ReactOS 0.4.15-dev-7113-g9ea2222
security.c File Reference
#include <stdarg.h>
#include <stdio.h>
#include "ntstatus.h"
#include "windef.h"
#include "winbase.h"
#include "winerror.h"
#include "winternl.h"
#include "aclapi.h"
#include "winnt.h"
#include "sddl.h"
#include "ntsecapi.h"
#include "lmcons.h"
#include "wine/test.h"
Include dependency graph for security.c:

Go to the source code of this file.

Classes

struct  NameToLUID
 
union  _MAX_SID
 
struct  well_known_sid_value
 

Macros

#define WIN32_NO_STATUS
 
#define GetCurrentProcessToken()   ((HANDLE)~(ULONG_PTR)3)
 
#define GetCurrentThreadToken()   ((HANDLE)~(ULONG_PTR)4)
 
#define GetCurrentThreadEffectiveToken()   ((HANDLE)~(ULONG_PTR)5)
 
#define PROCESS_QUERY_LIMITED_INFORMATION   0x1000
 
#define PROCESS_ALL_ACCESS_NT4   (PROCESS_ALL_ACCESS & ~0xf000)
 
#define PROCESS_ALL_ACCESS_VISTA   (PROCESS_ALL_ACCESS | 0xf000)
 
#define EVENT_QUERY_STATE   0x0001
 
#define SEMAPHORE_QUERY_STATE   0x0001
 
#define THREAD_SET_LIMITED_INFORMATION   0x0400
 
#define THREAD_QUERY_LIMITED_INFORMATION   0x0800
 
#define THREAD_ALL_ACCESS_NT4   (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3ff)
 
#define THREAD_ALL_ACCESS_VISTA   (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xffff)
 
#define expect_eq(expr, value, type, format)   { type ret_ = expr; ok((value) == ret_, #expr " expected " format " got " format "\n", (value), (ret_)); }
 
#define SID_SLOTS   4
 
#define SE_MIN_WELL_KNOWN_PRIVILEGE   2L
 
#define SE_CREATE_TOKEN_PRIVILEGE   2L
 
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE   3L
 
#define SE_LOCK_MEMORY_PRIVILEGE   4L
 
#define SE_INCREASE_QUOTA_PRIVILEGE   5L
 
#define SE_MACHINE_ACCOUNT_PRIVILEGE   6L
 
#define SE_TCB_PRIVILEGE   7L
 
#define SE_SECURITY_PRIVILEGE   8L
 
#define SE_TAKE_OWNERSHIP_PRIVILEGE   9L
 
#define SE_LOAD_DRIVER_PRIVILEGE   10L
 
#define SE_SYSTEM_PROFILE_PRIVILEGE   11L
 
#define SE_SYSTEMTIME_PRIVILEGE   12L
 
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE   13L
 
#define SE_INC_BASE_PRIORITY_PRIVILEGE   14L
 
#define SE_CREATE_PAGEFILE_PRIVILEGE   15L
 
#define SE_CREATE_PERMANENT_PRIVILEGE   16L
 
#define SE_BACKUP_PRIVILEGE   17L
 
#define SE_RESTORE_PRIVILEGE   18L
 
#define SE_SHUTDOWN_PRIVILEGE   19L
 
#define SE_DEBUG_PRIVILEGE   20L
 
#define SE_AUDIT_PRIVILEGE   21L
 
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE   22L
 
#define SE_CHANGE_NOTIFY_PRIVILEGE   23L
 
#define SE_REMOTE_SHUTDOWN_PRIVILEGE   24L
 
#define SE_UNDOCK_PRIVILEGE   25L
 
#define SE_SYNC_AGENT_PRIVILEGE   26L
 
#define SE_ENABLE_DELEGATION_PRIVILEGE   27L
 
#define SE_MANAGE_VOLUME_PRIVILEGE   28L
 
#define SE_IMPERSONATE_PRIVILEGE   29L
 
#define SE_CREATE_GLOBAL_PRIVILEGE   30L
 
#define SE_MAX_WELL_KNOWN_PRIVILEGE   SE_CREATE_GLOBAL_PRIVILEGE
 
#define TEST_GRANTED_ACCESS(a, b)   test_granted_access(a,b,0,__LINE__)
 
#define TEST_GRANTED_ACCESS2(a, b, c)   test_granted_access(a,b,c,__LINE__)
 
#define CHECK_SET_SECURITY(o, i, e)
 
#define CHECK_RESULT_AND_FREE(exp_str)
 
#define CHECK_ONE_OF_AND_FREE(exp_str1, exp_str2)
 
#define WINE_TEST_PIPE   "\\\\.\\pipe\\WineTestPipe"
 

Typedefs

typedef union _MAX_SID MAX_SID
 

Functions

static BOOL (WINAPI *pAddAccessAllowedAceEx)(PACL
 
static VOID (WINAPI *pBuildTrusteeWithSidA)(PTRUSTEEA pTrustee
 
static LPSTR (WINAPI *pGetTrusteeNameA)(PTRUSTEEA pTrustee)
 
static DWORD (WINAPI *pGetNamedSecurityInfoA)(LPSTR
 
static PDWORD (WINAPI *pGetSidSubAuthority)(PSID
 
static PUCHAR (WINAPI *pGetSidSubAuthorityCount)(PSID)
 
static NTSTATUS (WINAPI *pLsaQueryInformationPolicy)(LSA_HANDLE
 
static DWORD *static void (WINAPI *pRtlInitAnsiString)(PANSI_STRING
 
static PSID_IDENTIFIER_AUTHORITY (WINAPI *pGetSidIdentifierAuthority)(PSID)
 
static const chardebugstr_sid (PSID sid)
 
static void init (void)
 
static SECURITY_DESCRIPTORtest_get_security_descriptor (HANDLE handle, int line)
 
static void test_owner_equal (HANDLE Handle, PSID expected, int line)
 
static void test_group_equal (HANDLE Handle, PSID expected, int line)
 
static void test_sid (void)
 
static void test_trustee (void)
 
static void test_allocateLuid (void)
 
static void test_lookupPrivilegeName (void)
 
static void test_lookupPrivilegeValue (void)
 
static void test_luid (void)
 
static void test_FileSecurity (void)
 
static void test_AccessCheck (void)
 
static void test_token_attr (void)
 
static void test_GetTokenInformation (void)
 
static void test_sid_str (PSID *sid)
 
static void test_CreateWellKnownSid (void)
 
static void test_LookupAccountSid (void)
 
static BOOL get_sid_info (PSID psid, LPSTR *user, LPSTR *dom)
 
static void check_wellknown_name (const char *name, WELL_KNOWN_SID_TYPE result)
 
static void test_LookupAccountName (void)
 
static void test_security_descriptor (void)
 
static void test_granted_access (HANDLE handle, ACCESS_MASK access, ACCESS_MASK alt, int line)
 
static void test_process_security (void)
 
static void test_process_security_child (void)
 
static void test_impersonation_level (void)
 
static void test_SetEntriesInAclW (void)
 
static void test_SetEntriesInAclA (void)
 
static void get_nt_pathW (const char *name, UNICODE_STRING *nameW)
 
static void test_inherited_dacl (PACL dacl, PSID admin_sid, PSID user_sid, DWORD flags, DWORD mask, BOOL todo_count, BOOL todo_sid, BOOL todo_flags, int line)
 
static void test_CreateDirectoryA (void)
 
static void test_GetNamedSecurityInfoA (void)
 
static void test_ConvertStringSecurityDescriptor (void)
 
static void test_ConvertSecurityDescriptorToString (void)
 
static void test_SetSecurityDescriptorControl (PSECURITY_DESCRIPTOR sec)
 
static void test_PrivateObjectSecurity (void)
 
static void test_acls (void)
 
static void test_GetSecurityInfo (void)
 
static void test_GetSidSubAuthority (void)
 
static void test_CheckTokenMembership (void)
 
static void test_EqualSid (void)
 
static void test_GetUserNameA (void)
 
static void test_GetUserNameW (void)
 
static void test_CreateRestrictedToken (void)
 
static void validate_default_security_descriptor (SECURITY_DESCRIPTOR *sd)
 
static void test_default_handle_security (HANDLE token, HANDLE handle, GENERIC_MAPPING *mapping)
 
static ACCESS_MASK get_obj_access (HANDLE obj)
 
static void test_mutex_security (HANDLE token)
 
static void test_event_security (HANDLE token)
 
static void test_semaphore_security (HANDLE token)
 
static void test_named_pipe_security (HANDLE token)
 
static void test_file_security (HANDLE token)
 
static void test_filemap_security (void)
 
static void test_thread_security (void)
 
static void test_process_access (void)
 
static BOOL validate_impersonation_token (HANDLE token, DWORD *token_type)
 
static void test_kernel_objects_security (void)
 
static void test_TokenIntegrityLevel (void)
 
static void test_default_dacl_owner_sid (void)
 
static void test_AdjustTokenPrivileges (void)
 
static void test_AddAce (void)
 
static void test_AddMandatoryAce (void)
 
static void test_system_security_access (void)
 
static void test_GetWindowsAccountDomainSid (void)
 
static void test_GetSidIdentifierAuthority (void)
 
static void test_pseudo_tokens (void)
 
static void test_maximum_allowed (void)
 
static void test_token_label (void)
 
static void test_token_security_descriptor (void)
 
static void test_child_token_sd (void)
 
static void test_child_token_sd_restricted (void)
 
static void test_child_token_sd_medium (void)
 
static void test_GetExplicitEntriesFromAclW (void)
 
static void test_BuildSecurityDescriptorW (void)
 
 START_TEST (security)
 

Variables

static DWORD
 
static PSID
 
static BOOL
 
static PSID pSid
 
static LPSTR pName
 
static POBJECTS_AND_NAME_A pObjName
 
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE ObjectType
 
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR ObjectTypeName
 
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR LPSTR InheritedObjectTypeName
 
static POBJECTS_AND_NAME_A SE_OBJECT_TYPE LPSTR LPSTR LPSTR Name
 
static POBJECTS_AND_SID pObjSid
 
static POBJECTS_AND_SID GUIDpObjectGuid
 
static POBJECTS_AND_SID GUID GUIDpInheritedObjectGuid
 
static PSECURITY_DESCRIPTOR
 
static LPDWORD
 
static PBOOL
 
static PSECURITY_DESCRIPTOR PULONG
 
static SECURITY_INFORMATION
 
static SE_OBJECT_TYPE
 
static PSID PSID PACL PACL PSECURITY_DESCRIPTOR *static PACL
 
static BOOLEAN
 
static PBOOLEAN
 
static DWORD *static LPSECURITY_ATTRIBUTES
 
static DWORD *static SECURITY_IMPERSONATION_LEVEL
 
static DWORD *static TOKEN_TYPE
 
static DWORD *static PHANDLE
 
static POLICY_INFORMATION_CLASS
 
static PLSA_OBJECT_ATTRIBUTES
 
static ACCESS_MASK
 
static PLSA_HANDLE
 
static OBJECT_INFORMATION_CLASS
 
static PVOID
 
static ULONG
 
static PEXPLICIT_ACCESSW
 
static PACL *static PEXPLICIT_ACCESSA
 
static PACL *static PACL *static SECURITY_DESCRIPTOR_CONTROL
 
static HANDLE
 
static PGENERIC_MAPPING
 
static PPRIVILEGE_SET
 
static NTSTATUS *static PSID_AND_ATTRIBUTES
 
static NTSTATUS *static PLUID_AND_ATTRIBUTES
 
static LPVOID
 
static ACL_INFORMATION_CLASS
 
static POBJECT_ATTRIBUTES
 
static PIO_STATUS_BLOCK
 
static PLARGE_INTEGER
 
static PUNICODE_STRING
 
static PWSTR CURDIR *static PCANSI_STRING
 
static DWORD *static PCSZ
 
static PEXPLICIT_ACCESSW *static HMODULE hmod
 
static int myARGC
 
static char ** myARGV
 
static char debugsid_str [SID_SLOTS][256]
 
static int debugsid_index = 0
 
static const struct well_known_sid_value well_known_sid_values []
 

Macro Definition Documentation

◆ CHECK_ONE_OF_AND_FREE

#define CHECK_ONE_OF_AND_FREE (   exp_str1,
  exp_str2 
)
Value:
ok(strcmp(string, (exp_str1)) == 0 || strcmp(string, (exp_str2)) == 0, "String mismatch (expected\n\"%s\" or\n\"%s\", got\n\"%s\")\n", (exp_str1), (exp_str2), string); \
ok(len >= (strlen(exp_str1) + 1) || len >= (strlen(exp_str2) + 1), "Length mismatch (expected %d or %d, got %d)\n", lstrlenA(exp_str1) + 1, lstrlenA(exp_str2) + 1, len); \
LocalFree(string);
int strcmp(const char *String1, const char *String2)
Definition: utclib.c:469
ACPI_SIZE strlen(const char *String)
Definition: utclib.c:269
#define ok(value,...)
Definition: atltest.h:57
GLenum GLsizei len
Definition: glext.h:6722
int WINAPI lstrlenA(LPCSTR lpString)
Definition: lstring.c:145

◆ CHECK_RESULT_AND_FREE

#define CHECK_RESULT_AND_FREE (   exp_str)
Value:
ok(strcmp(string, (exp_str)) == 0, "String mismatch (expected \"%s\", got \"%s\")\n", (exp_str), string); \
ok(len >= (strlen(exp_str) + 1), "Length mismatch (expected %d, got %d)\n", lstrlenA(exp_str) + 1, len); \
LocalFree(string);

◆ CHECK_SET_SECURITY

#define CHECK_SET_SECURITY (   o,
  i,
  e 
)
Value:
do{ \
BOOL res_; \
SetLastError( 0xdeadbeef ); \
if (e == ERROR_SUCCESS) \
ok(res_, "SetKernelObjectSecurity failed with %d\n", err); \
else \
ok(!res_ && err == e, "SetKernelObjectSecurity should have failed " \
"with %s, instead of %d\n", #e, err); \
}while(0)
#define ERROR_SUCCESS
Definition: deptool.c:10
BOOL WINAPI SetKernelObjectSecurity(HANDLE Handle, SECURITY_INFORMATION SecurityInformation, PSECURITY_DESCRIPTOR SecurityDescriptor)
Definition: security.c:1928
unsigned int BOOL
Definition: ntddk_ex.h:94
unsigned long DWORD
Definition: ntddk_ex.h:95
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
#define e
Definition: ke_i.h:82
#define err(...)
DWORD WINAPI GetLastError(void)
Definition: except.c:1042
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:191

Definition at line 2895 of file security.c.

◆ EVENT_QUERY_STATE

#define EVENT_QUERY_STATE   0x0001

Definition at line 53 of file security.c.

◆ expect_eq

#define expect_eq (   expr,
  value,
  type,
  format 
)    { type ret_ = expr; ok((value) == ret_, #expr " expected " format " got " format "\n", (value), (ret_)); }

Definition at line 68 of file security.c.

◆ GetCurrentProcessToken

#define GetCurrentProcessToken ( )    ((HANDLE)~(ULONG_PTR)3)

Definition at line 40 of file security.c.

◆ GetCurrentThreadEffectiveToken

#define GetCurrentThreadEffectiveToken ( )    ((HANDLE)~(ULONG_PTR)5)

Definition at line 42 of file security.c.

◆ GetCurrentThreadToken

#define GetCurrentThreadToken ( )    ((HANDLE)~(ULONG_PTR)4)

Definition at line 41 of file security.c.

◆ PROCESS_ALL_ACCESS_NT4

#define PROCESS_ALL_ACCESS_NT4   (PROCESS_ALL_ACCESS & ~0xf000)

Definition at line 49 of file security.c.

◆ PROCESS_ALL_ACCESS_VISTA

#define PROCESS_ALL_ACCESS_VISTA   (PROCESS_ALL_ACCESS | 0xf000)

Definition at line 50 of file security.c.

◆ PROCESS_QUERY_LIMITED_INFORMATION

#define PROCESS_QUERY_LIMITED_INFORMATION   0x1000

Definition at line 45 of file security.c.

◆ SE_ASSIGNPRIMARYTOKEN_PRIVILEGE

#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE   3L

Definition at line 657 of file security.c.

◆ SE_AUDIT_PRIVILEGE

#define SE_AUDIT_PRIVILEGE   21L

Definition at line 675 of file security.c.

◆ SE_BACKUP_PRIVILEGE

#define SE_BACKUP_PRIVILEGE   17L

Definition at line 671 of file security.c.

◆ SE_CHANGE_NOTIFY_PRIVILEGE

#define SE_CHANGE_NOTIFY_PRIVILEGE   23L

Definition at line 677 of file security.c.

◆ SE_CREATE_GLOBAL_PRIVILEGE

#define SE_CREATE_GLOBAL_PRIVILEGE   30L

Definition at line 684 of file security.c.

◆ SE_CREATE_PAGEFILE_PRIVILEGE

#define SE_CREATE_PAGEFILE_PRIVILEGE   15L

Definition at line 669 of file security.c.

◆ SE_CREATE_PERMANENT_PRIVILEGE

#define SE_CREATE_PERMANENT_PRIVILEGE   16L

Definition at line 670 of file security.c.

◆ SE_CREATE_TOKEN_PRIVILEGE

#define SE_CREATE_TOKEN_PRIVILEGE   2L

Definition at line 656 of file security.c.

