn't influence
1729 * the next ones.
1730 */
1731 if (pAddAccessAllowedAceEx)
1732 {
1735 }
1736 else
1738
1740 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1746
1748
1751
1752 SetLastError(0xdeadbeef);
1754 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1758
1760
1761 SetLastError(0xdeadbeef);
1763 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1767
1768 CloseHandle(ProcessToken);
1769
1770 if (EveryoneSid)
1771 FreeSid(EveryoneSid);
1774 if (UsersSid)
1775 FreeSid(UsersSid);
1779}
Definition: tokenizer.hpp:28
BOOL WINAPI OpenProcessToken(HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle)
Definition: security.c:296
BOOL WINAPI DuplicateToken(IN HANDLE ExistingTokenHandle, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, OUT PHANDLE DuplicateTokenHandle)
Definition: security.c:3662
BOOL WINAPI InitializeAcl(PACL pAcl, DWORD nAclLength, DWORD dwAclRevision)
Definition: security.c:1008
BOOL WINAPI InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision)
Definition: security.c:931
BOOL WINAPI AddAccessAllowedAce(PACL pAcl, DWORD dwAceRevision, DWORD AccessMask, PSID pSid)
Definition: security.c:1041
BOOL WINAPI AccessCheck(IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN HANDLE ClientToken, IN DWORD DesiredAccess, IN PGENERIC_MAPPING GenericMapping, OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL, IN OUT LPDWORD PrivilegeSetLength, OUT LPDWORD GrantedAccess, OUT LPBOOL AccessStatus)
Definition: security.c:1652
BOOL WINAPI AddAccessDeniedAce(PACL pAcl, DWORD dwAceRevision, DWORD AccessMask, PSID pSid)
Definition: security.c:1092
BOOL WINAPI SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted)
Definition: sec.c:262
BOOL WINAPI SetSecurityDescriptorOwner(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID pOwner, BOOL bOwnerDefaulted)
Definition: sec.c:312
BOOL WINAPI SetSecurityDescriptorGroup(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID pGroup, BOOL bGroupDefaulted)
Definition: sec.c:288
Definition: ms-dtyp.idl:293
Definition: nt_native.h:564
Definition: setypes.h:85
Definition: ms-dtyp.idl:301
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:21
struct _PRIVILEGE_SET PRIVILEGE_SET
Referenced by START_TEST().
◆ test_acls()
Definition at line 4822 of file security.c.
4823{
4827
4828 SetLastError(0xdeadbeef);
4831 {
4833 return;
4834 }
4835
4836 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "InitializeAcl with too small a buffer should have failed with ERROR_INSUFFICIENT_BUFFER instead of %d\n", GetLastError());
4837
4838 SetLastError(0xdeadbeef);
4840 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl with too large a buffer should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GetLastError());
4841
4842 SetLastError(0xdeadbeef);
4844 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl(ACL_REVISION1) should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GetLastError());
4845
4848
4851
4854
4857
4858 SetLastError(0xdeadbeef);
4861 {
4863
4866 }
4867 else
4869
4870 SetLastError(0xdeadbeef);
4872 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl(-1) failed with error %d\n", GetLastError());
4873}
Referenced by START_TEST().
◆ test_AddAce()
Definition at line 6612 of file security.c.
6613{
6614 static SID const sidWorld = { SID_REVISION, 1, { SECURITY_WORLD_SID_AUTHORITY} , { SECURITY_WORLD_RID } };
6615
6616 char acl_buf[1024], ace_buf[256];
6620
6625
6628
6644
6647 /* next test succeededs but corrupts ACL */
6651 SetLastError(0xdeadbeef);
6655}
BOOL WINAPI AddAce(PACL pAcl, DWORD dwAceRevision, DWORD dwStartingAceIndex, LPVOID pAceList, DWORD nAceListLength)
Definition: security.c:1143
struct _SID SID
struct _ACCESS_ALLOWED_ACE ACCESS_ALLOWED_ACE
#define MAXDWORD
Definition: ms-dtyp.idl:215
Referenced by START_TEST().
◆ test_AddMandatoryAce()
Definition at line 6657 of file security.c.
