ReactOS 0.4.15-dev-8241-g63935f8
SeTokenFiltering.c File Reference
#include <kmt_test.h>
#include <ntifs.h>
Include dependency graph for SeTokenFiltering.c:

Go to the source code of this file.

Functions

static VOID FilterToken (VOID)
 
 START_TEST (SeTokenFiltering)
 

Function Documentation

◆ FilterToken()

static VOID FilterToken ( VOID  )
static

Definition at line 13 of file SeTokenFiltering.c.

14{
17 PACCESS_TOKEN Token, FilteredToken;
18 TOKEN_GROUPS SidsToDisable, RestrictedGroups;
20
21 /* Capture the subject context and token for tests */
23 if (SubjectContext == NULL)
24 {
25 trace("Failed to allocate memory pool for the subject context!\n");
26 return;
27 }
28
32 ok(Token != NULL, "Token mustn't be NULL...\n");
33
34 /* Delete a privilege */
35 Privilege.PrivilegeCount = 1;
36 Privilege.Privileges[0].Attributes = 0;
38
40 0,
41 NULL,
42 &Privilege,
43 NULL,
44 &FilteredToken);
45 ok_irql(PASSIVE_LEVEL);
47
48 /* Disable all the privileges */
51 NULL,
52 NULL,
53 NULL,
54 &FilteredToken);
55 ok_irql(PASSIVE_LEVEL);
57
58 /* Disable a SID */
59 SidsToDisable.GroupCount = 1;
60 SidsToDisable.Groups[0].Attributes = 0;
61 SidsToDisable.Groups[0].Sid = SeExports->SeWorldSid;
62
64 0,
65 &SidsToDisable,
66 NULL,
67 NULL,
68 &FilteredToken);
69 ok_irql(PASSIVE_LEVEL);
71
72 /*
73 * Add a restricted SID but we're going to fail...
74 * Because no attributes must be within restricted
75 * SIDs.
76 */
77 RestrictedGroups.GroupCount = 1;
78 RestrictedGroups.Groups[0].Attributes = SE_GROUP_ENABLED;
79 RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
80
82 0,
83 NULL,
84 NULL,
85 &RestrictedGroups,
86 &FilteredToken);
87 ok_irql(PASSIVE_LEVEL);
89
90 /* Add a restricted SID now */
91 RestrictedGroups.GroupCount = 1;
92 RestrictedGroups.Groups[0].Attributes = 0;
93 RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
94
96 0,
97 NULL,
98 NULL,
99 &RestrictedGroups,
100 &FilteredToken);
101 ok_irql(PASSIVE_LEVEL);
103
104 /* We're done */
106 if (SubjectContext)
108}
#define ok_eq_hex(value, expected)
Definition: apitest.h:77
#define trace
Definition: atltest.h:70
#define ok(value,...)
Definition: atltest.h:57
LONG NTSTATUS
Definition: precomp.h:26
#define NULL
Definition: types.h:112
#define PASSIVE_LEVEL
Definition: env_spec_w32.h:693
#define ExFreePool(addr)
Definition: env_spec_w32.h:352
#define PagedPool
Definition: env_spec_w32.h:308
#define ExAllocatePool(type, size)
Definition: fbtusb.h:44
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2246
Status
Definition: gdiplustypes.h:25
#define DISABLE_MAX_PRIVILEGE
Definition: setypes.h:114
#define SE_GROUP_ENABLED
Definition: setypes.h:92
PSE_EXPORTS SeExports
Definition: semgr.c:21
#define STATUS_SUCCESS
Definition: shellext.h:65
PSID SeDialupSid
Definition: setypes.h:1224
PSID SeWorldSid
Definition: setypes.h:1219
LUID SeSystemEnvironmentPrivilege
Definition: setypes.h:1215
SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]
Definition: setypes.h:1018
$ULONG GroupCount
Definition: setypes.h:1014
VOID NTAPI SeLockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Locks both the referenced primary and client access tokens of a security subject context.
Definition: subject.c:107
VOID NTAPI SeUnlockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Unlocks both the referenced primary and client access tokens of a security subject context.
Definition: subject.c:138
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: subject.c:85
NTSTATUS NTAPI SeFilterToken(_In_ PACCESS_TOKEN ExistingToken, _In_ ULONG Flags, _In_opt_ PTOKEN_GROUPS SidsToDisable, _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, _In_opt_ PTOKEN_GROUPS RestrictedSids, _Out_ PACCESS_TOKEN *FilteredToken)
Filters an access token from an existing token, making it more restricted than the previous one.
Definition: tokenlif.c:1438
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
Definition: user_lib.cpp:531
#define SeQuerySubjectContextToken(SubjectContext)
Definition: sefuncs.h:583

Referenced by START_TEST().

◆ START_TEST()

START_TEST ( SeTokenFiltering  )

Definition at line 110 of file SeTokenFiltering.c.

111{
112 FilterToken();
113}
static VOID FilterToken(VOID)