◆ SE_DEBUG_PRIVILEGE

#define SE_DEBUG_PRIVILEGE   20L

Definition at line 674 of file security.c.

◆ SE_ENABLE_DELEGATION_PRIVILEGE

#define SE_ENABLE_DELEGATION_PRIVILEGE   27L

Definition at line 681 of file security.c.

◆ SE_IMPERSONATE_PRIVILEGE

#define SE_IMPERSONATE_PRIVILEGE   29L

Definition at line 683 of file security.c.

◆ SE_INC_BASE_PRIORITY_PRIVILEGE

#define SE_INC_BASE_PRIORITY_PRIVILEGE   14L

Definition at line 668 of file security.c.

◆ SE_INCREASE_QUOTA_PRIVILEGE

#define SE_INCREASE_QUOTA_PRIVILEGE   5L

Definition at line 659 of file security.c.

◆ SE_LOAD_DRIVER_PRIVILEGE

#define SE_LOAD_DRIVER_PRIVILEGE   10L

Definition at line 664 of file security.c.

◆ SE_LOCK_MEMORY_PRIVILEGE

#define SE_LOCK_MEMORY_PRIVILEGE   4L

Definition at line 658 of file security.c.

◆ SE_MACHINE_ACCOUNT_PRIVILEGE

#define SE_MACHINE_ACCOUNT_PRIVILEGE   6L

Definition at line 660 of file security.c.

◆ SE_MANAGE_VOLUME_PRIVILEGE

#define SE_MANAGE_VOLUME_PRIVILEGE   28L

Definition at line 682 of file security.c.

◆ SE_MAX_WELL_KNOWN_PRIVILEGE

#define SE_MAX_WELL_KNOWN_PRIVILEGE   SE_CREATE_GLOBAL_PRIVILEGE

Definition at line 685 of file security.c.

◆ SE_MIN_WELL_KNOWN_PRIVILEGE

#define SE_MIN_WELL_KNOWN_PRIVILEGE   2L

Definition at line 655 of file security.c.

◆ SE_PROF_SINGLE_PROCESS_PRIVILEGE

#define SE_PROF_SINGLE_PROCESS_PRIVILEGE   13L

Definition at line 667 of file security.c.

◆ SE_REMOTE_SHUTDOWN_PRIVILEGE

#define SE_REMOTE_SHUTDOWN_PRIVILEGE   24L

Definition at line 678 of file security.c.

◆ SE_RESTORE_PRIVILEGE

#define SE_RESTORE_PRIVILEGE   18L

Definition at line 672 of file security.c.

◆ SE_SECURITY_PRIVILEGE

#define SE_SECURITY_PRIVILEGE   8L

Definition at line 662 of file security.c.

◆ SE_SHUTDOWN_PRIVILEGE

#define SE_SHUTDOWN_PRIVILEGE   19L

Definition at line 673 of file security.c.

◆ SE_SYNC_AGENT_PRIVILEGE

#define SE_SYNC_AGENT_PRIVILEGE   26L

Definition at line 680 of file security.c.

◆ SE_SYSTEM_ENVIRONMENT_PRIVILEGE

#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE   22L

Definition at line 676 of file security.c.

◆ SE_SYSTEM_PROFILE_PRIVILEGE

#define SE_SYSTEM_PROFILE_PRIVILEGE   11L

Definition at line 665 of file security.c.

◆ SE_SYSTEMTIME_PRIVILEGE

#define SE_SYSTEMTIME_PRIVILEGE   12L

Definition at line 666 of file security.c.

◆ SE_TAKE_OWNERSHIP_PRIVILEGE

#define SE_TAKE_OWNERSHIP_PRIVILEGE   9L

Definition at line 663 of file security.c.

◆ SE_TCB_PRIVILEGE

#define SE_TCB_PRIVILEGE   7L

Definition at line 661 of file security.c.

◆ SE_UNDOCK_PRIVILEGE

#define SE_UNDOCK_PRIVILEGE   25L

Definition at line 679 of file security.c.

◆ SEMAPHORE_QUERY_STATE

#define SEMAPHORE_QUERY_STATE   0x0001

Definition at line 57 of file security.c.

◆ SID_SLOTS

#define SID_SLOTS   4

Definition at line 147 of file security.c.

◆ TEST_GRANTED_ACCESS

#define TEST_GRANTED_ACCESS (   a,
  b 
)    test_granted_access(a,b,0,__LINE__)

Definition at line 2869 of file security.c.

◆ TEST_GRANTED_ACCESS2

#define TEST_GRANTED_ACCESS2 (   a,
  b,
  c 
)    test_granted_access(a,b,c,__LINE__)

Definition at line 2870 of file security.c.

◆ THREAD_ALL_ACCESS_NT4

#define THREAD_ALL_ACCESS_NT4   (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3ff)

Definition at line 65 of file security.c.

◆ THREAD_ALL_ACCESS_VISTA

#define THREAD_ALL_ACCESS_VISTA   (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xffff)

Definition at line 66 of file security.c.

◆ THREAD_QUERY_LIMITED_INFORMATION

#define THREAD_QUERY_LIMITED_INFORMATION   0x0800

Definition at line 62 of file security.c.

◆ THREAD_SET_LIMITED_INFORMATION

#define THREAD_SET_LIMITED_INFORMATION   0x0400

Definition at line 61 of file security.c.

◆ WIN32_NO_STATUS

#define WIN32_NO_STATUS

Definition at line 26 of file security.c.

◆ WINE_TEST_PIPE

#define WINE_TEST_PIPE   "\\\\.\\pipe\\WineTestPipe"

Definition at line 5867 of file security.c.

Typedef Documentation

◆ MAX_SID

typedef union _MAX_SID MAX_SID

Function Documentation

◆ BOOL()

static BOOL ( WINAPI pAddAccessAllowedAceEx)
static

◆ check_wellknown_name()

static void check_wellknown_name ( const char name,
WELL_KNOWN_SID_TYPE  result 
)
static

Definition at line 2490 of file security.c.

2491{
2493 PSID domainsid = NULL;
2494 char wk_sid[SECURITY_MAX_SID_SIZE];
2495 DWORD cb;
2496
2497 DWORD sid_size, domain_size;
2498 SID_NAME_USE sid_use;
2499 LPSTR domain, account, sid_domain, wk_domain, wk_account;
2500 PSID psid;
2501 BOOL ret ,ret2;
2502
2503 sid_size = 0;
2504 domain_size = 0;
2505 ret = LookupAccountNameA(NULL, name, NULL, &sid_size, NULL, &domain_size, &sid_use);
2506 ok(!ret, " %s Should have failed to lookup account name\n", name);
2507 psid = HeapAlloc(GetProcessHeap(),0,sid_size);
2508 domain = HeapAlloc(GetProcessHeap(),0,domain_size);
2509 ret = LookupAccountNameA(NULL, name, psid, &sid_size, domain, &domain_size, &sid_use);
2510
2511 if (!result)
2512 {
2513 ok(!ret, " %s Should have failed to lookup account name\n",name);
2514 goto cleanup;
2515 }
2516
2517 AllocateAndInitializeSid(&ident, 6, SECURITY_NT_NON_UNIQUE, 12, 23, 34, 45, 56, 0, 0, &domainsid);
2518 cb = sizeof(wk_sid);
2519 if (!pCreateWellKnownSid(result, domainsid, wk_sid, &cb))
2520 {
2521 win_skip("SID %i is not available on the system\n",result);
2522 goto cleanup;
2523 }
2524
2525 ret2 = get_sid_info(wk_sid, &wk_account, &wk_domain);
2526 if (!ret2 && GetLastError() == ERROR_NONE_MAPPED)
2527 {
2528 win_skip("CreateWellKnownSid() succeeded but the account '%s' is not present (W2K)\n", name);
2529 goto cleanup;
2530 }
2531
2532 get_sid_info(psid, &account, &sid_domain);
2533
2534 ok(ret, "Failed to lookup account name %s\n",name);
2535 ok(sid_size != 0, "sid_size was zero\n");
2536
2537 ok(EqualSid(psid,wk_sid),"%s Sid %s fails to match well known sid %s!\n",
2538 name, debugstr_sid(psid), debugstr_sid(wk_sid));
2539
2540 ok(!lstrcmpA(account, wk_account), "Expected %s , got %s\n", account, wk_account);
2541 ok(!lstrcmpA(domain, wk_domain), "Expected %s, got %s\n", wk_domain, domain);
2542 ok(sid_use == SidTypeWellKnownGroup , "Expected Use (5), got %d\n", sid_use);
2543
2544cleanup:
2545 FreeSid(domainsid);
2546 HeapFree(GetProcessHeap(),0,psid);
2548}
void account(int argc, const char *argv[])
Definition: cmds.c:1690
#define NULL
Definition: types.h:112
BOOL WINAPI LookupAccountNameA(LPCSTR SystemName, LPCSTR AccountName, PSID Sid, LPDWORD SidLength, LPSTR ReferencedDomainName, LPDWORD hReferencedDomainNameLength, PSID_NAME_USE SidNameUse)
Definition: security.c:2012
BOOL WINAPI AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID *pSid)
Definition: security.c:674
PVOID WINAPI FreeSid(PSID pSid)
Definition: security.c:698
BOOL WINAPI EqualSid(PSID pSid1, PSID pSid2)
Definition: security.c:829
static const char * debugstr_sid(PSID sid)
Definition: security.c:174
#define GetProcessHeap()
Definition: compat.h:736
#define HeapAlloc
Definition: compat.h:733
#define HeapFree(x, y, z)
Definition: compat.h:735
static void cleanup(void)
Definition: main.c:1335
GLuint64EXT * result
Definition: glext.h:11304
enum _SID_NAME_USE SID_NAME_USE
@ SidTypeWellKnownGroup
Definition: lsa.idl:122
int WINAPI lstrcmpA(LPCSTR lpString1, LPCSTR lpString2)
Definition: lstring.c:18
static BOOL get_sid_info(PSID psid, LPSTR *user, LPSTR *dom)
Definition: security.c:2473
static HMODULE MODULEINFO DWORD cb
Definition: module.c:33
#define win_skip
Definition: test.h:160
Definition: cookie.c:42
Definition: name.c:39
int ret
_In_ ULONG _In_ ULONG_PTR ident
Definition: winddi.h:3994
#define ERROR_NONE_MAPPED
Definition: winerror.h:814
#define SECURITY_NT_AUTHORITY
Definition: setypes.h:554
#define SECURITY_MAX_SID_SIZE
Definition: setypes.h:486
#define SECURITY_NT_NON_UNIQUE
Definition: setypes.h:577
char * LPSTR
Definition: xmlstorage.h:182

Referenced by test_LookupAccountName().

◆ debugstr_sid()

static const char * debugstr_sid ( PSID  sid)
static

Definition at line 150 of file security.c.

151{
152 LPSTR sidstr;
153 DWORD le = GetLastError();
156
157 if (!ConvertSidToStringSidA(sid, &sidstr))
158 sprintf(res, "ConvertSidToStringSidA failed le=%u", GetLastError());
159 else if (strlen(sidstr) > sizeof(*debugsid_str) - 1)
160 {
161 memcpy(res, sidstr, sizeof(*debugsid_str) - 4);
162 strcpy(res + sizeof(*debugsid_str) - 4, "...");
163 LocalFree(sidstr);
164 }
165 else
166 {
167 strcpy(res, sidstr);
168 LocalFree(sidstr);
169 }
170 /* Restore the last error in case ConvertSidToStringSidA() modified it */
171 SetLastError(le);
172 return res;
173}
char * strcpy(char *DstString, const char *SrcString)
Definition: utclib.c:388
FT_UInt sid
Definition: cffcmap.c:139
BOOL WINAPI ConvertSidToStringSidA(PSID Sid, LPSTR *StringSid)
Definition: security.c:3637
#define SetLastError(x)
Definition: compat.h:752
GLuint res
Definition: glext.h:9613
HLOCAL NTAPI LocalFree(HLOCAL hMem)
Definition: heapmem.c:1594
#define memcpy(s1, s2, n)
Definition: mkisofs.h:878
#define sprintf(buf, format,...)
Definition: sprintf.c:55
#define SID_SLOTS
Definition: security.c:147
static int debugsid_index
Definition: security.c:149
static char debugsid_str[SID_SLOTS][256]
Definition: security.c:148

◆ DWORD()

static DWORD ( WINAPI pGetNamedSecurityInfoA)
static

◆ get_nt_pathW()

static void get_nt_pathW ( const char name,
UNICODE_STRING nameW 
)
static

Definition at line 3548 of file security.c.

3549{
3553 BOOLEAN ret;
3554
3555 pRtlInitAnsiString(&str, name);
3556
3557 status = pRtlAnsiStringToUnicodeString(&strW, &str, TRUE);
3558 ok(!status, "RtlAnsiStringToUnicodeString failed with %08x\n", status);
3559
3560 ret = pRtlDosPathNameToNtPathName_U(strW.Buffer, nameW, NULL, NULL);
3561 ok(ret, "RtlDosPathNameToNtPathName_U failed\n");
3562
3563 pRtlFreeUnicodeString(&strW);
3564}
unsigned char BOOLEAN
LONG NTSTATUS
Definition: precomp.h:26
static const WCHAR nameW[]
Definition: main.c:46
#define TRUE
Definition: types.h:120
WCHAR strW[12]
Definition: clipboard.c:2029
const WCHAR * str
Definition: ps.c:97

Referenced by test_CreateDirectoryA().

◆ get_obj_access()

static ACCESS_MASK get_obj_access ( HANDLE  obj)
static

Definition at line 5690 of file security.c.

5691{
5694
5695 if (!pNtQueryObject) return 0;
5696
5697 status = pNtQueryObject(obj, ObjectBasicInformation, &info, sizeof(info), NULL);
5698 ok(!status, "NtQueryObject error %#x\n", status);
5699
5700 return info.GrantedAccess;
5701}
@ ObjectBasicInformation
Definition: DriverTester.h:54

Referenced by test_event_security(), test_file_security(), test_filemap_security(), test_maximum_allowed(), test_mutex_security(), test_named_pipe_security(), test_process_access(), test_semaphore_security(), and test_thread_security().

◆ get_sid_info()

static BOOL get_sid_info ( PSID  psid,
LPSTR user,
LPSTR dom 
)
static

Definition at line 2473 of file security.c.

2474{
2475 static CHAR account[UNLEN + 1];
2476 static CHAR domain[UNLEN + 1];
2477 DWORD size, dom_size;
2478 SID_NAME_USE use;
2479
2480 *user = account;
2481 *dom = domain;
2482
2483 size = dom_size = UNLEN + 1;
2484 account[0] = '\0';
2485 domain[0] = '\0';
2486 SetLastError(0xdeadbeef);
2487 return LookupAccountSidA(NULL, psid, account, &size, domain, &dom_size, &use);
2488}
void user(int argc, const char *argv[])
Definition: cmds.c:1350
BOOL WINAPI LookupAccountSidA(LPCSTR lpSystemName, PSID lpSid, LPSTR lpName, LPDWORD cchName, LPSTR lpReferencedDomainName, LPDWORD cchReferencedDomainName, PSID_NAME_USE peUse)
Definition: misc.c:405
GLsizeiptr size
Definition: glext.h:5919
#define UNLEN
Definition: sspi.c:28
char CHAR
Definition: xmlstorage.h:175

Referenced by check_wellknown_name(), and test_LookupAccountName().

◆ init()

static void init ( void  )
static

Definition at line 175 of file security.c.