6658{
6660 {SECURITY_MANDATORY_LOW_RID}};
6662 {SECURITY_MANDATORY_MEDIUM_RID}};
6667 ACL_SIZE_INFORMATION acl_size_info;
6668 SYSTEM_MANDATORY_LABEL_ACE *ace;
6669 char buffer_acl[256];
6674 SID *everyone;
6675 ACL *sacl;
6676
6677 if (!pAddMandatoryAce)
6678 {
6680 return;
6681 }
6682
6685
6689
6692
6696
6700
6701 sacl = (void *)0xdeadbeef;
6702 present = TRUE;
6707
6710
6714
6715 SetLastError(0xdeadbeef);
6720
6723
6724 index = 0;
6725 found = FALSE;
6727 {
6731 "Expected mask SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, got %x\n", ace->Mask);
6733 found = TRUE;
6734 }
6736
6739
6742
6746
6750
6751 sacl = (void *)0xdeadbeef;
6752 present = FALSE;
6753 defaulted = TRUE;
6761 ok(acl_size_info.AceCount == 1, "SACL contains an unexpected ACE count %u\n", acl_size_info.AceCount);
6762
6765 ok (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE, "Unexpected ACE type %#x\n", ace->Header.AceType);
6769
6771
6772 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
6774
6777
6781
6785
6786 sacl = (void *)0xdeadbeef;
6787 present = FALSE;
6788 defaulted = TRUE;
6795
6796 index = 0;
6797 found = found2 = FALSE;
6799 {
6801 {
6803 {
6804 found = TRUE;
6807 "Expected SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as mask, got %#x\n", ace->Mask);
6808 }
6810 {
6811 found2 = TRUE;
6814 "Expected SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP as mask, got %#x\n", ace->Mask);
6815 }
6816 }
6817 }
6820
6822
6825
6828
6832
6836
6837 sacl = (void *)0xdeadbeef;
6838 present = FALSE;
6839 defaulted = TRUE;
6846
6848
6851
6852 ret = pAddMandatoryAce(acl, ACL_REVISION3, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
6854
6857
6860
6864
6868
6869 sacl = (void *)0xdeadbeef;
6870 present = FALSE;
6871 defaulted = TRUE;
6878
6880
6883
6884 ret = AllocateAndInitializeSid(&sia_world, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, (void **)&everyone);
6886
6889
6892
6895
6899
6903
6904 sacl = (void *)0xdeadbeef;
6905 present = FALSE;
6906 defaulted = TRUE;
6913
6914 FreeSid(everyone);
6917}
BOOL WINAPI GetKernelObjectSecurity(HANDLE Handle, SECURITY_INFORMATION RequestedInformation, PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD nLength, LPDWORD lpnLengthNeeded)
Definition: security.c:989
BOOL WINAPI GetSecurityDescriptorSacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, LPBOOL lpbSaclPresent, PACL *pSacl, LPBOOL lpbSaclDefaulted)
Definition: sec.c:146
BOOL WINAPI SetSecurityDescriptorSacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bSaclPresent, PACL pSacl, BOOL bSaclDefaulted)
Definition: sec.c:351
Definition: winnt_old.h:1146
Definition: compat.h:191
Definition: ms-dtyp.idl:278
Definition: rpc_generic.c:61
HANDLE WINAPI DECLSPEC_HOTPATCH CreateEventA(IN LPSECURITY_ATTRIBUTES lpEventAttributes OPTIONAL, IN BOOL bManualReset, IN BOOL bInitialState, IN LPCSTR lpName OPTIONAL)
Definition: synch.c:637
#define SECURITY_MANDATORY_LABEL_AUTHORITY
Definition: setypes.h:682
#define SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP
Definition: setypes.h:806
#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
Definition: setypes.h:804
Referenced by START_TEST().
◆ test_AdjustTokenPrivileges()
Definition at line 6576 of file security.c.
