PSID pSid );
static LPSTR (WINAPI *pGetTrusteeNameA)( PTRUSTEEA pTrustee );
static BOOL (WINAPI *pMakeSelfRelativeSD)( PSECURITY_DESCRIPTOR, PSECURITY_DESCRIPTOR, LPDWORD );
-static BOOL (WINAPI *pConvertSidToStringSidA)( PSID pSid, LPSTR *str );
static BOOL (WINAPI *pConvertStringSidToSidA)( LPCSTR str, PSID pSid );
static BOOL (WINAPI *pCheckTokenMembership)(HANDLE, PSID, PBOOL);
static BOOL (WINAPI *pConvertStringSecurityDescriptorToSecurityDescriptorA)(LPCSTR, DWORD,
DWORD le = GetLastError();
char* res = debugsid_str[debugsid_index];
debugsid_index = (debugsid_index + 1) % SID_SLOTS;
- if (!pConvertSidToStringSidA)
- strcpy(res, "missing ConvertSidToStringSidA");
- else if (!pConvertSidToStringSidA(sid, &sidstr))
+
+ if (!ConvertSidToStringSidA(sid, &sidstr))
sprintf(res, "ConvertSidToStringSidA failed le=%u", GetLastError());
else if (strlen(sidstr) > sizeof(*debugsid_str) - 1)
{
pGetSecurityInfo = (void *)GetProcAddress(hmod, "GetSecurityInfo");
pSetSecurityInfo = (void *)GetProcAddress(hmod, "SetSecurityInfo");
pCreateRestrictedToken = (void *)GetProcAddress(hmod, "CreateRestrictedToken");
- pConvertSidToStringSidA = (void *)GetProcAddress(hmod, "ConvertSidToStringSidA");
pConvertStringSidToSidA = (void *)GetProcAddress(hmod, "ConvertStringSidToSidA");
pGetAclInformation = (void *)GetProcAddress(hmod, "GetAclInformation");
pGetAce = (void *)GetProcAddress(hmod, "GetAce");
pGetWindowsAccountDomainSid = (void *)GetProcAddress(hmod, "GetWindowsAccountDomainSid");
pGetSidIdentifierAuthority = (void *)GetProcAddress(hmod, "GetSidIdentifierAuthority");
- pGetExplicitEntriesFromAclW = (void *)GetProcAddress(hmod, "GetExplicitEntriesFromAclW");
pDuplicateTokenEx = (void *)GetProcAddress(hmod, "DuplicateTokenEx");
+ pGetExplicitEntriesFromAclW = (void *)GetProcAddress(hmod, "GetExplicitEntriesFromAclW");
myARGC = winetest_get_mainargs( &myARGV );
}
BOOL r;
LPSTR str;
- if( !pConvertSidToStringSidA || !pConvertStringSidToSidA )
+ if( !pConvertStringSidToSidA )
{
win_skip("ConvertSidToStringSidA or ConvertStringSidToSidA not available\n");
return;
r = AllocateAndInitializeSid( &refs[i].auth, 1,1,0,0,0,0,0,0,0,
&psid );
ok( r, "failed to allocate sid\n" );
- r = pConvertSidToStringSidA( psid, &str );
+ r = ConvertSidToStringSidA( psid, &str );
ok( r, "failed to convert sid\n" );
if (r)
{
*GetSidSubAuthority(psid, n) = 0;
}
- r = pConvertSidToStringSidA(psid, &sid_string);
+ r = ConvertSidToStringSidA(psid, &sid_string);
ok(r, "%s: ConvertSidToStringSid error %u\n", strsid_table[i].str, GetLastError());
if (winetest_debug > 1)
trace("%s => %s\n", strsid_table[i].str, sid_string);
r = pCreateWellKnownSid(strsid_table[i].sid_type, domain_sid, buf, &size);
ok(r, "%u: CreateWellKnownSid(%u) error %u\n", i, strsid_table[i].sid_type, GetLastError());
- r = pConvertSidToStringSidA(buf, &well_known_sid_string);
+ r = ConvertSidToStringSidA(buf, &well_known_sid_string);
ok(r, "%u: ConvertSidToStringSi(%u) error %u\n", i, strsid_table[i].sid_type, GetLastError());
if (winetest_debug > 1)
trace("%u => %s\n", strsid_table[i].sid_type, well_known_sid_string);
CloseHandle(Token);
}
- if(!pConvertSidToStringSidA)
- {
- win_skip("ConvertSidToStringSidA is not available\n");
- return;
- }
-
SetLastError(0xdeadbeef);
ret = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &Token);
ok(ret, "OpenProcessToken failed with error %d\n", GetLastError());
ret = LookupAccountSidA(NULL, Groups->Groups[i].Sid, Name, &NameLength, Domain, &DomainLength, &SidNameUse);
if (ret)
{
- pConvertSidToStringSidA(Groups->Groups[i].Sid, &SidString);
+ ConvertSidToStringSidA(Groups->Groups[i].Sid, &SidString);
trace("%s, %s\\%s use: %d attr: 0x%08x\n", SidString, Domain, Name, SidNameUse, Groups->Groups[i].Attributes);
LocalFree(SidString);
}
ok(ret,
"GetTokenInformation(TokenUser) failed with error %d\n", GetLastError());
- pConvertSidToStringSidA(User->User.Sid, &SidString);
+ ConvertSidToStringSidA(User->User.Sid, &SidString);
trace("TokenUser: %s attr: 0x%08x\n", SidString, User->User.Attributes);
LocalFree(SidString);
HeapFree(GetProcessHeap(), 0, User);
static void test_sid_str(PSID * sid)
{
char *str_sid;
- BOOL ret = pConvertSidToStringSidA(sid, &str_sid);
+ BOOL ret = ConvertSidToStringSidA(sid, &str_sid);
ok(ret, "ConvertSidToStringSidA() failed: %d\n", GetLastError());
if (ret)
{
ok(pCreateWellKnownSid(i, value->without_domain ? NULL : domainsid, sid_buffer, &cb), "Couldn't create well known sid %u\n", i);
expect_eq(GetSidLengthRequired(*GetSidSubAuthorityCount(sid_buffer)), cb, DWORD, "%d");
ok(IsValidSid(sid_buffer), "The sid is not valid\n");
- ok(pConvertSidToStringSidA(sid_buffer, &str), "Couldn't convert SID to string\n");
+ ok(ConvertSidToStringSidA(sid_buffer, &str), "Couldn't convert SID to string\n");
ok(strcmp(str, value->sid_string) == 0, "%d: SID mismatch - expected %s, got %s\n", i,
value->sid_string, str);
LocalFree(str);
}
HeapFree(GetProcessHeap(), 0, ptiUser);
- if (pCreateWellKnownSid && pConvertSidToStringSidA)
+ if (pCreateWellKnownSid)
{
trace("Well Known SIDs:\n");
for (i = 0; i <= 84; i++)
size = SECURITY_MAX_SID_SIZE;
if (pCreateWellKnownSid(i, NULL, &max_sid.sid, &size))
{
- if (pConvertSidToStringSidA(&max_sid.sid, &str_sidA))
+ if (ConvertSidToStringSidA(&max_sid.sid, &str_sidA))
{
acc_sizeA = MAX_PATH;
dom_sizeA = MAX_PATH;
ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
ok(bret, "GetAclInformation failed\n");
- todo_wine
ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
acl_size.AceCount);
LocalFree(pSD);
ok(error == ERROR_SUCCESS, "GetNamedSecurityInfo failed with error %d\n", error);
bret = pGetAclInformation(pDacl, &acl_size, sizeof(acl_size), AclSizeInformation);
ok(bret, "GetAclInformation failed\n");
+ todo_wine
ok(acl_size.AceCount == 0, "GetAclInformation returned unexpected entry count (%d != 0).\n",
acl_size.AceCount);
LocalFree(pSD);
if (bret) admins_ace_id = i;
}
ok(users_ace_id != -1 || broken(users_ace_id == -1) /* win2k */,
- "Bultin Users ACE not found.\n");
+ "Builtin Users ACE not found.\n");
if (users_ace_id != -1)
{
bret = pGetAce(pDacl, users_ace_id, (VOID **)&ace);
"Builtin Users ACE has unexpected mask (0x%x != 0x%x)\n",
ace->Mask, GENERIC_READ);
}
- ok(admins_ace_id != -1, "Bultin Admins ACE not found.\n");
+ ok(admins_ace_id != -1, "Builtin Admins ACE not found.\n");
if (admins_ace_id != -1)
{
bret = pGetAce(pDacl, admins_ace_id, (VOID **)&ace);
static void test_CreateRestrictedToken(void)
{
+ TOKEN_PRIMARY_GROUP *primary_group, *primary_group2;
HANDLE process_token, token, r_token;
PTOKEN_GROUPS token_groups, groups2;
SID_AND_ATTRIBUTES sattr;
SECURITY_IMPERSONATION_LEVEL level;
+ TOKEN_PRIVILEGES *privs;
+ PRIVILEGE_SET privset;
TOKEN_TYPE type;
BOOL is_member;
DWORD size;
ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_QUERY, &process_token);
ok(ret, "got error %d\n", GetLastError());
- ret = DuplicateTokenEx(process_token, TOKEN_DUPLICATE|TOKEN_ADJUST_GROUPS|TOKEN_QUERY,
+ ret = DuplicateTokenEx(process_token, TOKEN_DUPLICATE|TOKEN_ADJUST_GROUPS|TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
NULL, SecurityImpersonation, TokenImpersonation, &token);
ok(ret, "got error %d\n", GetLastError());
ok(ret, "got error %d\n", GetLastError());
ok(is_member, "not a member\n");
- /* disable a SID in new token */
+ privset.PrivilegeCount = 1;
+ privset.Control = PRIVILEGE_SET_ALL_NECESSARY;
+ ret = LookupPrivilegeValueA(NULL, "SeChangeNotifyPrivilege", &privset.Privilege[0].Luid);
+ ok(ret, "got error %d\n", GetLastError());
+
+ is_member = FALSE;
+ ret = PrivilegeCheck(token, &privset, &is_member);
+ ok(ret, "got error %d\n", GetLastError());
+ ok(is_member, "Expected SeChangeNotifyPrivilege to be enabled\n");
+
+ /* disable a SID and a privilege in new token */
sattr.Sid = token_groups->Groups[i].Sid;
sattr.Attributes = 0;
r_token = NULL;
- ret = pCreateRestrictedToken(token, 0, 1, &sattr, 0, NULL, 0, NULL, &r_token);
+ ret = pCreateRestrictedToken(token, 0, 1, &sattr, 1, &privset.Privilege[0], 0, NULL, &r_token);
ok(ret, "got error %d\n", GetLastError());
if (ret)
is_member = TRUE;
