#include "precomp.h"
Include dependency graph for NtAccessCheckByType.c:
Go to the source code of this file.
Functions | |
| static HANDLE | GetTokenProcess (_In_ BOOLEAN WantImpersonateLevel, _In_ BOOLEAN WantImpersonateType) |
| static VOID | ParamsValidationTests (VOID) |
| static VOID | AccessGrantedNoDaclTests (VOID) |
| static VOID | AccessGrantedTests (VOID) |
| static VOID | AccessGrantedMultipleObjectsTests (VOID) |
| static VOID | DenyAccessTests (VOID) |
| START_TEST (NtAccessCheckByType) | |
Variables | |
| static GENERIC_MAPPING | RegMapping = {KEY_READ, KEY_WRITE, KEY_EXECUTE, KEY_ALL_ACCESS} |
| static GUID | ObjectType = {0x12345678, 0x1234, 0x5678, {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}} |
| static GUID | ChildObjectType = {0x23456789, 0x2345, 0x6786, {0x2, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99}} |
| static SID_IDENTIFIER_AUTHORITY | WorldAuthority = {SECURITY_WORLD_SID_AUTHORITY} |
| static SID_IDENTIFIER_AUTHORITY | NtAuthority = {SECURITY_NT_AUTHORITY} |
Function Documentation
◆ AccessGrantedMultipleObjectsTests()
Definition at line 779 of file NtAccessCheckByType.c.
780{
785 ULONG PrivilegeSetLength;
789 SECURITY_DESCRIPTOR Sd;
790 OBJECT_TYPE_LIST ObjTypeList[6];
792 GUID ChildObjectType2 = {0x34578901, 0x3456, 0x7896, {0x3, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00}};
793 GUID ChildObjectType3 = {0x45678901, 0x4567, 0x1122, {0x4, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x01}};
794 GUID ChildObjectType4 = {0x56788901, 0x1111, 0x2222, {0x5, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x02}};
795 GUID ChildObjectType5 = {0x67901234, 0x2222, 0x3333, {0x4, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x03}};
796
797 /* Allocate all the stuff we need */
799 PrivilegeSet = RtlAllocateHeap(RtlGetProcessHeap(), 0, PrivilegeSetLength);
801 {
803 return;
804 }
805
807 1,
808 SECURITY_WORLD_RID,
809 0,
810 0,
811 0,
812 0,
813 0,
814 0,
815 0,
816 &EveryoneSid);
818 {
820 goto Quit;
821 }
822
824 2,
827 0,
828 0,
829 0,
830 0,
831 0,
832 0,
833 &AdminSid);
835 {
837 goto Quit;
838 }
839
841 2,
844 0,
845 0,
846 0,
847 0,
848 0,
849 0,
850 &UsersSid);
852 {
854 goto Quit;
855 }
856
859 {
861 goto Quit;
862 }
863
866 {
868 goto Quit;
869 }
870
879 HEAP_ZERO_MEMORY,
880 DaclSize);
882 {
884 goto Quit;
885 }
886
888 DaclSize,
889 ACL_REVISION4);
891 {
893 goto Quit;
894 }
895
896 /* Setup some rights for these objects, admins are granted everything */
898 ACL_REVISION4,
899 0,
900 KEY_ALL_ACCESS,
901 &ObjectType,
902 NULL,
903 AdminSid);
905 {
907 goto Quit;
908 }
909
911 ACL_REVISION4,
912 0,
913 KEY_READ,
914 &ChildObjectType,
915 NULL,
916 EveryoneSid);
918 {
920 goto Quit;
921 }
922
924 ACL_REVISION4,
925 0,
926 KEY_WRITE,
927 &ChildObjectType2,
928 NULL,
929 EveryoneSid);
931 {
933 goto Quit;
934 }
935
937 ACL_REVISION4,
938 0,
939 KEY_EXECUTE,
940 &ChildObjectType3,
941 NULL,
942 EveryoneSid);
944 {
946 goto Quit;
947 }
948
950 ACL_REVISION4,
951 0,
952 KEY_SET_VALUE,
953 &ChildObjectType4,
954 NULL,
955 EveryoneSid);
957 {
959 goto Quit;
960 }
961
963 ACL_REVISION4,
964 0,
965 KEY_QUERY_VALUE,
966 &ChildObjectType5,
967 NULL,