6577{
6581 LUID luid;
6583
6585 return;
6586
6588 {
6590 return;
6591 }
6592
6593 tp.PrivilegeCount = 1;
6594 tp.Privileges[0].Luid = luid;
6596
6597 len = 0xdeadbeef;
6601
6602 /* revert */
6603 tp.PrivilegeCount = 1;
6604 tp.Privileges[0].Luid = luid;
6605 tp.Privileges[0].Attributes = 0;
6608
6610}
BOOL WINAPI LookupPrivilegeValueA(LPCSTR lpSystemName, LPCSTR lpName, PLUID lpLuid)
Definition: misc.c:732
BOOL WINAPI AdjustTokenPrivileges(HANDLE TokenHandle, BOOL DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, DWORD BufferLength, PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength)
Definition: security.c:376
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat token
Definition: glfuncs.h:210
Definition: devicetopology.idl:137
Definition: setypes.h:1018
Referenced by START_TEST().
◆ test_allocateLuid()
Definition at line 688 of file security.c.
689{
691 LUID luid1, luid2;
693
695 if (!pAllocateLocallyUniqueId) return;
696
697 ret = pAllocateLocallyUniqueId(&luid1);
699 return;
700
703 ret = pAllocateLocallyUniqueId(&luid2);
707 "AllocateLocallyUniqueId returned a well-known LUID\n");
709 "AllocateLocallyUniqueId returned non-unique LUIDs\n");
712 "AllocateLocallyUniqueId(NULL) didn't return ERROR_NOACCESS: %d\n",
713 GetLastError());
714}
Referenced by test_luid().
◆ test_BuildSecurityDescriptorW()
Definition at line 8097 of file security.c.
8098{
8099 SECURITY_DESCRIPTOR old_sd, *new_sd, *rel_sd;
8100 ULONG new_sd_size;
8101 DWORD buf_size;
8105
8107
8112
8113 new_sd = NULL;
8114 new_sd_size = 0;
8115 ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, NULL, &new_sd_size, (void **)&new_sd);
8118 ok(new_sd_size == sizeof(old_sd), "expected new_sd_size == sizeof(old_sd), got %u\n", new_sd_size);
8119 LocalFree(new_sd);
8120
8121 new_sd = (void *)0xdeadbeef;
8122 ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, &old_sd, &new_sd_size, (void **)&new_sd);
8123 ok(ret == ERROR_INVALID_SECURITY_DESCR, "expected ERROR_INVALID_SECURITY_DESCR, got %u\n", ret);
8125
8126 new_sd = NULL;
8127 new_sd_size = 0;
8128 ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, rel_sd, &new_sd_size, (void **)&new_sd);
8131 ok(new_sd_size == sizeof(old_sd), "expected new_sd_size == sizeof(old_sd), got %u\n", new_sd_size);
8132 LocalFree(new_sd);
8133}
DWORD WINAPI BuildSecurityDescriptorW(IN PTRUSTEE_W pOwner OPTIONAL, IN PTRUSTEE_W pGroup OPTIONAL, IN ULONG cCountOfAccessEntries, IN PEXPLICIT_ACCESS_W pListOfAccessEntries OPTIONAL, IN ULONG cCountOfAuditEntries, IN PEXPLICIT_ACCESS_W pListOfAuditEntries OPTIONAL, IN PSECURITY_DESCRIPTOR pOldSD OPTIONAL, OUT PULONG pSizeNewSD, OUT PSECURITY_DESCRIPTOR *pNewSD)
Definition: sec.c:436
BOOL WINAPI MakeSelfRelativeSD(PSECURITY_DESCRIPTOR pAbsoluteSecurityDescriptor, PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor, LPDWORD lpdwBufferLength)
Definition: sec.c:214
Referenced by START_TEST().
◆ test_CheckTokenMembership()
Definition at line 5122 of file security.c.
5123{
5124 PTOKEN_GROUPS token_groups;
5127 BOOL is_member;
5130
5131 if (!pCheckTokenMembership)
5132 {
5134 return;
5135 }
5138
5141
5142 /* groups */
5145 "GetTokenInformation(TokenGroups) %s with error %d\n",
5150
5152 {
5154 break;
5155 }
5156
5158 {
5162 return;
5163 }
5164
5165 is_member = FALSE;
5169
5170 is_member = FALSE;
5174
5175 is_member = TRUE;
5176 SetLastError(0xdeadbeef);
5179 "CheckTokenMembership with process token %s with error %d\n",
5182
5185 CloseHandle(process_token);
5186}
BOOL WINAPI GetTokenInformation(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength)
Definition: security.c:413
Definition: setypes.h:1009
Referenced by START_TEST().
