ReactOS 0.4.15-dev-7961-gdcf9eb0
Functions
NtAccessCheck.c File Reference
#include "precomp.h"
Include dependency graph for NtAccessCheck.c:

Go to the source code of this file.

Functions

static HANDLE GetToken (VOID)
 
static VOID AccessCheckEmptyMappingTest (VOID)
 
 START_TEST (NtAccessCheck)
 

Function Documentation

◆ AccessCheckEmptyMappingTest()

static VOID AccessCheckEmptyMappingTest ( VOID  )
static

Definition at line 59 of file NtAccessCheck.c.

60{
61 NTSTATUS Status;
62 NTSTATUS AccessStatus;
63 ACCESS_MASK GrantedAccess;
64 PPRIVILEGE_SET PrivilegeSet = NULL;
65 ULONG PrivilegeSetLength;
66 HANDLE Token = NULL;
67 PACL Dacl = NULL;
68 ULONG DaclSize;
69 SECURITY_DESCRIPTOR Sd;
70 PSID WorldSid = NULL;
71 static SID_IDENTIFIER_AUTHORITY WorldAuthority = {SECURITY_WORLD_SID_AUTHORITY};
72 static GENERIC_MAPPING EmptyMapping = {0, 0, 0, 0};
73
74 /* Allocate all the stuff we need */
75 PrivilegeSetLength = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
76 PrivilegeSet = RtlAllocateHeap(RtlGetProcessHeap(), 0, PrivilegeSetLength);
77 if (PrivilegeSet == NULL)
78 {
79 skip("Failed to allocate PrivilegeSet, skipping tests\n");
80 return;
81 }
82
83 Status = RtlAllocateAndInitializeSid(&WorldAuthority,
84 1,
85 SECURITY_WORLD_RID,
86 0,
87 0,
88 0,
89 0,
90 0,
91 0,
92 0,
93 &WorldSid);
94 if (!NT_SUCCESS(Status))
95 {
96 skip("Failed to create World SID, skipping tests\n");
97 goto Quit;
98 }
99
100 Token = GetToken();
101 if (Token == NULL)
102 {
103 skip("Failed to get token, skipping tests\n");
104 goto Quit;
105 }
106
107 Status = RtlCreateSecurityDescriptor(&Sd, SECURITY_DESCRIPTOR_REVISION);
108 if (!NT_SUCCESS(Status))
109 {
110 skip("Failed to create a security descriptor, skipping tests\n");
111 goto Quit;
112 }
113
114 DaclSize = sizeof(ACL) +
115 sizeof(ACCESS_ALLOWED_OBJECT_ACE) + RtlLengthSid(WorldSid);
116 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
117 HEAP_ZERO_MEMORY,
118 DaclSize);
119 if (Dacl == NULL)
120 {
121 skip("Failed to allocate memory for DACL, skipping tests\n");
122 goto Quit;
123 }
124
125 /* Setup a ACL and give full access to everyone */
126 Status = RtlCreateAcl(Dacl,
127 DaclSize,
128 ACL_REVISION);
129 if (!NT_SUCCESS(Status))
130 {
131 skip("Failed to create DACL, skipping tests\n");
132 goto Quit;
133 }
134
135 Status = RtlAddAccessAllowedAce(Dacl,
136 ACL_REVISION,
137 GENERIC_ALL,
138 WorldSid);
139 if (!NT_SUCCESS(Status))
140 {
141 skip("Failed to add allowed ACE for World SID, skipping tests\n");
142 goto Quit;
143 }
144
145 /* Setup the descriptor */
146 RtlSetGroupSecurityDescriptor(&Sd, WorldSid, FALSE);
147 RtlSetOwnerSecurityDescriptor(&Sd, WorldSid, FALSE);
148 RtlSetDaclSecurityDescriptor(&Sd, TRUE, Dacl, FALSE);
149
150 /* Do an access check with empty mapping */
151 Status = NtAccessCheck(&Sd,
152 Token,
153 MAXIMUM_ALLOWED,
154 &EmptyMapping,
155 PrivilegeSet,
156 &PrivilegeSetLength,
157 &GrantedAccess,
158 &AccessStatus);
159 ok_hex(Status, STATUS_SUCCESS);
160 ok(AccessStatus == STATUS_SUCCESS, "Expected a success status but got 0x%08lx\n", AccessStatus);
161 trace("GrantedAccess == 0x%08lx\n", GrantedAccess);
162
163Quit:
164 if (Dacl)
165 {
166 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
167 }
168
169 if (Token)
170 {
171 NtClose(Token);
172 }
173
174 if (WorldSid)
175 {
176 RtlFreeSid(WorldSid);
177 }
178
179 if (PrivilegeSet)
180 {
181 RtlFreeHeap(RtlGetProcessHeap(), 0, PrivilegeSet);
182 }
183}
GetToken
static HANDLE GetToken(VOID)
Definition: NtAccessCheck.c:12