176{
178
179 hntdll = GetModuleHandleA("ntdll.dll");
180 pNtQueryObject = (void *)GetProcAddress( hntdll, "NtQueryObject" );
181 pNtAccessCheck = (void *)GetProcAddress( hntdll, "NtAccessCheck" );
182 pNtSetSecurityObject = (void *)GetProcAddress(hntdll, "NtSetSecurityObject");
183 pNtCreateFile = (void *)GetProcAddress(hntdll, "NtCreateFile");
184 pRtlDosPathNameToNtPathName_U = (void *)GetProcAddress(hntdll, "RtlDosPathNameToNtPathName_U");
185 pRtlAnsiStringToUnicodeString = (void *)GetProcAddress(hntdll, "RtlAnsiStringToUnicodeString");
186 pRtlInitAnsiString = (void *)GetProcAddress(hntdll, "RtlInitAnsiString");
187 pRtlFreeUnicodeString = (void *)GetProcAddress(hntdll, "RtlFreeUnicodeString");
188
189 hmod = GetModuleHandleA("advapi32.dll");
190 pAddAccessAllowedAceEx = (void *)GetProcAddress(hmod, "AddAccessAllowedAceEx");
191 pAddAccessDeniedAceEx = (void *)GetProcAddress(hmod, "AddAccessDeniedAceEx");
192 pAddAuditAccessAceEx = (void *)GetProcAddress(hmod, "AddAuditAccessAceEx");
193 pAddMandatoryAce = (void *)GetProcAddress(hmod, "AddMandatoryAce");
194 pCheckTokenMembership = (void *)GetProcAddress(hmod, "CheckTokenMembership");
195 pConvertStringSecurityDescriptorToSecurityDescriptorA =
196 (void *)GetProcAddress(hmod, "ConvertStringSecurityDescriptorToSecurityDescriptorA" );
197 pConvertStringSecurityDescriptorToSecurityDescriptorW =
198 (void *)GetProcAddress(hmod, "ConvertStringSecurityDescriptorToSecurityDescriptorW" );
199 pConvertSecurityDescriptorToStringSecurityDescriptorA =
200 (void *)GetProcAddress(hmod, "ConvertSecurityDescriptorToStringSecurityDescriptorA" );
201 pGetFileSecurityA = (void *)GetProcAddress(hmod, "GetFileSecurityA" );
202 pSetFileSecurityA = (void *)GetProcAddress(hmod, "SetFileSecurityA" );
203 pCreateWellKnownSid = (void *)GetProcAddress( hmod, "CreateWellKnownSid" );
204 pGetNamedSecurityInfoA = (void *)GetProcAddress(hmod, "GetNamedSecurityInfoA");
205 pSetNamedSecurityInfoA = (void *)GetProcAddress(hmod, "SetNamedSecurityInfoA");
206 pGetSidSubAuthority = (void *)GetProcAddress(hmod, "GetSidSubAuthority");
207 pGetSidSubAuthorityCount = (void *)GetProcAddress(hmod, "GetSidSubAuthorityCount");
208 pIsValidSid = (void *)GetProcAddress(hmod, "IsValidSid");
209 pMakeSelfRelativeSD = (void *)GetProcAddress(hmod, "MakeSelfRelativeSD");
210 pSetEntriesInAclW = (void *)GetProcAddress(hmod, "SetEntriesInAclW");
211 pSetEntriesInAclA = (void *)GetProcAddress(hmod, "SetEntriesInAclA");
212 pSetSecurityDescriptorControl = (void *)GetProcAddress(hmod, "SetSecurityDescriptorControl");
213 pGetSecurityInfo = (void *)GetProcAddress(hmod, "GetSecurityInfo");
214 pSetSecurityInfo = (void *)GetProcAddress(hmod, "SetSecurityInfo");
215 pCreateRestrictedToken = (void *)GetProcAddress(hmod, "CreateRestrictedToken");
216 pConvertStringSidToSidA = (void *)GetProcAddress(hmod, "ConvertStringSidToSidA");
217 pGetAclInformation = (void *)GetProcAddress(hmod, "GetAclInformation");
218 pGetAce = (void *)GetProcAddress(hmod, "GetAce");
219 pGetWindowsAccountDomainSid = (void *)GetProcAddress(hmod, "GetWindowsAccountDomainSid");
220 pGetSidIdentifierAuthority = (void *)GetProcAddress(hmod, "GetSidIdentifierAuthority");
221 pDuplicateTokenEx = (void *)GetProcAddress(hmod, "DuplicateTokenEx");
222 pGetExplicitEntriesFromAclW = (void *)GetProcAddress(hmod, "GetExplicitEntriesFromAclW");
223
225}
#define GetProcAddress(x, y)
Definition: compat.h:753
HMODULE WINAPI DECLSPEC_HOTPATCH GetModuleHandleA(LPCSTR lpModuleName)
Definition: loader.c:812
static int myARGC
Definition: security.c:144
static PEXPLICIT_ACCESSW *static HMODULE hmod
Definition: security.c:143
static char ** myARGV
Definition: security.c:145
static HINSTANCE hntdll
Definition: process.c:66
int winetest_get_mainargs(char ***pargv)

Referenced by START_TEST().

◆ LPSTR()

static LPSTR ( WINAPI pGetTrusteeNameA)
static

◆ NTSTATUS()

static NTSTATUS ( WINAPI pLsaQueryInformationPolicy)
static

◆ PDWORD()

static PDWORD ( WINAPI pGetSidSubAuthority)
static

◆ PSID_IDENTIFIER_AUTHORITY()

static PSID_IDENTIFIER_AUTHORITY ( WINAPI pGetSidIdentifierAuthority)
static

◆ PUCHAR()

static PUCHAR ( WINAPI pGetSidSubAuthorityCount)
static

◆ START_TEST()

START_TEST ( security  )

Definition at line 8135 of file security.c.

8136{
8137 init();
8138 if (!hmod) return;
8139
8140 if (myARGC >= 3)
8141 {
8142 if (!strcmp(myARGV[2], "test_token_sd"))
8144 else if (!strcmp(myARGV[2], "test_token_sd_restricted"))
8146 else if (!strcmp(myARGV[2], "test_token_sd_medium"))
8148 else
8150 return;
8151 }
8153 test_sid();
8154 test_trustee();
8155 test_luid();
8173 test_acls();
8178 test_EqualSid();
8185 test_AddAce();
8194
8195 /* Must be the last test, modifies process token */
8197}
static void test_CreateWellKnownSid(void)
Definition: security.c:2089
static void test_GetSidIdentifierAuthority(void)
Definition: security.c:7100
static void test_AddMandatoryAce(void)
Definition: security.c:6657
static void test_token_attr(void)
Definition: security.c:1782
static void test_default_dacl_owner_sid(void)
Definition: security.c:6518
static void test_GetExplicitEntriesFromAclW(void)
Definition: security.c:7958
static void init(void)
Definition: security.c:175
static void test_luid(void)
Definition: security.c:863
static void test_kernel_objects_security(void)
Definition: security.c:6440
static void test_GetTokenInformation(void)
Definition: security.c:1997
static void test_CheckTokenMembership(void)
Definition: security.c:5122
static void test_AdjustTokenPrivileges(void)
Definition: security.c:6576
static void test_AccessCheck(void)
Definition: security.c:1228
static void test_AddAce(void)
Definition: security.c:6612
static void test_system_security_access(void)
Definition: security.c:6919
static void test_process_security_child(void)
Definition: security.c:3110
static void test_EqualSid(void)
Definition: security.c:5188
static void test_LookupAccountName(void)
Definition: security.c:2550
static void test_process_security(void)
Definition: security.c:2909
static void test_LookupAccountSid(void)
Definition: security.c:2165
static void test_GetWindowsAccountDomainSid(void)
Definition: security.c:7020
static void test_child_token_sd(void)
Definition: security.c:7768
static void test_FileSecurity(void)
Definition: security.c:870
static void test_ConvertStringSecurityDescriptor(void)
Definition: security.c:4380
static void test_CreateDirectoryA(void)
Definition: security.c:3619
static void test_maximum_allowed(void)
Definition: security.c:7179
static void test_GetNamedSecurityInfoA(void)
Definition: security.c:3988
static void test_GetUserNameW(void)
Definition: security.c:5327
static void test_GetSecurityInfo(void)
Definition: security.c:4875
static void test_GetUserNameA(void)
Definition: security.c:5254
static void test_impersonation_level(void)
Definition: security.c:3174
static void test_PrivateObjectSecurity(void)
Definition: security.c:4729
static void test_child_token_sd_medium(void)
Definition: security.c:7903
static void test_GetSidSubAuthority(void)
Definition: security.c:5094
static void test_TokenIntegrityLevel(void)
Definition: security.c:6473
static void test_SetEntriesInAclW(void)
Definition: security.c:3285
static void test_token_security_descriptor(void)
Definition: security.c:7298
static void test_token_label(void)
Definition: security.c:7217
static void test_pseudo_tokens(void)
Definition: security.c:7128
static void test_CreateRestrictedToken(void)
Definition: security.c:5397
static void test_SetEntriesInAclA(void)
Definition: security.c:3416
static void test_trustee(void)
Definition: security.c:505
static void test_ConvertSecurityDescriptorToString(void)
Definition: security.c:4527
static void test_security_descriptor(void)
Definition: security.c:2782
static void test_child_token_sd_restricted(void)
Definition: security.c:7848
static void test_acls(void)
Definition: security.c:4822
static void test_BuildSecurityDescriptorW(void)
Definition: security.c:8097
static void test_sid(void)
Definition: security.c:291

◆ test_AccessCheck()

static void test_AccessCheck ( void  )
static

Definition at line 1228 of file security.c.