◆ test_child_token_sd()
Definition at line 7768 of file security.c.
7769{
7771 {SECURITY_MANDATORY_LOW_RID}};
7772 SYSTEM_MANDATORY_LABEL_ACE *ace_label;
7774 ACCESS_ALLOWED_ACE *acc_ace;
7778 PSID psid;
7779 ACL *acl;
7780
7783
7786
7790
7794
7795 acl = NULL;
7796 present = FALSE;
7797 defaulted = TRUE;
7803
7806 {
7809 "ACE inherited from the parent\n");
7810 }
7811
7812 LocalFree(psid);
7814
7815 if (!pAddMandatoryAce)
7816 {
7818 return;
7819 }
7820
7824
7828
7829 acl = NULL;
7830 present = FALSE;
7831 defaulted = TRUE;
7843 "Low integrity level should not have been inherited\n");
7844
7846}
BOOL WINAPI GetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, LPBOOL lpbDaclPresent, PACL *pDacl, LPBOOL lpbDaclDefaulted)
Definition: sec.c:45
Referenced by START_TEST().
◆ test_child_token_sd_medium()
Definition at line 7903 of file security.c.
7904{
7906 {SECURITY_MANDATORY_MEDIUM_RID}};
7907 SYSTEM_MANDATORY_LABEL_ACE *ace_label;
7909 TOKEN_MANDATORY_LABEL *tml;
7910 BYTE buffer_integrity[64];
7914 ACL *acl;
7915
7916 if (!pAddMandatoryAce)
7917 {
7919 return;
7920 }
7921
7924
7928
7932
7933 acl = NULL;
7934 present = FALSE;
7935 defaulted = TRUE;
7947 "Expected medium integrity level\n");
7948
7950 ret = GetTokenInformation(token, TokenIntegrityLevel, buffer_integrity, sizeof(buffer_integrity), &size);
7952 tml = (TOKEN_MANDATORY_LABEL *)buffer_integrity;
7954
7956}
Definition: setypes.h:1056
Referenced by START_TEST().
◆ test_child_token_sd_restricted()
Definition at line 7848 of file security.c.
7849{
7851 {SECURITY_MANDATORY_HIGH_RID}};
7852 SYSTEM_MANDATORY_LABEL_ACE *ace_label;
7854 TOKEN_MANDATORY_LABEL *tml;
7855 BYTE buffer_integrity[64];
7859 ACL *acl;
7860
7861 if (!pAddMandatoryAce)
7862 {
7864 return;
7865 }
7866
7869
7873
7877
7878 acl = NULL;
7879 present = FALSE;
7880 defaulted = TRUE;
7892 "Expected high integrity level\n");
7893
7895 ret = GetTokenInformation(token, TokenIntegrityLevel, buffer_integrity, sizeof(buffer_integrity), &size);
7897 tml = (TOKEN_MANDATORY_LABEL *)buffer_integrity;
7899
7901}
Referenced by START_TEST().
◆ test_ConvertSecurityDescriptorToString()
Definition at line 4527 of file security.c.
