ReactOS  0.4.15-dev-3719-g41b8715
SeTokenFiltering.c
Go to the documentation of this file.
1 /*
2  * PROJECT: ReactOS kernel-mode tests
3  * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4  * PURPOSE: Kernel mode tests for token filtering implementation
5  * COPYRIGHT: Copyright 2021 George BiČ™oc <george.bisoc@reactos.org>
6  */
7 
8 #include <kmt_test.h>
9 #include <ntifs.h>
10 
11 static
12 VOID
14 {
17  PACCESS_TOKEN Token, FilteredToken;
18  TOKEN_GROUPS SidsToDisable, RestrictedGroups;
20 
21  /* Capture the subject context and token for tests */
23  if (SubjectContext == NULL)
24  {
25  trace("Failed to allocate memory pool for the subject context!\n");
26  return;
27  }
28 
32  ok(Token != NULL, "Token mustn't be NULL...\n");
33 
34  /* Delete a privilege */
35  Privilege.PrivilegeCount = 1;
36  Privilege.Privileges[0].Attributes = 0;
37  Privilege.Privileges[0].Luid = SeExports->SeSystemEnvironmentPrivilege;
38 
40  0,
41  NULL,
42  &Privilege,
43  NULL,
44  &FilteredToken);
45  ok_irql(PASSIVE_LEVEL);
47 
48  /* Disable all the privileges */
51  NULL,
52  NULL,
53  NULL,
54  &FilteredToken);
55  ok_irql(PASSIVE_LEVEL);
57 
58  /* Disable a SID */
59  SidsToDisable.GroupCount = 1;
60  SidsToDisable.Groups[0].Attributes = 0;
61  SidsToDisable.Groups[0].Sid = SeExports->SeWorldSid;
62 
64  0,
65  &SidsToDisable,
66  NULL,
67  NULL,
68  &FilteredToken);
69  ok_irql(PASSIVE_LEVEL);
71 
72  /*
73  * Add a restricted SID but we're going to fail...
74  * Because no attributes must be within restricted
75  * SIDs.
76  */
77  RestrictedGroups.GroupCount = 1;
78  RestrictedGroups.Groups[0].Attributes = SE_GROUP_ENABLED;
79  RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
80 
82  0,
83  NULL,
84  NULL,
85  &RestrictedGroups,
86  &FilteredToken);
87  ok_irql(PASSIVE_LEVEL);
89 
90  /* Add a restricted SID now */
91  RestrictedGroups.GroupCount = 1;
92  RestrictedGroups.Groups[0].Attributes = 0;
93  RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
94 
96  0,
97  NULL,
98  NULL,
99  &RestrictedGroups,
100  &FilteredToken);
101  ok_irql(PASSIVE_LEVEL);
103 
104  /* We're done */
106  if (SubjectContext)
108 }
109 
110 START_TEST(SeTokenFiltering)
111 {
112  FilterToken();
113 }
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
START_TEST(SeTokenFiltering)
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
VOID NTAPI SeLockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Locks both the referenced primary and client access tokens of a security subject context.
Definition: access.c:456
PSE_EXPORTS SeExports
Definition: semgr.c:21
LUID SeSystemEnvironmentPrivilege
Definition: setypes.h:1193
PSID SeDialupSid
Definition: setypes.h:1202
VOID NTAPI SeUnlockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Unlocks both the referenced primary and client access tokens of a security subject context.
Definition: access.c:487
NTSTATUS NTAPI SeFilterToken(_In_ PACCESS_TOKEN ExistingToken, _In_ ULONG Flags, _In_opt_ PTOKEN_GROUPS SidsToDisable, _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, _In_opt_ PTOKEN_GROUPS RestrictedSids, _Out_ PACCESS_TOKEN *FilteredToken)
Filters an access token from an existing token, making it more restricted than the previous one.
Definition: token.c:2947
Status
Definition: gdiplustypes.h:24
#define trace
Definition: atltest.h:70
#define SE_GROUP_ENABLED
Definition: setypes.h:92
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: access.c:434
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
Definition: user_lib.cpp:531
#define ExAllocatePool(type, size)
Definition: fbtusb.h:44
#define PASSIVE_LEVEL
Definition: env_spec_w32.h:693
#define SeQuerySubjectContextToken(SubjectContext)
Definition: sefuncs.h:583
#define ok(value,...)
Definition: atltest.h:57
SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]
Definition: setypes.h:996
#define NULL
Definition: types.h:112
#define DISABLE_MAX_PRIVILEGE
Definition: setypes.h:114
$ULONG GroupCount
Definition: setypes.h:992
static VOID FilterToken(VOID)
PSID SeWorldSid
Definition: setypes.h:1197
#define ok_eq_hex(value, expected)
#define STATUS_SUCCESS
Definition: shellext.h:65
#define ExFreePool(addr)
Definition: env_spec_w32.h:352