2 * PROJECT: ReactOS kernel-mode tests
3 * LICENSE: LGPLv2.1+ - See COPYING.LIB in the top level directory
4 * PURPOSE: Kernel-Mode Test Suite object security test
5 * PROGRAMMER: Thomas Faber <thomas.faber@reactos.org>
9 #include "../ntos_se/se.h"
11 #define CheckDirectorySecurityWithOwnerAndGroup(name, Owner, Group, AceCount, ...) CheckDirectorySecurity_(name, Owner, Group, AceCount, __FILE__, __LINE__, ##__VA_ARGS__)
12 #define CheckDirectorySecurity(name, AceCount, ...) CheckDirectorySecurity_(name, SeExports->SeAliasAdminsSid, SeExports->SeLocalSystemSid, AceCount, __FILE__, __LINE__, ##__VA_ARGS__)
13 #define CheckDirectorySecurity_(name, Owner, Group, AceCount, file, line, ...) CheckDirectorySecurity__(name, Owner, Group, AceCount, file ":" KMT_STRINGIZE(line), ##__VA_ARGS__)
16 CheckDirectorySecurity__(
17 _In_ PCWSTR DirectoryName
,
18 _In_ PSID ExpectedOwner
,
19 _In_ PSID ExpectedGroup
,
21 _In_ PCSTR FileAndLine
,
25 UNICODE_STRING DirectoryNameString
;
26 OBJECT_ATTRIBUTES ObjectAttributes
;
27 HANDLE DirectoryHandle
;
28 PSECURITY_DESCRIPTOR SecurityDescriptor
;
29 ULONG SecurityDescriptorSize
;
38 RtlInitUnicodeString(&DirectoryNameString
, DirectoryName
);
39 InitializeObjectAttributes(&ObjectAttributes
,
44 Status
= ZwOpenDirectoryObject(&DirectoryHandle
,
45 READ_CONTROL
| ACCESS_SYSTEM_SECURITY
,
47 ok_eq_hex(Status
, STATUS_SUCCESS
);
48 if (skip(NT_SUCCESS(Status
), "No directory (%ls)\n", DirectoryName
))
53 Status
= ZwQuerySecurityObject(DirectoryHandle
,
54 OWNER_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
| DACL_SECURITY_INFORMATION
| SACL_SECURITY_INFORMATION
,
57 &SecurityDescriptorSize
);
58 ok_eq_hex(Status
, STATUS_BUFFER_TOO_SMALL
);
59 if (skip(Status
== STATUS_BUFFER_TOO_SMALL
, "No security size (%ls)\n", DirectoryName
))
61 ObCloseHandle(DirectoryHandle
, KernelMode
);
65 SecurityDescriptor
= ExAllocatePoolWithTag(PagedPool
,
66 SecurityDescriptorSize
,
68 ok(SecurityDescriptor
!= NULL
, "Failed to allocate %lu bytes\n", SecurityDescriptorSize
);
69 if (skip(SecurityDescriptor
!= NULL
, "No memory for descriptor (%ls)\n", DirectoryName
))
71 ObCloseHandle(DirectoryHandle
, KernelMode
);
75 Status
= ZwQuerySecurityObject(DirectoryHandle
,
76 OWNER_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
| DACL_SECURITY_INFORMATION
| SACL_SECURITY_INFORMATION
,
78 SecurityDescriptorSize
,
79 &SecurityDescriptorSize
);
80 ok_eq_hex(Status
, STATUS_SUCCESS
);
81 if (NT_SUCCESS(Status
))
84 Status
= RtlGetOwnerSecurityDescriptor(SecurityDescriptor
,
88 CheckSid__(Owner
, NO_SIZE
, ExpectedOwner
, FileAndLine
);
89 ok(Defaulted
== FALSE
, "Owner defaulted for %ls\n", DirectoryName
);
92 Status
= RtlGetGroupSecurityDescriptor(SecurityDescriptor
,
96 CheckSid__(Group
, NO_SIZE
, ExpectedGroup
, FileAndLine
);
97 ok(Defaulted
== FALSE
, "Group defaulted for %ls\n", DirectoryName
);
100 Status
= RtlGetDaclSecurityDescriptor(SecurityDescriptor
,
104 ok_eq_hex(Status
, STATUS_SUCCESS
);
105 ok(Present
== TRUE
, "DACL not present for %ls\n", DirectoryName
);
106 ok(Defaulted
== FALSE
, "DACL defaulted for %ls\n", DirectoryName
);
107 va_start(Arguments
, FileAndLine
);
108 VCheckAcl__(Dacl
, AceCount