NtAccessCheck
NTSTATUS NTAPI NtAccessCheck(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus)
Determines whether security access can be granted to a client that requests such access on an object.
Definition: accesschk.c:2214
ok_hex
#define ok_hex(expression, result)
Definition: atltest.h:94
trace
#define trace
Definition: atltest.h:70
ok
#define ok(value,...)
Definition: atltest.h:57
skip
#define skip(...)
Definition: atltest.h:64
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
WorldSid
PSID WorldSid
Definition: globals.c:15
RtlAllocateHeap
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:590
RtlFreeHeap
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:608
NULL
#define NULL
Definition: types.h:112
TRUE
#define TRUE
Definition: types.h:120
FALSE
#define FALSE
Definition: types.h:117
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
HEAP_ZERO_MEMORY
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
WorldAuthority
static SID_IDENTIFIER_AUTHORITY WorldAuthority
Definition: security.c:14
Status
Status
Definition: gdiplustypes.h:25
RtlAddAccessAllowedAce
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
RtlSetOwnerSecurityDescriptor
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)
RtlSetDaclSecurityDescriptor
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
ACL
struct _ACL ACL
Dacl
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1593
RtlCreateAcl
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
RtlLengthSid
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
RtlCreateSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
RtlFreeSid
NTSYSAPI PVOID NTAPI RtlFreeSid(_In_ _Post_invalid_ PSID Sid)
DaclSize
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1594
ACCESS_MASK
ULONG ACCESS_MASK
Definition: nt_native.h:40
GENERIC_ALL
#define GENERIC_ALL
Definition: nt_native.h:92
NtClose
NTSTATUS NTAPI NtClose(IN HANDLE Handle)
Definition: obhandle.c:3402
MAXIMUM_ALLOWED
#define MAXIMUM_ALLOWED
Definition: nt_native.h:83
RtlAllocateAndInitializeSid
NTSYSAPI NTSTATUS NTAPI RtlAllocateAndInitializeSid(IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount, IN ULONG SubAuthority0, IN ULONG SubAuthority1, IN ULONG SubAuthority2, IN ULONG SubAuthority3, IN ULONG SubAuthority4, IN ULONG SubAuthority5, IN ULONG SubAuthority6, IN ULONG SubAuthority7, OUT PSID *Sid)
Definition: sid.c:290
RtlSetGroupSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410
STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: shellext.h:65
_ACCESS_ALLOWED_OBJECT_ACE
Definition: ms-dtyp.idl:221
_ACL
Definition: ms-dtyp.idl:293
_GENERIC_MAPPING
Definition: nt_native.h:564
_PRIVILEGE_SET
Definition: setypes.h:85
_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301
_SID_IDENTIFIER_AUTHORITY
Definition: ms-dtyp.idl:194
_SID
Definition: ms-dtyp.idl:198
FIELD_OFFSET
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
ULONG
uint32_t ULONG
Definition: typedefs.h:59
Privilege
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
Definition: user_lib.cpp:531
AccessStatus
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:21
GrantedAccess
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:20
SECURITY_WORLD_SID_AUTHORITY
#define SECURITY_WORLD_SID_AUTHORITY
Definition: setypes.h:527
SECURITY_WORLD_RID
#define SECURITY_WORLD_RID
Definition: setypes.h:541
SECURITY_DESCRIPTOR_REVISION
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
ACL_REVISION
#define ACL_REVISION
Definition: setypes.h:39

Referenced by START_TEST().