968 EveryoneSid);
970 {
972 goto Quit;
973 }
974
975 /* Setup the descriptor */
979
980 /* Setup the object type list */
982 ObjTypeList[0].Sbz = 0;
984
986 ObjTypeList[1].Sbz = 0;
988
990 ObjTypeList[2].Sbz = 0;
991 ObjTypeList[2].ObjectType = &ChildObjectType2;
992
994 ObjTypeList[3].Sbz = 0;
995 ObjTypeList[3].ObjectType = &ChildObjectType3;
996
998 ObjTypeList[4].Sbz = 0;
999 ObjTypeList[4].ObjectType = &ChildObjectType4;
1000
1002 ObjTypeList[5].Sbz = 0;
1003 ObjTypeList[5].ObjectType = &ChildObjectType5;
1004
1005 /* Evaluate access for each object case */
1007 NULL,
1008 Token,
1009 MAXIMUM_ALLOWED,
1010 ObjTypeList,
1011 RTL_NUMBER_OF(ObjTypeList),
1012 &RegMapping,
1013 PrivilegeSet,
1014 &PrivilegeSetLength,
1015 &GrantedAccess,
1016 &AccessStatus);
1018 ok(GrantedAccess == KEY_ALL_ACCESS, "Expected KEY_ALL_ACCESS as granted right but got 0x%08lx\n", GrantedAccess);
1019 ok(AccessStatus == STATUS_SUCCESS, "Expected a success status but got 0x%08lx\n", AccessStatus);
1020
1022 NULL,
1023 Token,
1024 KEY_READ,
1025 ObjTypeList,
1026 RTL_NUMBER_OF(ObjTypeList),
1027 &RegMapping,
1028 PrivilegeSet,
1029 &PrivilegeSetLength,
1030 &GrantedAccess,
1031 &AccessStatus);
1033 ok(GrantedAccess == KEY_READ, "Expected KEY_READ as granted right but got 0x%08lx\n", GrantedAccess);
1034 ok(AccessStatus == STATUS_SUCCESS, "Expected a success status but got 0x%08lx\n", AccessStatus);
1035
1037 NULL,
1038 Token,
1039 KEY_WRITE,
1040 ObjTypeList,
1041 RTL_NUMBER_OF(ObjTypeList),
1042 &RegMapping,
1043 PrivilegeSet,
1044 &PrivilegeSetLength,
1045 &GrantedAccess,
1046 &AccessStatus);
1048 ok(GrantedAccess == KEY_WRITE, "Expected KEY_WRITE as granted right but got 0x%08lx\n", GrantedAccess);
1049 ok(AccessStatus == STATUS_SUCCESS, "Expected a success status but got 0x%08lx\n", AccessStatus);
1050
1052 NULL,
1053 Token,
1054 KEY_EXECUTE,
1055 ObjTypeList,
1056 RTL_NUMBER_OF(ObjTypeList),
1057 &RegMapping,
1058 PrivilegeSet,
1059 &PrivilegeSetLength,
1060 &GrantedAccess,
1061 &AccessStatus);
1063 ok(GrantedAccess == KEY_EXECUTE, "Expected KEY_EXECUTE as granted right but got 0x%08lx\n", GrantedAccess);
1064 ok(AccessStatus == STATUS_SUCCESS, "Expected a success status but got 0x%08lx\n", AccessStatus);
1065
1067 NULL,
1068 Token,
1069 KEY_SET_VALUE,
1070 ObjTypeList,
1071 RTL_NUMBER_OF(ObjTypeList),
1072 &RegMapping,
1073 PrivilegeSet,
1074 &PrivilegeSetLength,
1075 &GrantedAccess,
1076 &AccessStatus);
1078 ok(GrantedAccess == KEY_SET_VALUE, "Expected KEY_SET_VALUE as granted right but got 0x%08lx\n", GrantedAccess);
1079 ok(AccessStatus == STATUS_SUCCESS, "Expected a success status but got 0x%08lx\n", AccessStatus);
1080
1082 NULL,
1083 Token,
1084 KEY_QUERY_VALUE,
1085 ObjTypeList,
1086 RTL_NUMBER_OF(ObjTypeList),
1087 &RegMapping,
1088 PrivilegeSet,
1089 &PrivilegeSetLength,
1090 &GrantedAccess,
1091 &AccessStatus);
1093 ok(GrantedAccess == KEY_QUERY_VALUE, "Expected KEY_QUERY_VALUE as granted right but got 0x%08lx\n", GrantedAccess);
1094 ok(AccessStatus == STATUS_SUCCESS, "Expected a success status but got 0x%08lx\n", AccessStatus);
1095
1096Quit:
1098 {
1100 }
1101
1103 {
1105 }
1106
1107 if (UsersSid)
1108 {