, FileAndLine
, Arguments
);
112 Status
= RtlGetSaclSecurityDescriptor(SecurityDescriptor
,
116 ok_eq_hex(Status
, STATUS_SUCCESS
);
117 ok(Present
== FALSE
, "SACL present for %ls\n", DirectoryName
);
118 ok(Defaulted
== FALSE
, "SACL defaulted for %ls\n", DirectoryName
);
119 ok(Sacl
== NULL
, "Sacl is %p for %ls\n", Sacl
, DirectoryName
);
121 ExFreePoolWithTag(SecurityDescriptor
, 'dSmK');
122 ObCloseHandle(DirectoryHandle
, KernelMode
);
125 START_TEST(ObSecurity
)
128 /* Assume yes, that's the default on W2K3 */
129 ULONG LUIDMappingsEnabled
= 1, ReturnLength
;
131 #define DIRECTORY_GENERIC_READ STANDARD_RIGHTS_READ | DIRECTORY_TRAVERSE | DIRECTORY_QUERY
132 #define DIRECTORY_GENERIC_WRITE STANDARD_RIGHTS_WRITE | DIRECTORY_CREATE_SUBDIRECTORY | DIRECTORY_CREATE_OBJECT
134 /* Check if LUID device maps are enabled */
135 Status
= ZwQueryInformationProcess(NtCurrentProcess(),
136 ProcessLUIDDeviceMapsEnabled
,
137 &LUIDMappingsEnabled
,
138 sizeof(LUIDMappingsEnabled
),
140 ok(NT_SUCCESS(Status
), "NtQueryInformationProcess failed: 0x%x\n", Status
);
142 trace("LUID mappings are enabled: %d\n", LUIDMappingsEnabled
);
143 if (LUIDMappingsEnabled
!= 0)
145 CheckDirectorySecurityWithOwnerAndGroup(L
"\\??", SeExports
->SeAliasAdminsSid
, NULL
, // Group is "Domain Users"
146 4, ACCESS_ALLOWED_ACE_TYPE
, CONTAINER_INHERIT_ACE
|
147 OBJECT_INHERIT_ACE
, SeExports
->SeLocalSystemSid
, DIRECTORY_ALL_ACCESS
,
148 ACCESS_ALLOWED_ACE_TYPE
, CONTAINER_INHERIT_ACE
|
149 OBJECT_INHERIT_ACE
, SeExports
->SeAliasAdminsSid
, DIRECTORY_ALL_ACCESS
,
150 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeAliasAdminsSid
, DIRECTORY_ALL_ACCESS
,
151 ACCESS_ALLOWED_ACE_TYPE
, INHERIT_ONLY_ACE
|
152 CONTAINER_INHERIT_ACE
|
153 OBJECT_INHERIT_ACE
, SeExports
->SeCreatorOwnerSid
,GENERIC_ALL
);
157 CheckDirectorySecurityWithOwnerAndGroup(L
"\\??", SeExports
->SeAliasAdminsSid
, NULL
, // Group is "Domain Users"
158 6, ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeWorldSid
, READ_CONTROL
| DIRECTORY_TRAVERSE
| DIRECTORY_QUERY
,
159 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeLocalSystemSid
, DIRECTORY_ALL_ACCESS
,
160 ACCESS_ALLOWED_ACE_TYPE
, INHERIT_ONLY_ACE
|
161 CONTAINER_INHERIT_ACE
|
162 OBJECT_INHERIT_ACE
, SeExports
->SeWorldSid
, GENERIC_EXECUTE
,
163 ACCESS_ALLOWED_ACE_TYPE
, INHERIT_ONLY_ACE
|
164 CONTAINER_INHERIT_ACE
|
165 OBJECT_INHERIT_ACE
, SeExports
->SeAliasAdminsSid
,GENERIC_ALL
,
166 ACCESS_ALLOWED_ACE_TYPE
, INHERIT_ONLY_ACE
|
167 CONTAINER_INHERIT_ACE
|
168 OBJECT_INHERIT_ACE
, SeExports
->SeLocalSystemSid
,GENERIC_ALL
,
169 ACCESS_ALLOWED_ACE_TYPE
, INHERIT_ONLY_ACE
|
170 CONTAINER_INHERIT_ACE
|
171 OBJECT_INHERIT_ACE
, SeExports
->SeCreatorOwnerSid
,GENERIC_ALL
);
174 CheckDirectorySecurity(L
"\\",
175 4, ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeWorldSid
, DIRECTORY_GENERIC_READ
,
176 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeLocalSystemSid
, DIRECTORY_ALL_ACCESS
,
177 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeAliasAdminsSid
, DIRECTORY_ALL_ACCESS
,
178 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeRestrictedSid
, DIRECTORY_GENERIC_READ
);
180 CheckDirectorySecurity(L