4528{
4530 SECURITY_INFORMATION sec_info = OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION;
4533 PSID psid, psid2;
4534 PACL pacl;
4535 char sid_buf[256];
4536 char acl_buf[8192];
4538
4539 if (!pConvertSecurityDescriptorToStringSecurityDescriptorA)
4540 {
4542 return;
4543 }
4544 if (!pCreateWellKnownSid)
4545 {
4547 return;
4548 }
4549
4550/* It seems Windows XP adds an extra character to the length of the string for each ACE in an ACL. We
4551 * don't replicate this feature so we only test len >= strlen+1. */
4552#define CHECK_RESULT_AND_FREE(exp_str) \
4553 ok(strcmp(string, (exp_str)) == 0, "String mismatch (expected \"%s\", got \"%s\")\n", (exp_str), string); \
4554 ok(len >= (strlen(exp_str) + 1), "Length mismatch (expected %d, got %d)\n", lstrlenA(exp_str) + 1, len); \
4555 LocalFree(string);
4556
4557#define CHECK_ONE_OF_AND_FREE(exp_str1, exp_str2) \
4558 ok(strcmp(string, (exp_str1)) == 0 || strcmp(string, (exp_str2)) == 0, "String mismatch (expected\n\"%s\" or\n\"%s\", got\n\"%s\")\n", (exp_str1), (exp_str2), string); \
4559 ok(len >= (strlen(exp_str1) + 1) || len >= (strlen(exp_str2) + 1), "Length mismatch (expected %d or %d, got %d)\n", lstrlenA(exp_str1) + 1, lstrlenA(exp_str2) + 1, len); \
4560 LocalFree(string);
4561
4563 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4565
4566 size = 4096;
4569 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4571
4573 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4575
4579 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4581
4582 pConvertStringSidToSidA("S-1-5-21-93476-23408-4576", &psid);
4584 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4586
4587 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, GROUP_SECURITY_INFORMATION, &string, &len), "Conversion failed\n");
4589
4590 pacl = (PACL)acl_buf;
4593 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4595
4597 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4599
4600 pConvertStringSidToSidA("S-1-5-6", &psid2);
4602 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4604
4606 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4607 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)");
4608
4609 pAddAccessDeniedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE, 0xffffffff, psid);
4610 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4611 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)");
4612
4613
4614 pacl = (PACL)acl_buf;
4617 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4619
4620 /* fails in win2k */
4622 pAddAuditAccessAceEx(pacl, ACL_REVISION, VALID_INHERIT_FLAGS, KEY_READ|KEY_WRITE, psid2, TRUE, TRUE);
4623 if (pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len))
4624 {
4625 CHECK_ONE_OF_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)", /* XP */
4626 "O:SYG:S-1-5-21-93476-23408-4576D:NO_ACCESS_CONTROLS:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)" /* Vista */);
4627 }
4628
4629 /* fails in win2k */
4630 pAddAuditAccessAceEx(pacl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, FILE_GENERIC_READ|FILE_GENERIC_WRITE, psid2, TRUE, FALSE);
4631 if (pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len))
4632 {
4633 CHECK_ONE_OF_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)", /* XP */
4634 "O:SYG:S-1-5-21-93476-23408-4576D:NO_ACCESS_CONTROLS:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)" /* Vista */);
4635 }
4636
4637 LocalFree(psid2);
4638 LocalFree(psid);
4639}
#define CHECK_ONE_OF_AND_FREE(exp_str1, exp_str2)
#define CHECK_RESULT_AND_FREE(exp_str)
Referenced by START_TEST().
◆ test_ConvertStringSecurityDescriptor()
Definition at line 4380 of file security.c.
4381{
4383 PSECURITY_DESCRIPTOR pSD;
4387 ACL *acl;
4388 static const struct
4389 {
4390 const char *sidstring;
4391 DWORD revision;