1229{
1230 PSID EveryoneSid = NULL, AdminSid = NULL, UsersSid = NULL;
1231 PACL Acl = NULL;
1236 ACCESS_MASK Access;
1238 HANDLE Token;
1239 HANDLE ProcessToken;
1240 BOOL ret;
1241 DWORD PrivSetLen;
1242 PRIVILEGE_SET *PrivSet;
1243 BOOL res;
1244 HMODULE NtDllModule;
1246 DWORD err;
1247 NTSTATUS ntret, ntAccessStatus;
1248
1249 NtDllModule = GetModuleHandleA("ntdll.dll");
1250 if (!NtDllModule)
1251 {
1252 skip("not running on NT, skipping test\n");
1253 return;
1254 }
1255 pRtlAdjustPrivilege = (void *)GetProcAddress(NtDllModule, "RtlAdjustPrivilege");
1256 if (!pRtlAdjustPrivilege)
1257 {
1258 win_skip("missing RtlAdjustPrivilege, skipping test\n");
1259 return;
1260 }
1261
1262 Acl = HeapAlloc(GetProcessHeap(), 0, 256);
1263 res = InitializeAcl(Acl, 256, ACL_REVISION);
1265 {
1266 skip("ACLs not implemented - skipping tests\n");
1267 HeapFree(GetProcessHeap(), 0, Acl);
1268 return;
1269 }
1270 ok(res, "InitializeAcl failed with error %d\n", GetLastError());
1271
1272 res = AllocateAndInitializeSid( &SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &EveryoneSid);
1273 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
1274
1276 DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdminSid);
1277 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
1278
1280 DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
1281 ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
1282
1284
1286 ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError());
1287
1289 ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1290
1291 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
1292 PrivSet = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, PrivSetLen);
1293 PrivSet->PrivilegeCount = 16;
1294
1296 ok(res, "OpenProcessToken failed with error %d\n", GetLastError());
1297
1298 pRtlAdjustPrivilege(SE_SECURITY_PRIVILEGE, FALSE, TRUE, &Enabled);
1299
1300 res = DuplicateToken(ProcessToken, SecurityImpersonation, &Token);
1301 ok(res, "DuplicateToken failed with error %d\n", GetLastError());
1302
1303 /* SD without owner/group */
1304 SetLastError(0xdeadbeef);
1305 Access = AccessStatus = 0x1abe11ed;
1307 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1308 err = GetLastError();
1309 ok(!ret && err == ERROR_INVALID_SECURITY_DESCR, "AccessCheck should have "
1310 "failed with ERROR_INVALID_SECURITY_DESCR, instead of %d\n", err);
1311 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1312 "Access and/or AccessStatus were changed!\n");
1313
1314 /* Set owner and group */
1316 ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
1318 ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
1319
1320 /* Generic access mask */
1321 SetLastError(0xdeadbeef);
1322 Access = AccessStatus = 0x1abe11ed;
1324 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1325 err = GetLastError();
1326 ok(!ret && err == ERROR_GENERIC_NOT_MAPPED, "AccessCheck should have failed "
1327 "with ERROR_GENERIC_NOT_MAPPED, instead of %d\n", err);
1328 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1329 "Access and/or AccessStatus were changed!\n");
1330
1331 /* Generic access mask - no privilegeset buffer */
1332 SetLastError(0xdeadbeef);
1333 Access = AccessStatus = 0x1abe11ed;
1335 NULL, &PrivSetLen, &Access, &AccessStatus);
1336 err = GetLastError();
1337 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1338 "with ERROR_NOACCESS, instead of %d\n", err);
1339 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1340 "Access and/or AccessStatus were changed!\n");
1341
1342 /* Generic access mask - no returnlength */
1343 SetLastError(0xdeadbeef);
1344 Access = AccessStatus = 0x1abe11ed;
1346 PrivSet, NULL, &Access, &AccessStatus);
1347 err = GetLastError();
1348 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1349 "with ERROR_NOACCESS, instead of %d\n", err);
1350 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1351 "Access and/or AccessStatus were changed!\n");
1352
1353 /* Generic access mask - no privilegeset buffer, no returnlength */
1354 SetLastError(0xdeadbeef);
1355 Access = AccessStatus = 0x1abe11ed;
1357 NULL, NULL, &Access, &AccessStatus);
1358 err = GetLastError();
1359 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1360 "with ERROR_NOACCESS, instead of %d\n", err);
1361 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1362 "Access and/or AccessStatus were changed!\n");
1363
1364 /* sd with no dacl present */
1365 Access = AccessStatus = 0x1abe11ed;
1367 ok(ret, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1369 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1370 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1371 ok(AccessStatus && (Access == KEY_READ),
1372 "AccessCheck failed to grant access with error %d\n",
1373 GetLastError());
1374
1375 /* sd with no dacl present - no privilegeset buffer */
1376 SetLastError(0xdeadbeef);
1377 Access = AccessStatus = 0x1abe11ed;
1379 NULL, &PrivSetLen, &Access, &AccessStatus);
1380 err = GetLastError();
1381 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have failed "
1382 "with ERROR_NOACCESS, instead of %d\n", err);
1383 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1384 "Access and/or AccessStatus were changed!\n");
1385
1386 if(pNtAccessCheck)
1387 {
1388 /* Generic access mask - no privilegeset buffer */
1389 SetLastError(0xdeadbeef);
1390 Access = ntAccessStatus = 0x1abe11ed;
1391 ntret = pNtAccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1392 NULL, &PrivSetLen, &Access, &ntAccessStatus);
1393 err = GetLastError();
1394 ok(ntret == STATUS_ACCESS_VIOLATION,
1395 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1396 ok(err == 0xdeadbeef,
1397 "NtAccessCheck shouldn't set last error, got %d\n", err);
1398 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1399 "Access and/or AccessStatus were changed!\n");
1400
1401 /* Generic access mask - no returnlength */
1402 SetLastError(0xdeadbeef);
1403 Access = ntAccessStatus = 0x1abe11ed;
1404 ntret = pNtAccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1405 PrivSet, NULL, &Access, &ntAccessStatus);
1406 err = GetLastError();
1407 ok(ntret == STATUS_ACCESS_VIOLATION,
1408 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1409 ok(err == 0xdeadbeef,
1410 "NtAccessCheck shouldn't set last error, got %d\n", err);
1411 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1412 "Access and/or AccessStatus were changed!\n");
1413
1414 /* Generic access mask - no privilegeset buffer, no returnlength */
1415 SetLastError(0xdeadbeef);
1416 Access = ntAccessStatus = 0x1abe11ed;
1417 ntret = pNtAccessCheck(SecurityDescriptor, Token, GENERIC_READ, &Mapping,
1418 NULL, NULL, &Access, &ntAccessStatus);
1419 err = GetLastError();
1420 ok(ntret == STATUS_ACCESS_VIOLATION,
1421 "NtAccessCheck should have failed with STATUS_ACCESS_VIOLATION, got %x\n", ntret);
1422 ok(err == 0xdeadbeef,
1423 "NtAccessCheck shouldn't set last error, got %d\n", err);
1424 ok(Access == 0x1abe11ed && ntAccessStatus == 0x1abe11ed,
1425 "Access and/or AccessStatus were changed!\n");
1426 }
1427 else
1428 win_skip("NtAccessCheck unavailable. Skipping.\n");
1429
1430 /* sd with NULL dacl */
1431 Access = AccessStatus = 0x1abe11ed;
1433 ok(ret, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1435 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1436 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1437 ok(AccessStatus && (Access == KEY_READ),
1438 "AccessCheck failed to grant access with error %d\n",
1439 GetLastError());
1441 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1442 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1443 ok(AccessStatus && (Access == KEY_ALL_ACCESS),
1444 "AccessCheck failed to grant access with error %d\n",
1445 GetLastError());
1446
1447 /* sd with blank dacl */
1449 ok(ret, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
1451 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1452 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1453 err = GetLastError();
1454 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
1455 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
1456 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
1457
1458 res = AddAccessAllowedAce(Acl, ACL_REVISION, KEY_READ, EveryoneSid);
1459 ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
1460
1462 ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
1463
1464 /* sd with dacl */
1465 Access = AccessStatus = 0x1abe11ed;
1467 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1468 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1469 ok(AccessStatus && (Access == KEY_READ),
1470 "AccessCheck failed to grant access with error %d\n",
1471 GetLastError());
1472
1474 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1475 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1477 "AccessCheck failed to grant any access with error %d\n",
1478 GetLastError());
1479 trace("AccessCheck with MAXIMUM_ALLOWED got Access 0x%08x\n", Access);
1480
1481 /* Null PrivSet with null PrivSetLen pointer */
1482 SetLastError(0xdeadbeef);
1483 Access = AccessStatus = 0x1abe11ed;
1485 NULL, NULL, &Access, &AccessStatus);
1486 err = GetLastError();
1487 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1488 "failed with ERROR_NOACCESS, instead of %d\n", err);
1489 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1490 "Access and/or AccessStatus were changed!\n");
1491
1492 /* Null PrivSet with zero PrivSetLen */
1493 SetLastError(0xdeadbeef);
1494 Access = AccessStatus = 0x1abe11ed;
1495 PrivSetLen = 0;
1497 0, &PrivSetLen, &Access, &AccessStatus);
1498 err = GetLastError();
1499 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1500 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1501 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1502 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1503 "Access and/or AccessStatus were changed!\n");
1504
1505 /* Null PrivSet with insufficient PrivSetLen */
1506 SetLastError(0xdeadbeef);
1507 Access = AccessStatus = 0x1abe11ed;
1508 PrivSetLen = 1;
1510 0, &PrivSetLen, &Access, &AccessStatus);
1511 err = GetLastError();
1512 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1513 "failed with ERROR_NOACCESS, instead of %d\n", err);
1514 ok(PrivSetLen == 1, "PrivSetLen returns %d\n", PrivSetLen);
1515 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1516 "Access and/or AccessStatus were changed!\n");
1517
1518 /* Null PrivSet with insufficient PrivSetLen */
1519 SetLastError(0xdeadbeef);
1520 Access = AccessStatus = 0x1abe11ed;
1521 PrivSetLen = sizeof(PRIVILEGE_SET) - 1;
1523 0, &PrivSetLen, &Access, &AccessStatus);
1524 err = GetLastError();
1525 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1526 "failed with ERROR_NOACCESS, instead of %d\n", err);
1527 ok(PrivSetLen == sizeof(PRIVILEGE_SET) - 1, "PrivSetLen returns %d\n", PrivSetLen);
1528 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1529 "Access and/or AccessStatus were changed!\n");
1530
1531 /* Null PrivSet with minimal sufficient PrivSetLen */
1532 SetLastError(0xdeadbeef);
1533 Access = AccessStatus = 0x1abe11ed;
1534 PrivSetLen = sizeof(PRIVILEGE_SET);
1536 0, &PrivSetLen, &Access, &AccessStatus);
1537 err = GetLastError();
1538 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1539 "failed with ERROR_NOACCESS, instead of %d\n", err);
1540 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1541 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1542 "Access and/or AccessStatus were changed!\n");
1543
1544 /* Valid PrivSet with zero PrivSetLen */
1545 SetLastError(0xdeadbeef);
1546 Access = AccessStatus = 0x1abe11ed;
1547 PrivSetLen = 0;
1549 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1550 err = GetLastError();
1551 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1552 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1553 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1554 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1555 "Access and/or AccessStatus were changed!\n");
1556
1557 /* Valid PrivSet with insufficient PrivSetLen */
1558 SetLastError(0xdeadbeef);
1559 Access = AccessStatus = 0x1abe11ed;
1560 PrivSetLen = 1;
1562 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1563 err = GetLastError();
1565 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1566 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1568 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1569 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1570 "Access and/or AccessStatus were changed!\n");
1571
1572 /* Valid PrivSet with insufficient PrivSetLen */
1573 SetLastError(0xdeadbeef);
1574 Access = AccessStatus = 0x1abe11ed;
1575 PrivSetLen = sizeof(PRIVILEGE_SET) - 1;
1577 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1578 err = GetLastError();
1580 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1581 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1583 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1585 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1586 "Access and/or AccessStatus were changed!\n");
1587
1588 /* Valid PrivSet with minimal sufficient PrivSetLen */
1589 SetLastError(0xdeadbeef);
1590 Access = AccessStatus = 0x1abe11ed;
1591 PrivSetLen = sizeof(PRIVILEGE_SET);
1592 memset(PrivSet, 0xcc, PrivSetLen);
1594 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1595 err = GetLastError();
1596 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1598 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1599 ok(AccessStatus && (Access == KEY_READ),
1600 "AccessCheck failed to grant access with error %d\n", GetLastError());
1601 ok(PrivSet->PrivilegeCount == 0, "PrivilegeCount returns %d, expects 0\n",
1602 PrivSet->PrivilegeCount);
1603
1604 /* Valid PrivSet with sufficient PrivSetLen */
1605 SetLastError(0xdeadbeef);
1606 Access = AccessStatus = 0x1abe11ed;
1607 PrivSetLen = sizeof(PRIVILEGE_SET) + 1;
1608 memset(PrivSet, 0xcc, PrivSetLen);
1610 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1611 err = GetLastError();
1612 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1614 ok(PrivSetLen == sizeof(PRIVILEGE_SET) + 1, "PrivSetLen returns %d\n", PrivSetLen);
1615 ok(AccessStatus && (Access == KEY_READ),
1616 "AccessCheck failed to grant access with error %d\n", GetLastError());
1617 ok(PrivSet->PrivilegeCount == 0, "PrivilegeCount returns %d, expects 0\n",
1618 PrivSet->PrivilegeCount);
1619
1620 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
1621
1622 /* Null PrivSet with valid PrivSetLen */
1623 SetLastError(0xdeadbeef);
1624 Access = AccessStatus = 0x1abe11ed;
1626 0, &PrivSetLen, &Access, &AccessStatus);
1627 err = GetLastError();
1628 ok(!ret && err == ERROR_NOACCESS, "AccessCheck should have "
1629 "failed with ERROR_NOACCESS, instead of %d\n", err);
1630 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1631 "Access and/or AccessStatus were changed!\n");
1632
1633 /* Access denied by SD */
1634 SetLastError(0xdeadbeef);
1635 Access = AccessStatus = 0x1abe11ed;
1637 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1638 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1639 err = GetLastError();
1640 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
1641 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
1642 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
1643
1644 SetLastError(0xdeadbeef);
1645 PrivSet->PrivilegeCount = 16;
1647 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1649 "AccessCheck should have failed with ERROR_PRIVILEGE_NOT_HELD, instead of %d\n",
1650 GetLastError());
1651
1653 ok(ret, "ImpersonateLoggedOnUser failed with error %d\n", GetLastError());
1654 ret = pRtlAdjustPrivilege(SE_SECURITY_PRIVILEGE, TRUE, TRUE, &Enabled);
1655 if (!ret)
1656 {
1657 /* Valid PrivSet with zero PrivSetLen */
1658 SetLastError(0xdeadbeef);
1659 Access = AccessStatus = 0x1abe11ed;
1660 PrivSetLen = 0;
1662 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1663 err = GetLastError();
1664 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1665 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1666 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1667 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1668 "Access and/or AccessStatus were changed!\n");
1669
1670 /* Valid PrivSet with insufficient PrivSetLen */
1671 SetLastError(0xdeadbeef);
1672 Access = AccessStatus = 0x1abe11ed;
1673 PrivSetLen = sizeof(PRIVILEGE_SET) - 1;
1675 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1676 err = GetLastError();
1677 todo_wine
1678 ok(!ret && err == ERROR_INSUFFICIENT_BUFFER, "AccessCheck should have "
1679 "failed with ERROR_INSUFFICIENT_BUFFER, instead of %d\n", err);
1680 todo_wine
1681 ok(PrivSetLen == sizeof(PRIVILEGE_SET), "PrivSetLen returns %d\n", PrivSetLen);
1682 todo_wine
1683 ok(Access == 0x1abe11ed && AccessStatus == 0x1abe11ed,
1684 "Access and/or AccessStatus were changed!\n");
1685
1686 /* Valid PrivSet with minimal sufficient PrivSetLen */
1687 SetLastError(0xdeadbeef);
1688 Access = AccessStatus = 0x1abe11ed;
1689 PrivSetLen = sizeof(PRIVILEGE_SET);
1690 memset(PrivSet, 0xcc, PrivSetLen);
1692 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1693 ok(ret && AccessStatus && GetLastError() == 0xdeadbeef,
1694 "AccessCheck should have succeeded, error %d\n",
1695 GetLastError());
1696 ok(Access == ACCESS_SYSTEM_SECURITY,
1697 "Access should be equal to ACCESS_SYSTEM_SECURITY instead of 0x%08x\n",
1698 Access);
1699 ok(PrivSet->PrivilegeCount == 1, "PrivilegeCount returns %d, expects 1\n",
1700 PrivSet->PrivilegeCount);
1701
1702 /* Valid PrivSet with large PrivSetLen */
1703 SetLastError(0xdeadbeef);
1704 Access = AccessStatus = 0x1abe11ed;
1705 PrivSetLen = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
1706 memset(PrivSet, 0xcc, PrivSetLen);
1708 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1709 ok(ret && AccessStatus && GetLastError() == 0xdeadbeef,
1710 "AccessCheck should have succeeded, error %d\n",
1711 GetLastError());
1712 ok(Access == ACCESS_SYSTEM_SECURITY,
1713 "Access should be equal to ACCESS_SYSTEM_SECURITY instead of 0x%08x\n",
1714 Access);
1715 ok(PrivSet->PrivilegeCount == 1, "PrivilegeCount returns %d, expects 1\n",
1716 PrivSet->PrivilegeCount);
1717 }
1718 else
1719 trace("Couldn't get SE_SECURITY_PRIVILEGE (0x%08x), skipping ACCESS_SYSTEM_SECURITY test\n",
1720 ret);
1721 ret = RevertToSelf();
1722 ok(ret, "RevertToSelf failed with error %d\n", GetLastError());
1723
1724 /* test INHERIT_ONLY_ACE */
1725 ret = InitializeAcl(Acl, 256, ACL_REVISION);
1726 ok(ret, "InitializeAcl failed with error %d\n", GetLastError());
1727
1728 /* NT doesn't have AddAccessAllowedAceEx. Skipping this call/test doesn't influence
1729 * the next ones.
1730 */
1731 if (pAddAccessAllowedAceEx)
1732 {
1733 ret = pAddAccessAllowedAceEx(Acl, ACL_REVISION, INHERIT_ONLY_ACE, KEY_READ, EveryoneSid);
1734 ok(ret, "AddAccessAllowedAceEx failed with error %d\n", GetLastError());
1735 }
1736 else
1737 win_skip("AddAccessAllowedAceEx is not available\n");
1738
1740 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1741 ok(ret, "AccessCheck failed with error %d\n", GetLastError());
1742 err = GetLastError();
1743 ok(!AccessStatus && err == ERROR_ACCESS_DENIED, "AccessCheck should have failed "
1744 "with ERROR_ACCESS_DENIED, instead of %d\n", err);
1745 ok(!Access, "Should have failed to grant any access, got 0x%08x\n", Access);
1746
1748
1749 res = DuplicateToken(ProcessToken, SecurityAnonymous, &Token);
1750 ok(res, "DuplicateToken failed with error %d\n", GetLastError());
1751
1752 SetLastError(0xdeadbeef);
1754 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1755 err = GetLastError();
1756 ok(!ret && err == ERROR_BAD_IMPERSONATION_LEVEL, "AccessCheck should have failed "
1757 "with ERROR_BAD_IMPERSONATION_LEVEL, instead of %d\n", err);
1758
1760
1761 SetLastError(0xdeadbeef);
1763 PrivSet, &PrivSetLen, &Access, &AccessStatus);
1764 err = GetLastError();
1765 ok(!ret && err == ERROR_NO_IMPERSONATION_TOKEN, "AccessCheck should have failed "
1766 "with ERROR_NO_IMPERSONATION_TOKEN, instead of %d\n", err);
1767
1768 CloseHandle(ProcessToken);
1769
1770 if (EveryoneSid)
1771 FreeSid(EveryoneSid);
1772 if (AdminSid)
1774 if (UsersSid)
1775 FreeSid(UsersSid);
1776 HeapFree(GetProcessHeap(), 0, Acl);
1778 HeapFree(GetProcessHeap(), 0, PrivSet);
1779}
#define trace
Definition: atltest.h:70
#define skip(...)
Definition: atltest.h:64
#define ERROR_INSUFFICIENT_BUFFER
Definition: dderror.h:10
#define FALSE
Definition: types.h:117
BOOL WINAPI ImpersonateLoggedOnUser(HANDLE hToken)
Definition: misc.c:152
BOOL WINAPI OpenProcessToken(HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle)
Definition: security.c:294
BOOL WINAPI DuplicateToken(IN HANDLE ExistingTokenHandle, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, OUT PHANDLE DuplicateTokenHandle)
Definition: security.c:3919
BOOL WINAPI InitializeAcl(PACL pAcl, DWORD nAclLength, DWORD dwAclRevision)
Definition: security.c:1006
BOOL WINAPI InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision)
Definition: security.c:929
BOOL WINAPI AddAccessAllowedAce(PACL pAcl, DWORD dwAceRevision, DWORD AccessMask, PSID pSid)
Definition: security.c:1039
BOOL WINAPI AccessCheck(IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN HANDLE ClientToken, IN DWORD DesiredAccess, IN PGENERIC_MAPPING GenericMapping, OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL, IN OUT LPDWORD PrivilegeSetLength, OUT LPDWORD GrantedAccess, OUT LPBOOL AccessStatus)
Definition: security.c:1650
BOOL WINAPI AddAccessDeniedAce(PACL pAcl, DWORD dwAceRevision, DWORD AccessMask, PSID pSid)
Definition: security.c:1090
#define CloseHandle
Definition: compat.h:739
#define ERROR_CALL_NOT_IMPLEMENTED
Definition: compat.h:102
#define GetCurrentProcess()
Definition: compat.h:759
#define GENERIC_READ
Definition: compat.h:135
#define ERROR_ACCESS_DENIED
Definition: compat.h:97
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
static PVOID Mapping[EMS_PHYSICAL_PAGES]
Definition: emsdrv.c:41
@ SecurityImpersonation
Definition: lsa.idl:57
@ SecurityAnonymous
Definition: lsa.idl:55
#define SE_SECURITY_PRIVILEGE
Definition: security.c:662
#define todo_wine
Definition: custom.c:79
@ Enabled
Definition: mountmgr.h:159
static PSID AdminSid
Definition: msgina.c:39
ULONG ACCESS_MASK
Definition: nt_native.h:40
#define ACCESS_SYSTEM_SECURITY
Definition: nt_native.h:77
#define KEY_ALL_ACCESS
Definition: nt_native.h:1041
#define KEY_READ
Definition: nt_native.h:1023
#define KEY_QUERY_VALUE
Definition: nt_native.h:1016
#define KEY_EXECUTE
Definition: nt_native.h:1037
#define KEY_WRITE
Definition: nt_native.h:1031
#define MAXIMUM_ALLOWED
Definition: nt_native.h:83
#define KEY_SET_VALUE
Definition: nt_native.h:1017
#define STATUS_ACCESS_VIOLATION
Definition: ntstatus.h:242
#define memset(x, y, z)
Definition: compat.h:39
BOOL WINAPI SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted)
Definition: sec.c:262
BOOL WINAPI SetSecurityDescriptorOwner(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID pOwner, BOOL bOwnerDefaulted)
Definition: sec.c:312
BOOL WINAPI SetSecurityDescriptorGroup(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID pGroup, BOOL bGroupDefaulted)
Definition: sec.c:288
$ULONG PrivilegeCount
Definition: setypes.h:86
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
Definition: user_lib.cpp:531
BOOL WINAPI RevertToSelf(void)
Definition: security.c:1608
#define ERROR_INVALID_SECURITY_DESCR
Definition: winerror.h:820
#define ERROR_NO_IMPERSONATION_TOKEN
Definition: winerror.h:791
#define ERROR_BAD_IMPERSONATION_LEVEL
Definition: winerror.h:827
#define ERROR_GENERIC_NOT_MAPPED
Definition: winerror.h:841
#define ERROR_NOACCESS
Definition: winerror.h:578
#define ERROR_PRIVILEGE_NOT_HELD
Definition: winerror.h:796
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:21
#define DOMAIN_ALIAS_RID_USERS
Definition: setypes.h:653
#define INHERIT_ONLY_ACE
Definition: setypes.h:749
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
#define TOKEN_DUPLICATE
Definition: setypes.h:926
#define SECURITY_WORLD_SID_AUTHORITY
Definition: setypes.h:527
#define SECURITY_WORLD_RID
Definition: setypes.h:541
#define TOKEN_QUERY
Definition: setypes.h:928
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
#define SECURITY_DESCRIPTOR_MIN_LENGTH
Definition: setypes.h:815
#define ACL_REVISION
Definition: setypes.h:39
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652
struct _PRIVILEGE_SET PRIVILEGE_SET

Referenced by START_TEST().

◆ test_acls()

static void test_acls ( void  )
static

Definition at line 4822 of file security.c.

4823{
4824 char buffer[256];
4825 PACL pAcl = (PACL)buffer;
4826 BOOL ret;
4827
4828 SetLastError(0xdeadbeef);
4829 ret = InitializeAcl(pAcl, sizeof(ACL) - 1, ACL_REVISION);
4831 {
4832 win_skip("InitializeAcl is not implemented\n");
4833 return;
4834 }
4835
4836 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "InitializeAcl with too small a buffer should have failed with ERROR_INSUFFICIENT_BUFFER instead of %d\n", GetLastError());
4837
4838 SetLastError(0xdeadbeef);
4839 ret = InitializeAcl(pAcl, 0xffffffff, ACL_REVISION);
4840 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl with too large a buffer should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GetLastError());
4841
4842 SetLastError(0xdeadbeef);
4843 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION1);
4844 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl(ACL_REVISION1) should have failed with ERROR_INVALID_PARAMETER instead of %d\n", GetLastError());
4845
4846 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION2);
4847 ok(ret, "InitializeAcl(ACL_REVISION2) failed with error %d\n", GetLastError());
4848
4849 ret = IsValidAcl(pAcl);
4850 ok(ret, "IsValidAcl failed with error %d\n", GetLastError());
4851
4852 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION3);
4853 ok(ret, "InitializeAcl(ACL_REVISION3) failed with error %d\n", GetLastError());
4854
4855 ret = IsValidAcl(pAcl);
4856 ok(ret, "IsValidAcl failed with error %d\n", GetLastError());
4857
4858 SetLastError(0xdeadbeef);
4859 ret = InitializeAcl(pAcl, sizeof(buffer), ACL_REVISION4);
4861 {
4862 ok(ret, "InitializeAcl(ACL_REVISION4) failed with error %d\n", GetLastError());
4863
4864 ret = IsValidAcl(pAcl);
4865 ok(ret, "IsValidAcl failed with error %d\n", GetLastError());
4866 }
4867 else
4868 win_skip("ACL_REVISION4 is not implemented on NT4\n");
4869
4870 SetLastError(0xdeadbeef);
4871 ret = InitializeAcl(pAcl, sizeof(buffer), -1);
4872 ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER, "InitializeAcl(-1) failed with error %d\n", GetLastError());
4873}
BOOL WINAPI IsValidAcl(PACL pAcl)
Definition: security.c:1209
#define ERROR_INVALID_PARAMETER
Definition: compat.h:101
GLuint buffer
Definition: glext.h:5915
struct _ACL * PACL
Definition: security.c:105
#define ACL_REVISION4
Definition: setypes.h:45
#define ACL_REVISION1
Definition: setypes.h:42
#define ACL_REVISION3
Definition: setypes.h:44
#define ACL_REVISION2
Definition: setypes.h:43

Referenced by START_TEST().

