ReactOS 0.4.15-dev-7842-g558ab78
ObSecurity.c
Go to the documentation of this file.
1/*
2 * PROJECT: ReactOS kernel-mode tests
3 * LICENSE: LGPLv2.1+ - See COPYING.LIB in the top level directory
4 * PURPOSE: Kernel-Mode Test Suite object security test
5 * PROGRAMMER: Thomas Faber <thomas.faber@reactos.org>
6 */
7
8#include <kmt_test.h>
9#include "../ntos_se/se.h"
10
11#define CheckDirectorySecurityWithOwnerAndGroup(name, Owner, Group, AceCount, ...) CheckDirectorySecurity_(name, Owner, Group, AceCount, __FILE__, __LINE__, ##__VA_ARGS__)
12#define CheckDirectorySecurity(name, AceCount, ...) CheckDirectorySecurity_(name, SeExports->SeAliasAdminsSid, SeExports->SeLocalSystemSid, AceCount, __FILE__, __LINE__, ##__VA_ARGS__)
13#define CheckDirectorySecurity_(name, Owner, Group, AceCount, file, line, ...) CheckDirectorySecurity__(name, Owner, Group, AceCount, file ":" KMT_STRINGIZE(line), ##__VA_ARGS__)
14static
15VOID
17 _In_ PCWSTR DirectoryName,
18 _In_ PSID ExpectedOwner,
19 _In_ PSID ExpectedGroup,
20 _In_ ULONG AceCount,
21 _In_ PCSTR FileAndLine,
22 ...)
23{
25 UNICODE_STRING DirectoryNameString;
29 ULONG SecurityDescriptorSize;
30 PSID Owner;
31 PSID Group;
32 PACL Dacl;
33 PACL Sacl;
34 BOOLEAN Present;
35 BOOLEAN Defaulted;
36 va_list Arguments;
37
38 RtlInitUnicodeString(&DirectoryNameString, DirectoryName);
40 &DirectoryNameString,
42 NULL,
43 NULL);
48 if (skip(NT_SUCCESS(Status), "No directory (%ls)\n", DirectoryName))
49 {
50 return;
51 }
52
53 Status = ZwQuerySecurityObject(DirectoryHandle,
55 NULL,
56 0,
57 &SecurityDescriptorSize);
59 if (skip(Status == STATUS_BUFFER_TOO_SMALL, "No security size (%ls)\n", DirectoryName))
60 {
62 return;
63 }
64
66 SecurityDescriptorSize,
67 'dSmK');
68 ok(SecurityDescriptor != NULL, "Failed to allocate %lu bytes\n", SecurityDescriptorSize);
69 if (skip(SecurityDescriptor != NULL, "No memory for descriptor (%ls)\n", DirectoryName))
70 {
72 return;
73 }
74
75 Status = ZwQuerySecurityObject(DirectoryHandle,
78 SecurityDescriptorSize,
79 &SecurityDescriptorSize);
81 if (NT_SUCCESS(Status))
82 {
83 Owner = NULL;
85 &Owner,
86 &Defaulted);
87 if (ExpectedOwner)
88 CheckSid__(Owner, NO_SIZE, ExpectedOwner, FileAndLine);
89 ok(Defaulted == FALSE, "Owner defaulted for %ls\n", DirectoryName);
90
91 Group = NULL;
93 &Group,
94 &Defaulted);
95 if (ExpectedGroup)
96 CheckSid__(Group, NO_SIZE, ExpectedGroup, FileAndLine);
97 ok(Defaulted == FALSE, "Group defaulted for %ls\n", DirectoryName);
98
99 Dacl = NULL;
101 &Present,
102 &Dacl,
103 &Defaulted);
105 ok(Present == TRUE, "DACL not present for %ls\n", DirectoryName);