ret = pCheckTokenMembership(r_token, token_groups->Groups[i].Sid, &is_member);
ok(ret, "got error %d\n", GetLastError());
- todo_wine ok(!is_member, "not a member\n");
+ ok(!is_member, "not a member\n");
ret = GetTokenInformation(r_token, TokenGroups, NULL, 0, &size);
ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %d with error %d\n",
break;
}
- todo_wine ok(groups2->Groups[j].Attributes & SE_GROUP_USE_FOR_DENY_ONLY,
+ ok(groups2->Groups[j].Attributes & SE_GROUP_USE_FOR_DENY_ONLY,
"got wrong attributes\n");
- todo_wine ok((groups2->Groups[j].Attributes & SE_GROUP_ENABLED) == 0,
+ ok((groups2->Groups[j].Attributes & SE_GROUP_ENABLED) == 0,
"got wrong attributes\n");
HeapFree(GetProcessHeap(), 0, groups2);
ret = GetTokenInformation(r_token, TokenImpersonationLevel, &level, size, &size);
ok(ret, "got error %d\n", GetLastError());
ok(level == SecurityImpersonation, "got level %u\n", type);
+
+ is_member = TRUE;
+ ret = PrivilegeCheck(r_token, &privset, &is_member);
+ ok(ret, "got error %d\n", GetLastError());
+ ok(!is_member, "Expected SeChangeNotifyPrivilege not to be enabled\n");
+
+ ret = GetTokenInformation(r_token, TokenPrivileges, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %d with error %d\n",
+ ret, GetLastError());
+ privs = HeapAlloc(GetProcessHeap(), 0, size);
+ ret = GetTokenInformation(r_token, TokenPrivileges, privs, size, &size);
+ ok(ret, "got error %d\n", GetLastError());
+
+ is_member = FALSE;
+ for (j = 0; j < privs->PrivilegeCount; j++)
+ {
+ if (RtlEqualLuid(&privs->Privileges[j].Luid, &privset.Privilege[0].Luid))
+ {
+ is_member = TRUE;
+ break;
+ }
+ }
+
+ ok(!is_member, "Expected not to find privilege\n");
+ HeapFree(GetProcessHeap(), 0, privs);
}
HeapFree(GetProcessHeap(), 0, token_groups);
CloseHandle(r_token);
+
+ ret = GetTokenInformation(token, TokenPrimaryGroup, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %d with error %d\n",
+ ret, GetLastError());
+ primary_group = HeapAlloc(GetProcessHeap(), 0, size);
+ ret = GetTokenInformation(token, TokenPrimaryGroup, primary_group, size, &size);
+ ok(ret, "got error %d\n", GetLastError());
+
+ /* disable primary group */
+ sattr.Sid = primary_group->PrimaryGroup;
+ sattr.Attributes = 0;
+ r_token = NULL;
+ ret = pCreateRestrictedToken(token, 0, 1, &sattr, 0, NULL, 0, NULL, &r_token);
+ ok(ret, "got error %d\n", GetLastError());
+
+ if (ret)
+ {
+ is_member = TRUE;
+ ret = pCheckTokenMembership(r_token, primary_group->PrimaryGroup, &is_member);
+ ok(ret, "got error %d\n", GetLastError());
+ ok(!is_member, "not a member\n");
+
+ ret = GetTokenInformation(r_token, TokenPrimaryGroup, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %d with error %d\n",
+ ret, GetLastError());
+ primary_group2 = HeapAlloc(GetProcessHeap(), 0, size);
+ ret = GetTokenInformation(r_token, TokenPrimaryGroup, primary_group2, size, &size);
+ ok(ret, "got error %d\n", GetLastError());
+
+ ok(EqualSid(primary_group2->PrimaryGroup, primary_group->PrimaryGroup),
+ "Expected same primary group\n");
+
+ HeapFree(GetProcessHeap(), 0, primary_group2);
+ }
+
+ HeapFree(GetProcessHeap(), 0, primary_group);
+ CloseHandle(r_token);
+
CloseHandle(token);
CloseHandle(process_token);
}
case GENERIC_WRITE:
ok(access == map[i].mapped ||
access == (map[i].mapped | PROCESS_TERMINATE) /* before Vista */ ||
- access == (map[i].mapped | PROCESS_SET_LIMITED_INFORMATION) /* win8 */,
+ access == (map[i].mapped | PROCESS_SET_LIMITED_INFORMATION) /* win8 */ ||
+ access == (map[i].mapped | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SET_LIMITED_INFORMATION) /* Win10 Anniversary Update */,
"%d: expected %#x, got %#x\n", i, map[i].mapped, access);
break;
case GENERIC_EXECUTE:
static void test_AdjustTokenPrivileges(void)
{
- TOKEN_PRIVILEGES tp, prev;
+ TOKEN_PRIVILEGES tp;
HANDLE token;
DWORD len;
LUID luid;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = 0;
- AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), &prev, NULL);
+ ret = AdjustTokenPrivileges(token, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
+ ok(ret, "got %d\n", ret);
CloseHandle(token);
}
{SECURITY_MANDATORY_LOW_RID}};
static SID medium_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
{SECURITY_MANDATORY_MEDIUM_RID}};
- static SID high_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
- {SECURITY_MANDATORY_HIGH_RID}};
- SYSTEM_MANDATORY_LABEL_ACE *ace;
+ static SID_IDENTIFIER_AUTHORITY sia_world = {SECURITY_WORLD_SID_AUTHORITY};
char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
SECURITY_DESCRIPTOR *sd2, *sd = (SECURITY_DESCRIPTOR *)&buffer_sd;
- SECURITY_ATTRIBUTES sa;
- char buffer_acl[256];
- ACL *pAcl = (ACL *)&buffer_acl;
- ACL *sAcl;
BOOL defaulted, present, ret, found, found2;
- HANDLE handle;
+ ACL_SIZE_INFORMATION acl_size_info;
+ SYSTEM_MANDATORY_LABEL_ACE *ace;
+ char buffer_acl[256];
+ ACL *acl = (ACL *)&buffer_acl;
+ SECURITY_ATTRIBUTES sa;
DWORD index, size;
+ HANDLE handle;
+ SID *everyone;
+ ACL *sacl;
if (!pAddMandatoryAce)
{
}
ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
- ok(ret, "InitializeSecurityDescriptor failed with %u\n", GetLastError());
+ ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
- sa.nLength = sizeof(SECURITY_ATTRIBUTES);
+ sa.nLength = sizeof(sa);
sa.lpSecurityDescriptor = sd;
- sa.bInheritHandle = FALSE;
+ sa.bInheritHandle = FALSE;
handle = CreateEventA(&sa, TRUE, TRUE, "test_event");
ok(handle != NULL, "CreateEventA failed with error %u\n", GetLastError());
ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
- "GetKernelObjectSecurity failed with %u\n", GetLastError());
+ "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
sd2 = HeapAlloc(GetProcessHeap(), 0, size);
ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
- ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- sAcl = (void *)0xdeadbeef;
+ sacl = (void *)0xdeadbeef;
present = TRUE;
- defaulted = TRUE;
- ret = GetSecurityDescriptorSacl(sd2, &present, &sAcl, &defaulted);
- ok(ret, "GetSecurityDescriptorSacl failed with %u\n", GetLastError());
- ok(!present, "sAcl is present\n");
- ok(sAcl == (void *)0xdeadbeef, "sAcl is set\n");
- todo_wine ok(!defaulted, "sAcl defaulted\n");
+ ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(!present, "SACL is present\n");
+ ok(sacl == (void *)0xdeadbeef, "SACL is set\n");
HeapFree(GetProcessHeap(), 0, sd2);
CloseHandle(handle);
- ret = InitializeAcl(pAcl, 256, ACL_REVISION);
+ ret = InitializeAcl(acl, 256, ACL_REVISION);
ok(ret, "InitializeAcl failed with %u\n", GetLastError());
SetLastError(0xdeadbeef);
- ret = pAddMandatoryAce(pAcl, ACL_REVISION, 0, 0x1234, &low_level);
+ ret = pAddMandatoryAce(acl, ACL_REVISION, 0, 0x1234, &low_level);
ok(!ret, "AddMandatoryAce succeeded\n");
ok(GetLastError() == ERROR_INVALID_PARAMETER,
"Expected ERROR_INVALID_PARAMETER got %u\n", GetLastError());
- ret = pAddMandatoryAce(pAcl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
+ ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
ok(ret, "AddMandatoryAce failed with %u\n", GetLastError());
index = 0;
found = FALSE;
- while (pGetAce( pAcl, index++, (void **)&ace ))
+ while (pGetAce(acl, index++, (void **)&ace))
{
if (ace->Header.AceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
ok(ace->Header.AceFlags == 0, "Expected flags 0, got %x\n", ace->Header.AceFlags);
}
ok(found, "Could not find mandatory label ace\n");
- ret = SetSecurityDescriptorSacl(sd, TRUE, pAcl, FALSE);
- ok(ret, "SetSecurityDescriptorSacl failed with %u\n", GetLastError());
+ ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
+ ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
handle = CreateEventA(&sa, TRUE, TRUE, "test_event");
ok(handle != NULL, "CreateEventA failed with error %u\n", GetLastError());
ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
- "GetKernelObjectSecurity failed with %u\n", GetLastError());
+ "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
sd2 = HeapAlloc(GetProcessHeap(), 0, size);
ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
- ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- sAcl = (void *)0xdeadbeef;
+ sacl = (void *)0xdeadbeef;
present = FALSE;