◆ test_AddAce()

static void test_AddAce ( void  )
static

Definition at line 6612 of file security.c.

6613{
6615
6616 char acl_buf[1024], ace_buf[256];
6617 ACCESS_ALLOWED_ACE *ace = (ACCESS_ALLOWED_ACE*)ace_buf;
6618 PACL acl = (PACL)acl_buf;
6619 BOOL ret;
6620
6621 memset(ace, 0, sizeof(ace_buf));
6623 ace->Header.AceSize = sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD)+sizeof(SID);
6624 memcpy(&ace->SidStart, &sidWorld, sizeof(sidWorld));
6625
6626 ret = InitializeAcl(acl, sizeof(acl_buf), ACL_REVISION2);
6627 ok(ret, "InitializeAcl failed: %d\n", GetLastError());
6628
6629 ret = AddAce(acl, ACL_REVISION1, MAXDWORD, ace, ace->Header.AceSize);
6630 ok(ret, "AddAce failed: %d\n", GetLastError());
6631 ret = AddAce(acl, ACL_REVISION2, MAXDWORD, ace, ace->Header.AceSize);
6632 ok(ret, "AddAce failed: %d\n", GetLastError());
6633 ret = AddAce(acl, ACL_REVISION3, MAXDWORD, ace, ace->Header.AceSize);
6634 ok(ret, "AddAce failed: %d\n", GetLastError());
6635 ok(acl->AclRevision == ACL_REVISION3, "acl->AclRevision = %d\n", acl->AclRevision);
6636 ret = AddAce(acl, ACL_REVISION4, MAXDWORD, ace, ace->Header.AceSize);
6637 ok(ret, "AddAce failed: %d\n", GetLastError());
6638 ok(acl->AclRevision == ACL_REVISION4, "acl->AclRevision = %d\n", acl->AclRevision);
6639 ret = AddAce(acl, ACL_REVISION1, MAXDWORD, ace, ace->Header.AceSize);
6640 ok(ret, "AddAce failed: %d\n", GetLastError());
6641 ok(acl->AclRevision == ACL_REVISION4, "acl->AclRevision = %d\n", acl->AclRevision);
6642 ret = AddAce(acl, ACL_REVISION2, MAXDWORD, ace, ace->Header.AceSize);
6643 ok(ret, "AddAce failed: %d\n", GetLastError());
6644
6645 ret = AddAce(acl, MIN_ACL_REVISION-1, MAXDWORD, ace, ace->Header.AceSize);
6646 ok(ret, "AddAce failed: %d\n", GetLastError());
6647 /* next test succeededs but corrupts ACL */
6648 ret = AddAce(acl, MAX_ACL_REVISION+1, MAXDWORD, ace, ace->Header.AceSize);
6649 ok(ret, "AddAce failed: %d\n", GetLastError());
6650 ok(acl->AclRevision == MAX_ACL_REVISION+1, "acl->AclRevision = %d\n", acl->AclRevision);
6651 SetLastError(0xdeadbeef);
6652 ret = AddAce(acl, ACL_REVISION1, MAXDWORD, ace, ace->Header.AceSize);
6653 ok(!ret, "AddAce succeeded\n");
6654 ok(GetLastError() == ERROR_INVALID_PARAMETER, "GetLastError() = %d\n", GetLastError());
6655}
BOOL WINAPI AddAce(PACL pAcl, DWORD dwAceRevision, DWORD dwStartingAceIndex, LPVOID pAceList, DWORD nAceListLength)
Definition: security.c:1141
static const SID sidWorld
Definition: security.c:126
struct _SID SID
struct _ACCESS_ALLOWED_ACE ACCESS_ALLOWED_ACE
#define MAXDWORD
ACE_HEADER Header
Definition: ms-dtyp.idl:216
USHORT AceSize
Definition: ms-dtyp.idl:212
UCHAR AceType
Definition: ms-dtyp.idl:210
UCHAR AclRevision
Definition: ms-dtyp.idl:294
#define ACCESS_ALLOWED_ACE_TYPE
Definition: setypes.h:717
#define MIN_ACL_REVISION
Definition: setypes.h:46
#define MAX_ACL_REVISION
Definition: setypes.h:47
#define SID_REVISION
Definition: setypes.h:481

Referenced by START_TEST().

◆ test_AddMandatoryAce()

static void test_AddMandatoryAce ( void  )
static

Definition at line 6657 of file security.c.

6658{
6659 static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6661 static SID medium_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
6664 char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
6665 SECURITY_DESCRIPTOR *sd2, *sd = (SECURITY_DESCRIPTOR *)&buffer_sd;
6666 BOOL defaulted, present, ret, found, found2;
6667 ACL_SIZE_INFORMATION acl_size_info;
6669 char buffer_acl[256];
6670 ACL *acl = (ACL *)&buffer_acl;
6672 DWORD index, size;
6673 HANDLE handle;
6674 SID *everyone;
6675 ACL *sacl;
6676
6677 if (!pAddMandatoryAce)
6678 {
6679 win_skip("AddMandatoryAce not supported, skipping test\n");
6680 return;
6681 }
6682
6684 ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
6685
6686 sa.nLength = sizeof(sa);
6687 sa.lpSecurityDescriptor = sd;
6688 sa.bInheritHandle = FALSE;
6689
6690 handle = CreateEventA(&sa, TRUE, TRUE, "test_event");
6691 ok(handle != NULL, "CreateEventA failed with error %u\n", GetLastError());
6692
6695 "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
6696
6697 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6699 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6700
6701 sacl = (void *)0xdeadbeef;
6702 present = TRUE;
6703 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6704 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6705 ok(!present, "SACL is present\n");
6706 ok(sacl == (void *)0xdeadbeef, "SACL is set\n");
6707
6708 HeapFree(GetProcessHeap(), 0, sd2);
6710
6711 memset(buffer_acl, 0, sizeof(buffer_acl));
6712 ret = InitializeAcl(acl, 256, ACL_REVISION);
6713 ok(ret, "InitializeAcl failed with %u\n", GetLastError());
6714
6715 SetLastError(0xdeadbeef);
6716 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, 0x1234, &low_level);
6717 ok(!ret, "AddMandatoryAce succeeded\n");
6719 "Expected ERROR_INVALID_PARAMETER got %u\n", GetLastError());
6720
6721 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
6722 ok(ret, "AddMandatoryAce failed with %u\n", GetLastError());
6723
6724 index = 0;
6725 found = FALSE;
6726 while (pGetAce(acl, index++, (void **)&ace))
6727 {
6728 if (ace->Header.AceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
6729 ok(ace->Header.AceFlags == 0, "Expected flags 0, got %x\n", ace->Header.AceFlags);
6731 "Expected mask SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, got %x\n", ace->Mask);
6732 ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
6733 found = TRUE;
6734 }
6735 ok(found, "Could not find mandatory label ace\n");
6736
6738 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6739
6740 handle = CreateEventA(&sa, TRUE, TRUE, "test_event");
6741 ok(handle != NULL, "CreateEventA failed with error %u\n", GetLastError());
6742
6745 "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
6746
6747 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6749 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6750
6751 sacl = (void *)0xdeadbeef;
6752 present = FALSE;
6753 defaulted = TRUE;
6754 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6755 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6756 ok(present, "SACL not present\n");
6757 ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
6758 ok(!defaulted, "SACL defaulted\n");
6759 ret = pGetAclInformation(sacl, &acl_size_info, sizeof(acl_size_info), AclSizeInformation);
6760 ok(ret, "GetAclInformation failed with error %u\n", GetLastError());
6761 ok(acl_size_info.AceCount == 1, "SACL contains an unexpected ACE count %u\n", acl_size_info.AceCount);
6762
6763 ret = pGetAce(sacl, 0, (void **)&ace);
6764 ok(ret, "GetAce failed with error %u\n", GetLastError());
6765 ok (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE, "Unexpected ACE type %#x\n", ace->Header.AceType);
6766 ok(!ace->Header.AceFlags, "Unexpected ACE flags %#x\n", ace->Header.AceFlags);
6767 ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, "Unexpected ACE mask %#x\n", ace->Mask);
6768 ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
6769
6770 HeapFree(GetProcessHeap(), 0, sd2);
6771
6772 ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
6773 ok(ret, "AddMandatoryAce failed with error %u\n", GetLastError());
6774
6776 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6777
6780 "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
6781
6782 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6784 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6785
6786 sacl = (void *)0xdeadbeef;
6787 present = FALSE;
6788 defaulted = TRUE;
6789 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6790 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6791 ok(present, "SACL not present\n");
6792 ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
6793 ok(sacl->AceCount == 2, "Expected 2 ACEs, got %d\n", sacl->AceCount);
6794 ok(!defaulted, "SACL defaulted\n");
6795
6796 index = 0;
6797 found = found2 = FALSE;
6798 while (pGetAce(sacl, index++, (void **)&ace))
6799 {
6800 if (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
6801 {
6802 if (EqualSid(&ace->SidStart, &low_level))
6803 {
6804 found = TRUE;
6805 ok(!ace->Header.AceFlags, "Expected 0 as flags, got %#x\n", ace->Header.AceFlags);
6807 "Expected SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as mask, got %#x\n", ace->Mask);
6808 }
6809 if (EqualSid(&ace->SidStart, &medium_level))
6810 {
6811 found2 = TRUE;
6812 ok(!ace->Header.AceFlags, "Expected 0 as flags, got %#x\n", ace->Header.AceFlags);
6814 "Expected SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP as mask, got %#x\n", ace->Mask);
6815 }
6816 }
6817 }
6818 ok(found, "Could not find low mandatory label\n");
6819 ok(found2, "Could not find medium mandatory label\n");
6820
6821 HeapFree(GetProcessHeap(), 0, sd2);
6822
6824 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6825
6827 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6828
6831 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6832
6833 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6835 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6836
6837 sacl = (void *)0xdeadbeef;
6838 present = FALSE;
6839 defaulted = TRUE;
6840 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6841 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6842 ok(present, "SACL not present\n");
6843 ok(sacl && sacl != (void *)0xdeadbeef, "SACL not set\n");
6844 ok(!defaulted, "SACL defaulted\n");
6845 ok(!sacl->AceCount, "SACL contains an unexpected ACE count %u\n", sacl->AceCount);
6846
6847 HeapFree(GetProcessHeap(), 0, sd2);
6848
6849 ret = InitializeAcl(acl, 256, ACL_REVISION);
6850 ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
6851
6852 ret = pAddMandatoryAce(acl, ACL_REVISION3, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
6853 ok(ret, "AddMandatoryAce failed with error %u\n", GetLastError());
6854
6856 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6857
6859 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6860
6863 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6864
6865 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6867 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6868
6869 sacl = (void *)0xdeadbeef;
6870 present = FALSE;
6871 defaulted = TRUE;
6872 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6873 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6874 ok(present, "SACL not present\n");
6875 ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
6876 ok(sacl->AclRevision == ACL_REVISION3, "Expected revision 3, got %d\n", sacl->AclRevision);
6877 ok(!defaulted, "SACL defaulted\n");
6878
6879 HeapFree(GetProcessHeap(), 0, sd2);
6880
6881 ret = InitializeAcl(acl, 256, ACL_REVISION);
6882 ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
6883
6884 ret = AllocateAndInitializeSid(&sia_world, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, (void **)&everyone);
6885 ok(ret, "AllocateAndInitializeSid failed with error %u\n", GetLastError());
6886
6887 ret = AddAccessAllowedAce(acl, ACL_REVISION, KEY_READ, everyone);
6888 ok(ret, "AddAccessAllowedAce failed with error %u\n", GetLastError());
6889
6891 ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6892
6894 ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
6895
6898 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
6899
6900 sd2 = HeapAlloc(GetProcessHeap(), 0, size);
6902 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
6903
6904 sacl = (void *)0xdeadbeef;
6905 present = FALSE;
6906 defaulted = TRUE;
6907 ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
6908 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
6909 ok(present, "SACL not present\n");
6910 ok(sacl && sacl != (void *)0xdeadbeef, "SACL not set\n");
6911 ok(!defaulted, "SACL defaulted\n");
6912 ok(!sacl->AceCount, "SACL contains an unexpected ACE count %u\n", sacl->AceCount);
6913
6914 FreeSid(everyone);
6915 HeapFree(GetProcessHeap(), 0, sd2);
6917}
static struct sockaddr_in sa
Definition: adnsresfilter.c:69
#define index(s, c)
Definition: various.h:29
BOOL WINAPI GetKernelObjectSecurity(HANDLE Handle, SECURITY_INFORMATION RequestedInformation, PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD nLength, LPDWORD lpnLengthNeeded)
Definition: security.c:987
GLuint index
Definition: glext.h:6031
static const WCHAR sd[]
Definition: suminfo.c:286
BOOL WINAPI GetSecurityDescriptorSacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, LPBOOL lpbSaclPresent, PACL *pSacl, LPBOOL lpbSaclDefaulted)
Definition: sec.c:146
BOOL WINAPI SetSecurityDescriptorSacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bSaclPresent, PACL pSacl, BOOL bSaclDefaulted)
Definition: sec.c:351
USHORT AceCount
Definition: ms-dtyp.idl:297
HANDLE WINAPI DECLSPEC_HOTPATCH CreateEventA(IN LPSECURITY_ATTRIBUTES lpEventAttributes OPTIONAL, IN BOOL bManualReset, IN BOOL bInitialState, IN LPCSTR lpName OPTIONAL)
Definition: synch.c:637
@ AclSizeInformation
Definition: winnt_old.h:1117
#define LABEL_SECURITY_INFORMATION
Definition: setypes.h:127
#define SECURITY_MANDATORY_LABEL_AUTHORITY
Definition: setypes.h:682
#define SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP
Definition: setypes.h:810
#define SYSTEM_MANDATORY_LABEL_ACE_TYPE
Definition: setypes.h:741
#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
Definition: setypes.h:808
#define SECURITY_MANDATORY_MEDIUM_RID
Definition: setypes.h:685
#define SECURITY_MANDATORY_LOW_RID
Definition: setypes.h:684

Referenced by START_TEST().

◆ test_AdjustTokenPrivileges()

static void test_AdjustTokenPrivileges ( void  )
static

Definition at line 6576 of file security.c.

6577{
6579 HANDLE token;
6580 DWORD len;
6581 LUID luid;
6582 BOOL ret;
6583
6585 return;
6586
6588 {
6590 return;
6591 }
6592
6593 tp.PrivilegeCount = 1;
6594 tp.Privileges[0].Luid = luid;
6595 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
6596
6597 len = 0xdeadbeef;
6599 ok(ret, "got %d\n", ret);
6600 ok(len == 0xdeadbeef, "got length %d\n", len);
6601
6602 /* revert */
6603 tp.PrivilegeCount = 1;
6604 tp.Privileges[0].Luid = luid;
6605 tp.Privileges[0].Attributes = 0;
6607 ok(ret, "got %d\n", ret);
6608
6610}
#define SE_BACKUP_NAME
BOOL WINAPI LookupPrivilegeValueA(LPCSTR lpSystemName, LPCSTR lpName, PLUID lpLuid)
Definition: misc.c:732
BOOL WINAPI AdjustTokenPrivileges(HANDLE TokenHandle, BOOL DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, DWORD BufferLength, PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength)
Definition: security.c:374
_In_ uint64_t _In_ uint64_t _In_ uint64_t _In_opt_ traverse_ptr * tp
Definition: btrfs.c:2996
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat token
Definition: glfuncs.h:210
#define TOKEN_ADJUST_PRIVILEGES
Definition: setypes.h:930
#define SE_PRIVILEGE_ENABLED
Definition: setypes.h:63

Referenced by START_TEST().

◆ test_allocateLuid()

static void test_allocateLuid ( void  )
static

Definition at line 688 of file security.c.

