ReactOS  0.4.14-dev-297-g23e575c
ObSecurity.c
1 /*
2  * PROJECT: ReactOS kernel-mode tests
3  * LICENSE: LGPLv2.1+ - See COPYING.LIB in the top level directory
4  * PURPOSE: Kernel-Mode Test Suite object security test
5  * PROGRAMMER: Thomas Faber <thomas.faber@reactos.org>
6  */
7 
8 #include <kmt_test.h>
9 #include "../ntos_se/se.h"
10 
/*
 * Call-site wrappers around CheckDirectorySecurity__; every layer forwards
 * the variadic arguments unchanged.
 *  - CheckDirectorySecurityWithOwnerAndGroup: the caller names the expected
 *    owner and group SIDs explicitly.
 *  - CheckDirectorySecurity: expects SeExports->SeAliasAdminsSid as owner and
 *    SeExports->SeLocalSystemSid as group.
 *  - CheckDirectorySecurity_: folds file and line into the single FileAndLine
 *    argument (presumably KMT_STRINGIZE yields a string literal so that
 *    file ":" line concatenates at compile time -- confirm in kmt_test.h).
 */
11 #define CheckDirectorySecurityWithOwnerAndGroup(name, Owner, Group, AceCount, ...) CheckDirectorySecurity_(name, Owner, Group, AceCount, __FILE__, __LINE__, ##__VA_ARGS__)
12 #define CheckDirectorySecurity(name, AceCount, ...) CheckDirectorySecurity_(name, SeExports->SeAliasAdminsSid, SeExports->SeLocalSystemSid, AceCount, __FILE__, __LINE__, ##__VA_ARGS__)
13 #define CheckDirectorySecurity_(name, Owner, Group, AceCount, file, line, ...) CheckDirectorySecurity__(name, Owner, Group, AceCount, file ":" KMT_STRINGIZE(line), ##__VA_ARGS__)
/*
 * Reads the security descriptor of the directory object DirectoryName and
 * checks its owner, group, DACL and SACL against the caller's expectations.
 *
 * DirectoryName - name of the directory object; also printed in messages.
 * ExpectedOwner - SID the owner is compared with; NULL skips the comparison.
 * ExpectedGroup - SID the group is compared with; NULL skips the comparison.
 * AceCount      - forwarded to VCheckAcl__ for the DACL check.
 * FileAndLine   - call-site tag forwarded to CheckSid__ and VCheckAcl__.
 * ...           - handed to VCheckAcl__ as a va_list; its layout is defined
 *                 by that helper, which is not part of this listing.
 *
 * NOTE(review): this rendered listing drops source lines (the gutter jumps,
 * e.g. 15 -> 17 and 38 -> 40). The function name, some declarations and the
 * heads of several calls are therefore not visible here.
 */
14 static
15 VOID
17  _In_ PCWSTR DirectoryName,
18  _In_ PSID ExpectedOwner,
19  _In_ PSID ExpectedGroup,
20  _In_ ULONG AceCount,
21  _In_ PCSTR FileAndLine,
22  ...)
