projects / reactos.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
[KMTESTS:OB] Add support for LUID mappings being disabled in ObSecurity tests
[reactos.git] / modules / rostests / kmtests / ntos_ob / ObSecurity.c
1 /*
2 * PROJECT: ReactOS kernel-mode tests
3 * LICENSE: LGPLv2.1+ - See COPYING.LIB in the top level directory
4 * PURPOSE: Kernel-Mode Test Suite object security test
5 * PROGRAMMER: Thomas Faber <thomas.faber@reactos.org>
6 */
7
8 #include <kmt_test.h>
9 #include "../ntos_se/se.h"
10
11 #define CheckDirectorySecurityWithOwnerAndGroup(name, Owner, Group, AceCount, ...) CheckDirectorySecurity_(name, Owner, Group, AceCount, __FILE__, __LINE__, ##__VA_ARGS__)
12 #define CheckDirectorySecurity(name, AceCount, ...) CheckDirectorySecurity_(name, SeExports->SeAliasAdminsSid, SeExports->SeLocalSystemSid, AceCount, __FILE__, __LINE__, ##__VA_ARGS__)
13 #define CheckDirectorySecurity_(name, Owner, Group, AceCount, file, line, ...) CheckDirectorySecurity__(name, Owner, Group, AceCount, file ":" KMT_STRINGIZE(line), ##__VA_ARGS__)
14 static
15 VOID
16 CheckDirectorySecurity__(
17 _In_ PCWSTR DirectoryName,
18 _In_ PSID ExpectedOwner,
19 _In_ PSID ExpectedGroup,
20 _In_ ULONG AceCount,
21 _In_ PCSTR FileAndLine,
22 ...)
23 {
24 NTSTATUS Status;
25 UNICODE_STRING DirectoryNameString;
26 OBJECT_ATTRIBUTES ObjectAttributes;
27 HANDLE DirectoryHandle;
28 PSECURITY_DESCRIPTOR SecurityDescriptor;
29 ULONG SecurityDescriptorSize;
30 PSID Owner;
31 PSID Group;
32 PACL Dacl;
33 PACL Sacl;
34 BOOLEAN Present;
35 BOOLEAN Defaulted;
36 va_list Arguments;
37
38 RtlInitUnicodeString(&DirectoryNameString, DirectoryName);
39 InitializeObjectAttributes(&ObjectAttributes,
40 &DirectoryNameString,
41 OBJ_KERNEL_HANDLE,
42 NULL,
43 NULL);
44 Status = ZwOpenDirectoryObject(&DirectoryHandle,
45 READ_CONTROL | ACCESS_SYSTEM_SECURITY,
46 &ObjectAttributes);
47 ok_eq_hex(Status, STATUS_SUCCESS);
48 if (skip(NT_SUCCESS(Status), "No directory (%ls)\n", DirectoryName))
49 {
50 return;
51 }
52
53 Status = ZwQuerySecurityObject(DirectoryHandle,
54 OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION,
55 NULL,
56 0,
57 &SecurityDescriptorSize);
58 ok_eq_hex(Status, STATUS_BUFFER_TOO_SMALL);
59 if (skip(Status == STATUS_BUFFER_TOO_SMALL, "No security size (%ls)\n", DirectoryName))
60 {
61 ObCloseHandle(DirectoryHandle, KernelMode);
62 return;
63 }
64
65 SecurityDescriptor = ExAllocatePoolWithTag(PagedPool,
66 SecurityDescriptorSize,
67 'dSmK');
68 ok(SecurityDescriptor != NULL, "Failed to allocate %lu bytes\n", SecurityDescriptorSize);
69 if (skip(SecurityDescriptor != NULL, "No memory for descriptor (%ls)\n", DirectoryName))
70 {
71 ObCloseHandle(DirectoryHandle, KernelMode);
72 return;
73 }
74
75 Status = ZwQuerySecurityObject(DirectoryHandle,
76 OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION,
77 SecurityDescriptor,
78 SecurityDescriptorSize,
79 &SecurityDescriptorSize);
80 ok_eq_hex(Status, STATUS_SUCCESS);
81 if (NT_SUCCESS(Status))
82 {
83 Owner = NULL;
84 Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
85 &Owner,
86 &Defaulted);
87 if (ExpectedOwner)
88 CheckSid__(Owner, NO_SIZE, ExpectedOwner, FileAndLine);
89 ok(Defaulted == FALSE, "Owner defaulted for %ls\n", DirectoryName);
90
91 Group = NULL;
92 Status = RtlGetGroupSecurityDescriptor(SecurityDescriptor,
93 &Group,
94 &Defaulted);
95 if (ExpectedGroup)
96 CheckSid__(Group, NO_SIZE, ExpectedGroup, FileAndLine);
97 ok(Defaulted == FALSE, "Group defaulted for %ls\n", DirectoryName);
98
99 Dacl = NULL;
100 Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
101 &Present,
102 &Dacl,
103 &Defaulted);
104 ok_eq_hex(Status, STATUS_SUCCESS);
105 ok(Present == TRUE, "DACL not present for %ls\n", DirectoryName);
106 ok(Defaulted == FALSE, "DACL defaulted for %ls\n", DirectoryName);
107 va_start(Arguments, FileAndLine);
108 VCheckAcl__(Dacl, AceCount, FileAndLine, Arguments);
109 va_end(Arguments);
110
111 Sacl = NULL;
112 Status = RtlGetSaclSecurityDescriptor(SecurityDescriptor,
113 &Present,
114 &Sacl,
115 &Defaulted);
116 ok_eq_hex(Status, STATUS_SUCCESS);
117 ok(Present == FALSE, "SACL present for %ls\n", DirectoryName);
118 ok(Defaulted == FALSE, "SACL defaulted for %ls\n", DirectoryName);
119 ok(Sacl == NULL, "Sacl is %p for %ls\n", Sacl, DirectoryName);
120 }
121 ExFreePoolWithTag(SecurityDescriptor, 'dSmK');
122 ObCloseHandle(DirectoryHandle, KernelMode);
123 }
124
125 START_TEST(ObSecurity)
126 {
127 NTSTATUS Status;
128 /* Assume yes, that's the default on W2K3 */
129 ULONG LUIDMappingsEnabled = 1, ReturnLength;
130
131 #define DIRECTORY_GENERIC_READ STANDARD_RIGHTS_READ | DIRECTORY_TRAVERSE | DIRECTORY_QUERY
132 #define DIRECTORY_GENERIC_WRITE STANDARD_RIGHTS_WRITE | DIRECTORY_CREATE_SUBDIRECTORY | DIRECTORY_CREATE_OBJECT
133
134 /* Check if LUID device maps are enabled */
135 Status = ZwQueryInformationProcess(NtCurrentProcess(),
136 ProcessLUIDDeviceMapsEnabled,