1109 RtlFreeSid(UsersSid);
1110 }
1111
1113 {
1115 }
1116
1117 if (EveryoneSid)
1118 {
1119 RtlFreeSid(EveryoneSid);
1120 }
1121
1122 if (PrivilegeSet)
1123 {
1124 RtlFreeHeap(RtlGetProcessHeap(), 0, PrivilegeSet);
1125 }
1126}
static HANDLE GetTokenProcess(_In_ BOOLEAN WantImpersonateLevel, _In_ BOOLEAN WantImpersonateType)
Definition: NtAccessCheckByType.c:18
NTSTATUS NTAPI NtAccessCheckByType(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID PrincipalSelfSid, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, _In_ ULONG ObjectTypeListLength, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus)
Determines whether security access can be granted to a client that requests such access on the object...
Definition: accesschk.c:2254
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:590
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:608
Definition: tokenizer.hpp:28
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
Definition: shobjidl.idl:2913
Definition: nsiface.idl:2307
struct _ACCESS_ALLOWED_OBJECT_ACE ACCESS_ALLOWED_OBJECT_ACE
struct _ACL ACL
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1593
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
NTSYSAPI NTSTATUS NTAPI RtlAddAccessAllowedObjectAce(_Inout_ PACL pAcl, _In_ ULONG dwAceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_opt_ GUID *ObjectTypeGuid, _In_opt_ GUID *InheritedObjectTypeGuid, _In_ PSID pSid)
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
NTSYSAPI PVOID NTAPI RtlFreeSid(_In_ _Post_invalid_ PSID Sid)
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1594
NTSYSAPI NTSTATUS NTAPI RtlAllocateAndInitializeSid(IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount, IN ULONG SubAuthority0, IN ULONG SubAuthority1, IN ULONG SubAuthority2, IN ULONG SubAuthority3, IN ULONG SubAuthority4, IN ULONG SubAuthority5, IN ULONG SubAuthority6, IN ULONG SubAuthority7, OUT PSID *Sid)
Definition: sid.c:290
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410
Definition: ms-dtyp.idl:221
Definition: ms-dtyp.idl:293
Definition: setypes.h:856
Definition: setypes.h:85
Definition: ms-dtyp.idl:301
Definition: ms-dtyp.idl:198
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:21
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:20
Referenced by START_TEST().
◆ AccessGrantedNoDaclTests()
Definition at line 359 of file NtAccessCheckByType.c.
360{
365 ULONG PrivilegeSetLength;
367 SECURITY_DESCRIPTOR Sd;
368 OBJECT_TYPE_LIST ObjTypeList[2];
370
371 /* Allocate all the stuff we need */
373 PrivilegeSet = RtlAllocateHeap(RtlGetProcessHeap(), 0, PrivilegeSetLength);
375 {
377 return;
378 }
379
381 2,
384 0,
385 0,
386 0,
387 0,
388 0,
389 0,
390 &AdminSid);
392 {
394 goto Quit;
395 }
396
398 2,
401 0,
402 0,
403 0,
404 0,
405 0,
406 0,
407 &UsersSid);
409 {
411 goto Quit;
412 }
413
416 {
418 goto Quit;
419 }
420
423 {
425 goto Quit;
426 }
427
428 /* Setup the descriptor with no DACL */
432
433 /* Setup the object type list */
435 ObjTypeList[0].Sbz = 0;
437
439 ObjTypeList[1].Sbz = 0;
441
442 /*
443 * Evaluate the access -- a SD with no DACL is always a granted
444 * access as no ACL is enforced to protect the object.