23 {
25  UNICODE_STRING DirectoryNameString;
29  ULONG SecurityDescriptorSize;
30  PSID Owner;
31  PSID Group;
32  PACL Dacl;
33  PACL Sacl;
34  BOOLEAN Present;
35  BOOLEAN Defaulted;
36  va_list Arguments;
37 
38  RtlInitUnicodeString(&DirectoryNameString, DirectoryName);
40  &DirectoryNameString,
42  NULL,
43  NULL);
    /* A failed Status here means the directory is unavailable: skip, do not fail. */
48  if (skip(NT_SUCCESS(Status), "No directory (%ls)\n", DirectoryName))
49  {
50  return;
51  }
52 
    /* Size probe: NULL buffer and length 0, so only SecurityDescriptorSize is filled in. */
53  Status = ZwQuerySecurityObject(DirectoryHandle,
55  NULL,
56  0,
57  &SecurityDescriptorSize);
    /* Any status other than STATUS_BUFFER_TOO_SMALL leaves no usable size; skip the rest. */
59  if (skip(Status == STATUS_BUFFER_TOO_SMALL, "No security size (%ls)\n", DirectoryName))
60  {
62  return;
63  }
64 
    /* Buffer of the probed size, pool tag 'dSmK' (head of the allocation call is elided). */
66  SecurityDescriptorSize,
67  'dSmK');
68  ok(SecurityDescriptor != NULL, "Failed to allocate %lu bytes\n", SecurityDescriptorSize);
69  if (skip(SecurityDescriptor != NULL, "No memory for descriptor (%ls)\n", DirectoryName))
70  {
72  return;
73  }
74 
    /* Real query: the same variable gives the buffer length and receives the returned length. */
75  Status = ZwQuerySecurityObject(DirectoryHandle,
78  SecurityDescriptorSize,
79  &SecurityDescriptorSize);
    /*
     * Every descriptor check below runs only when the second query succeeded.
     * NOTE(review): whether a failure is reported depends on line 80, which
     * this listing omits -- confirm, otherwise a failing query passes silently.
     */
81  if (NT_SUCCESS(Status))
82  {
83  Owner = NULL;
85  &Owner,
86  &Defaulted);
    /* NULL ExpectedOwner skips only the SID comparison; the Defaulted assertion still runs. */
87  if (ExpectedOwner)
88  CheckSid__(Owner, NO_SIZE, ExpectedOwner, FileAndLine);
89  ok(Defaulted == FALSE, "Owner defaulted for %ls\n", DirectoryName);
90 
91  Group = NULL;
93  &Group,
94  &Defaulted);
    /* Same pattern as the owner: optional SID comparison, mandatory Defaulted check. */
95  if (ExpectedGroup)
96  CheckSid__(Group, NO_SIZE, ExpectedGroup, FileAndLine);
97  ok(Defaulted == FALSE, "Group defaulted for %ls\n", DirectoryName);
98 
99  Dacl = NULL;
101  &Present,
102  &Dacl,
103  &Defaulted);
    /* A DACL must be present and explicitly set; its entries are checked by VCheckAcl__. */
105  ok(Present == TRUE, "DACL not present for %ls\n", DirectoryName);
106  ok(Defaulted == FALSE, "DACL defaulted for %ls\n", DirectoryName);
107  va_start(Arguments, FileAndLine);
108  VCheckAcl__(Dacl, AceCount, FileAndLine, Arguments);
109  va_end(Arguments);
110 
111  Sacl = NULL;
113  &Present,
114  &Sacl,
115  &Defaulted);
    /* No SACL is expected: not present, not defaulted, and the pointer stays NULL. */
117  ok(Present == FALSE, "SACL present for %ls\n", DirectoryName);
118  ok(Defaulted == FALSE, "SACL defaulted for %ls\n", DirectoryName);
119  ok(Sacl == NULL, "Sacl is %p for %ls\n", Sacl, DirectoryName);
120  }
    /*
     * NOTE(review): lines 121-122 and the early-return lines 61 and 71 are
     * elided; confirm that the descriptor buffer and DirectoryHandle are
     * released on every path.
     */
123 }
124 
/*
 * Test entry point: checks the security descriptors of a fixed set of object
 * manager directories. The expectations for "\\??" depend on whether LUID
 * device maps are enabled.
 *
 * NOTE(review): this rendered listing drops source lines (the gutter jumps,
 * e.g. 145 -> 154). The ACE expectations passed to each check and lines
 * 174-178 are not visible here.
 */
125 START_TEST(ObSecurity)
126 {
128  /* Assume yes, that's the default on W2K3 */
129  ULONG LUIDMappingsEnabled = 1, ReturnLength;
130 
    /*
     * Local shorthands for directory access masks.