4394 DWORD altGLE;
4395 } cssd[] =
4396 {
4398 /* test ACE string type */
4402 /* test ACE string with spaces */
4406 { "D:(D ;;GA;;;WD)", SDDL_REVISION_1, FALSE, RPC_S_INVALID_STRING_UUID, ERROR_INVALID_ACL }, /* Vista+ */
4414 /* test ACE string access rights */
4423 /* test ACE string access right error case */
4425 /* test behaviour with empty strings */
4427 /* test ACE string SID */
4429 { "D:(D;;GA;;;Nonexistent account)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL, ERROR_INVALID_SID } /* W2K */
4430 };
4431
4432 if (!pConvertStringSecurityDescriptorToSecurityDescriptorA)
4433 {
4435 return;
4436 }
4437
4439 {
4441
4442 SetLastError(0xdeadbeef);
4443 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4446 ok(ret == cssd[i].ret, "(%02u) Expected %s (%d)\n", i, cssd[i].ret ? "success" : "failure", GLE);
4452 LocalFree(pSD);
4453 }
4454
4455 /* test behaviour with NULL parameters */
4456 SetLastError(0xdeadbeef);
4457 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4459 todo_wine
4461 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4462 GetLastError());
4463
4464 SetLastError(0xdeadbeef);
4465 ret = pConvertStringSecurityDescriptorToSecurityDescriptorW(
4468 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4469 GetLastError());
4470
4471 SetLastError(0xdeadbeef);
4472 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4475 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4476 GetLastError());
4477
4478 SetLastError(0xdeadbeef);
4479 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4482 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4483 GetLastError());
4484
4485 /* test behaviour with empty strings */
4486 SetLastError(0xdeadbeef);
4487 ret = pConvertStringSecurityDescriptorToSecurityDescriptorW(
4489 ok(ret, "ConvertStringSecurityDescriptorToSecurityDescriptor failed with error %d\n", GetLastError());
4490 LocalFree(pSD);
4491
4492 SetLastError(0xdeadbeef);
4493 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4494 "D:P(A;;GRGW;;;BA)(A;;GRGW;;;S-1-5-21-0-0-0-1000)S:(ML;;NWNR;;;S-1-16-12288)", SDDL_REVISION_1, &pSD, NULL);
4498
4499 /* empty DACL */
4500 size = 0;
4501 SetLastError(0xdeadbeef);
4502 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA("D:", SDDL_REVISION_1, &pSD, &size);
4511 LocalFree(pSD);
4512
4513 /* empty SACL */
4514 size = 0;
4515 SetLastError(0xdeadbeef);
4516 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA("S:", SDDL_REVISION_1, &pSD, &size);
4524 LocalFree(pSD);
4525}
Definition: setypes.h:832
struct _SECURITY_DESCRIPTOR_RELATIVE SECURITY_DESCRIPTOR_RELATIVE
Referenced by START_TEST().
◆ test_CreateDirectoryA()
Definition at line 3619 of file security.c.
3620{
3626 ACL_SIZE_INFORMATION acl_size;
3627 UNICODE_STRING tmpfileW;
3638 PACL pDacl;
3639
3640 if (!pGetSecurityInfo || !pGetNamedSecurityInfoA || !pCreateWellKnownSid)
3641 {
3643 return;
3644 }
3645
3647 {
3650 }
3651 if (!bret)
3652 {
3654 return;
3655 }
3664
3666 sa.lpSecurityDescriptor = pSD;
3669 pCreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
3674 GENERIC_ALL, user_sid);
3677 GENERIC_ALL, admin_sid);
3681
3687
3688 SetLastError(0xdeadbeef);
3693 {
3695 goto done;
3696 }
3700 LocalFree(pSD);
3701
3702 /* Test inheritance of ACLs in CreateFile without security descriptor */
3705
3709
3716 LocalFree(pSD);
3717 CloseHandle(hTemp);
3718
3719 /* Test inheritance of ACLs in CreateFile with security descriptor -
3720 * When a security descriptor is set, then inheritance doesn't take effect */
3721 pSD = &sd;
3728
3731
3733 sa.lpSecurityDescriptor = pSD;
3739
3747 acl_size.AceCount);
3748 LocalFree(pSD);
3749
3757 acl_size.AceCount);
3758 LocalFree(pSD);
3759 CloseHandle(hTemp);
3760
3761 /* Test inheritance of ACLs in NtCreateFile without security descriptor */
3765
3767 attr.RootDirectory = 0;