445 */
447 NULL,
448 Token,
449 KEY_READ,
450 ObjTypeList,
451 RTL_NUMBER_OF(ObjTypeList),
452 &RegMapping,
453 PrivilegeSet,
454 &PrivilegeSetLength,
455 &GrantedAccess,
456 &AccessStatus);
458 ok(GrantedAccess == KEY_READ, "Expected KEY_READ as granted right but got 0x%08lx\n", GrantedAccess);
459 ok(AccessStatus == STATUS_SUCCESS, "Expected a success status but got 0x%08lx\n", AccessStatus);
462
463 /* Evaluate access for MAXIMUM_ALLOWED as well */
465 NULL,
466 Token,
467 MAXIMUM_ALLOWED,
468 ObjTypeList,
469 RTL_NUMBER_OF(ObjTypeList),
470 &RegMapping,
471 PrivilegeSet,
472 &PrivilegeSetLength,
473 &GrantedAccess,
474 &AccessStatus);
476 ok(GrantedAccess == KEY_ALL_ACCESS, "Expected KEY_ALL_ACCESS as granted right but got 0x%08lx\n", GrantedAccess);
477 ok(AccessStatus == STATUS_SUCCESS, "Expected a success status but got 0x%08lx\n", AccessStatus);
480
481 /*
482 * Evaluate access but with no object type list.
483 * NtAccessCheckByType will be treated as a normal NtAccessCheck.
484 */
486 NULL,
487 Token,
488 KEY_READ,
489 NULL,
490 0,
491 &RegMapping,
492 PrivilegeSet,
493 &PrivilegeSetLength,
494 &GrantedAccess,
495 &AccessStatus);
497 ok(GrantedAccess == KEY_READ, "Expected KEY_READ as granted right but got 0x%08lx\n", GrantedAccess);
498 ok(AccessStatus == STATUS_SUCCESS, "Expected a success status but got 0x%08lx\n", AccessStatus);
501
502Quit:
504 {
506 }
507
508 if (UsersSid)
509 {
510 RtlFreeSid(UsersSid);
511 }
512
514 {
516 }
517
518 if (PrivilegeSet)
519 {
520 RtlFreeHeap(RtlGetProcessHeap(), 0, PrivilegeSet);
521 }
522}
Referenced by START_TEST().
◆ AccessGrantedTests()
Definition at line 526 of file NtAccessCheckByType.c.
527{
532 ULONG PrivilegeSetLength;
536 SECURITY_DESCRIPTOR Sd;
537 OBJECT_TYPE_LIST ObjTypeList[2];
539
540 /* Allocate all the stuff we need */
542 PrivilegeSet = RtlAllocateHeap(RtlGetProcessHeap(), 0, PrivilegeSetLength);
544 {
546 return;
547 }
548
550 1,
551 SECURITY_WORLD_RID,
552 0,
553 0,
554 0,
555 0,
556 0,
557 0,
558 0,
559 &EveryoneSid);
561 {
563 goto Quit;
564 }
565
567 2,
570 0,
571 0,
572 0,
573 0,
574 0,
575 0,
576 &AdminSid);
578 {
580 goto Quit;
581 }
582
584 2,
587 0,
588 0,
589 0,
590 0,
591 0,
592 0,
593 &UsersSid);
595 {
597 goto Quit;
598 }
599
602 {
604 goto Quit;
605 }
606
609 {
611 goto Quit;
612 }
613
618 HEAP_ZERO_MEMORY,
619 DaclSize);
621 {
623 goto Quit;
624 }
625
626 /*
627 * Create an ordinary ACL with an old revision. Object types are supported
628 * starting with Revision 4, so adding ACEs to it will fail.