◆ GetToken()

static HANDLE GetToken ( VOID  )
static

Definition at line 12 of file NtAccessCheck.c.

13{
14 NTSTATUS Status;
15 HANDLE Token;
16 HANDLE DuplicatedToken;
17 OBJECT_ATTRIBUTES ObjectAttributes;
18 SECURITY_QUALITY_OF_SERVICE Sqos;
19
20 Status = NtOpenProcessToken(NtCurrentProcess(),
21 TOKEN_QUERY | TOKEN_DUPLICATE,
22 &Token);
23 if (!NT_SUCCESS(Status))
24 {
25 trace("Failed to get current process token (Status 0x%08lx)\n", Status);
26 return NULL;
27 }
28
29 Sqos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
30 Sqos.ImpersonationLevel = SecurityImpersonation;
31 Sqos.ContextTrackingMode = 0;
32 Sqos.EffectiveOnly = FALSE;
33
34 InitializeObjectAttributes(&ObjectAttributes,
35 NULL,
36 0,
37 NULL,
38 NULL);
39 ObjectAttributes.SecurityQualityOfService = &Sqos;
40
41 Status = NtDuplicateToken(Token,
42 TOKEN_QUERY | TOKEN_DUPLICATE,
43 &ObjectAttributes,
44 FALSE,
45 TokenImpersonation,
46 &DuplicatedToken);
47 if (!NT_SUCCESS(Status))
48 {
49 trace("Failed to duplicate token (Status 0x%08lx)\n", Status);
50 NtClose(Token);
51 return NULL;
52 }
53
54 return DuplicatedToken;
55}
ObjectAttributes
IN PUNICODE_STRING IN POBJECT_ATTRIBUTES ObjectAttributes
Definition: conport.c:36
SecurityImpersonation
@ SecurityImpersonation
Definition: lsa.idl:57
SECURITY_QUALITY_OF_SERVICE
struct _SECURITY_QUALITY_OF_SERVICE SECURITY_QUALITY_OF_SERVICE
TokenImpersonation
@ TokenImpersonation
Definition: imports.h:274
InitializeObjectAttributes
#define InitializeObjectAttributes(p, n, a, r, s)
Definition: reg.c:106
NtCurrentProcess
#define NtCurrentProcess()
Definition: nt_native.h:1657
NtOpenProcessToken
NTSTATUS NTAPI NtOpenProcessToken(IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle)
Definition: security.c:350
_OBJECT_ATTRIBUTES
Definition: umtypes.h:182
_SECURITY_QUALITY_OF_SERVICE
Definition: lsa.idl:63
_SECURITY_QUALITY_OF_SERVICE::ContextTrackingMode
SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode
Definition: lsa.idl:66
_SECURITY_QUALITY_OF_SERVICE::EffectiveOnly
BOOLEAN EffectiveOnly
Definition: lsa.idl:67
_SECURITY_QUALITY_OF_SERVICE::Length
DWORD Length
Definition: lsa.idl:64
_SECURITY_QUALITY_OF_SERVICE::ImpersonationLevel
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: lsa.idl:65
NtDuplicateToken
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtDuplicateToken(_In_ HANDLE ExistingTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ BOOLEAN EffectiveOnly, _In_ TOKEN_TYPE TokenType, _Out_ PHANDLE NewTokenHandle)
Duplicates a token.
Definition: tokenlif.c:1869
TOKEN_DUPLICATE
#define TOKEN_DUPLICATE
Definition: setypes.h:926
TOKEN_QUERY
#define TOKEN_QUERY
Definition: setypes.h:928

Referenced by AccessCheckEmptyMappingTest().

◆ START_TEST()

START_TEST ( NtAccessCheck  )

Definition at line 185 of file NtAccessCheck.c.

186{
187 AccessCheckEmptyMappingTest();
188}
AccessCheckEmptyMappingTest
static VOID AccessCheckEmptyMappingTest(VOID)
Definition: NtAccessCheck.c:59