106 ok(Defaulted == FALSE, "DACL defaulted for %ls\n", DirectoryName);
107 va_start(Arguments, FileAndLine);
108 VCheckAcl__(Dacl, AceCount, FileAndLine, Arguments);
109 va_end(Arguments);
110
111 Sacl = NULL;
113 &Present,
114 &Sacl,
115 &Defaulted);
117 ok(Present == FALSE, "SACL present for %ls\n", DirectoryName);
118 ok(Defaulted == FALSE, "SACL defaulted for %ls\n", DirectoryName);
119 ok(Sacl == NULL, "Sacl is %p for %ls\n", Sacl, DirectoryName);
120 }
123}
124
125START_TEST(ObSecurity)
126{
128 /* Assume yes, that's the default on W2K3 */
129 ULONG LUIDMappingsEnabled = 1, ReturnLength;
130
131#define DIRECTORY_GENERIC_READ STANDARD_RIGHTS_READ | DIRECTORY_TRAVERSE | DIRECTORY_QUERY
132#define DIRECTORY_GENERIC_WRITE STANDARD_RIGHTS_WRITE | DIRECTORY_CREATE_SUBDIRECTORY | DIRECTORY_CREATE_OBJECT
133
134 /* Check if LUID device maps are enabled */
137 &LUIDMappingsEnabled,
138 sizeof(LUIDMappingsEnabled),
139 &ReturnLength);
140 ok(NT_SUCCESS(Status), "NtQueryInformationProcess failed: 0x%x\n", Status);
141
142 trace("LUID mappings are enabled: %d\n", LUIDMappingsEnabled);
143 if (LUIDMappingsEnabled != 0)
144 {
145 CheckDirectorySecurityWithOwnerAndGroup(L"\\??", SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users"
154 }
155 else
156 {
157 CheckDirectorySecurityWithOwnerAndGroup(L"\\??", SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users"
172 }
173
179
180 CheckDirectorySecurity(L"\\ArcName",
185
186 CheckDirectorySecurity(L"\\BaseNamedObjects",
190
191 CheckDirectorySecurity(L"\\Callback",
195
196 CheckDirectorySecurity(L"\\Device",
201
202 CheckDirectorySecurity(L"\\Driver",
205
206 CheckDirectorySecurity(L"\\GLOBAL??",
221
222 CheckDirectorySecurity(L"\\KernelObjects",
226
227 CheckDirectorySecurity(L"\\ObjectTypes",
230}
static VOID CheckDirectorySecurity__(_In_ PCWSTR DirectoryName, _In_ PSID ExpectedOwner, _In_ PSID ExpectedGroup, _In_ ULONG AceCount, _In_ PCSTR FileAndLine,...)
Definition: ObSecurity.c:16
#define CheckDirectorySecurity(name, AceCount,...)
Definition: ObSecurity.c:12
#define DIRECTORY_GENERIC_WRITE
#define DIRECTORY_GENERIC_READ
#define CheckDirectorySecurityWithOwnerAndGroup(name, Owner, Group, AceCount,...)
Definition: ObSecurity.c:11
static HANDLE DirectoryHandle
Definition: ObType.c:48
unsigned char BOOLEAN
char * va_list
Definition: acmsvcex.h:78
#define va_end(ap)
Definition: acmsvcex.h:90
#define va_start(ap, A)
Definition: acmsvcex.h:91
#define ok_eq_hex(value, expected)
Definition: apitest.h:76
#define trace
Definition: atltest.h:70
#define ok(value,...)
Definition: atltest.h:57
#define skip(...)