629 */
631 DaclSize,
632 ACL_REVISION);
634 {
636 goto Quit;
637 }
638
640 ACL_REVISION,
641 0,
642 KEY_READ,
643 &ObjectType,
644 NULL,
645 EveryoneSid);
647
648 /* Free the ACL and create a proper one with correct revision */
651 HEAP_ZERO_MEMORY,
652 DaclSize);
654 {
656 goto Quit;
657 }
658
660 DaclSize,
661 ACL_REVISION4);
663 {
665 goto Quit;
666 }
667
668 /* Setup ACEs -- READ for everyone and READ/WRITE for admins */
670 ACL_REVISION4,
671 0,
672 KEY_READ,
673 &ObjectType,
674 NULL,
675 EveryoneSid);
677 {
679 goto Quit;
680 }
681
683 ACL_REVISION4,
684 0,
686 &ObjectType,
687 NULL,
688 AdminSid);
690 {
692 goto Quit;
693 }
694
695 /* Setup the descriptor */
699
700 /* Setup the object type list */
702 ObjTypeList[0].Sbz = 0;
704
706 ObjTypeList[1].Sbz = 0;
708
709 /* Evaluate access -- KEY_READ has to be granted */
711 NULL,
712 Token,
713 KEY_READ,
714 ObjTypeList,
715 RTL_NUMBER_OF(ObjTypeList),
716 &RegMapping,
717 PrivilegeSet,
718 &PrivilegeSetLength,
719 &GrantedAccess,
720 &AccessStatus);
722 ok(GrantedAccess == KEY_READ, "Expected KEY_READ as granted right but got 0x%08lx\n", GrantedAccess);
723 ok(AccessStatus == STATUS_SUCCESS, "Expected a success status but got 0x%08lx\n", AccessStatus);
726
727 /* Admins should be granted WRITE access */
729 NULL,
730 Token,
731 KEY_WRITE,
732 ObjTypeList,
733 RTL_NUMBER_OF(ObjTypeList),
734 &RegMapping,
735 PrivilegeSet,
736 &PrivilegeSetLength,
737 &GrantedAccess,
738 &AccessStatus);
740 ok(GrantedAccess == KEY_WRITE, "Expected KEY_WRITE as granted right but got 0x%08lx\n", GrantedAccess);
741 ok(AccessStatus == STATUS_SUCCESS, "Expected a success status but got 0x%08lx\n", AccessStatus);
744
745Quit:
747 {
749 }
750
752 {
754 }
755
756 if (UsersSid)
757 {
758 RtlFreeSid(UsersSid);
759 }
760
762 {
764 }
765
766 if (EveryoneSid)
767 {
768 RtlFreeSid(EveryoneSid);
769 }
770
771 if (PrivilegeSet)
772 {
773 RtlFreeHeap(RtlGetProcessHeap(), 0, PrivilegeSet);
774 }
775}
Referenced by START_TEST().
◆ DenyAccessTests()
Definition at line 1130 of file NtAccessCheckByType.c.
1131{
1136 ULONG PrivilegeSetLength;
1140 SECURITY_DESCRIPTOR Sd;
1141 OBJECT_TYPE_LIST ObjTypeList[2];
1143
1144 /* Allocate all the stuff we need */
1146 PrivilegeSet = RtlAllocateHeap(RtlGetProcessHeap(), 0, PrivilegeSetLength);
1148 {
1150 return;
1151 }
1152
1154 1,
1155 SECURITY_WORLD_RID,
1156 0,
1157 0,
1158 0,
1159 0,
1160 0,
1161 0,
1162 0,
1163 &EveryoneSid);
1165 {
1167 goto Quit;
1168 }
1169
1171 2,
1173 DOMAIN_ALIAS_RID_ADMINS,
1174 0,
1175 0,
1176 0,
1177 0,
1178 0,
1179 0,
1180 &AdminSid);
1182 {
1184 goto Quit;
1185 }
1186
1188 2,
1190 DOMAIN_ALIAS_RID_USERS,
1191 0,
1192 0,
1193 0,
1194 0,
1195 0,
1196 0,
1197 &UsersSid);
1199 {
1201 goto Quit;
1202 }
1203
1206 {
1208 goto Quit;
1209 }
1210
1213 {
1215 goto Quit;
1216 }
1217
1223 HEAP_ZERO_MEMORY,
1224 DaclSize);
1226 {
1228 goto Quit;
1229 }
1230
1232 DaclSize,
1233 ACL_REVISION4);
1235 {
1237 goto Quit;
1238 }
1239
1240 /*
1241 * Admins can't query values from keys and everyone else is denied writing to
1242 * keys to child sub-object but can enumerate subkeys from the object itself.