689{
690 BOOL (WINAPI *pAllocateLocallyUniqueId)(PLUID);
691 LUID luid1, luid2;
692 BOOL ret;
693
694 pAllocateLocallyUniqueId = (void*)GetProcAddress(hmod, "AllocateLocallyUniqueId");
695 if (!pAllocateLocallyUniqueId) return;
696
697 ret = pAllocateLocallyUniqueId(&luid1);
699 return;
700
701 ok(ret,
702 "AllocateLocallyUniqueId failed: %d\n", GetLastError());
703 ret = pAllocateLocallyUniqueId(&luid2);
704 ok( ret,
705 "AllocateLocallyUniqueId failed: %d\n", GetLastError());
706 ok(luid1.LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE || luid1.HighPart != 0,
707 "AllocateLocallyUniqueId returned a well-known LUID\n");
708 ok(luid1.LowPart != luid2.LowPart || luid1.HighPart != luid2.HighPart,
709 "AllocateLocallyUniqueId returned non-unique LUIDs\n");
710 ret = pAllocateLocallyUniqueId(NULL);
712 "AllocateLocallyUniqueId(NULL) didn't return ERROR_NOACCESS: %d\n",
713 GetLastError());
714}
struct _LUID * PLUID
#define SE_MAX_WELL_KNOWN_PRIVILEGE
Definition: security.c:685
#define BOOL
Definition: nt_native.h:43
LONG HighPart
DWORD LowPart
#define WINAPI
Definition: msvc.h:6

Referenced by test_luid().

◆ test_BuildSecurityDescriptorW()

static void test_BuildSecurityDescriptorW ( void  )
static

Definition at line 8097 of file security.c.

8098{
8099 SECURITY_DESCRIPTOR old_sd, *new_sd, *rel_sd;
8100 ULONG new_sd_size;
8101 DWORD buf_size;
8102 char buf[1024];
8103 BOOL success;
8104 DWORD ret;
8105
8107
8108 buf_size = sizeof(buf);
8109 rel_sd = (SECURITY_DESCRIPTOR *)buf;
8110 success = MakeSelfRelativeSD(&old_sd, rel_sd, &buf_size);
8111 ok(success, "MakeSelfRelativeSD failed with %u\n", GetLastError());
8112
8113 new_sd = NULL;
8114 new_sd_size = 0;
8115 ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, NULL, &new_sd_size, (void **)&new_sd);
8116 ok(ret == ERROR_SUCCESS, "BuildSecurityDescriptor failed with %u\n", ret);
8117 ok(new_sd != NULL, "expected new_sd != NULL\n");
8118 ok(new_sd_size == sizeof(old_sd), "expected new_sd_size == sizeof(old_sd), got %u\n", new_sd_size);
8119 LocalFree(new_sd);
8120
8121 new_sd = (void *)0xdeadbeef;
8122 ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, &old_sd, &new_sd_size, (void **)&new_sd);
8123 ok(ret == ERROR_INVALID_SECURITY_DESCR, "expected ERROR_INVALID_SECURITY_DESCR, got %u\n", ret);
8124 ok(new_sd == (void *)0xdeadbeef, "expected new_sd == 0xdeadbeef, got %p\n", new_sd);
8125
8126 new_sd = NULL;
8127 new_sd_size = 0;
8128 ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, rel_sd, &new_sd_size, (void **)&new_sd);
8129 ok(ret == ERROR_SUCCESS, "BuildSecurityDescriptor failed with %u\n", ret);
8130 ok(new_sd != NULL, "expected new_sd != NULL\n");
8131 ok(new_sd_size == sizeof(old_sd), "expected new_sd_size == sizeof(old_sd), got %u\n", new_sd_size);
8132 LocalFree(new_sd);
8133}
GLenum GLuint GLenum GLsizei const GLchar * buf
Definition: glext.h:7751
DWORD WINAPI BuildSecurityDescriptorW(IN PTRUSTEE_W pOwner OPTIONAL, IN PTRUSTEE_W pGroup OPTIONAL, IN ULONG cCountOfAccessEntries, IN PEXPLICIT_ACCESS_W pListOfAccessEntries OPTIONAL, IN ULONG cCountOfAuditEntries, IN PEXPLICIT_ACCESS_W pListOfAuditEntries OPTIONAL, IN PSECURITY_DESCRIPTOR pOldSD OPTIONAL, OUT PULONG pSizeNewSD, OUT PSECURITY_DESCRIPTOR *pNewSD)
Definition: sec.c:436
BOOL WINAPI MakeSelfRelativeSD(PSECURITY_DESCRIPTOR pAbsoluteSecurityDescriptor, PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor, LPDWORD lpdwBufferLength)
Definition: sec.c:214
uint32_t ULONG
Definition: typedefs.h:59
#define success(from, fromstr, to, tostr)

Referenced by START_TEST().

◆ test_CheckTokenMembership()

static void test_CheckTokenMembership ( void  )
static

Definition at line 5122 of file security.c.

5123{
5124 PTOKEN_GROUPS token_groups;
5125 DWORD size;
5126 HANDLE process_token, token;
5127 BOOL is_member;
5128 BOOL ret;
5129 DWORD i;
5130
5131 if (!pCheckTokenMembership)
5132 {
5133 win_skip("CheckTokenMembership is not available\n");
5134 return;
5135 }
5137 ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
5138
5139 ret = DuplicateToken(process_token, SecurityImpersonation, &token);
5140 ok(ret, "DuplicateToken failed with error %d\n", GetLastError());
5141
5142 /* groups */
5145 "GetTokenInformation(TokenGroups) %s with error %d\n",
5146 ret ? "succeeded" : "failed", GetLastError());
5147 token_groups = HeapAlloc(GetProcessHeap(), 0, size);
5148 ret = GetTokenInformation(token, TokenGroups, token_groups, size, &size);
5149 ok(ret, "GetTokenInformation(TokenGroups) failed with error %d\n", GetLastError());
5150
5151 for (i = 0; i < token_groups->GroupCount; i++)
5152 {
5153 if (token_groups->Groups[i].Attributes & SE_GROUP_ENABLED)
5154 break;
5155 }
5156
5157 if (i == token_groups->GroupCount)
5158 {
5159 HeapFree(GetProcessHeap(), 0, token_groups);
5161 skip("user not a member of any group\n");
5162 return;
5163 }
5164
5165 is_member = FALSE;
5166 ret = pCheckTokenMembership(token, token_groups->Groups[i].Sid, &is_member);
5167 ok(ret, "CheckTokenMembership failed with error %d\n", GetLastError());
5168 ok(is_member, "CheckTokenMembership should have detected sid as member\n");
5169
5170 is_member = FALSE;
5171 ret = pCheckTokenMembership(NULL, token_groups->Groups[i].Sid, &is_member);
5172 ok(ret, "CheckTokenMembership failed with error %d\n", GetLastError());
5173 ok(is_member, "CheckTokenMembership should have detected sid as member\n");
5174
5175 is_member = TRUE;
5176 SetLastError(0xdeadbeef);
5177 ret = pCheckTokenMembership(process_token, token_groups->Groups[i].Sid, &is_member);
5179 "CheckTokenMembership with process token %s with error %d\n",
5180 ret ? "succeeded" : "failed", GetLastError());
5181 ok(!is_member, "CheckTokenMembership should have cleared is_member\n");
5182
5183 HeapFree(GetProcessHeap(), 0, token_groups);
5185 CloseHandle(process_token);
5186}
BOOL WINAPI GetTokenInformation(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength)
Definition: security.c:411
#define SE_GROUP_ENABLED
Definition: setypes.h:92
SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]
Definition: setypes.h:1018
$ULONG GroupCount
Definition: setypes.h:1014
@ TokenGroups
Definition: setypes.h:967

Referenced by START_TEST().

◆ test_child_token_sd()

static void test_child_token_sd ( void  )
static

Definition at line 7768 of file security.c.

7769{
7770 static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
7772 SYSTEM_MANDATORY_LABEL_ACE *ace_label;
7773 BOOL ret, present, defaulted;
7774 ACCESS_ALLOWED_ACE *acc_ace;
7776 DWORD size, i;
7777 HANDLE token;
7778 PSID psid;
7779 ACL *acl;
7780
7781 ret = pConvertStringSidToSidA("S-1-5-6", &psid);
7782 ok(ret, "ConvertStringSidToSidA failed with error %u\n", GetLastError());
7783
7785 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
7786
7789 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
7790
7793 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
7794
7795 acl = NULL;
7796 present = FALSE;
7797 defaulted = TRUE;
7798 ret = GetSecurityDescriptorDacl(sd, &present, &acl, &defaulted);
7799 ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
7800 ok(present, "DACL not present\n");
7801 ok(acl && acl != (void *)0xdeadbeef, "Got invalid DACL\n");
7802 ok(!defaulted, "DACL defaulted\n");
7803
7804 ok(acl->AceCount, "Expected at least one ACE\n");
7805 for (i = 0; i < acl->AceCount; i++)
7806 {
7807 ok(pGetAce(acl, i, (void **)&acc_ace), "GetAce failed with error %u\n", GetLastError());
7808 ok(acc_ace->Header.AceType != ACCESS_ALLOWED_ACE_TYPE || !EqualSid(&acc_ace->SidStart, psid),
7809 "ACE inherited from the parent\n");
7810 }
7811
7812 LocalFree(psid);
7813 HeapFree(GetProcessHeap(), 0, sd);
7814
7815 if (!pAddMandatoryAce)
7816 {
7817 win_skip("SYSTEM_MANDATORY_LABEL not supported\n");
7818 return;
7819 }
7820
7823 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
7824
7827 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
7828
7829 acl = NULL;
7830 present = FALSE;
7831 defaulted = TRUE;
7832 ret = GetSecurityDescriptorSacl(sd, &present, &acl, &defaulted);
7833 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
7834 ok(present, "SACL not present\n");
7835 ok(acl && acl != (void *)0xdeadbeef, "Got invalid SACL\n");
7836 ok(!defaulted, "SACL defaulted\n");
7837 ok(acl->AceCount == 1, "Expected exactly one ACE\n");
7838 ret = pGetAce(acl, 0, (void **)&ace_label);
7839 ok(ret, "GetAce failed with error %u\n", GetLastError());
7841 "Unexpected ACE type %#x\n", ace_label->Header.AceType);
7842 ok(!EqualSid(&ace_label->SidStart, &low_level),
7843 "Low integrity level should not have been inherited\n");
7844
7845 HeapFree(GetProcessHeap(), 0, sd);
7846}
BOOL WINAPI GetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, LPBOOL lpbDaclPresent, PACL *pDacl, LPBOOL lpbDaclDefaulted)
Definition: sec.c:45
#define DACL_SECURITY_INFORMATION
Definition: setypes.h:125

Referenced by START_TEST().

◆ test_child_token_sd_medium()

static void test_child_token_sd_medium ( void  )
static

Definition at line 7903 of file security.c.

7904{
7905 static SID medium_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
7907 SYSTEM_MANDATORY_LABEL_ACE *ace_label;
7908 BOOL ret, present, defaulted;
7910 BYTE buffer_integrity[64];
7912 HANDLE token;
7913 DWORD size;
7914 ACL *acl;
7915
7916 if (!pAddMandatoryAce)
7917 {
7918 win_skip("SYSTEM_MANDATORY_LABEL not supported\n");
7919 return;
7920 }
7921
7923 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
7924
7927 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
7928
7931 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
7932
7933 acl = NULL;
7934 present = FALSE;
7935 defaulted = TRUE;
7936 ret = GetSecurityDescriptorSacl(sd, &present, &acl, &defaulted);
7937 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
7938 ok(present, "SACL not present\n");
7939 ok(acl && acl != (void *)0xdeadbeef, "Got invalid SACL\n");
7940 ok(!defaulted, "SACL defaulted\n");
7941 ok(acl->AceCount == 1, "Expected exactly one ACE\n");
7942 ret = pGetAce(acl, 0, (void **)&ace_label);
7943 ok(ret, "GetAce failed with error %u\n", GetLastError());
7945 "Unexpected ACE type %#x\n", ace_label->Header.AceType);
7946 ok(EqualSid(&ace_label->SidStart, &medium_level),
7947 "Expected medium integrity level\n");
7948
7949 memset(buffer_integrity, 0, sizeof(buffer_integrity));
7950 ret = GetTokenInformation(token, TokenIntegrityLevel, buffer_integrity, sizeof(buffer_integrity), &size);
7951 ok(ret, "GetTokenInformation failed with error %u\n", GetLastError());
7952 tml = (TOKEN_MANDATORY_LABEL *)buffer_integrity;
7953 ok(EqualSid(tml->Label.Sid, &medium_level), "Expected medium integrity level\n");
7954
7955 HeapFree(GetProcessHeap(), 0, sd);
7956}
SID_AND_ATTRIBUTES Label
Definition: setypes.h:1061
@ TokenIntegrityLevel
Definition: setypes.h:990
unsigned char BYTE
Definition: xxhash.c:193

Referenced by START_TEST().

◆ test_child_token_sd_restricted()

static void test_child_token_sd_restricted ( void  )
static

Definition at line 7848 of file security.c.

7849{
7850 static SID high_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
7852 SYSTEM_MANDATORY_LABEL_ACE *ace_label;
7853 BOOL ret, present, defaulted;
7855 BYTE buffer_integrity[64];
7857 HANDLE token;
7858 DWORD size;
7859 ACL *acl;
7860
7861 if (!pAddMandatoryAce)
7862 {
7863 win_skip("SYSTEM_MANDATORY_LABEL not supported\n");
7864 return;
7865 }
7866
7868 ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
7869
7872 "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
7873
7876 ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
7877
7878 acl = NULL;
7879 present = FALSE;
7880 defaulted = TRUE;
7881 ret = GetSecurityDescriptorSacl(sd, &present, &acl, &defaulted);
7882 ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
7883 ok(present, "SACL not present\n");
7884 ok(acl && acl != (void *)0xdeadbeef, "Got invalid SACL\n");
7885 ok(!defaulted, "SACL defaulted\n");
7886 ok(acl->AceCount == 1, "Expected exactly one ACE\n");
7887 ret = pGetAce(acl, 0, (void **)&ace_label);
7888 ok(ret, "GetAce failed with error %u\n", GetLastError());
7890 "Unexpected ACE type %#x\n", ace_label->Header.AceType);
7891 ok(EqualSid(&ace_label->SidStart, &high_level),
7892 "Expected high integrity level\n");
7893
7894 memset(buffer_integrity, 0, sizeof(buffer_integrity));
7895 ret = GetTokenInformation(token, TokenIntegrityLevel, buffer_integrity, sizeof(buffer_integrity), &size);
7896 ok(ret, "GetTokenInformation failed with error %u\n", GetLastError());
7897 tml = (TOKEN_MANDATORY_LABEL *)buffer_integrity;
7898 ok(EqualSid(tml->Label.Sid, &high_level), "Expected high integrity level\n");
7899
7900 HeapFree(GetProcessHeap(), 0, sd);
7901}
#define SECURITY_MANDATORY_HIGH_RID
Definition: setypes.h:686

Referenced by START_TEST().

◆ test_ConvertSecurityDescriptorToString()

static void test_ConvertSecurityDescriptorToString ( void  )
static

Definition at line 4527 of file security.c.