defaulted = TRUE;
- ret = GetSecurityDescriptorSacl(sd2, &present, &sAcl, &defaulted);
- ok(ret, "GetSecurityDescriptorSacl failed with %u\n", GetLastError());
- ok(present, "sAcl not present\n");
- ok(sAcl != (void *)0xdeadbeef, "sAcl not set\n");
- ok(!defaulted, "sAcl defaulted\n");
-
- index = 0;
- found = FALSE;
- while (pGetAce( sAcl, index++, (void **)&ace ))
- {
- if (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
- {
- found = TRUE;
- ok(ace->Header.AceFlags == 0, "Expected 0 as flags, got %x\n", ace->Header.AceFlags);
- ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
- "Expected SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as flag, got %x\n", ace->Mask);
- ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
- }
- }
- ok(found, "Could not find mandatory label\n");
+ ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(present, "SACL not present\n");
+ ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
+ ok(!defaulted, "SACL defaulted\n");
+ ret = pGetAclInformation(sacl, &acl_size_info, sizeof(acl_size_info), AclSizeInformation);
+ ok(ret, "GetAclInformation failed with error %u\n", GetLastError());
+ ok(acl_size_info.AceCount == 1, "SACL contains an unexpected ACE count %u\n", acl_size_info.AceCount);
+
+ ret = pGetAce(sacl, 0, (void **)&ace);
+ ok(ret, "GetAce failed with error %u\n", GetLastError());
+ ok (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE, "Unexpected ACE type %#x\n", ace->Header.AceType);
+ ok(!ace->Header.AceFlags, "Unexpected ACE flags %#x\n", ace->Header.AceFlags);
+ ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, "Unexpected ACE mask %#x\n", ace->Mask);
+ ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
HeapFree(GetProcessHeap(), 0, sd2);
- ret = pAddMandatoryAce(pAcl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
- ok(ret, "AddMandatoryAce failed with %u\n", GetLastError());
+ ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
+ ok(ret, "AddMandatoryAce failed with error %u\n", GetLastError());
ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
- ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+ ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
- "GetKernelObjectSecurity failed with %u\n", GetLastError());
+ "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
sd2 = HeapAlloc(GetProcessHeap(), 0, size);
ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
- ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- sAcl = (void *)0xdeadbeef;
+ sacl = (void *)0xdeadbeef;
present = FALSE;
defaulted = TRUE;
- ret = GetSecurityDescriptorSacl(sd2, &present, &sAcl, &defaulted);
- ok(ret, "GetSecurityDescriptorSacl failed with %u\n", GetLastError());
- ok(present, "sAcl not present\n");
- ok(sAcl != (void *)0xdeadbeef, "sAcl not set\n");
- ok(sAcl->AceCount == 2, "Expected 2 ACEs, got %d\n", sAcl->AceCount);
- ok(!defaulted, "sAcl defaulted\n");
+ ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(present, "SACL not present\n");
+ ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
+ ok(sacl->AceCount == 2, "Expected 2 ACEs, got %d\n", sacl->AceCount);
+ ok(!defaulted, "SACL defaulted\n");
index = 0;
found = found2 = FALSE;
- while (pGetAce( sAcl, index++, (void **)&ace ))
+ while (pGetAce(sacl, index++, (void **)&ace))
{
if (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
{
if (EqualSid(&ace->SidStart, &low_level))
{
found = TRUE;
- ok(ace->Header.AceFlags == 0, "Expected 0 as flags, got %x\n", ace->Header.AceFlags);
+ ok(!ace->Header.AceFlags, "Expected 0 as flags, got %#x\n", ace->Header.AceFlags);
ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
- "Expected SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as flag, got %x\n", ace->Mask);
+ "Expected SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as mask, got %#x\n", ace->Mask);
}
if (EqualSid(&ace->SidStart, &medium_level))
{
found2 = TRUE;
- ok(ace->Header.AceFlags == 0, "Expected 0 as flags, got %x\n", ace->Header.AceFlags);
+ ok(!ace->Header.AceFlags, "Expected 0 as flags, got %#x\n", ace->Header.AceFlags);
ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP,
- "Expected SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP as flag, got %x\n", ace->Mask);
+ "Expected SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP as mask, got %#x\n", ace->Mask);
}
}
}
ok(found, "Could not find low mandatory label\n");
ok(found2, "Could not find medium mandatory label\n");
- HeapFree( GetProcessHeap(), 0, sd2);
+ HeapFree(GetProcessHeap(), 0, sd2);
ret = SetSecurityDescriptorSacl(sd, FALSE, NULL, FALSE);
- ok(ret, "SetSecurityDescriptorSacl failed with %u\n", GetLastError());
+ ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
- ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+ ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
- "GetKernelObjectSecurity failed with %u\n", GetLastError());
+ "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
sd2 = HeapAlloc(GetProcessHeap(), 0, size);
ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
- ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- sAcl = (void *)0xdeadbeef;
+ sacl = (void *)0xdeadbeef;
present = FALSE;
defaulted = TRUE;
- ret = GetSecurityDescriptorSacl(sd2, &present, &sAcl, &defaulted);
- ok(ret, "GetSecurityDescriptorSacl failed with %u\n", GetLastError());
- ok(present, "sAcl not present\n");
- ok(sAcl != (void *)0xdeadbeef, "sAcl not set\n");
- ok(sAcl->AceCount == 0, "Expected 0 ACEs, got %d\n", sAcl->AceCount);
- ok(!defaulted, "sAcl defaulted\n");
+ ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(present, "SACL not present\n");
+ ok(sacl && sacl != (void *)0xdeadbeef, "SACL not set\n");
+ ok(!defaulted, "SACL defaulted\n");
+ ok(!sacl->AceCount, "SACL contains an unexpected ACE count %u\n", sacl->AceCount);
HeapFree(GetProcessHeap(), 0, sd2);
- ret = InitializeAcl(pAcl, 256, ACL_REVISION);
- ok(ret, "InitializeAcl failed with %u\n", GetLastError());
+ ret = InitializeAcl(acl, 256, ACL_REVISION);
+ ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
- ret = pAddMandatoryAce(pAcl, ACL_REVISION3, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
- ok(ret, "AddMandatoryAce failed with %u\n", GetLastError());
+ ret = pAddMandatoryAce(acl, ACL_REVISION3, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
+ ok(ret, "AddMandatoryAce failed with error %u\n", GetLastError());
- ret = SetSecurityDescriptorSacl(sd, TRUE, pAcl, FALSE);
- ok(ret, "SetSecurityDescriptorSacl failed with %u\n", GetLastError());
+ ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
+ ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
- ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+ ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
- "GetKernelObjectSecurity failed with %u\n", GetLastError());
+ "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
sd2 = HeapAlloc(GetProcessHeap(), 0, size);
ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
- ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- sAcl = (void *)0xdeadbeef;
+ sacl = (void *)0xdeadbeef;
present = FALSE;
defaulted = TRUE;
- ret = GetSecurityDescriptorSacl(sd2, &present, &sAcl, &defaulted);
- ok(ret, "GetSecurityDescriptorSacl failed with %u\n", GetLastError());
- ok(present, "sAcl not present\n");
- ok(sAcl != (void *)0xdeadbeef, "sAcl not set\n");
- ok(sAcl->AclRevision == ACL_REVISION3, "Expected revision 3, got %d\n", sAcl->AclRevision);
- ok(!defaulted, "sAcl defaulted\n");
+ ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(present, "SACL not present\n");
+ ok(sacl != (void *)0xdeadbeef, "SACL not set\n");
+ ok(sacl->AclRevision == ACL_REVISION3, "Expected revision 3, got %d\n", sacl->AclRevision);
+ ok(!defaulted, "SACL defaulted\n");
HeapFree(GetProcessHeap(), 0, sd2);
- CloseHandle(handle);
- ret = OpenProcessToken(GetCurrentProcess(), READ_CONTROL, &handle);
- ok(ret, "got %d with %d (expected TRUE)\n", ret, GetLastError());
+ ret = InitializeAcl(acl, 256, ACL_REVISION);
+ ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
+
+ ret = AllocateAndInitializeSid(&sia_world, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, (void **)&everyone);