1243 */
1245 ACL_REVISION4,
1246 0,
1247 KEY_QUERY_VALUE,
1248 &ObjectType,
1249 NULL,
1250 AdminSid);
1252 {
1254 goto Quit;
1255 }
1256
1258 ACL_REVISION4,
1259 0,
1260 KEY_WRITE,
1261 &ChildObjectType,
1262 NULL,
1263 EveryoneSid);
1265 {
1267 goto Quit;
1268 }
1269
1271 ACL_REVISION4,
1272 0,
1273 KEY_ENUMERATE_SUB_KEYS,
1274 &ObjectType,
1275 NULL,
1276 EveryoneSid);
1278 {
1280 goto Quit;
1281 }
1282
1283 /* Setup the descriptor */
1287
1288 /* Setup the object type list */
1290 ObjTypeList[0].Sbz = 0;
1292
1294 ObjTypeList[1].Sbz = 0;
1296
1297 /* Evaluate access -- they should be denied */
1299 NULL,
1300 Token,
1301 KEY_QUERY_VALUE,
1302 ObjTypeList,
1303 RTL_NUMBER_OF(ObjTypeList),
1304 &RegMapping,
1305 PrivilegeSet,
1306 &PrivilegeSetLength,
1307 &GrantedAccess,
1308 &AccessStatus);
1311 ok(AccessStatus == STATUS_ACCESS_DENIED, "Expected access denied as status but got 0x%08lx\n", AccessStatus);
1312
1314 NULL,
1315 Token,
1316 KEY_WRITE,
1317 ObjTypeList,
1318 RTL_NUMBER_OF(ObjTypeList),
1319 &RegMapping,
1320 PrivilegeSet,
1321 &PrivilegeSetLength,
1322 &GrantedAccess,
1323 &AccessStatus);
1326 ok(AccessStatus == STATUS_ACCESS_DENIED, "Expected access denied as status but got 0x%08lx\n", AccessStatus);
1327
1328 /* Everyone else should be granted only enumerate subkey access */
1330 NULL,
1331 Token,
1332 KEY_ENUMERATE_SUB_KEYS,
1333 ObjTypeList,
1334 RTL_NUMBER_OF(ObjTypeList),
1335 &RegMapping,
1336 PrivilegeSet,
1337 &PrivilegeSetLength,
1338 &GrantedAccess,
1339 &AccessStatus);
1341 ok(GrantedAccess == KEY_ENUMERATE_SUB_KEYS, "Expected KEY_ENUMERATE_SUB_KEYS as granted right but got 0x%08lx\n", GrantedAccess);
1342 ok(AccessStatus == STATUS_SUCCESS, "Expected a success status but got 0x%08lx\n", AccessStatus);
1343
1344Quit:
1346 {
1348 }
1349
1351 {
1353 }
1354
1355 if (UsersSid)
1356 {
1357 RtlFreeSid(UsersSid);
1358 }
1359
1361 {
1363 }
1364
1365 if (EveryoneSid)
1366 {
1367 RtlFreeSid(EveryoneSid);
1368 }
1369
1370 if (PrivilegeSet)
1371 {
1372 RtlFreeHeap(RtlGetProcessHeap(), 0, PrivilegeSet);
1373 }
1374}
NTSYSAPI NTSTATUS NTAPI RtlAddAccessDeniedObjectAce(_Inout_ PACL pAcl, _In_ ULONG dwAceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_opt_ GUID *ObjectTypeGuid, _In_opt_ GUID *InheritedObjectTypeGuid, _In_ PSID pSid)
Definition: setypes.h:777
struct _ACCESS_DENIED_OBJECT_ACE ACCESS_DENIED_OBJECT_ACE
Referenced by START_TEST().
◆ GetTokenProcess()
|
static |
Definition at line 18 of file NtAccessCheckByType.c.
21{
24 HANDLE DuplicatedToken;
26 SECURITY_QUALITY_OF_SERVICE Sqos;
27
30 &Token);
32 {
35 }
36
39 Sqos.ContextTrackingMode = 0;
41
43 NULL,
44 0,
45 NULL,
46 NULL);
47 ObjectAttributes.SecurityQualityOfService = &Sqos;
48
51 &ObjectAttributes,
52 FALSE,
54 &DuplicatedToken);
56 {
60 }
61
62 return DuplicatedToken;
63}
struct _SECURITY_QUALITY_OF_SERVICE SECURITY_QUALITY_OF_SERVICE
NTSTATUS NTAPI NtOpenProcessToken(IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle)
Definition: security.c:350
Definition: umtypes.h:182
Definition: lsa.idl:63
SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode
Definition: lsa.idl:66
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: lsa.idl:65
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtDuplicateToken(_In_ HANDLE ExistingTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ BOOLEAN EffectiveOnly, _In_ TOKEN_TYPE TokenType, _Out_ PHANDLE NewTokenHandle)
Duplicates a token.