4528{
4531 LPSTR string;
4532 DWORD size;
4533 PSID psid, psid2;
4534 PACL pacl;
4535 char sid_buf[256];
4536 char acl_buf[8192];
4537 ULONG len;
4538
4539 if (!pConvertSecurityDescriptorToStringSecurityDescriptorA)
4540 {
4541 win_skip("ConvertSecurityDescriptorToStringSecurityDescriptor is not available\n");
4542 return;
4543 }
4544 if (!pCreateWellKnownSid)
4545 {
4546 win_skip("CreateWellKnownSid is not available\n");
4547 return;
4548 }
4549
4550/* It seems Windows XP adds an extra character to the length of the string for each ACE in an ACL. We
4551 * don't replicate this feature so we only test len >= strlen+1. */
4552#define CHECK_RESULT_AND_FREE(exp_str) \
4553 ok(strcmp(string, (exp_str)) == 0, "String mismatch (expected \"%s\", got \"%s\")\n", (exp_str), string); \
4554 ok(len >= (strlen(exp_str) + 1), "Length mismatch (expected %d, got %d)\n", lstrlenA(exp_str) + 1, len); \
4555 LocalFree(string);
4556
4557#define CHECK_ONE_OF_AND_FREE(exp_str1, exp_str2) \
4558 ok(strcmp(string, (exp_str1)) == 0 || strcmp(string, (exp_str2)) == 0, "String mismatch (expected\n\"%s\" or\n\"%s\", got\n\"%s\")\n", (exp_str1), (exp_str2), string); \
4559 ok(len >= (strlen(exp_str1) + 1) || len >= (strlen(exp_str2) + 1), "Length mismatch (expected %d or %d, got %d)\n", lstrlenA(exp_str1) + 1, lstrlenA(exp_str2) + 1, len); \
4560 LocalFree(string);
4561
4563 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4565
4566 size = 4096;
4567 pCreateWellKnownSid(WinLocalSid, NULL, sid_buf, &size);
4569 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4570 CHECK_RESULT_AND_FREE("O:S-1-2-0");
4571
4573 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4574 CHECK_RESULT_AND_FREE("O:S-1-2-0");
4575
4576 size = sizeof(sid_buf);
4577 pCreateWellKnownSid(WinLocalSystemSid, NULL, sid_buf, &size);
4579 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4580 CHECK_RESULT_AND_FREE("O:SY");
4581
4582 pConvertStringSidToSidA("S-1-5-21-93476-23408-4576", &psid);
4584 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4585 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576");
4586
4587 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, GROUP_SECURITY_INFORMATION, &string, &len), "Conversion failed\n");
4588 CHECK_RESULT_AND_FREE("G:S-1-5-21-93476-23408-4576");
4589
4590 pacl = (PACL)acl_buf;
4591 InitializeAcl(pacl, sizeof(acl_buf), ACL_REVISION);
4593 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4594 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:");
4595
4597 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4598 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:");
4599
4600 pConvertStringSidToSidA("S-1-5-6", &psid2);
4601 pAddAccessAllowedAceEx(pacl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, 0xf0000000, psid2);
4602 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4603 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)");
4604
4605 pAddAccessAllowedAceEx(pacl, ACL_REVISION, INHERIT_ONLY_ACE|INHERITED_ACE, 0x00000003, psid2);
4606 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4607 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)");
4608
4609 pAddAccessDeniedAceEx(pacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE, 0xffffffff, psid);
4610 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4611 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:(A;NP;GAGXGWGR;;;SU)(A;IOID;CCDC;;;SU)(D;OICI;0xffffffff;;;S-1-5-21-93476-23408-4576)");
4612
4613
4614 pacl = (PACL)acl_buf;
4615 InitializeAcl(pacl, sizeof(acl_buf), ACL_REVISION);
4617 ok(pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len), "Conversion failed\n");
4618 CHECK_RESULT_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:");
4619
4620 /* fails in win2k */
4622 pAddAuditAccessAceEx(pacl, ACL_REVISION, VALID_INHERIT_FLAGS, KEY_READ|KEY_WRITE, psid2, TRUE, TRUE);
4623 if (pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len))
4624 {
4625 CHECK_ONE_OF_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)", /* XP */
4626 "O:SYG:S-1-5-21-93476-23408-4576D:NO_ACCESS_CONTROLS:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)" /* Vista */);
4627 }
4628
4629 /* fails in win2k */
4631 if (pConvertSecurityDescriptorToStringSecurityDescriptorA(&desc, SDDL_REVISION_1, sec_info, &string, &len))
4632 {
4633 CHECK_ONE_OF_AND_FREE("O:SYG:S-1-5-21-93476-23408-4576D:S:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)", /* XP */
4634 "O:SYG:S-1-5-21-93476-23408-4576D:NO_ACCESS_CONTROLS:(AU;OICINPIOIDSAFA;CCDCLCSWRPRC;;;SU)(AU;NPSA;0x12019f;;;SU)" /* Vista */);
4635 }
4636
4637 LocalFree(psid2);
4638 LocalFree(psid);
4639}
char string[160]
Definition: util.h:11
#define CHECK_ONE_OF_AND_FREE(exp_str1, exp_str2)
#define CHECK_RESULT_AND_FREE(exp_str)
static const WCHAR desc[]
Definition: protectdata.c:36
DWORD SECURITY_INFORMATION
Definition: ms-dtyp.idl:311
#define FILE_GENERIC_READ
Definition: nt_native.h:653
#define FILE_GENERIC_WRITE
Definition: nt_native.h:660
#define SDDL_REVISION_1
Definition: sddl.h:30
#define INHERITED_ACE
Definition: ph.h:47
#define VALID_INHERIT_FLAGS
Definition: setypes.h:751
#define CONTAINER_INHERIT_ACE
Definition: setypes.h:747
#define OWNER_SECURITY_INFORMATION
Definition: setypes.h:123
#define OBJECT_INHERIT_ACE
Definition: setypes.h:746
#define NO_PROPAGATE_INHERIT_ACE
Definition: setypes.h:748
#define GROUP_SECURITY_INFORMATION
Definition: setypes.h:124
#define SACL_SECURITY_INFORMATION
Definition: setypes.h:126

Referenced by START_TEST().

◆ test_ConvertStringSecurityDescriptor()

static void test_ConvertStringSecurityDescriptor ( void  )
static

Definition at line 4380 of file security.c.

4381{
4382 BOOL ret;
4384 static const WCHAR Blank[] = { 0 };
4385 unsigned int i;
4386 ULONG size;
4387 ACL *acl;
4388 static const struct
4389 {
4390 const char *sidstring;
4391 DWORD revision;
4392 BOOL ret;
4393 DWORD GLE;
4394 DWORD altGLE;
4395 } cssd[] =
4396 {
4397 { "D:(A;;GA;;;WD)", 0xdeadbeef, FALSE, ERROR_UNKNOWN_REVISION },
4398 /* test ACE string type */
4399 { "D:(A;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4400 { "D:(D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4401 { "ERROR:(D;;GA;;;WD)", SDDL_REVISION_1, FALSE, ERROR_INVALID_PARAMETER },
4402 /* test ACE string with spaces */
4403 { " D:(D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4404 { "D: (D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4405 { "D:( D;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4406 { "D:(D ;;GA;;;WD)", SDDL_REVISION_1, FALSE, RPC_S_INVALID_STRING_UUID, ERROR_INVALID_ACL }, /* Vista+ */
4407 { "D:(D; ;GA;;;WD)", SDDL_REVISION_1, TRUE },
4408 { "D:(D;; GA;;;WD)", SDDL_REVISION_1, TRUE },
4409 { "D:(D;;GA ;;;WD)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL },
4410 { "D:(D;;GA; ;;WD)", SDDL_REVISION_1, TRUE },
4411 { "D:(D;;GA;; ;WD)", SDDL_REVISION_1, TRUE },
4412 { "D:(D;;GA;;; WD)", SDDL_REVISION_1, TRUE },
4413 { "D:(D;;GA;;;WD )", SDDL_REVISION_1, TRUE },
4414 /* test ACE string access rights */
4415 { "D:(A;;GA;;;WD)", SDDL_REVISION_1, TRUE },
4416 { "D:(A;;GRGWGX;;;WD)", SDDL_REVISION_1, TRUE },
4417 { "D:(A;;RCSDWDWO;;;WD)", SDDL_REVISION_1, TRUE },
4418 { "D:(A;;RPWPCCDCLCSWLODTCR;;;WD)", SDDL_REVISION_1, TRUE },
4419 { "D:(A;;FAFRFWFX;;;WD)", SDDL_REVISION_1, TRUE },
4420 { "D:(A;;KAKRKWKX;;;WD)", SDDL_REVISION_1, TRUE },
4421 { "D:(A;;0xFFFFFFFF;;;WD)", SDDL_REVISION_1, TRUE },
4422 { "S:(AU;;0xFFFFFFFF;;;WD)", SDDL_REVISION_1, TRUE },
4423 /* test ACE string access right error case */
4424 { "D:(A;;ROB;;;WD)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL },
4425 /* test behaviour with empty strings */
4426 { "", SDDL_REVISION_1, TRUE },
4427 /* test ACE string SID */
4428 { "D:(D;;GA;;;S-1-0-0)", SDDL_REVISION_1, TRUE },
4429 { "D:(D;;GA;;;Nonexistent account)", SDDL_REVISION_1, FALSE, ERROR_INVALID_ACL, ERROR_INVALID_SID } /* W2K */
4430 };
4431
4432 if (!pConvertStringSecurityDescriptorToSecurityDescriptorA)
4433 {
4434 win_skip("ConvertStringSecurityDescriptorToSecurityDescriptor is not available\n");
4435 return;
4436 }
4437
4438 for (i = 0; i < sizeof(cssd)/sizeof(cssd[0]); i++)
4439 {
4440 DWORD GLE;
4441
4442 SetLastError(0xdeadbeef);
4443 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4444 cssd[i].sidstring, cssd[i].revision, &pSD, NULL);
4445 GLE = GetLastError();
4446 ok(ret == cssd[i].ret, "(%02u) Expected %s (%d)\n", i, cssd[i].ret ? "success" : "failure", GLE);
4447 if (!cssd[i].ret)
4448 ok(GLE == cssd[i].GLE ||
4449 (cssd[i].altGLE && GLE == cssd[i].altGLE),
4450 "(%02u) Unexpected last error %d\n", i, GLE);
4451 if (ret)
4452 LocalFree(pSD);
4453 }
4454
4455 /* test behaviour with NULL parameters */
4456 SetLastError(0xdeadbeef);
4457 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4458 NULL, 0xdeadbeef, &pSD, NULL);
4459 todo_wine
4461 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4462 GetLastError());
4463
4464 SetLastError(0xdeadbeef);
4465 ret = pConvertStringSecurityDescriptorToSecurityDescriptorW(
4466 NULL, 0xdeadbeef, &pSD, NULL);
4468 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4469 GetLastError());
4470
4471 SetLastError(0xdeadbeef);
4472 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4473 "D:(A;;ROB;;;WD)", 0xdeadbeef, NULL, NULL);
4475 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4476 GetLastError());
4477
4478 SetLastError(0xdeadbeef);
4479 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4480 "D:(A;;ROB;;;WD)", SDDL_REVISION_1, NULL, NULL);
4482 "ConvertStringSecurityDescriptorToSecurityDescriptor should have failed with ERROR_INVALID_PARAMETER instead of %d\n",
4483 GetLastError());
4484
4485 /* test behaviour with empty strings */
4486 SetLastError(0xdeadbeef);
4487 ret = pConvertStringSecurityDescriptorToSecurityDescriptorW(
4488 Blank, SDDL_REVISION_1, &pSD, NULL);
4489 ok(ret, "ConvertStringSecurityDescriptorToSecurityDescriptor failed with error %d\n", GetLastError());
4490 LocalFree(pSD);
4491
4492 SetLastError(0xdeadbeef);
4493 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA(
4494 "D:P(A;;GRGW;;;BA)(A;;GRGW;;;S-1-5-21-0-0-0-1000)S:(ML;;NWNR;;;S-1-16-12288)", SDDL_REVISION_1, &pSD, NULL);
4495 ok(ret || broken(!ret && GetLastError() == ERROR_INVALID_DATATYPE) /* win2k */,
4496 "ConvertStringSecurityDescriptorToSecurityDescriptor failed with error %u\n", GetLastError());
4497 if (ret) LocalFree(pSD);
4498
4499 /* empty DACL */
4500 size = 0;
4501 SetLastError(0xdeadbeef);
4502 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA("D:", SDDL_REVISION_1, &pSD, &size);
4503 ok(ret, "unexpected error %u\n", GetLastError());
4504 ok(size == sizeof(SECURITY_DESCRIPTOR_RELATIVE) + sizeof(ACL), "got %u\n", size);
4505 acl = (ACL *)((char *)pSD + sizeof(SECURITY_DESCRIPTOR_RELATIVE));
4506 ok(acl->AclRevision == ACL_REVISION, "got %u\n", acl->AclRevision);
4507 ok(!acl->Sbz1, "got %u\n", acl->Sbz1);
4508 ok(acl->AclSize == sizeof(*acl), "got %u\n", acl->AclSize);
4509 ok(!acl->AceCount, "got %u\n", acl->AceCount);
4510 ok(!acl->Sbz2, "got %u\n", acl->Sbz2);
4511 LocalFree(pSD);
4512
4513 /* empty SACL */
4514 size = 0;
4515 SetLastError(0xdeadbeef);
4516 ret = pConvertStringSecurityDescriptorToSecurityDescriptorA("S:", SDDL_REVISION_1, &pSD, &size);
4517 ok(ret, "unexpected error %u\n", GetLastError());
4518 ok(size == sizeof(SECURITY_DESCRIPTOR_RELATIVE) + sizeof(ACL), "got %u\n", size);
4519 acl = (ACL *)((char *)pSD + sizeof(SECURITY_DESCRIPTOR_RELATIVE));
4520 ok(!acl->Sbz1, "got %u\n", acl->Sbz1);
4521 ok(acl->AclSize == sizeof(*acl), "got %u\n", acl->AclSize);
4522 ok(!acl->AceCount, "got %u\n", acl->AceCount);
4523 ok(!acl->Sbz2, "got %u\n", acl->Sbz2);
4524 LocalFree(pSD);
4525}
#define broken(x)
Definition: _sntprintf.h:21
static DWORD GLE
Definition: registry.c:38
USHORT Sbz2
Definition: ms-dtyp.idl:298
UCHAR Sbz1
Definition: ms-dtyp.idl:295
USHORT AclSize
Definition: ms-dtyp.idl:296
#define ERROR_INVALID_DATATYPE
Definition: winerror.h:1111
#define ERROR_UNKNOWN_REVISION
Definition: winerror.h:787
#define RPC_S_INVALID_STRING_UUID
Definition: winerror.h:1016
#define ERROR_INVALID_ACL
Definition: winerror.h:818
#define ERROR_INVALID_SID
Definition: winerror.h:819
struct _SECURITY_DESCRIPTOR_RELATIVE SECURITY_DESCRIPTOR_RELATIVE
__wchar_t WCHAR
Definition: xmlstorage.h:180

Referenced by START_TEST().

◆ test_CreateDirectoryA()

static void test_CreateDirectoryA ( void  )
static

Definition at line 3619 of file security.c.