+ ok(ret, "AllocateAndInitializeSid failed with error %u\n", GetLastError());
+
+ ret = AddAccessAllowedAce(acl, ACL_REVISION, KEY_READ, everyone);
+ ok(ret, "AddAccessAllowedAce failed with error %u\n", GetLastError());
+
+ ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
+ ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+
+ ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
+ ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
- "GetKernelObjectSecurity failed with %u\n", GetLastError());
+ "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
sd2 = HeapAlloc(GetProcessHeap(), 0, size);
ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
- ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- sAcl = (void *)0xdeadbeef;
+ sacl = (void *)0xdeadbeef;
present = FALSE;
defaulted = TRUE;
- ret = GetSecurityDescriptorSacl(sd2, &present, &sAcl, &defaulted);
- ok(ret, "GetSecurityDescriptorSacl failed with %u\n", GetLastError());
- ok(present, "sAcl not present\n");
- ok(sAcl != (void *)0xdeadbeef, "sAcl not set\n");
- ok(sAcl->AceCount == 1, "Expected 1 ACEs, got %d\n", sAcl->AceCount);
- ok(!defaulted, "sAcl defaulted\n");
-
- index = 0;
- found = FALSE;
- while (pGetAce( sAcl, index++, (void **)&ace ))
- {
- if (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE &&
- (EqualSid(&ace->SidStart, &medium_level) || EqualSid(&ace->SidStart, &high_level)))
- {
- found = TRUE;
- ok(ace->Header.AceFlags == 0, "Expected 0 as flags, got %x\n", ace->Header.AceFlags);
- ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
- "Expected SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as flag, got %x\n", ace->Mask);
- }
- }
- ok(found, "Could not find medium/high mandatory label\n");
-
+ ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(present, "SACL not present\n");
+ ok(sacl && sacl != (void *)0xdeadbeef, "SACL not set\n");
+ ok(!defaulted, "SACL defaulted\n");
+ ok(!sacl->AceCount, "SACL contains an unexpected ACE count %u\n", sacl->AceCount);
+
+ FreeSid(everyone);
HeapFree(GetProcessHeap(), 0, sd2);
CloseHandle(handle);
}
CloseHandle(handle);
}
-static void test_GetExplicitEntriesFromAclW(void)
+static void test_token_label(void)
{
- static const WCHAR wszCurrentUser[] = { 'C','U','R','R','E','N','T','_','U','S','E','R','\0'};
- SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
- SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
- PSID everyone_sid = NULL, users_sid = NULL;
- EXPLICIT_ACCESSW access;
- EXPLICIT_ACCESSW *access2;
- PACL new_acl, old_acl = NULL;
- ULONG count;
- DWORD res;
-
- if (!pGetExplicitEntriesFromAclW)
- {
- win_skip("GetExplicitEntriesFromAclW is not available\n");
- return;
- }
-
- if (!pSetEntriesInAclW)
- {
- win_skip("SetEntriesInAclW is not available\n");
- return;
- }
-
- old_acl = HeapAlloc(GetProcessHeap(), 0, 256);
- res = InitializeAcl(old_acl, 256, ACL_REVISION);
- if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
- {
- win_skip("ACLs not implemented - skipping tests\n");
- HeapFree(GetProcessHeap(), 0, old_acl);
- return;
- }
- ok(res, "InitializeAcl failed with error %d\n", GetLastError());
-
- res = AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &everyone_sid);
- ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
+ static SID medium_sid = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
+ {SECURITY_MANDATORY_MEDIUM_RID}};
+ static SID high_sid = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
+ {SECURITY_MANDATORY_HIGH_RID}};
+ SECURITY_DESCRIPTOR_CONTROL control;
+ SYSTEM_MANDATORY_LABEL_ACE *ace;
+ BOOL ret, present, defaulted;
+ SECURITY_DESCRIPTOR *sd;
+ ACL *sacl = NULL, *dacl;
+ DWORD size, revision;
+ HANDLE token;
+ char *str;
+ SID *sid;
- res = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
- DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &users_sid);
- ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
+ ret = OpenProcessToken(GetCurrentProcess(), READ_CONTROL | WRITE_OWNER, &token);
+ ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
- res = AddAccessAllowedAce(old_acl, ACL_REVISION, KEY_READ, users_sid);
- ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
+ ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
- access2 = NULL;
- res = pGetExplicitEntriesFromAclW(old_acl, &count, &access2);
- ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
- ok(count == 1, "Expected count == 1, got %d\n", count);
- ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
- ok(access2[0].grfAccessPermissions == KEY_READ, "Expected KEY_READ, got %d\n", access2[0].grfAccessPermissions);
- ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
- ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
- ok(EqualSid(access2[0].Trustee.ptstrName, users_sid), "Expected equal SIDs\n");
- LocalFree(access2);
+ sd = HeapAlloc(GetProcessHeap(), 0, size);
+ ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
- access.Trustee.pMultipleTrustee = NULL;
+ ret = GetSecurityDescriptorControl(sd, &control, &revision);
+ ok(ret, "GetSecurityDescriptorControl failed with error %u\n", GetLastError());
+ todo_wine ok(control == (SE_SELF_RELATIVE | SE_SACL_AUTO_INHERITED | SE_SACL_PRESENT) ||
+ broken(control == SE_SELF_RELATIVE) /* WinXP, Win2003 */,
+ "Unexpected security descriptor control %#x\n", control);
+ ok(revision == 1, "Unexpected security descriptor revision %u\n", revision);
- access.grfAccessPermissions = KEY_WRITE;
- access.grfAccessMode = GRANT_ACCESS;
- access.grfInheritance = NO_INHERITANCE;
- access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
- access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
- access.Trustee.ptstrName = everyone_sid;
- res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
- ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
- ok(new_acl != NULL, "returned acl was NULL\n");
+ sid = (void *)0xdeadbeef;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorOwner(sd, (void **)&sid, &defaulted);
+ ok(ret, "GetSecurityDescriptorOwner failed with error %u\n", GetLastError());
+ ok(!sid, "Owner present\n");
+ ok(!defaulted, "Owner defaulted\n");
- access2 = NULL;
- res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
- ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
- ok(count == 2, "Expected count == 2, got %d\n", count);
- ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
- ok(access2[0].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[0].grfAccessPermissions);
- ok(access2[0].Trustee.TrusteeType == TRUSTEE_IS_UNKNOWN,
- "Expected TRUSTEE_IS_UNKNOWN trustee type, got %d\n", access2[0].Trustee.TrusteeType);
- ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
- ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
- ok(EqualSid(access2[0].Trustee.ptstrName, everyone_sid), "Expected equal SIDs\n");
- LocalFree(access2);
- LocalFree(new_acl);
+ sid = (void *)0xdeadbeef;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorGroup(sd, (void **)&sid, &defaulted);
+ ok(ret, "GetSecurityDescriptorGroup failed with error %u\n", GetLastError());
+ ok(!sid, "Group present\n");
+ ok(!defaulted, "Group defaulted\n");
- access.Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
- res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
- ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
- ok(new_acl != NULL, "returned acl was NULL\n");
+ ret = GetSecurityDescriptorSacl(sd, &present, &sacl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(present || broken(!present) /* WinXP, Win2003 */, "No SACL in the security descriptor\n");
+ ok(sacl || broken(!sacl) /* WinXP, Win2003 */, "NULL SACL in the security descriptor\n");
- access2 = NULL;
- res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
- ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
- ok(count == 2, "Expected count == 2, got %d\n", count);
- ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
- ok(access2[0].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[0].grfAccessPermissions);
- ok(access2[0].Trustee.TrusteeType == TRUSTEE_IS_UNKNOWN,
