ReactOS 0.4.16-dev-250-g3ecd236
NtAccessCheck.c
Go to the documentation of this file.
1/*
2 * PROJECT: ReactOS API tests
3 * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4 * PURPOSE: Tests for the NtAccessCheck API
5 * COPYRIGHT: Copyright 2023 George Bișoc <george.bisoc@reactos.org>
6 */
7
8#include "precomp.h"
9
10static
13{
16 HANDLE DuplicatedToken;
19
22 &Token);
23 if (!NT_SUCCESS(Status))
24 {
25 trace("Failed to get current process token (Status 0x%08lx)\n", Status);
26 return NULL;
27 }
28
31 Sqos.ContextTrackingMode = 0;
32 Sqos.EffectiveOnly = FALSE;
33
35 NULL,
36 0,
37 NULL,
38 NULL);
39 ObjectAttributes.SecurityQualityOfService = &Sqos;
40
44 FALSE,
46 &DuplicatedToken);
47 if (!NT_SUCCESS(Status))
48 {
49 trace("Failed to duplicate token (Status 0x%08lx)\n", Status);
51 return NULL;
52 }
53
54 return DuplicatedToken;
55}
56
57static
58VOID
60{
64 PPRIVILEGE_SET PrivilegeSet = NULL;
65 ULONG PrivilegeSetLength;
67 PACL Dacl = NULL;
72 static GENERIC_MAPPING EmptyMapping = {0, 0, 0, 0};
73
74 /* Allocate all the stuff we need */
75 PrivilegeSetLength = FIELD_OFFSET(PRIVILEGE_SET, Privilege[16]);
76 PrivilegeSet = RtlAllocateHeap(RtlGetProcessHeap(), 0, PrivilegeSetLength);
77 if (PrivilegeSet == NULL)
78 {
79 skip("Failed to allocate PrivilegeSet, skipping tests\n");
80 return;
81 }
82
84 1,
86 0,
87 0,
88 0,
89 0,
90 0,
91 0,
92 0,
93 &WorldSid);
94 if (!NT_SUCCESS(Status))
95 {
96 skip("Failed to create World SID, skipping tests\n");
97 goto Quit;
98 }
99
100 Token = GetToken();
101 if (Token == NULL)
102 {
103 skip("Failed to get token, skipping tests\n");
104 goto Quit;
105 }
106
108 if (!NT_SUCCESS(Status))
109 {
110 skip("Failed to create a security descriptor, skipping tests\n");
111 goto Quit;
112 }
113
114 DaclSize = sizeof(ACL) +
116 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
118 DaclSize);
119 if (Dacl == NULL)
120 {
121 skip("Failed to allocate memory for DACL, skipping tests\n");
122 goto Quit;
123 }
124
125 /* Setup a ACL and give full access to everyone */
127 DaclSize,
129 if (!NT_SUCCESS(Status))
130 {
131 skip("Failed to create DACL, skipping tests\n");
132 goto Quit;
133 }
134
138 WorldSid);
139 if (!NT_SUCCESS(Status))
140 {
141 skip("Failed to add allowed ACE for World SID, skipping tests\n");
142 goto Quit;
143 }
144
145 /* Setup the descriptor */
149
150 /* Do an access check with empty mapping */
151 Status = NtAccessCheck(&Sd,
152 Token,
154 &EmptyMapping,
155 PrivilegeSet,
156 &PrivilegeSetLength,
158 &AccessStatus);
160 ok(AccessStatus == STATUS_SUCCESS, "Expected a success status but got 0x%08lx\n", AccessStatus);
161 trace("GrantedAccess == 0x%08lx\n", GrantedAccess);
162
163Quit:
164 if (Dacl)
165 {
166 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
167 }
168
169 if (Token)
170 {
171 NtClose(Token);
172 }
173
174 if (WorldSid)
175 {
177 }
178
179 if (PrivilegeSet)
180 {
181 RtlFreeHeap(RtlGetProcessHeap(), 0, PrivilegeSet);
182 }
183}
184
186{
188}
static HANDLE GetToken(VOID)
Definition: NtAccessCheck.c:12
static VOID AccessCheckEmptyMappingTest(VOID)
Definition: NtAccessCheck.c:59
NTSTATUS NTAPI NtAccessCheck(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus)
Determines whether security access can be granted to a client that requests such access on an object.
Definition: accesschk.c:2214
#define ok_hex(expression, result)
Definition: atltest.h:94
#define trace
Definition: atltest.h:70
#define ok(value,...)
Definition: atltest.h:57
#define skip(...)
Definition: atltest.h:64
#define START_TEST(x)
Definition: atltest.h:75
LONG NTSTATUS
Definition: precomp.h:26
PSID WorldSid
Definition: globals.c:15
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:590
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:608
IN PUNICODE_STRING IN POBJECT_ATTRIBUTES ObjectAttributes
Definition: conport.c:36
#define NULL
Definition: types.h:112
#define TRUE
Definition: types.h:120
#define FALSE
Definition: types.h:117
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:33
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
static SID_IDENTIFIER_AUTHORITY WorldAuthority
Definition: security.c:14
Status
Definition: gdiplustypes.h:25
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
@ SecurityImpersonation
Definition: lsa.idl:57
struct _SECURITY_QUALITY_OF_SERVICE SECURITY_QUALITY_OF_SERVICE
@ TokenImpersonation
Definition: imports.h:274
#define InitializeObjectAttributes(p, n, a, r, s)
Definition: reg.c:106
struct _ACL ACL
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1605
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
NTSYSAPI PVOID NTAPI RtlFreeSid(_In_ _Post_invalid_ PSID Sid)
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1606
ULONG ACCESS_MASK
Definition: nt_native.h:40
#define NtCurrentProcess()
Definition: nt_native.h:1657
#define GENERIC_ALL
Definition: nt_native.h:92
NTSTATUS NTAPI NtClose(IN HANDLE Handle)
Definition: obhandle.c:3402
#define MAXIMUM_ALLOWED
Definition: nt_native.h:83
NTSYSAPI NTSTATUS NTAPI RtlAllocateAndInitializeSid(IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount, IN ULONG SubAuthority0, IN ULONG SubAuthority1, IN ULONG SubAuthority2, IN ULONG SubAuthority3, IN ULONG SubAuthority4, IN ULONG SubAuthority5, IN ULONG SubAuthority6, IN ULONG SubAuthority7, OUT PSID *Sid)
Definition: sid.c:290
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410
NTSTATUS NTAPI NtOpenProcessToken(IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle)
Definition: security.c:350
#define STATUS_SUCCESS
Definition: shellext.h:65
SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode
Definition: lsa.idl:66
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: lsa.idl:65
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtDuplicateToken(_In_ HANDLE ExistingTokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ BOOLEAN EffectiveOnly, _In_ TOKEN_TYPE TokenType, _Out_ PHANDLE NewTokenHandle)
Duplicates a token.
Definition: tokenlif.c:1869
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
uint32_t ULONG
Definition: typedefs.h:59
BOOL Privilege(LPTSTR pszPrivilege, BOOL bEnable)
Definition: user_lib.cpp:531
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:21
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:20
#define TOKEN_DUPLICATE
Definition: setypes.h:926
#define SECURITY_WORLD_SID_AUTHORITY
Definition: setypes.h:527
#define SECURITY_WORLD_RID
Definition: setypes.h:541
#define TOKEN_QUERY
Definition: setypes.h:928
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
#define ACL_REVISION
Definition: setypes.h:39