3768 attr.ObjectName = &tmpfileW;
3772
3776 pRtlFreeUnicodeString(&tmpfileW);
3777
3784 LocalFree(pSD);
3785 CloseHandle(hTemp);
3786
3787 /* Test inheritance of ACLs in NtCreateFile with security descriptor -
3788 * When a security descriptor is set, then inheritance doesn't take effect */
3789 pSD = &sd;
3796
3800
3802 attr.RootDirectory = 0;
3803 attr.ObjectName = &tmpfileW;
3805 attr.SecurityDescriptor = pSD;
3807
3811 pRtlFreeUnicodeString(&tmpfileW);
3813
3821 acl_size.AceCount);
3822 LocalFree(pSD);
3823
3830 todo_wine
3832 acl_size.AceCount);
3833 LocalFree(pSD);
3834 CloseHandle(hTemp);
3835
3836 /* Test inheritance of ACLs in CreateDirectory without security descriptor */
3841
3846 test_inherited_dacl(pDacl, admin_sid, user_sid,
3849 LocalFree(pSD);
3852
3853 /* Test inheritance of ACLs in CreateDirectory with security descriptor */
3854 pSD = &sd;
3861
3864
3866 sa.lpSecurityDescriptor = pSD;
3871
3878 todo_wine
3880 acl_size.AceCount);
3881 LocalFree(pSD);
3882
3883 SetLastError(0xdeadbeef);
3888
3889 pSD = &sd;
3902
3905
3906 /* Test inheritance of ACLs in NtCreateFile(..., FILE_DIRECTORY_FILE, ...) without security descriptor */
3910
3912 attr.RootDirectory = 0;
3913 attr.ObjectName = &tmpfileW;
3917
3921 RtlFreeUnicodeString(&tmpfileW);
3922
3927 test_inherited_dacl(pDacl, admin_sid, user_sid,
3930 LocalFree(pSD);
3931 CloseHandle(hTemp);
3932
3933 /* Test inheritance of ACLs in NtCreateFile(..., FILE_DIRECTORY_FILE, ...) with security descriptor */
3934 pSD = &sd;
3941
3945
3947 attr.RootDirectory = 0;
3948 attr.ObjectName = &tmpfileW;
3950 attr.SecurityDescriptor = pSD;
3952
3956 RtlFreeUnicodeString(&tmpfileW);
3958
3965 todo_wine
3967 acl_size.AceCount);
3968 LocalFree(pSD);
3969
3976 todo_wine
3978 acl_size.AceCount);
3979 LocalFree(pSD);
3980 CloseHandle(hTemp);
3981
3982done:
3986}
BOOL WINAPI OpenThreadToken(HANDLE ThreadHandle, DWORD DesiredAccess, BOOL OpenAsSelf, HANDLE *TokenHandle)
Definition: security.c:338
BOOL WINAPI CreateDirectoryA(IN LPCSTR lpPathName, IN LPSECURITY_ATTRIBUTES lpSecurityAttributes)
Definition: dir.c:37
DWORD WINAPI GetTempPathA(IN DWORD nBufferLength, OUT LPSTR lpBuffer)
Definition: path.c:2054
static void test_inherited_dacl(PACL dacl, PSID admin_sid, PSID user_sid, DWORD flags, DWORD mask, BOOL todo_count, BOOL todo_sid, BOOL todo_flags, int line)
Definition: security.c:3566
static void get_nt_pathW(const char *name, UNICODE_STRING *nameW)
Definition: security.c:3548
NTSYSAPI VOID NTAPI RtlFreeUnicodeString(PUNICODE_STRING UnicodeString)
Definition: env_spec_w32.h:870
Definition: umtypes.h:182
Definition: setypes.h:1005
Definition: cookie.c:202
Referenced by START_TEST().
◆ test_CreateRestrictedToken()
Definition at line 5397 of file security.c.
5398{
5399 TOKEN_PRIMARY_GROUP *primary_group, *primary_group2;
5401 PTOKEN_GROUPS token_groups, groups2;
5402 SID_AND_ATTRIBUTES sattr;
5404 TOKEN_PRIVILEGES *privs;
5405 PRIVILEGE_SET privset;
5407 BOOL is_member;
5411
5412 if (!pCreateRestrictedToken)
5413 {
5415 return;
5416 }
5417
5420
5421 ret = DuplicateTokenEx(process_token, TOKEN_DUPLICATE|TOKEN_ADJUST_GROUPS|TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
5424
5425 /* groups */
5432
5434 {
5436 break;
5437 }
5438
5440 {
5444 return;
5445 }
5446
5447 is_member = FALSE;
5451
5452 privset.PrivilegeCount = 1;
5456
5457 is_member = FALSE;
5461
5462 /* disable a SID and a privilege in new token */
5464 sattr.Attributes = 0;
5465 r_token = NULL;
5466 ret = pCreateRestrictedToken(token, 0, 1, &sattr, 1, &privset.Privilege[0], 0, NULL, &r_token);
5468
5470 {
5471 /* check if a SID is enabled */
5472 is_member = TRUE;
5476
5483
5485 {
5487 break;
5488 }
5489
5491 "got wrong attributes\n");
5493 "got wrong attributes\n");
5494
5496
5501
5506
5507 is_member = TRUE;
5511
5513 ok(!