- "Expected TRUSTEE_IS_UNKNOWN trustee type, got %d\n", access2[0].Trustee.TrusteeType);
- ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
- ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
- ok(EqualSid(access2[0].Trustee.ptstrName, everyone_sid), "Expected equal SIDs\n");
- LocalFree(access2);
- LocalFree(new_acl);
+ if (present)
+ {
+ ok(!defaulted, "SACL defaulted\n");
+ ok(sacl->AceCount == 1, "SACL contains an unexpected ACE count %u\n", sacl->AceCount);
- access.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
- access.Trustee.ptstrName = (LPWSTR)wszCurrentUser;
- res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
- ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
- ok(new_acl != NULL, "returned acl was NULL\n");
+ ret = pGetAce(sacl, 0, (void **)&ace);
+ ok(ret, "GetAce failed with error %u\n", GetLastError());
- access2 = NULL;
- res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
- ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
- ok(count == 2, "Expected count == 2, got %d\n", count);
- ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
- ok(access2[0].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[0].grfAccessPermissions);
- ok(access2[0].Trustee.TrusteeType == TRUSTEE_IS_UNKNOWN,
- "Expected TRUSTEE_IS_UNKNOWN trustee type, got %d\n", access2[0].Trustee.TrusteeType);
- ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
- ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
- LocalFree(access2);
- LocalFree(new_acl);
+ ok(ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+ "Unexpected ACE type %#x\n", ace->Header.AceType);
+ ok(!ace->Header.AceFlags, "Unexpected ACE flags %#x\n", ace->Header.AceFlags);
+ ok(ace->Header.AceSize, "Unexpected ACE size %u\n", ace->Header.AceSize);
+ ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, "Unexpected ACE mask %#x\n", ace->Mask);
- access.grfAccessMode = REVOKE_ACCESS;
- access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
- access.Trustee.ptstrName = users_sid;
- res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
- ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
- ok(new_acl != NULL, "returned acl was NULL\n");
+ sid = (SID *)&ace->SidStart;
+ ConvertSidToStringSidA(sid, &str);
+ ok(EqualSid(sid, &medium_sid) || EqualSid(sid, &high_sid), "Got unexpected SID %s\n", str);
+ LocalFree(str);
+ }
- access2 = (void *)0xdeadbeef;
- res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
- ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
- ok(count == 0, "Expected count == 0, got %d\n", count);
- ok(access2 == NULL, "access2 was not NULL\n");
- LocalFree(new_acl);
+ ret = GetSecurityDescriptorDacl(sd, &present, &dacl, &defaulted);
+ ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
+ todo_wine ok(!present, "DACL present\n");
- FreeSid(users_sid);
- FreeSid(everyone_sid);
- HeapFree(GetProcessHeap(), 0, old_acl);
+ HeapFree(GetProcessHeap(), 0, sd);
+ CloseHandle(token);
}
static void test_token_security_descriptor(void)
{
static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
- {SECURITY_MANDATORY_LOW_RID}};
- ACCESS_ALLOWED_ACE *ace;
+ {SECURITY_MANDATORY_LOW_RID}};
+ static SID medium_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
+ {SECURITY_MANDATORY_MEDIUM_RID}};
+ static SID high_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
+ {SECURITY_MANDATORY_HIGH_RID}};
char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
- SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&buffer_sd, *sd2;
+ SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&buffer_sd, *sd2, *sd3;
char buffer_acl[256], buffer[MAX_PATH];
- ACL *pAcl = (ACL *)&buffer_acl, *pAcl2, *pAclChild;
+ ACL *acl = (ACL *)&buffer_acl, *acl2, *acl_child, *sacl;
BOOL defaulted, present, ret, found;
- HANDLE token, token2, token3;
+ HANDLE token, token2, token3, token4, token5, token6;
EXPLICIT_ACCESSW exp_access;
+ TOKEN_MANDATORY_LABEL *tml;
+ BYTE buffer_integrity[64];
PROCESS_INFORMATION info;
- SECURITY_ATTRIBUTES sa;
DWORD size, index, retd;
+ ACCESS_ALLOWED_ACE *ace;
+ SECURITY_ATTRIBUTES sa;
STARTUPINFOA startup;
PSID psid;
- if (!pDuplicateTokenEx || !pConvertStringSidToSidA || !pAddAccessAllowedAceEx || !pGetAce || !pSetEntriesInAclW)
+ if (!pDuplicateTokenEx || !pConvertStringSidToSidA || !pAddAccessAllowedAceEx || !pGetAce
+ || !pSetEntriesInAclW)
{
win_skip("Some functions not available\n");
return;
ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
- ok(ret, "InitializeSecurityDescriptor failed with %u\n", GetLastError());
+ ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
- ret = InitializeAcl(pAcl, 256, ACL_REVISION);
- ok(ret, "InitializeAcl failed with %u\n", GetLastError());
+ ret = InitializeAcl(acl, 256, ACL_REVISION);
+ ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
ret = pConvertStringSidToSidA("S-1-5-6", &psid);
- ok(ret, "ConvertStringSidToSidA failed with %u\n", GetLastError());
+ ok(ret, "ConvertStringSidToSidA failed with error %u\n", GetLastError());
- ret = pAddAccessAllowedAceEx(pAcl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, GENERIC_ALL, psid);
- ok(ret, "AddAccessAllowedAceEx failed with %u\n", GetLastError());
+ ret = pAddAccessAllowedAceEx(acl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, GENERIC_ALL, psid);
+ ok(ret, "AddAccessAllowedAceEx failed with error %u\n", GetLastError());
- ret = SetSecurityDescriptorDacl(sd, TRUE, pAcl, FALSE);
- ok(ret, "SetSecurityDescriptorDacl failed with %u\n", GetLastError());
+ ret = SetSecurityDescriptorDacl(sd, TRUE, acl, FALSE);
+ ok(ret, "SetSecurityDescriptorDacl failed with error %u\n", GetLastError());
- sa.nLength = sizeof(SECURITY_ATTRIBUTES);
+ sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = sd;
- sa.bInheritHandle = FALSE;
+ sa.bInheritHandle = FALSE;
ret = pDuplicateTokenEx(token, MAXIMUM_ALLOWED, &sa, SecurityImpersonation, TokenImpersonation, &token2);
- ok(ret, "DuplicateTokenEx failed with %u\n", GetLastError());
+ ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
ret = GetKernelObjectSecurity(token2, DACL_SECURITY_INFORMATION, NULL, 0, &size);
ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
- "GetKernelObjectSecurity failed with %u\n", GetLastError());
+ "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
sd2 = HeapAlloc(GetProcessHeap(), 0, size);
ret = GetKernelObjectSecurity(token2, DACL_SECURITY_INFORMATION, sd2, size, &size);
- ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- pAcl2 = (void *)0xdeadbeef;
+ acl2 = (void *)0xdeadbeef;
present = FALSE;
defaulted = TRUE;
- ret = GetSecurityDescriptorDacl(sd2, &present, &pAcl2, &defaulted);
- ok(ret, "GetSecurityDescriptorDacl failed with %u\n", GetLastError());
- ok(present, "pAcl2 not present\n");
- ok(pAcl2 != (void *)0xdeadbeef, "pAcl2 not set\n");
- ok(pAcl2->AceCount == 1, "Expected 1 ACEs, got %d\n", pAcl2->AceCount);
- ok(!defaulted, "pAcl2 defaulted\n");
+ ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
+ ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
+ ok(present, "acl2 not present\n");
+ ok(acl2 != (void *)0xdeadbeef, "acl2 not set\n");
+ ok(acl2->AceCount == 1, "Expected 1 ACE, got %d\n", acl2->AceCount);
+ ok(!defaulted, "acl2 defaulted\n");
+
+ ret = pGetAce(acl2, 0, (void **)&ace);
+ ok(ret, "GetAce failed with error %u\n", GetLastError());
+ ok(ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE, "Unexpected ACE type %#x\n", ace->Header.AceType);
+ ok(EqualSid(&ace->SidStart, psid), "Expected access allowed ACE\n");
+ ok(ace->Header.AceFlags == NO_PROPAGATE_INHERIT_ACE,
+ "Expected NO_PROPAGATE_INHERIT_ACE as flags, got %x\n", ace->Header.AceFlags);
- index = 0;
- found = FALSE;
- while (pGetAce( pAcl2, index++, (void **)&ace ))
- {
- if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
- {
- found = TRUE;
- ok(ace->Header.AceFlags == NO_PROPAGATE_INHERIT_ACE,
- "Expected NO_PROPAGATE_INHERIT_ACE as flags, got %x\n", ace->Header.AceFlags);
- }
- }
- ok(found, "Could not find access allowed ace\n");
-
- HeapFree( GetProcessHeap(), 0, sd2);
+ HeapFree(GetProcessHeap(), 0, sd2);
/* Duplicate token without security attributes.