Definition: atltest.h:64
#define START_TEST(x)
Definition: atltest.h:75
LONG NTSTATUS
Definition: precomp.h:26
IN PUNICODE_STRING IN POBJECT_ATTRIBUTES ObjectAttributes
Definition: conport.c:36
#define NULL
Definition: types.h:112
#define TRUE
Definition: types.h:120
#define FALSE
Definition: types.h:117
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
IN CINT OUT PVOID IN ULONG OUT PULONG ReturnLength
Definition: dumpinfo.c:43
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
#define PagedPool
Definition: env_spec_w32.h:308
Status
Definition: gdiplustypes.h:25
#define OBJ_KERNEL_HANDLE
Definition: winternl.h:231
@ ProcessLUIDDeviceMapsEnabled
Definition: winternl.h:884
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1109
VOID VCheckAcl__(_In_ PACL Acl, _In_ ULONG AceCount, _In_ PCSTR FileAndLine, _In_ va_list Arguments)
Definition: SeHelpers.c:128
#define NO_SIZE
Definition: se.h:29
VOID CheckSid__(_In_ PSID Sid, _In_ ULONG SidSize, _In_ PISID ExpectedSid, _In_ PCSTR FileAndLine)
Definition: SeHelpers.c:89
#define InitializeObjectAttributes(p, n, a, r, s)
Definition: reg.c:106
#define _In_
Definition: ms_sal.h:308
#define KernelMode
Definition: asm.h:34
NTSYSAPI NTSTATUS NTAPI ZwOpenDirectoryObject(_Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes)
NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(_In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, _Out_ PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Out_opt_ PULONG ReturnLength)
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1593
_In_opt_ PSID Group
Definition: rtlfuncs.h:1646
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID Owner
Definition: rtlfuncs.h:1597
NTSYSAPI NTSTATUS NTAPI RtlGetSaclSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN SaclPresent, _Out_ PACL *Sacl, _Out_ PBOOLEAN SaclDefaulted)
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL Sacl
Definition: rtlfuncs.h:1595
NTSYSAPI NTSTATUS NTAPI RtlGetDaclSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN DaclPresent, _Out_ PACL *Dacl, _Out_ PBOOLEAN DaclDefaulted)
#define ACCESS_SYSTEM_SECURITY
Definition: nt_native.h:77
#define DIRECTORY_QUERY
Definition: nt_native.h:1254
#define DIRECTORY_TRAVERSE
Definition: nt_native.h:1255
NTSYSAPI VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
#define NtCurrentProcess()
Definition: nt_native.h:1657
#define GENERIC_ALL
Definition: nt_native.h:92
#define READ_CONTROL
Definition: nt_native.h:58
#define DIRECTORY_ALL_ACCESS
Definition: nt_native.h:1259
#define GENERIC_EXECUTE
Definition: nt_native.h:91
NTSYSAPI NTSTATUS NTAPI RtlGetGroupSecurityDescriptor(IN PSECURITY_DESCRIPTOR SecurityDescriptor, OUT PSID *Group, OUT PBOOLEAN GroupDefaulted)
Definition: sd.c:280
NTSYSAPI NTSTATUS NTAPI RtlGetOwnerSecurityDescriptor(IN PSECURITY_DESCRIPTOR SecurityDescriptor, OUT PSID *Owner, OUT PBOOLEAN OwnerDefaulted)
Definition: sd.c:257
#define L(x)
Definition: ntvdm.h:50
NTSTATUS NTAPI ObCloseHandle(IN HANDLE Handle, IN KPROCESSOR_MODE AccessMode)
Definition: obhandle.c:3379
PSE_EXPORTS SeExports
Definition: semgr.c:21
#define STATUS_SUCCESS
Definition: shellext.h:65
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
PSID SeAliasAdminsSid
Definition: setypes.h:1229
PSID SeCreatorOwnerSid
Definition: setypes.h:1221
PSID SeRestrictedSid
Definition: setypes.h:1238
PSID SeWorldSid
Definition: setypes.h:1219
PSID SeLocalSystemSid
Definition: setypes.h:1228
const uint16_t * PCWSTR
Definition: typedefs.h:57
const char * PCSTR
Definition: typedefs.h:52
uint32_t ULONG
Definition: typedefs.h:59
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:191
#define CONTAINER_INHERIT_ACE
Definition: setypes.h:747
#define INHERIT_ONLY_ACE
Definition: setypes.h:749
#define DACL_SECURITY_INFORMATION
Definition: setypes.h:125
#define ACCESS_ALLOWED_ACE_TYPE
Definition: setypes.h:717
#define OWNER_SECURITY_INFORMATION
Definition: setypes.h:123
#define OBJECT_INHERIT_ACE
Definition: setypes.h:746
#define GROUP_SECURITY_INFORMATION
Definition: setypes.h:124
#define SACL_SECURITY_INFORMATION
Definition: setypes.h:126