SeTokenFiltering.c File Reference

#include <kmt_test.h>
#include <ntifs.h>

Include dependency graph for SeTokenFiltering.c:

Go to the source code of this file.

Functions
static VOID	FilterToken (VOID)
	START_TEST (SeTokenFiltering)

Function Documentation

FilterToken()

static VOID FilterToken ( VOID  )

static

Definition at line 13 of file SeTokenFiltering.c.

{
    NTSTATUS Status;
    PSECURITY_SUBJECT_CONTEXT SubjectContext;
    PACCESS_TOKEN Token, FilteredToken;
    TOKEN_GROUPS SidsToDisable, RestrictedGroups;
    TOKEN_PRIVILEGES Privilege;
 
    /* Capture the subject context and token for tests */
    SubjectContext = ExAllocatePool(PagedPool, sizeof(SECURITY_SUBJECT_CONTEXT));
    if (SubjectContext == NULL)
    {
        trace("Failed to allocate memory pool for the subject context!\n");
        return;
    }
 
    SeCaptureSubjectContext(SubjectContext);
    SeLockSubjectContext(SubjectContext);
    Token = SeQuerySubjectContextToken(SubjectContext);
    ok(Token != NULL, "Token mustn't be NULL...\n");
 
    /* Delete a privilege */
    Privilege.PrivilegeCount = 1;
    Privilege.Privileges[0].Attributes = 0;
    Privilege.Privileges[0].Luid = SeExports->SeSystemEnvironmentPrivilege;
 
    Status = SeFilterToken(Token,
                           0,
                           NULL,
                           &Privilege,
                           NULL,
                           &FilteredToken);
    ok_irql(PASSIVE_LEVEL);
    ok_eq_hex(Status, STATUS_SUCCESS);
 
    /* Disable all the privileges */
    Status = SeFilterToken(Token,
                           DISABLE_MAX_PRIVILEGE,
                           NULL,
                           NULL,
                           NULL,
                           &FilteredToken);
    ok_irql(PASSIVE_LEVEL);
    ok_eq_hex(Status, STATUS_SUCCESS);
 
    /* Disable a SID */
    SidsToDisable.GroupCount = 1;
    SidsToDisable.Groups[0].Attributes = 0;
    SidsToDisable.Groups[0].Sid = SeExports->SeWorldSid;
 
    Status = SeFilterToken(Token,
                           0,
                           &SidsToDisable,
                           NULL,
                           NULL,
                           &FilteredToken);
    ok_irql(PASSIVE_LEVEL);
    ok_eq_hex(Status, STATUS_SUCCESS);
 
    /*
     * Add a restricted SID but we're going to fail...
     * Because no attributes must be within restricted
     * SIDs.
     */
    RestrictedGroups.GroupCount = 1;
    RestrictedGroups.Groups[0].Attributes = SE_GROUP_ENABLED;
    RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
 
    Status = SeFilterToken(Token,
                           0,
                           NULL,
                           NULL,
                           &RestrictedGroups,
                           &FilteredToken);
    ok_irql(PASSIVE_LEVEL);
    ok_eq_hex(Status, STATUS_INVALID_PARAMETER);
 
    /* Add a restricted SID now */
    RestrictedGroups.GroupCount = 1;
    RestrictedGroups.Groups[0].Attributes = 0;
    RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
 
    Status = SeFilterToken(Token,
                           0,
                           NULL,
                           NULL,
                           &RestrictedGroups,
                           &FilteredToken);
    ok_irql(PASSIVE_LEVEL);
    ok_eq_hex(Status, STATUS_SUCCESS);
 
    /* We're done */
    SeUnlockSubjectContext(SubjectContext);
    if (SubjectContext)
        ExFreePool(SubjectContext);
}

Referenced by START_TEST().

START_TEST()

START_TEST

(

SeTokenFiltering

)

Definition at line 110 of file SeTokenFiltering.c.

{
    FilterToken();
}