- * Tokens do not inherit the security descriptor when calling DuplicateToken,
- * see https://blogs.msdn.microsoft.com/oldnewthing/20160512-00/?p=93447
- */
+ * Tokens do not inherit the security descriptor in DuplicateToken. */
ret = pDuplicateTokenEx(token2, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenImpersonation, &token3);
- ok(ret, "DuplicateTokenEx failed with %u\n", GetLastError());
+ ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
ret = GetKernelObjectSecurity(token3, DACL_SECURITY_INFORMATION, NULL, 0, &size);
ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
- "GetKernelObjectSecurity failed with %u\n", GetLastError());
+ "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
sd2 = HeapAlloc(GetProcessHeap(), 0, size);
ret = GetKernelObjectSecurity(token3, DACL_SECURITY_INFORMATION, sd2, size, &size);
- ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- pAcl2 = (void *)0xdeadbeef;
+ acl2 = (void *)0xdeadbeef;
present = FALSE;
defaulted = TRUE;
- ret = GetSecurityDescriptorDacl(sd2, &present, &pAcl2, &defaulted);
- ok(ret, "GetSecurityDescriptorDacl failed with %u\n", GetLastError());
- todo_wine
- ok(present, "pAcl2 not present\n");
- ok(pAcl2 != (void *)0xdeadbeef, "pAcl2 not set\n");
- ok(!defaulted, "pAcl2 defaulted\n");
+ ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
+ ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
+ ok(present, "DACL not present\n");
- if (pAcl2)
+ if (present)
{
+ ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
+ ok(!defaulted, "DACL defaulted\n");
+
index = 0;
found = FALSE;
- while (pGetAce( pAcl2, index++, (void **)&ace ))
+ while (pGetAce(acl2, index++, (void **)&ace))
{
if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
found = TRUE;
}
- ok(!found, "Access allowed ace got inherited!\n");
+ ok(!found, "Access allowed ACE was inherited\n");
}
HeapFree(GetProcessHeap(), 0, sd2);
- /* When creating a child process, the process does only inherit the
- * Token of the parent, but not the DACL of the token.
- */
+ /* When creating a child process, the process does inherit the token of
+ * the parent but not the DACL of the token */
ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, NULL, 0, &size);
ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
- "GetKernelObjectSecurity failed with %u\n", GetLastError());
+ "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
sd2 = HeapAlloc(GetProcessHeap(), 0, size);
ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, sd2, size, &size);
- ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- pAcl2 = (void *)0xdeadbeef;
+ acl2 = (void *)0xdeadbeef;
present = FALSE;
defaulted = TRUE;
- ret = GetSecurityDescriptorDacl(sd2, &present, &pAcl2, &defaulted);
- ok(ret, "GetSecurityDescriptorDacl failed with %u\n", GetLastError());
- ok(present, "pAcl2 not present\n");
- ok(pAcl2 != (void *)0xdeadbeef, "pAcl2 not set\n");
- ok(!defaulted, "pAcl2 defaulted\n");
-
- /* check that the ace we add for testing does not already exist! */
- if (pAcl2)
- {
- index = 0;
- found = FALSE;
- while (pGetAce( pAcl2, index++, (void **)&ace ))
- {
- if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
- found = TRUE;
- }
- ok(!found, "Test ace does already exist!\n");
- }
+ ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
+ ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
+ ok(present, "DACL not present\n");
+ ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
+ ok(!defaulted, "DACL defaulted\n");
exp_access.grfAccessPermissions = GENERIC_ALL;
exp_access.grfAccessMode = GRANT_ACCESS;
exp_access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
exp_access.Trustee.ptstrName = (void*)psid;
- retd = pSetEntriesInAclW(1, &exp_access, pAcl2, &pAclChild);
+ retd = pSetEntriesInAclW(1, &exp_access, acl2, &acl_child);
ok(retd == ERROR_SUCCESS, "Expected ERROR_SUCCESS, got %u\n", retd);
memset(sd, 0, sizeof(buffer_sd));
ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
- ok(ret, "InitializeSecurityDescriptor failed with %u\n", GetLastError());
+ ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
- ret = SetSecurityDescriptorDacl(sd, TRUE, pAclChild, FALSE);
- ok(ret, "SetSecurityDescriptorDacl failed with %u\n", GetLastError());
+ ret = SetSecurityDescriptorDacl(sd, TRUE, acl_child, FALSE);
+ ok(ret, "SetSecurityDescriptorDacl failed with error %u\n", GetLastError());
ret = SetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, sd);
- ok(ret, "SetKernelObjectSecurity failed with %u\n", GetLastError());
+ ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
/* The security label is also not inherited */
if (pAddMandatoryAce)
{
- ret = InitializeAcl(pAcl, 256, ACL_REVISION);
- ok(ret, "InitializeAcl failed with %u\n", GetLastError());
+ memset(buffer_integrity, 0, sizeof(buffer_integrity));
+ ret = GetTokenInformation(token, TokenIntegrityLevel, buffer_integrity, sizeof(buffer_integrity), &size);
+ ok(ret, "GetTokenInformation failed with error %u\n", GetLastError());
+ tml = (TOKEN_MANDATORY_LABEL *)buffer_integrity;
+ ok(EqualSid(tml->Label.Sid, &medium_level) || EqualSid(tml->Label.Sid, &high_level),
+ "Expected medium or high integrity level\n");
+
+ if (EqualSid(tml->Label.Sid, &high_level))
+ {
+ DWORD process_id;
+ HANDLE process;
+ HWND shell;
+
+ /* This test tries to get a medium token and then impersonates this token. The
+ * idea is to check whether the sd label of a newly created token depends on the
+ * current active token or the integrity level of the newly created token. */
+
+ /* Steal process token of the explorer.exe process */
+ shell = GetShellWindow();
+ todo_wine ok(shell != NULL, "Failed to get shell window\n");
+ if (!shell) shell = GetDesktopWindow(); /* FIXME: Workaround for Wine */
+ ok(GetWindowThreadProcessId(shell, &process_id),
+ "Failed to get process id of shell window: %u\n", GetLastError());
+ process = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, process_id);
+ ok(process != NULL, "Failed to open process: %u\n", GetLastError());
+ ok(OpenProcessToken(process, TOKEN_ALL_ACCESS, &token4),
+ "Failed to open process token: %u\n", GetLastError());
+ CloseHandle(process);
+
+ /* Check TokenIntegrityLevel and LABEL_SECURITY_INFORMATION of explorer.exe token */
+ memset(buffer_integrity, 0, sizeof(buffer_integrity));
+ ret = GetTokenInformation(token4, TokenIntegrityLevel, buffer_integrity, sizeof(buffer_integrity), &size);
+ ok(ret, "GetTokenInformation failed with error %u\n", GetLastError());
+ tml = (TOKEN_MANDATORY_LABEL *)buffer_integrity;
+ ok(EqualSid(tml->Label.Sid, &medium_level), "Expected medium integrity level\n");
+
+ size = 0;
+ ret = GetKernelObjectSecurity(token4, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
+
+ sd3 = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);
+ ret = GetKernelObjectSecurity(token4, LABEL_SECURITY_INFORMATION, sd3, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
+
+ sacl = NULL;
+ ret = GetSecurityDescriptorSacl(sd3, &present, &sacl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(present, "No SACL in the security descriptor\n");
+ ok(sacl != NULL, "NULL SACL in the security descriptor\n");
+
+ if (sacl)
+ {
+ ret = pGetAce(sacl, 0, (void **)&ace);
+ ok(ret, "GetAce failed with error %u\n", GetLastError());
+ ok(ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+ "Unexpected ACE type %#x\n", ace->Header.AceType);
+ ok(EqualSid(&ace->SidStart, &medium_level),
+ "Expected medium integrity level\n");
+ }
+
+ HeapFree(GetProcessHeap(), 0, sd3);
+
+ /* Start child process with the explorer.exe token */
+ memset(&startup, 0, sizeof(startup));
+ startup.cb = sizeof(startup);
+ startup.dwFlags = STARTF_USESHOWWINDOW;
+ startup.wShowWindow = SW_SHOWNORMAL;
+
+ sprintf(buffer, "%s tests/security.c test_token_sd_medium", myARGV[0]);
+ ret = CreateProcessAsUserA(token4, NULL, buffer, NULL, NULL, FALSE, 0, NULL, NULL, &startup, &info);
+ ok(ret || GetLastError() == ERROR_PRIVILEGE_NOT_HELD,
+ "CreateProcess failed with error %u\n", GetLastError());
+ if (ret)
+ {
+ winetest_wait_child_process(info.hProcess);
+ CloseHandle(info.hProcess);
+ CloseHandle(info.hThread);
+ }
+ else
+ win_skip("Skipping test for creating process with medium level token\n");
+
+ ret = DuplicateTokenEx(token4, 0, NULL, SecurityImpersonation, TokenImpersonation, &token5);
+ ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
+ ret = SetThreadToken(NULL, token5);
+ ok(ret, "SetThreadToken failed with error %u\n", GetLastError());
+ CloseHandle(token4);
+
+ /* Restrict current process token while impersonating a medium integrity token */
+ ret = CreateRestrictedToken(token, 0, 0, NULL, 0, NULL, 0, NULL, &token6);
