ReactOS 0.4.16-dev-122-g325d74c
SeTokenFiltering.c
Go to the documentation of this file.
1/*
2 * PROJECT: ReactOS kernel-mode tests
3 * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4 * PURPOSE: Kernel mode tests for token filtering implementation
5 * COPYRIGHT: Copyright 2021 George Bișoc <george.bisoc@reactos.org>
6 */
7
8#include <kmt_test.h>
9#include <ntifs.h>
10
11static
12VOID
14{
17 PACCESS_TOKEN Token, FilteredToken;
18 TOKEN_GROUPS SidsToDisable, RestrictedGroups;
20
21 /* Capture the subject context and token for tests */
23 if (SubjectContext == NULL)
24 {
25 trace("Failed to allocate memory pool for the subject context!\n");
26 return;
27 }
28
32 ok(Token != NULL, "Token mustn't be NULL...\n");
33
34 /* Delete a privilege */
35 Privilege.PrivilegeCount = 1;
36 Privilege.Privileges[0].Attributes = 0;
38
40 0,
41 NULL,
42 &Privilege,
43 NULL,
44 &FilteredToken);
45 ok_irql(PASSIVE_LEVEL);
47
48 /* Disable all the privileges */
51 NULL,
52 NULL,
53 NULL,
54 &FilteredToken);
55 ok_irql(PASSIVE_LEVEL);
57
58 /* Disable a SID */
59 SidsToDisable.GroupCount = 1;
60 SidsToDisable.Groups[0].Attributes = 0;
61 SidsToDisable.Groups[0].Sid = SeExports->SeWorldSid;
62
64 0,
65 &SidsToDisable,
66 NULL,
67 NULL,
68 &FilteredToken);
69 ok_irql(PASSIVE_LEVEL);
71
72 /*
73 * Add a restricted SID but we're going to fail...
74 * Because no attributes must be within restricted
75 * SIDs.
76 */
77 RestrictedGroups.GroupCount = 1;
78 RestrictedGroups.Groups[0].Attributes = SE_GROUP_ENABLED;
79 RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
80
82 0,
83 NULL,
84 NULL,
85 &RestrictedGroups,
86 &FilteredToken);
87 ok_irql(PASSIVE_LEVEL);
89
90 /* Add a restricted SID now */
91 RestrictedGroups.GroupCount = 1;
92 RestrictedGroups.Groups[0].Attributes = 0;
93 RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
94
96 0,
97 NULL,
98 NULL,
99 &RestrictedGroups,
100 &FilteredToken);
101 ok_irql(PASSIVE_LEVEL);
103
104 /* We're done */
106 if (SubjectContext)
108}
109
110START_TEST(SeTokenFiltering)
111{
112 FilterToken();
113}
static VOID FilterToken(VOID)
#define ok_eq_hex(value, expected)
Definition: apitest.h:77
#define trace
Definition: atltest.h:70
#define ok(value,...)
Definition: atltest.h:57
#define START_TEST(x)
Definition: atltest.h:75
LONG NTSTATUS
Definition: precomp.h:26
#define NULL
Definition: types.h:112
#define PASSIVE_LEVEL
Definition: env_spec_w32.h:693
#define ExFreePool(addr)
Definition: env_spec_w32.h:352
#define PagedPool
Definition: env_spec_w32.h:308
#define ExAllocatePool(type, size)
Definition: fbtusb.h:44
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2246
Status
Definition: gdiplustypes.h:25
#define DISABLE_MAX_PRIVILEGE
Definition: setypes.h:114
#define SE_GROUP_ENABLED
Definition: setypes.h:92
PSE_EXPORTS SeExports
Definition: semgr.c:21
#define STATUS_SUCCESS
Definition: shellext.h:65
PSID SeDialupSid
Definition: setypes.h:1224
PSID SeWorldSid
Definition: setypes.h:1219
LUID SeSystemEnvironmentPrivilege
Definition: setypes.h:1215
SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]
Definition: setypes.h:1018
$ULONG GroupCount
Definition: setypes.h:1014
VOID NTAPI SeLockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Locks both the referenced primary and client access tokens of a security subject context.
Definition: subject.c:107
VOID NTAPI SeUnlockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Unlocks both the referenced primary and client access tokens of a security subject context.
Definition: subject.c:138
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: subject.c:85
NTSTATUS NTAPI SeFilterToken(_In_ PACCESS_TOKEN ExistingToken, _In_ ULONG Flags, _In_opt_ PTOKEN_GROUPS SidsToDisable, _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, _In_opt_ PTOKEN_GROUPS RestrictedSids, _Out_ PACCESS_TOKEN *FilteredToken)
Filters an access token from an existing token, making it more restricted than the previous one.
Definition: tokenlif.c:1438
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
Definition: user_lib.cpp:531
#define SeQuerySubjectContextToken(SubjectContext)
Definition: sefuncs.h:583