     * NOTE(review): the expansions are not parenthesized, so they are only
     * safe when used as a complete argument, not inside a larger expression
     * such as a mask test with '&'.
     */
131 #define DIRECTORY_GENERIC_READ STANDARD_RIGHTS_READ | DIRECTORY_TRAVERSE | DIRECTORY_QUERY
132 #define DIRECTORY_GENERIC_WRITE STANDARD_RIGHTS_WRITE | DIRECTORY_CREATE_SUBDIRECTORY | DIRECTORY_CREATE_OBJECT
133 
134  /* Check if LUID device maps are enabled */
137  &LUIDMappingsEnabled,
138  sizeof(LUIDMappingsEnabled),
139  &ReturnLength);
    /* A failed query is reported but not fatal; the test continues with whatever LUIDMappingsEnabled holds. */
140  ok(NT_SUCCESS(Status), "NtQueryInformationProcess failed: 0x%x\n", Status);
141 
142  trace("LUID mappings are enabled: %d\n", LUIDMappingsEnabled);
    /*
     * Both branches check "\\??" with SeAliasAdminsSid as owner. The group is
     * passed as NULL, so its SID is not compared.
     */
143  if (LUIDMappingsEnabled != 0)
144  {
145  CheckDirectorySecurityWithOwnerAndGroup(L"\\??", SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users"
154  }
155  else
156  {
157  CheckDirectorySecurityWithOwnerAndGroup(L"\\??", SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users"
172  }
173 
179 
    /* The remaining directories use the default expectation: owner SeAliasAdminsSid, group SeLocalSystemSid. */
180  CheckDirectorySecurity(L"\\ArcName",
185 
186  CheckDirectorySecurity(L"\\BaseNamedObjects",
190 
191  CheckDirectorySecurity(L"\\Callback",
195 
196  CheckDirectorySecurity(L"\\Device",
201 
202  CheckDirectorySecurity(L"\\Driver",
205 
206  CheckDirectorySecurity(L"\\GLOBAL??",
221 
222  CheckDirectorySecurity(L"\\KernelObjects",
226 
227  CheckDirectorySecurity(L"\\ObjectTypes",
230 }
PSID SeAliasAdminsSid
Definition: setypes.h:1175
VOID VCheckAcl__(_In_ PACL Acl, _In_ ULONG AceCount, _In_ PCSTR FileAndLine, _In_ va_list Arguments)
Definition: SeHelpers.c:128
#define DIRECTORY_GENERIC_READ
IN PUNICODE_STRING IN POBJECT_ATTRIBUTES ObjectAttributes
Definition: conport.c:35
IN CINT OUT PVOID IN ULONG OUT PULONG ReturnLength
Definition: dumpinfo.c:39
const uint16_t * PCWSTR
Definition: typedefs.h:55
#define GENERIC_ALL
Definition: nt_native.h:92
#define TRUE
Definition: types.h:120
#define ACCESS_SYSTEM_SECURITY
Definition: nt_native.h:77
#define DIRECTORY_GENERIC_WRITE
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
VOID CheckSid__(_In_ PSID Sid, _In_ ULONG SidSize, _In_ PISID ExpectedSid, _In_ PCSTR FileAndLine)
Definition: SeHelpers.c:89
_In_opt_ PSID Group
Definition: rtlfuncs.h:1606
LONG NTSTATUS
Definition: precomp.h:26
static HANDLE DirectoryHandle
Definition: ObType.c:48
static VOID CheckDirectorySecurity__(_In_ PCWSTR DirectoryName, _In_ PSID ExpectedOwner, _In_ PSID ExpectedGroup, _In_ ULONG AceCount, _In_ PCSTR FileAndLine,...)