+ ok(ret, "CreateRestrictedToken failed with error %u\n", GetLastError());
+
+ memset(buffer_integrity, 0, sizeof(buffer_integrity));
+ ret = GetTokenInformation(token6, TokenIntegrityLevel, buffer_integrity, sizeof(buffer_integrity), &size);
+ ok(ret, "GetTokenInformation failed with error %u\n", GetLastError());
+ tml = (TOKEN_MANDATORY_LABEL *)buffer_integrity;
+ ok(EqualSid(tml->Label.Sid, &high_level), "Expected high integrity level\n");
+
+ size = 0;
+ ret = GetKernelObjectSecurity(token6, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
+
+ sd3 = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);
+ ret = GetKernelObjectSecurity(token6, LABEL_SECURITY_INFORMATION, sd3, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
+
+ sacl = NULL;
+ ret = GetSecurityDescriptorSacl(sd3, &present, &sacl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(present, "No SACL in the security descriptor\n");
+ ok(sacl != NULL, "NULL SACL in the security descriptor\n");
+
+ if (sacl)
+ {
+ ret = pGetAce(sacl, 0, (void **)&ace);
+ ok(ret, "GetAce failed with error %u\n", GetLastError());
+ ok(ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+ "Unexpected ACE type %#x\n", ace->Header.AceType);
+ ok(EqualSid(&ace->SidStart, &medium_level),
+ "Expected medium integrity level\n");
+ }
+
+ HeapFree(GetProcessHeap(), 0, sd3);
+ RevertToSelf();
+ CloseHandle(token5);
+
+ /* Start child process with the restricted token */
+ sprintf(buffer, "%s tests/security.c test_token_sd_restricted", myARGV[0]);
+ ret = CreateProcessAsUserA(token6, NULL, buffer, NULL, NULL, FALSE, 0, NULL, NULL, &startup, &info);
+ ok(ret, "CreateProcess failed with error %u\n", GetLastError());
+ winetest_wait_child_process(info.hProcess);
+ CloseHandle(info.hProcess);
+ CloseHandle(info.hThread);
+ CloseHandle(token6);
+
+ /* DuplicateTokenEx should assign security label even when SA points to empty SD */
+ memset(sd, 0, sizeof(buffer_sd));
+ ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
+ ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
+
+ sa.nLength = sizeof(SECURITY_ATTRIBUTES);
+ sa.lpSecurityDescriptor = sd;
+ sa.bInheritHandle = FALSE;
+
+ ret = DuplicateTokenEx(token, 0, &sa, 0, TokenPrimary, &token6);
+ ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
+
+ size = 0;
+ ret = GetKernelObjectSecurity(token6, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
+
+ sd3 = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);
+ ret = GetKernelObjectSecurity(token6, LABEL_SECURITY_INFORMATION, sd3, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
+
+ sacl = NULL;
+ ret = GetSecurityDescriptorSacl(sd3, &present, &sacl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(present, "No SACL in the security descriptor\n");
+ ok(sacl != NULL, "NULL SACL in the security descriptor\n");
+
+ if (sacl)
+ {
+ ret = pGetAce(sacl, 0, (void **)&ace);
+ ok(ret, "GetAce failed with error %u\n", GetLastError());
+ ok(ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+ "Unexpected ACE type %#x\n", ace->Header.AceType);
+ ok(EqualSid(&ace->SidStart, &high_level),
+ "Expected high integrity level\n");
+ }
+
+ HeapFree(GetProcessHeap(), 0, sd3);
+ CloseHandle(token6);
+ }
+ else
+ skip("Skipping test, running without admin rights\n");
+
+ ret = InitializeAcl(acl, 256, ACL_REVISION);
+ ok(ret, "InitializeAcl failed with error %u\n", GetLastError());
- ret = pAddMandatoryAce(pAcl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
- ok(ret, "AddMandatoryAce failed with %u\n", GetLastError());
+ ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
+ ok(ret, "AddMandatoryAce failed with error %u\n", GetLastError());
memset(sd, 0, sizeof(buffer_sd));
ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
- ok(ret, "InitializeSecurityDescriptor failed with %u\n", GetLastError());
+ ok(ret, "InitializeSecurityDescriptor failed with error %u\n", GetLastError());
- ret = SetSecurityDescriptorSacl(sd, TRUE, pAcl, FALSE);
- ok(ret, "SetSecurityDescriptorSacl failed with %u\n", GetLastError());
+ ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
+ ok(ret, "SetSecurityDescriptorSacl failed with error %u\n", GetLastError());
ret = SetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd);
- ok(ret, "SetKernelObjectSecurity failed with %u\n", GetLastError());
+ ok(ret, "SetKernelObjectSecurity failed with error %u\n", GetLastError());
+
+ /* changing the label of the security descriptor does not change the integrity level of the token itself */
+ memset(buffer_integrity, 0, sizeof(buffer_integrity));
+ ret = GetTokenInformation(token, TokenIntegrityLevel, buffer_integrity, sizeof(buffer_integrity), &size);
+ ok(ret, "GetTokenInformation failed with error %u\n", GetLastError());
+ tml = (TOKEN_MANDATORY_LABEL *)buffer_integrity;
+ ok(EqualSid(tml->Label.Sid, &medium_level) || EqualSid(tml->Label.Sid, &high_level),
+ "Expected medium or high integrity level\n");
+
+ /* restricting / duplicating a token resets the mandatory sd label */
+ ret = CreateRestrictedToken(token, 0, 0, NULL, 0, NULL, 0, NULL, &token4);
+ ok(ret, "CreateRestrictedToken failed with error %u\n", GetLastError());
+
+ memset(buffer_integrity, 0, sizeof(buffer_integrity));
+ ret = GetTokenInformation(token4, TokenIntegrityLevel, buffer_integrity, sizeof(buffer_integrity), &size);
+ ok(ret, "GetTokenInformation failed with error %u\n", GetLastError());
+ tml = (TOKEN_MANDATORY_LABEL *)buffer_integrity;
+ ok(EqualSid(tml->Label.Sid, &medium_level) || EqualSid(tml->Label.Sid, &high_level),
+ "Expected medium or high integrity level\n");
+
+ size = 0;
+ ret = GetKernelObjectSecurity(token4, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
+
+ sd3 = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);
+ ret = GetKernelObjectSecurity(token4, LABEL_SECURITY_INFORMATION, sd3, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
+
+ ret = GetSecurityDescriptorSacl(sd3, &present, &sacl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(present, "No SACL in the security descriptor\n");
+ ok(sacl != NULL, "NULL SACL in the security descriptor\n");
+
+ if (sacl)
+ {
+ ret = pGetAce(sacl, 0, (void **)&ace);
+ ok(ret, "GetAce failed with error %u\n", GetLastError());
+ ok(ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+ "Unexpected ACE type %#x\n", ace->Header.AceType);
+ ok(EqualSid(&ace->SidStart, &medium_level) || EqualSid(&ace->SidStart, &high_level),
+ "Low integrity level should not have been inherited\n");
+ }
+
+ HeapFree(GetProcessHeap(), 0, sd3);
+ CloseHandle(token4);
+
+ ret = DuplicateTokenEx(token, 0, NULL, 0, TokenPrimary, &token4);
+ ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
+
+ memset(buffer_integrity, 0, sizeof(buffer_integrity));
+ ret = GetTokenInformation(token4, TokenIntegrityLevel, buffer_integrity, sizeof(buffer_integrity), &size);
+ ok(ret, "GetTokenInformation failed with error %u\n", GetLastError());
+ tml = (TOKEN_MANDATORY_LABEL*) buffer_integrity;
+ ok(EqualSid(tml->Label.Sid, &medium_level) || EqualSid(tml->Label.Sid, &high_level),
+ "Expected medium or high integrity level\n");
+
+ size = 0;
+ ret = GetKernelObjectSecurity(token4, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
+
+ sd3 = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);
+ ret = GetKernelObjectSecurity(token4, LABEL_SECURITY_INFORMATION, sd3, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
+
+ sacl = NULL;
+ ret = GetSecurityDescriptorSacl(sd3, &present, &sacl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(present, "No SACL in the security descriptor\n");
+ ok(sacl != NULL, "NULL SACL in the security descriptor\n");
+
+ if (sacl)
+ {
+ ret = pGetAce(sacl, 0, (void **)&ace);
+ ok(ret, "GetAce failed with error %u\n", GetLastError());
+ ok(ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+ "Unexpected ACE type %#x\n", ace->Header.AceType);
+ ok(EqualSid(&ace->SidStart, &medium_level) || EqualSid(&ace->SidStart, &high_level),
+ "Low integrity level should not have been inherited\n");
+ }
+
+ HeapFree(GetProcessHeap(), 0, sd3);
+ CloseHandle(token4);
}
else
win_skip("SYSTEM_MANDATORY_LABEL not supported\n");
- /* start child process with our modified token */
+ /* Start child process with our modified token */
memset(&startup, 0, sizeof(startup));
startup.cb = sizeof(startup);
startup.dwFlags = STARTF_USESHOWWINDOW;
CloseHandle(info.hProcess);
CloseHandle(info.hThread);
- LocalFree(pAclChild);
+ LocalFree(acl_child);
LocalFree(psid);
CloseHandle(token3);
static void test_child_token_sd(void)
{
static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
- {SECURITY_MANDATORY_LOW_RID}};
+ {SECURITY_MANDATORY_LOW_RID}};
SYSTEM_MANDATORY_LABEL_ACE *ace_label;