Definition: tokenlif.c:1869
Referenced by AccessGrantedMultipleObjectsTests(), AccessGrantedNoDaclTests(), AccessGrantedTests(), DenyAccessTests(), and ParamsValidationTests().
◆ ParamsValidationTests()
Definition at line 67 of file NtAccessCheckByType.c.
68{
73 ULONG PrivilegeSetLength;
75 SECURITY_DESCRIPTOR Sd;
76 OBJECT_TYPE_LIST ObjTypeList[2];
77
78 /* Everything is NULL */
80 NULL,
81 NULL,
82 0,
83 NULL,
84 0,
85 NULL,
86 NULL,
87 0,
88 NULL,
89 NULL);
91
92 /* Allocate a buffer for privileges set */
94 PrivilegeSet = RtlAllocateHeap(RtlGetProcessHeap(), 0, PrivilegeSetLength);
96 {
98 goto Quit;
99 }
100
101 /* No token given */
103 NULL,
104 NULL,
105 MAXIMUM_ALLOWED,
106 NULL,
107 0,
108 &RegMapping,
109 PrivilegeSet,
110 &PrivilegeSetLength,
111 &GrantedAccess,
112 &AccessStatus);
114
115 /* Get a token now */
118 {
120 goto Quit;
121 }
122
123 /* Token given but it's not an impersonation one */
125 NULL,
126 Token,
127 MAXIMUM_ALLOWED,
128 NULL,
129 0,
130 &RegMapping,
131 PrivilegeSet,
132 &PrivilegeSetLength,
133 &GrantedAccess,
134 &AccessStatus);
136
137 /* Get a token but this time with an invalid impersonation level */
141 {
143 goto Quit;
144 }
145
146 /* Token given but it doesn't have the right impersonation level */
148 NULL,
149 Token,
150 MAXIMUM_ALLOWED,
151 NULL,
152 0,
153 &RegMapping,
154 PrivilegeSet,
155 &PrivilegeSetLength,
156 &GrantedAccess,
157 &AccessStatus);
159
160 /* A generic access right is given */
162 NULL,
163 Token,
164 GENERIC_WRITE,
165 NULL,
166 0,
167 &RegMapping,
168 PrivilegeSet,
169 &PrivilegeSetLength,
170 &GrantedAccess,
171 &AccessStatus);
173
174 /* Close the token, get a valid one that we want */
178 {
180 goto Quit;
181 }
182
183 /* No security descriptor is given */
185 NULL,
186 Token,
187 MAXIMUM_ALLOWED,
188 NULL,
189 0,
190 &RegMapping,
191 PrivilegeSet,
192 &PrivilegeSetLength,
193 &GrantedAccess,
194 &AccessStatus);
196
197 /* The function expects a privilege set */
199 NULL,
200 Token,
201 MAXIMUM_ALLOWED,
202 NULL,
203 0,
204 &RegMapping,
205 NULL,
206 0,
207 &GrantedAccess,
208 &AccessStatus);
210
211 /* Create a security descriptor */
214 {
216 goto Quit;
217 }
218
219 /* This descriptor will have no group, owner and DACL */
223
224 /* Give the invalid descriptor */
226 NULL,
227 Token,
228 MAXIMUM_ALLOWED,
229 NULL,
230 0,
231 &RegMapping,
232 PrivilegeSet,
233 &PrivilegeSetLength,
234 &GrantedAccess,
235 &AccessStatus);
237
238 /* Give a bogus principal SID */
240 (PSID)1,
241 Token,
242 MAXIMUM_ALLOWED,
243 NULL,
244 0,
245 &RegMapping,
246 PrivilegeSet,
247 &PrivilegeSetLength,
248 &GrantedAccess,
249 &AccessStatus);
250
251 /*
252 * On newer versions of Windows such as 10 the principal SID is validated
253 * after the security descriptor so it will always trigger an invalid
254 * descriptor case. On Windows Server 2003 the principal SID is captured
255 * before the security descriptor. ReactOS currently follows the Windows
256 * 10's behavior.