Definition: ObSecurity.c:16
NTSYSAPI NTSTATUS NTAPI ZwOpenDirectoryObject(_Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes)
#define GROUP_SECURITY_INFORMATION
Definition: setypes.h:124
NTSYSAPI NTSTATUS NTAPI RtlGetDaclSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN DaclPresent, _Out_ PACL *Dacl, _Out_ PBOOLEAN DaclDefaulted)
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:64
NTSYSAPI NTSTATUS NTAPI RtlGetGroupSecurityDescriptor(IN PSECURITY_DESCRIPTOR SecurityDescriptor, OUT PSID *Group, OUT PBOOLEAN GroupDefaulted)
Definition: sd.c:280
#define va_end(ap)
Definition: acmsvcex.h:90
Definition: trio.c:380
PSE_EXPORTS SeExports
Definition: semgr.c:18
unsigned char BOOLEAN
smooth NULL
Definition: ftsmooth.c:416
char * va_list
Definition: acmsvcex.h:78
#define NtCurrentProcess()
Definition: nt_native.h:1657
#define DIRECTORY_TRAVERSE
Definition: nt_native.h:1255
START_TEST(ObSecurity)
Definition: ObSecurity.c:125
#define CONTAINER_INHERIT_ACE
Definition: setypes.h:715
#define trace
Definition: atltest.h:70
NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(_In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, _Out_ PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Out_opt_ PULONG ReturnLength)
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define SACL_SECURITY_INFORMATION
Definition: setypes.h:126
#define ACCESS_ALLOWED_ACE_TYPE
Definition: setypes.h:685
#define READ_CONTROL
Definition: nt_native.h:58
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1553
NTSTATUS NTAPI ObCloseHandle(IN HANDLE Handle, IN KPROCESSOR_MODE AccessMode)
Definition: obhandle.c:3376
static const WCHAR L[]
Definition: oid.c:1250
Status
Definition: gdiplustypes.h:24
#define _In_
Definition: no_sal2.h:204
NTSYSAPI NTSTATUS NTAPI RtlGetSaclSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN SaclPresent, _Out_ PACL *Sacl, _Out_ PBOOLEAN SaclDefaulted)
PSID SeCreatorOwnerSid
Definition: setypes.h:1167
#define DIRECTORY_ALL_ACCESS
Definition: nt_native.h:1259
#define ok(value,...)
Definition: atltest.h:57
#define CheckDirectorySecurityWithOwnerAndGroup(name, Owner, Group, AceCount,...)
Definition: ObSecurity.c:11
#define OWNER_SECURITY_INFORMATION
Definition: setypes.h:123
#define va_start(ap, A)
Definition: acmsvcex.h:91
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID Owner
Definition: rtlfuncs.h:1557
NTSYSAPI NTSTATUS NTAPI RtlGetOwnerSecurityDescriptor(IN PSECURITY_DESCRIPTOR SecurityDescriptor, OUT PSID *Owner, OUT PBOOLEAN OwnerDefaulted)
Definition: sd.c:257
#define skip(...)
Definition: atltest.h:64
PSID SeRestrictedSid
Definition: setypes.h:1184
unsigned int ULONG
Definition: retypes.h:1
#define DIRECTORY_QUERY
Definition: nt_native.h:1254
NTSYSAPI VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
#define InitializeObjectAttributes(p, n, a, r, s)
Definition: reg.c:106
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL Sacl
Definition: rtlfuncs.h:1555
#define INHERIT_ONLY_ACE
Definition: setypes.h:717
PSID SeWorldSid
Definition: setypes.h:1165
const char * PCSTR
Definition: typedefs.h:51
#define ok_eq_hex(value, expected)
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
#define CheckDirectorySecurity(name, AceCount,...)
Definition: ObSecurity.c:12
#define GENERIC_EXECUTE
Definition: nt_native.h:91
return STATUS_SUCCESS
Definition: btrfs.c:2966
#define OBJ_KERNEL_HANDLE
Definition: winternl.h:231
#define OBJECT_INHERIT_ACE
Definition: setypes.h:714
#define DACL_SECURITY_INFORMATION
Definition: setypes.h:125
PSID SeLocalSystemSid
Definition: setypes.h:1174