3620{
3621 char admin_ptr[sizeof(SID)+sizeof(ULONG)*SID_MAX_SUB_AUTHORITIES], *user;
3622 DWORD sid_size = sizeof(admin_ptr), user_size;
3623 PSID admin_sid = (PSID) admin_ptr, user_sid;
3625 PSECURITY_DESCRIPTOR pSD = &sd;
3626 ACL_SIZE_INFORMATION acl_size;
3627 UNICODE_STRING tmpfileW;
3630 char tmpfile[MAX_PATH];
3631 char tmpdir[MAX_PATH];
3632 HANDLE token, hTemp;
3634 struct _SID *owner;
3635 BOOL bret = TRUE;
3637 DWORD error;
3638 PACL pDacl;
3639
3640 if (!pGetSecurityInfo || !pGetNamedSecurityInfoA || !pCreateWellKnownSid)
3641 {
3642 win_skip("Required functions are not available\n");
3643 return;
3644 }
3645
3647 {
3648 if (GetLastError() != ERROR_NO_TOKEN) bret = FALSE;
3650 }
3651 if (!bret)
3652 {
3653 win_skip("Failed to get current user token\n");
3654 return;
3655 }
3656 bret = GetTokenInformation(token, TokenUser, NULL, 0, &user_size);
3658 "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3659 user = HeapAlloc(GetProcessHeap(), 0, user_size);
3660 bret = GetTokenInformation(token, TokenUser, user, user_size, &user_size);
3661 ok(bret, "GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
3662 CloseHandle( token );
3663 user_sid = ((TOKEN_USER *)user)->User.Sid;
3664
3665 sa.nLength = sizeof(sa);
3666 sa.lpSecurityDescriptor = pSD;
3667 sa.bInheritHandle = TRUE;
3669 pCreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
3670 pDacl = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 100);
3671 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
3672 ok(bret, "Failed to initialize ACL.\n");
3673 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE,
3674 GENERIC_ALL, user_sid);
3675 ok(bret, "Failed to add Current User to ACL.\n");
3676 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE,
3677 GENERIC_ALL, admin_sid);
3678 ok(bret, "Failed to add Administrator Group to ACL.\n");
3679 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3680 ok(bret, "Failed to add ACL to security descriptor.\n");
3681
3683 lstrcatA(tmpdir, "Please Remove Me");
3684 bret = CreateDirectoryA(tmpdir, &sa);
3685 ok(bret == TRUE, "CreateDirectoryA(%s) failed err=%d\n", tmpdir, GetLastError());
3686 HeapFree(GetProcessHeap(), 0, pDacl);
3687
3688 SetLastError(0xdeadbeef);
3689 error = pGetNamedSecurityInfoA(tmpdir, SE_FILE_OBJECT,
3691 NULL, &pDacl, NULL, &pSD);
3693 {
3694 win_skip("GetNamedSecurityInfoA is not implemented\n");
3695 goto done;
3696 }
3697 ok(!error, "GetNamedSecurityInfo failed with error %d\n", error);
3699 0x1f01ff, FALSE, FALSE, FALSE, __LINE__);
3700 LocalFree(pSD);
3701
3702 /* Test inheritance of ACLs in CreateFile without security descriptor */
3704 lstrcatA(tmpfile, "/tmpfile");
3705
3708 ok(hTemp != INVALID_HANDLE_VALUE, "CreateFile error %u\n", GetLastError());
3709
3710 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3712 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3713 ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n");
3714 test_inherited_dacl(pDacl, admin_sid, user_sid, INHERITED_ACE,
3715 0x1f01ff, FALSE, FALSE, FALSE, __LINE__);
3716 LocalFree(pSD);
3717 CloseHandle(hTemp);
3718
3719 /* Test inheritance of ACLs in CreateFile with security descriptor -
3720 * When a security descriptor is set, then inheritance doesn't take effect */
3721 pSD = &sd;
3723 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3724 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3725 ok(bret, "Failed to initialize ACL\n");
3726 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3727 ok(bret, "Failed to add ACL to security descriptor\n");
3728
3730 lstrcatA(tmpfile, "/tmpfile");
3731
3732 sa.nLength = sizeof(sa);
3733 sa.lpSecurityDescriptor = pSD;
3734 sa.bInheritHandle = TRUE;
3737 ok(hTemp != INVALID_HANDLE_VALUE, "CreateFile error %u\n", GetLastError());
3738 HeapFree(GetProcessHeap(), 0, pDacl);
3739
3740 error = pGetSecurityInfo(hTemp, SE_FILE_OBJECT,
3742 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3743 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3744 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3745 ok(bret, "GetAclInformation failed\n");
3746 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3747 acl_size.AceCount);
3748 LocalFree(pSD);
3749
3750 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3752 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3753 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3754 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3755 ok(bret, "GetAclInformation failed\n");
3756 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3757 acl_size.AceCount);
3758 LocalFree(pSD);
3759 CloseHandle(hTemp);
3760
3761 /* Test inheritance of ACLs in NtCreateFile without security descriptor */
3763 lstrcatA(tmpfile, "/tmpfile");
3764 get_nt_pathW(tmpfile, &tmpfileW);
3765
3766 attr.Length = sizeof(attr);
3767 attr.RootDirectory = 0;
3768 attr.ObjectName = &tmpfileW;
3769 attr.Attributes = OBJ_CASE_INSENSITIVE;
3770 attr.SecurityDescriptor = NULL;
3771 attr.SecurityQualityOfService = NULL;
3772
3773 status = pNtCreateFile(&hTemp, GENERIC_WRITE | DELETE, &attr, &io, NULL, 0,
3775 ok(!status, "NtCreateFile failed with %08x\n", status);
3776 pRtlFreeUnicodeString(&tmpfileW);
3777
3778 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3780 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3781 ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n");
3782 test_inherited_dacl(pDacl, admin_sid, user_sid, INHERITED_ACE,
3783 0x1f01ff, FALSE, FALSE, FALSE, __LINE__);
3784 LocalFree(pSD);
3785 CloseHandle(hTemp);
3786
3787 /* Test inheritance of ACLs in NtCreateFile with security descriptor -
3788 * When a security descriptor is set, then inheritance doesn't take effect */
3789 pSD = &sd;
3791 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3792 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3793 ok(bret, "Failed to initialize ACL\n");
3794 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3795 ok(bret, "Failed to add ACL to security descriptor\n");
3796
3798 lstrcatA(tmpfile, "/tmpfile");
3799 get_nt_pathW(tmpfile, &tmpfileW);
3800
3801 attr.Length = sizeof(attr);
3802 attr.RootDirectory = 0;
3803 attr.ObjectName = &tmpfileW;
3804 attr.Attributes = OBJ_CASE_INSENSITIVE;
3805 attr.SecurityDescriptor = pSD;
3806 attr.SecurityQualityOfService = NULL;
3807
3808 status = pNtCreateFile(&hTemp, GENERIC_WRITE | DELETE, &attr, &io, NULL, 0,
3810 ok(!status, "NtCreateFile failed with %08x\n", status);
3811 pRtlFreeUnicodeString(&tmpfileW);
3812 HeapFree(GetProcessHeap(), 0, pDacl);
3813
3814 error = pGetSecurityInfo(hTemp, SE_FILE_OBJECT,
3816 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3817 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3818 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3819 ok(bret, "GetAclInformation failed\n");
3820 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3821 acl_size.AceCount);
3822 LocalFree(pSD);
3823
3824 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3826 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3827 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3828 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3829 ok(bret, "GetAclInformation failed\n");
3830 todo_wine
3831 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3832 acl_size.AceCount);
3833 LocalFree(pSD);
3834 CloseHandle(hTemp);
3835
3836 /* Test inheritance of ACLs in CreateDirectory without security descriptor */
3838 lstrcatA(tmpfile, "/tmpdir");
3839 bret = CreateDirectoryA(tmpfile, NULL);
3840 ok(bret == TRUE, "CreateDirectoryA failed with error %u\n", GetLastError());
3841
3842 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3844 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3845 ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n");
3846 test_inherited_dacl(pDacl, admin_sid, user_sid,
3848 0x1f01ff, FALSE, FALSE, FALSE, __LINE__);
3849 LocalFree(pSD);
3850 bret = RemoveDirectoryA(tmpfile);
3851 ok(bret == TRUE, "RemoveDirectoryA failed with error %u\n", GetLastError());
3852
3853 /* Test inheritance of ACLs in CreateDirectory with security descriptor */
3854 pSD = &sd;
3856 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3857 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3858 ok(bret, "Failed to initialize ACL\n");
3859 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3860 ok(bret, "Failed to add ACL to security desciptor\n");
3861
3863 lstrcatA(tmpfile, "/tmpdir1");
3864
3865 sa.nLength = sizeof(sa);
3866 sa.lpSecurityDescriptor = pSD;
3867 sa.bInheritHandle = TRUE;
3868 bret = CreateDirectoryA(tmpfile, &sa);
3869 ok(bret == TRUE, "CreateDirectoryA failed with error %u\n", GetLastError());
3870 HeapFree(GetProcessHeap(), 0, pDacl);
3871
3872 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3874 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3875 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3876 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3877 ok(bret, "GetAclInformation failed\n");
3878 todo_wine
3879 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3880 acl_size.AceCount);
3881 LocalFree(pSD);
3882
3883 SetLastError(0xdeadbeef);
3884 bret = RemoveDirectoryA(tmpfile);
3885 error = GetLastError();
3886 ok(bret == FALSE, "RemoveDirectoryA unexpected succeeded\n");
3887 ok(error == ERROR_ACCESS_DENIED, "expected ERROR_ACCESS_DENIED, got %u\n", error);
3888
3889 pSD = &sd;
3891 pDacl = HeapAlloc(GetProcessHeap(), 0, 100);
3892 bret = InitializeAcl(pDacl, 100, ACL_REVISION);
3893 ok(bret, "Failed to initialize ACL.\n");
3894 bret = pAddAccessAllowedAceEx(pDacl, ACL_REVISION, 0, GENERIC_ALL, user_sid);
3895 ok(bret, "Failed to add Current User to ACL.\n");
3896 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3897 ok(bret, "Failed to add ACL to security desciptor.\n");
3898 error = pSetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL,
3899 NULL, pDacl, NULL);
3900 ok(error == ERROR_SUCCESS, "SetNamedSecurityInfoA failed with error %u\n", error);
3901 HeapFree(GetProcessHeap(), 0, pDacl);
3902
3903 bret = RemoveDirectoryA(tmpfile);
3904 ok(bret == TRUE, "RemoveDirectoryA failed with error %u\n", GetLastError());
3905
3906 /* Test inheritance of ACLs in NtCreateFile(..., FILE_DIRECTORY_FILE, ...) without security descriptor */
3908 lstrcatA(tmpfile, "/tmpdir");
3909 get_nt_pathW(tmpfile, &tmpfileW);
3910
3911 attr.Length = sizeof(attr);
3912 attr.RootDirectory = 0;
3913 attr.ObjectName = &tmpfileW;
3914 attr.Attributes = OBJ_CASE_INSENSITIVE;
3915 attr.SecurityDescriptor = NULL;
3916 attr.SecurityQualityOfService = NULL;
3917
3918 status = pNtCreateFile(&hTemp, GENERIC_READ | DELETE, &attr, &io, NULL, FILE_ATTRIBUTE_NORMAL,
3920 ok(!status, "NtCreateFile failed with %08x\n", status);
3921 RtlFreeUnicodeString(&tmpfileW);
3922
3923 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3925 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3926 ok(error == ERROR_SUCCESS, "Failed to get permissions on file\n");
3927 test_inherited_dacl(pDacl, admin_sid, user_sid,
3929 0x1f01ff, FALSE, FALSE, FALSE, __LINE__);
3930 LocalFree(pSD);
3931 CloseHandle(hTemp);
3932
3933 /* Test inheritance of ACLs in NtCreateFile(..., FILE_DIRECTORY_FILE, ...) with security descriptor */
3934 pSD = &sd;
3936 pDacl = HeapAlloc(GetProcessHeap(), 0, sizeof(ACL));
3937 bret = InitializeAcl(pDacl, sizeof(ACL), ACL_REVISION);
3938 ok(bret, "Failed to initialize ACL\n");
3939 bret = SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE);
3940 ok(bret, "Failed to add ACL to security desciptor\n");
3941
3943 lstrcatA(tmpfile, "/tmpdir2");
3944 get_nt_pathW(tmpfile, &tmpfileW);
3945
3946 attr.Length = sizeof(attr);
3947 attr.RootDirectory = 0;
3948 attr.ObjectName = &tmpfileW;
3949 attr.Attributes = OBJ_CASE_INSENSITIVE;
3950 attr.SecurityDescriptor = pSD;
3951 attr.SecurityQualityOfService = NULL;
3952
3953 status = pNtCreateFile(&hTemp, GENERIC_READ | DELETE, &attr, &io, NULL, FILE_ATTRIBUTE_NORMAL,
3955 ok(!status, "NtCreateFile failed with %08x\n", status);
3956 RtlFreeUnicodeString(&tmpfileW);
3957 HeapFree(GetProcessHeap(), 0, pDacl);
3958
3959 error = pGetSecurityInfo(hTemp, SE_FILE_OBJECT,
3961 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3962 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3963 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3964 ok(bret, "GetAclInformation failed\n");
3965 todo_wine
3966 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3967 acl_size.AceCount);
3968 LocalFree(pSD);
3969
3970 error = pGetNamedSecurityInfoA(tmpfile, SE_FILE_OBJECT,
3972 (PSID *)&owner, NULL, &pDacl, NULL, &pSD);
3973 ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
3974 bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
3975 ok(bret, "GetAclInformation failed\n");
3976 todo_wine
3977 ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
3978 acl_size.AceCount);
3979 LocalFree(pSD);
3980 CloseHandle(hTemp);
3981
3982done:
3984 bret = RemoveDirectoryA(tmpdir);
3985 ok(bret == TRUE, "RemoveDirectoryA should always succeed\n");
3986}
@ SE_FILE_OBJECT
Definition: accctrl.h:160
#define FILE_DIRECTORY_FILE
Definition: constants.h:491
#define FILE_DELETE_ON_CLOSE
Definition: constants.h:494
BOOL WINAPI OpenThreadToken(HANDLE ThreadHandle, DWORD DesiredAccess, BOOL OpenAsSelf, HANDLE *TokenHandle)
Definition: security.c:336
#define INVALID_HANDLE_VALUE
Definition: compat.h:731
#define CreateFileA(a, b, c, d, e, f, g)
Definition: compat.h:740
#define MAX_PATH
Definition: compat.h:34
#define FILE_ATTRIBUTE_NORMAL
Definition: compat.h:137
#define FILE_SHARE_READ
Definition: compat.h:136
BOOL WINAPI RemoveDirectoryA(IN LPCSTR lpPathName)
Definition: dir.c:714
BOOL WINAPI CreateDirectoryA(IN LPCSTR lpPathName, IN LPSECURITY_ATTRIBUTES lpSecurityAttributes)
Definition: dir.c:37
DWORD WINAPI GetTempPathA(IN DWORD nBufferLength, OUT LPSTR lpBuffer)
Definition: path.c:2054
#define FILE_CREATE
Definition: from_kernel.h:55
_Check_return_ _CRTIMP FILE *__cdecl tmpfile(void)
Definition: file.c:3914
#define OBJ_CASE_INSENSITIVE
Definition: winternl.h:228
LPSTR WINAPI lstrcatA(LPSTR lpString1, LPCSTR lpString2)
Definition: lstring.c:123
#define error(str)
Definition: mkdosfs.c:1605
#define FILE_FLAG_DELETE_ON_CLOSE
Definition: disk.h:42
#define CREATE_NEW
Definition: disk.h:69
static void test_inherited_dacl(PACL dacl, PSID admin_sid, PSID user_sid, DWORD flags, DWORD mask, BOOL todo_count, BOOL todo_sid, BOOL todo_flags, int line)
Definition: security.c:3566
static void get_nt_pathW(const char *name, UNICODE_STRING *nameW)
Definition: security.c:3548
static HANDLE PIO_APC_ROUTINE PVOID PIO_STATUS_BLOCK io
Definition: file.c:100
struct _SID * PSID
Definition: eventlog.c:35
#define GENERIC_ALL
Definition: nt_native.h:92
#define DELETE
Definition: nt_native.h:57
NTSYSAPI VOID NTAPI RtlFreeUnicodeString(PUNICODE_STRING UnicodeString)
#define GENERIC_WRITE
Definition: nt_native.h:90
static char tmpdir[MAX_PATH]
Definition: shlexec.c:52
Definition: cookie.c:202
HANDLE WINAPI GetCurrentThread(void)
Definition: proc.c:1148
#define ERROR_NO_TOKEN
Definition: winerror.h:587
@ TokenUser
Definition: setypes.h:966
#define TOKEN_READ
Definition: setypes.h:951
#define SID_MAX_SUB_AUTHORITIES
Definition: setypes.h:482

Referenced by START_TEST().

◆ test_CreateRestrictedToken()

static void test_CreateRestrictedToken ( void  )
static

Definition at line 5397 of file security.c.

5398{
5399 TOKEN_PRIMARY_GROUP *primary_group, *primary_group2;
5400 HANDLE process_token, token, r_token;
5401 PTOKEN_GROUPS token_groups, groups2;
5402 SID_AND_ATTRIBUTES sattr;
5404 TOKEN_PRIVILEGES *privs;
5405 PRIVILEGE_SET privset;
5407 BOOL is_member;
5408 DWORD size;
5409 BOOL ret;
5410 DWORD i, j;
5411
5412 if (!pCreateRestrictedToken)
5413 {
5414 win_skip("CreateRestrictedToken is not available\n");
5415 return;
5416 }
5417
5419 ok(ret, "got error %d\n", GetLastError());
5420
5423 ok(ret, "got error %d\n", GetLastError());
5424
5425 /* groups */
5428 "got %d with error %d\n", ret, GetLastError());
5429 token_groups = HeapAlloc(GetProcessHeap(), 0, size);
5430 ret = GetTokenInformation(token, TokenGroups, token_groups, size, &size);
5431 ok(ret, "got error %d\n", GetLastError());
5432
5433 for (i = 0; i < token_groups->GroupCount; i++)
5434 {
5435 if (token_groups->Groups[i].Attributes & SE_GROUP_ENABLED)
5436 break;
5437 }
5438
5439 if (i == token_groups->GroupCount)
5440 {
5441 HeapFree(GetProcessHeap(), 0, token_groups);
5443 skip("User not a member of any group\n");
5444 return;
5445 }
5446
5447 is_member = FALSE;
5448 ret = pCheckTokenMembership(token, token_groups->Groups[i].Sid, &is_member);
5449 ok(ret, "got error %d\n", GetLastError());
5450 ok(is_member, "not a member\n");
5451
5452 privset.PrivilegeCount = 1;
5454 ret = LookupPrivilegeValueA(NULL, "SeChangeNotifyPrivilege", &privset.Privilege[0].Luid);
5455 ok(ret, "got error %d\n", GetLastError());
5456
5457 is_member = FALSE;
5458 ret = PrivilegeCheck(token, &privset, &is_member);
5459 ok(ret, "got error %d\n", GetLastError());
5460 ok(is_member, "Expected SeChangeNotifyPrivilege to be enabled\n");
5461
5462 /* disable a SID and a privilege in new token */
5463 sattr.Sid = token_groups->Groups[i].Sid;
5464 sattr.Attributes = 0;
5465 r_token = NULL;
5466 ret = pCreateRestrictedToken(token, 0, 1, &sattr, 1, &privset.Privilege[0], 0, NULL, &r_token);
5467 ok(ret, "got error %d\n", GetLastError());
5468
5469 if (ret)
5470 {
5471 /* check if a SID is enabled */
5472 is_member = TRUE;
5473 ret = pCheckTokenMembership(r_token, token_groups->Groups[i].Sid, &is_member);
5474 ok(ret, "got error %d\n", GetLastError());
5475 ok(!is_member, "not a member\n");
5476
5477 ret = GetTokenInformation(r_token, TokenGroups, NULL, 0, &size);
5478 ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %d with error %d\n",
5479 ret, GetLastError());
5480 groups2 = HeapAlloc(GetProcessHeap(), 0, size);
5481 ret = GetTokenInformation(r_token, TokenGroups, groups2, size, &size);
5482 ok(ret, "got error %d\n", GetLastError());
5483
5484 for (j = 0; j < groups2->GroupCount; j++)
5485 {
5486 if (EqualSid(groups2->Groups[j].Sid, token_groups->Groups[i].Sid))
5487 break;
5488 }
5489
5491 "got wrong attributes\n");
5492 ok((groups2->Groups[j].Attributes & SE_GROUP_ENABLED) == 0,
5493 "got wrong attributes\n");
5494
5495 HeapFree(GetProcessHeap(), 0, groups2);
5496
5497 size = sizeof(type);
5498 ret = GetTokenInformation(r_token, TokenType, &type, size, &size);
5499 ok(ret, "got error %d\n", GetLastError());
5500 ok(type == TokenImpersonation, "got type %u\n", type);
5501
5502 size = sizeof(level);
5504 ok(ret, "got error %d\n", GetLastError());
5505 ok(level == SecurityImpersonation, "got level %u\n", type);
5506
5507 is_member = TRUE;
5508 ret = PrivilegeCheck(r_token, &privset, &is_member);
5509 ok(ret, "got error %d\n", GetLastError());
5510 ok(!is_member, "Expected SeChangeNotifyPrivilege not to be enabled\n");
5511
5513 ok(!