257 */
260
261 /* The first object element is not the root */
263 ObjTypeList[0].Sbz = 0;
265
266 /* Give a bogus list */
268 (PSID)1,
269 Token,
270 MAXIMUM_ALLOWED,
271 ObjTypeList,
272 RTL_NUMBER_OF(ObjTypeList),
273 &RegMapping,
274 PrivilegeSet,
275 &PrivilegeSetLength,
276 &GrantedAccess,
277 &AccessStatus);
279
280 /* This list has two roots */
282 ObjTypeList[0].Sbz = 0;
284
286 ObjTypeList[1].Sbz = 0;
288
289 /* Give a bogus list */
291 (PSID)1,
292 Token,
293 MAXIMUM_ALLOWED,
294 ObjTypeList,
295 RTL_NUMBER_OF(ObjTypeList),
296 &RegMapping,
297 PrivilegeSet,
298 &PrivilegeSetLength,
299 &GrantedAccess,
300 &AccessStatus);
302
303 /* This list has an object whose level is invalid */
304 ObjTypeList[0].Level = 0xa;
305 ObjTypeList[0].Sbz = 0;
307
308 /* Give a bogus list */
310 (PSID)1,
311 Token,
312 MAXIMUM_ALLOWED,
313 ObjTypeList,
314 RTL_NUMBER_OF(ObjTypeList),
315 &RegMapping,
316 PrivilegeSet,
317 &PrivilegeSetLength,
318 &GrantedAccess,
319 &AccessStatus);
321
322 /* This list doesn't have consistent object levels */
324 ObjTypeList[0].Sbz = 0;
326
328 ObjTypeList[1].Sbz = 0;
330
331 /* Give a bogus list */
333 (PSID)1,
334 Token,
335 MAXIMUM_ALLOWED,
336 ObjTypeList,
337 RTL_NUMBER_OF(ObjTypeList),
338 &RegMapping,
339 PrivilegeSet,
340 &PrivilegeSetLength,
341 &GrantedAccess,
342 &AccessStatus);
344
345Quit:
347 {
349 }
350
351 if (PrivilegeSet)
352 {
353 RtlFreeHeap(RtlGetProcessHeap(), 0, PrivilegeSet);
354 }
355}
Referenced by START_TEST().
◆ START_TEST()
| START_TEST | ( | NtAccessCheckByType | ) |
Definition at line 1376 of file NtAccessCheckByType.c.
1377{
1378 ParamsValidationTests();
1379 AccessGrantedNoDaclTests();
1380 AccessGrantedTests();
1382 DenyAccessTests();
1383}
static VOID AccessGrantedMultipleObjectsTests(VOID)
Definition: NtAccessCheckByType.c:779
static VOID AccessGrantedNoDaclTests(VOID)
Definition: NtAccessCheckByType.c:359
Variable Documentation
◆ ChildObjectType
|
static |
Definition at line 12 of file NtAccessCheckByType.c.
Referenced by AccessGrantedMultipleObjectsTests(), AccessGrantedNoDaclTests(), AccessGrantedTests(), DenyAccessTests(), and ParamsValidationTests().
◆ NtAuthority
|
static |
Definition at line 14 of file NtAccessCheckByType.c.
Referenced by AccessGrantedMultipleObjectsTests(), AccessGrantedNoDaclTests(), AccessGrantedTests(), and DenyAccessTests().
◆ ObjectType
|
static |
Definition at line 11 of file NtAccessCheckByType.c.
Referenced by AccessGrantedMultipleObjectsTests(), AccessGrantedNoDaclTests(), AccessGrantedTests(), DenyAccessTests(), and ParamsValidationTests().
◆ RegMapping
|
static |
Definition at line 10 of file NtAccessCheckByType.c.
Referenced by AccessGrantedMultipleObjectsTests(), AccessGrantedNoDaclTests(), AccessGrantedTests(), DenyAccessTests(), and ParamsValidationTests().
◆ WorldAuthority
|
static |
Definition at line 13 of file NtAccessCheckByType.c.
Referenced by AccessGrantedMultipleObjectsTests(), AccessGrantedTests(), and DenyAccessTests().