"\\ArcName",
181 4, ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeWorldSid
, DIRECTORY_GENERIC_READ
,
182 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeLocalSystemSid
, DIRECTORY_ALL_ACCESS
,
183 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeAliasAdminsSid
, DIRECTORY_ALL_ACCESS
,
184 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeRestrictedSid
, DIRECTORY_GENERIC_READ
);
186 CheckDirectorySecurity(L
"\\BaseNamedObjects",
187 3, ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeWorldSid
, DIRECTORY_GENERIC_WRITE
| DIRECTORY_GENERIC_READ
,
188 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeLocalSystemSid
, DIRECTORY_ALL_ACCESS
,
189 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeRestrictedSid
, DIRECTORY_TRAVERSE
);
191 CheckDirectorySecurity(L
"\\Callback",
192 3, ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeWorldSid
, DIRECTORY_GENERIC_READ
,
193 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeLocalSystemSid
, DIRECTORY_ALL_ACCESS
,
194 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeAliasAdminsSid
, DIRECTORY_ALL_ACCESS
);
196 CheckDirectorySecurity(L
"\\Device",
197 4, ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeWorldSid
, DIRECTORY_GENERIC_READ
,
198 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeLocalSystemSid
, DIRECTORY_ALL_ACCESS
,
199 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeAliasAdminsSid
, DIRECTORY_ALL_ACCESS
,
200 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeRestrictedSid
, DIRECTORY_GENERIC_READ
);
202 CheckDirectorySecurity(L
"\\Driver",
203 2, ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeLocalSystemSid
, DIRECTORY_ALL_ACCESS
,
204 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeAliasAdminsSid
, DIRECTORY_GENERIC_READ
);
206 CheckDirectorySecurity(L
"\\GLOBAL??",
207 6, ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeWorldSid
, DIRECTORY_GENERIC_READ
,
208 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeLocalSystemSid
, DIRECTORY_ALL_ACCESS
,
209 ACCESS_ALLOWED_ACE_TYPE
, INHERIT_ONLY_ACE
|
210 CONTAINER_INHERIT_ACE
|
211 OBJECT_INHERIT_ACE
, SeExports
->SeWorldSid
, GENERIC_EXECUTE
,
212 ACCESS_ALLOWED_ACE_TYPE
, INHERIT_ONLY_ACE
|
213 CONTAINER_INHERIT_ACE
|
214 OBJECT_INHERIT_ACE
, SeExports
->SeAliasAdminsSid
, GENERIC_ALL
,
215 ACCESS_ALLOWED_ACE_TYPE
, INHERIT_ONLY_ACE
|
216 CONTAINER_INHERIT_ACE
|
217 OBJECT_INHERIT_ACE
, SeExports
->SeLocalSystemSid
, GENERIC_ALL
,
218 ACCESS_ALLOWED_ACE_TYPE
, INHERIT_ONLY_ACE
|
219 CONTAINER_INHERIT_ACE
|
220 OBJECT_INHERIT_ACE
, SeExports
->SeCreatorOwnerSid
,GENERIC_ALL
);
222 CheckDirectorySecurity(L
"\\KernelObjects",
223 3, ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeWorldSid
, DIRECTORY_GENERIC_READ
,
224 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeAliasAdminsSid
, DIRECTORY_ALL_ACCESS
,
225 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeLocalSystemSid
, DIRECTORY_ALL_ACCESS
);
227 CheckDirectorySecurity(L
"\\ObjectTypes",
228 2, ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeLocalSystemSid
, DIRECTORY_ALL_ACCESS
,
229 ACCESS_ALLOWED_ACE_TYPE
, 0, SeExports
->SeAliasAdminsSid
, DIRECTORY_GENERIC_READ
);