SeTokenFiltering.c File Reference
#include <kmt_test.h>
#include <ntifs.h>


Functions

static VOID FilterToken (VOID)
 
 START_TEST (SeTokenFiltering)
 

Function Documentation

◆ FilterToken()

static VOID FilterToken ( VOID  )
static

Definition at line 13 of file SeTokenFiltering.c.

14 {
 /*
  * Exercises SeFilterToken() against the calling thread's own token, once
  * per filtering mode: privilege deletion, privilege disabling, SID
  * disabling, a rejected restricting SID and an accepted restricting SID.
  * Every call is followed by an IRQL check; the status checks sit on the
  * gutter lines this rendering does not show.
  *
  * NOTE(review): the listing omits the hyperlinked source lines (15-16, 19,
  * 22, 29-31, 39, 46, 49-50, 56, 63, 70, 81, 88, 95, 102, 105, 107). The
  * declarations of SubjectContext, Status and Privilege, the SeFilterToken()
  * call heads and the ok_eq_hex() status checks are therefore inferred
  * from the page's cross-references, not visible here - confirm against
  * the real file before relying on any of them.
  */
17  PACCESS_TOKEN Token, FilteredToken;
18  TOKEN_GROUPS SidsToDisable, RestrictedGroups;
20 
21  /* Capture the subject context and token for tests */
 /* Line 22 (not shown) presumably allocates SubjectContext from pool
  * (ExAllocatePool is cross-referenced); the trace below is its failure path. */
23  if (SubjectContext == NULL)
24  {
25  trace("Failed to allocate memory pool for the subject context!\n");
26  return;
27  }
28 
 /* Lines 29-31 (not shown) presumably capture and lock the subject context
  * and query its token (SeCaptureSubjectContext / SeLockSubjectContext /
  * SeQuerySubjectContextToken are cross-referenced). Only the non-NULL
  * check is visible; the token is not released in the visible lines. */
32  ok(Token != NULL, "Token mustn't be NULL...\n");
33 
34  /* Delete a privilege */
 /* Privilege is presumably a TOKEN_PRIVILEGES declared on line 19 (not shown).
  * Attributes are irrelevant for deletion; only the LUID selects the entry. */
35  Privilege.PrivilegeCount = 1;
36  Privilege.Privileges[0].Attributes = 0;
37  Privilege.Privileges[0].Luid = SeExports->SeSystemEnvironmentPrivilege;
38 
 /* Line 39 (not shown) is the call head, presumably
  * "Status = SeFilterToken(Token,". Flags = 0, no SIDs disabled, one
  * privilege deleted, no restricting SIDs. */
40  0,
41  NULL,
42  &Privilege,
43  NULL,
44  &FilteredToken);
 /* SeFilterToken must leave the caller at PASSIVE_LEVEL; line 46 (not shown)
  * presumably asserts the status. */
45  ok_irql(PASSIVE_LEVEL);
47 
48  /* Disable all the privileges */
 /* Lines 49-50 (not shown) are the call head and Flags; the cross-reference
  * to DISABLE_MAX_PRIVILEGE suggests that is the flag passed here, with no
  * explicit privilege list (every remaining privilege is disabled). */
51  NULL,
52  NULL,
53  NULL,
54  &FilteredToken);
55  ok_irql(PASSIVE_LEVEL);
57 
58  /* Disable a SID */
 /* Disabling Everyone (SeWorldSid) turns the group into a deny-only entry
  * in the filtered token; Attributes is ignored for SidsToDisable. */
59  SidsToDisable.GroupCount = 1;
60  SidsToDisable.Groups[0].Attributes = 0;
61  SidsToDisable.Groups[0].Sid = SeExports->SeWorldSid;
62 
 /* Line 63 (not shown) is the call head. */
64  0,
65  &SidsToDisable,
66  NULL,
67  NULL,
68  &FilteredToken);
69  ok_irql(PASSIVE_LEVEL);
71 
72  /*
73  * Add a restricted SID but we're going to fail...
74  * Because no attributes must be within restricted
75  * SIDs.
76  */
 /* Negative test: the caller-supplied Attributes on a restricting SID are
  * not silently cleared; the whole call is rejected. The cross-referenced
  * STATUS_INVALID_PARAMETER is presumably what line 88 (not shown) expects. */
77  RestrictedGroups.GroupCount = 1;
78  RestrictedGroups.Groups[0].Attributes = SE_GROUP_ENABLED;
79  RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
80 
 /* Line 81 (not shown) is the call head. */
82  0,
83  NULL,
84  NULL,
85  &RestrictedGroups,
86  &FilteredToken);
87  ok_irql(PASSIVE_LEVEL);
89 
90  /* Add a restricted SID now */
 /* Same SID, Attributes = 0: the only form a restricting SID may take. */
91  RestrictedGroups.GroupCount = 1;
92  RestrictedGroups.Groups[0].Attributes = 0;
93  RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
94 
 /* Line 95 (not shown) is the call head. */
96  0,
97  NULL,
98  NULL,
99  &RestrictedGroups,
100  &FilteredToken);
101  ok_irql(PASSIVE_LEVEL);
103 
104  /* We're done */
 /* Line 105 (not shown) presumably unlocks/releases the subject context
  * (SeUnlockSubjectContext is cross-referenced); line 107 presumably frees
  * it (ExFreePool is cross-referenced). The NULL check is redundant given the
  * early return above. NOTE(review): FilteredToken is overwritten on each
  * successful call and none of the visible lines dereference the filtered
  * tokens - the omitted single lines look like status checks, so confirm
  * whether the test leaks the tokens it creates. */
106  if (SubjectContext)
108 }

Referenced by START_TEST().

◆ START_TEST()

START_TEST ( SeTokenFiltering  )

Definition at line 110 of file SeTokenFiltering.c.

111 {
 /* Single-scenario test entry point; all the work lives in FilterToken(). */
112  FilterToken();
113 }