137 &LUIDMappingsEnabled,
138 sizeof(LUIDMappingsEnabled),
139 &ReturnLength);
140 ok(NT_SUCCESS(Status), "NtQueryInformationProcess failed: 0x%x\n", Status);
141
142 trace("LUID mappings are enabled: %d\n", LUIDMappingsEnabled);
143 if (LUIDMappingsEnabled != 0)
144 {
145 CheckDirectorySecurityWithOwnerAndGroup(L"\\??", SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users"
146 4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE |
147 OBJECT_INHERIT_ACE, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS,
148 ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE |
149 OBJECT_INHERIT_ACE, SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS,
150 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS,
151 ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
152 CONTAINER_INHERIT_ACE |
153 OBJECT_INHERIT_ACE, SeExports->SeCreatorOwnerSid,GENERIC_ALL);
154 }
155 else
156 {
157 CheckDirectorySecurityWithOwnerAndGroup(L"\\??", SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users"
158 6, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid, READ_CONTROL | DIRECTORY_TRAVERSE | DIRECTORY_QUERY,
159 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS,
160 ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
161 CONTAINER_INHERIT_ACE |
162 OBJECT_INHERIT_ACE, SeExports->SeWorldSid, GENERIC_EXECUTE,
163 ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
164 CONTAINER_INHERIT_ACE |
165 OBJECT_INHERIT_ACE, SeExports->SeAliasAdminsSid,GENERIC_ALL,
166 ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
167 CONTAINER_INHERIT_ACE |
168 OBJECT_INHERIT_ACE, SeExports->SeLocalSystemSid,GENERIC_ALL,
169 ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
170 CONTAINER_INHERIT_ACE |
171 OBJECT_INHERIT_ACE, SeExports->SeCreatorOwnerSid,GENERIC_ALL);
172 }
173
174 CheckDirectorySecurity(L"\\",
175 4, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid, DIRECTORY_GENERIC_READ,
176 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS,
177 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS,
178 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeRestrictedSid, DIRECTORY_GENERIC_READ);
179
180 CheckDirectorySecurity(L"\\ArcName",
181 4, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid, DIRECTORY_GENERIC_READ,
182 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS,
183 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS,
184 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeRestrictedSid, DIRECTORY_GENERIC_READ);
185
186 CheckDirectorySecurity(L"\\BaseNamedObjects",
187 3, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid, DIRECTORY_GENERIC_WRITE | DIRECTORY_GENERIC_READ,
188 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS,
189 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeRestrictedSid, DIRECTORY_TRAVERSE);
190
191 CheckDirectorySecurity(L"\\Callback",
192 3, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid, DIRECTORY_GENERIC_READ,
193 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS,
194 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS);
195
196 CheckDirectorySecurity(L"\\Device",
197 4, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid, DIRECTORY_GENERIC_READ,
198 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS,
199 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS,
200 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeRestrictedSid, DIRECTORY_GENERIC_READ);
201
202 CheckDirectorySecurity(L"\\Driver",
203 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS,
204 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, DIRECTORY_GENERIC_READ);
205
206 CheckDirectorySecurity(L"\\GLOBAL??",
207 6, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid, DIRECTORY_GENERIC_READ,
208 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS,
209 ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
210 CONTAINER_INHERIT_ACE |
211 OBJECT_INHERIT_ACE, SeExports->SeWorldSid, GENERIC_EXECUTE,
212 ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
213 CONTAINER_INHERIT_ACE |
214 OBJECT_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
215 ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
216 CONTAINER_INHERIT_ACE |
217 OBJECT_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
218 ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
219 CONTAINER_INHERIT_ACE |
220 OBJECT_INHERIT_ACE, SeExports->SeCreatorOwnerSid,GENERIC_ALL);
221
222 CheckDirectorySecurity(L"\\KernelObjects",
223 3, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid, DIRECTORY_GENERIC_READ,
224 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS,
225 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS);
226
227 CheckDirectorySecurity(L"\\ObjectTypes",
228 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS,
229 ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, DIRECTORY_GENERIC_READ);
230 }
A free Windows-compatible Operating System