- BOOL ret, present, defaulted, found;
- ACCESS_ALLOWED_ACE *ace_acc;
+ BOOL ret, present, defaulted;
+ ACCESS_ALLOWED_ACE *acc_ace;
SECURITY_DESCRIPTOR *sd;
- DWORD size, index;
+ DWORD size, i;
HANDLE token;
- ACL *pAcl;
PSID psid;
+ ACL *acl;
ret = pConvertStringSidToSidA("S-1-5-6", &psid);
- ok(ret, "ConvertStringSidToSidA failed with %u\n", GetLastError());
+ ok(ret, "ConvertStringSidToSidA failed with error %u\n", GetLastError());
ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, NULL, 0, &size);
ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
- "GetKernelObjectSecurity failed with %u\n", GetLastError());
+ "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
sd = HeapAlloc(GetProcessHeap(), 0, size);
ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, sd, size, &size);
- ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- pAcl = NULL;
+ acl = NULL;
present = FALSE;
defaulted = TRUE;
- ret = GetSecurityDescriptorDacl(sd, &present, &pAcl, &defaulted);
- ok(ret, "GetSecurityDescriptorSacl failed with %u\n", GetLastError());
+ ret = GetSecurityDescriptorDacl(sd, &present, &acl, &defaulted);
+ ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
+ ok(present, "DACL not present\n");
+ ok(acl && acl != (void *)0xdeadbeef, "Got invalid DACL\n");
+ ok(!defaulted, "DACL defaulted\n");
- index = 0;
- found = FALSE;
- if (present && pAcl)
+ ok(acl->AceCount, "Expected at least one ACE\n");
+ for (i = 0; i < acl->AceCount; i++)
{
- ok(pAcl->AceCount > 0, "Expected at least one ACE\n");
- while (pGetAce( pAcl, index++, (void **)&ace_acc ))
- {
- if (ace_acc->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace_acc->SidStart, psid))
- found = TRUE;
- }
+ ok(pGetAce(acl, i, (void **)&acc_ace), "GetAce failed with error %u\n", GetLastError());
+ ok(acc_ace->Header.AceType != ACCESS_ALLOWED_ACE_TYPE || !EqualSid(&acc_ace->SidStart, psid),
+ "ACE inherited from the parent\n");
}
- ok(!found, "The ACE should not haven been inherited from the parent\n");
LocalFree(psid);
HeapFree(GetProcessHeap(), 0, sd);
ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
- "GetKernelObjectSecurity failed with %u\n", GetLastError());
+ "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
sd = HeapAlloc(GetProcessHeap(), 0, size);
ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd, size, &size);
- ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- pAcl = NULL;
+ acl = NULL;
present = FALSE;
defaulted = TRUE;
- ret = GetSecurityDescriptorSacl(sd, &present, &pAcl, &defaulted);
- ok(ret, "GetSecurityDescriptorSacl failed with %u\n", GetLastError());
+ ret = GetSecurityDescriptorSacl(sd, &present, &acl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(present, "SACL not present\n");
+ ok(acl && acl != (void *)0xdeadbeef, "Got invalid SACL\n");
+ ok(!defaulted, "SACL defaulted\n");
+ ok(acl->AceCount == 1, "Expected exactly one ACE\n");
+ ret = pGetAce(acl, 0, (void **)&ace_label);
+ ok(ret, "GetAce failed with error %u\n", GetLastError());
+ ok(ace_label->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+ "Unexpected ACE type %#x\n", ace_label->Header.AceType);
+ ok(!EqualSid(&ace_label->SidStart, &low_level),
+ "Low integrity level should not have been inherited\n");
- index = 0;
- found = FALSE;
- if (present && pAcl)
+ HeapFree(GetProcessHeap(), 0, sd);
+}
+
+static void test_child_token_sd_restricted(void)
+{
+ static SID high_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
+ {SECURITY_MANDATORY_HIGH_RID}};
+ SYSTEM_MANDATORY_LABEL_ACE *ace_label;
+ BOOL ret, present, defaulted;
+ TOKEN_MANDATORY_LABEL *tml;
+ BYTE buffer_integrity[64];
+ SECURITY_DESCRIPTOR *sd;
+ HANDLE token;
+ DWORD size;
+ ACL *acl;
+
+ if (!pAddMandatoryAce)
{
- while (pGetAce( pAcl, index++, (void **)&ace_label ))
- {
- if (ace_label->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE && EqualSid(&ace_label->SidStart, &low_level))
- found = TRUE;
- }
+ win_skip("SYSTEM_MANDATORY_LABEL not supported\n");
+ return;
}
- ok(!found, "Low integrity level should not have been inherited\n");
+
+ ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
+ ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
+
+ ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
+
+ sd = HeapAlloc(GetProcessHeap(), 0, size);
+ ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
+
+ acl = NULL;
+ present = FALSE;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorSacl(sd, &present, &acl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(present, "SACL not present\n");
+ ok(acl && acl != (void *)0xdeadbeef, "Got invalid SACL\n");
+ ok(!defaulted, "SACL defaulted\n");
+ ok(acl->AceCount == 1, "Expected exactly one ACE\n");
+ ret = pGetAce(acl, 0, (void **)&ace_label);
+ ok(ret, "GetAce failed with error %u\n", GetLastError());
+ ok(ace_label->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+ "Unexpected ACE type %#x\n", ace_label->Header.AceType);
+ ok(EqualSid(&ace_label->SidStart, &high_level),
+ "Expected high integrity level\n");
+
+ memset(buffer_integrity, 0, sizeof(buffer_integrity));
+ ret = GetTokenInformation(token, TokenIntegrityLevel, buffer_integrity, sizeof(buffer_integrity), &size);
+ ok(ret, "GetTokenInformation failed with error %u\n", GetLastError());
+ tml = (TOKEN_MANDATORY_LABEL *)buffer_integrity;
+ ok(EqualSid(tml->Label.Sid, &high_level), "Expected high integrity level\n");
HeapFree(GetProcessHeap(), 0, sd);
}
+static void test_child_token_sd_medium(void)
+{
+ static SID medium_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
+ {SECURITY_MANDATORY_MEDIUM_RID}};
+ SYSTEM_MANDATORY_LABEL_ACE *ace_label;
+ BOOL ret, present, defaulted;
+ TOKEN_MANDATORY_LABEL *tml;
+ BYTE buffer_integrity[64];
+ SECURITY_DESCRIPTOR *sd;
+ HANDLE token;
+ DWORD size;
+ ACL *acl;
+
+ if (!pAddMandatoryAce)
+ {
+ win_skip("SYSTEM_MANDATORY_LABEL not supported\n");
+ return;
+ }
+
+ ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
+ ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
+
+ ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
+
+ sd = HeapAlloc(GetProcessHeap(), 0, size);
+ ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
+
+ acl = NULL;
+ present = FALSE;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorSacl(sd, &present, &acl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(present, "SACL not present\n");
+ ok(acl && acl != (void *)0xdeadbeef, "Got invalid SACL\n");
+ ok(!defaulted, "SACL defaulted\n");
+ ok(acl->AceCount == 1, "Expected exactly one ACE\n");
+ ret = pGetAce(acl, 0, (void **)&ace_label);
+ ok(ret, "GetAce failed with error %u\n", GetLastError());
+ ok(ace_label->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+ "Unexpected ACE type %#x\n", ace_label->Header.AceType);
+ ok(EqualSid(&ace_label->SidStart, &medium_level),
+ "Expected medium integrity level\n");
+
+ memset(buffer_integrity, 0, sizeof(buffer_integrity));
+ ret = GetTokenInformation(token, TokenIntegrityLevel, buffer_integrity, sizeof(buffer_integrity), &size);
+ ok(ret, "GetTokenInformation failed with error %u\n", GetLastError());
+ tml = (TOKEN_MANDATORY_LABEL *)buffer_integrity;
+ ok(EqualSid(tml->Label.Sid, &medium_level), "Expected medium integrity level\n");
+
+ HeapFree(GetProcessHeap(), 0, sd);
+}
+
+static void test_GetExplicitEntriesFromAclW(void)
+{
+ static const WCHAR wszCurrentUser[] = { 'C','U','R','R','E','N','T','_','U','S','E','R','\0'};
+ SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
+ SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
+ PSID everyone_sid = NULL, users_sid = NULL;
+ EXPLICIT_ACCESSW access;
+ EXPLICIT_ACCESSW *access2;
+ PACL new_acl, old_acl = NULL;
+ ULONG count;
+ DWORD res;
+
+ if (!pGetExplicitEntriesFromAclW)
+ {
+ win_skip("GetExplicitEntriesFromAclW is not available\n");
+ return;
+ }
+
+ if (!pSetEntriesInAclW)
+ {
+ win_skip("SetEntriesInAclW is not available\n");
+ return;
+ }
+
+ old_acl = HeapAlloc(GetProcessHeap(), 0, 256);
+ res = InitializeAcl(old_acl, 256, ACL_REVISION);
+ if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
+ {
+ win_skip("ACLs not implemented - skipping tests\n");
+ HeapFree(GetProcessHeap(), 0, old_acl);
+ return;
+ }
+ ok(res, "InitializeAcl failed with error %d\n", GetLastError());
+
+ res = AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &everyone_sid);
+ ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
+
+ res = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &users_sid);
+ ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
+
+ res = AddAccessAllowedAce(old_acl, ACL_REVISION, KEY_READ, users_sid);
+ ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
+
+ access2 = NULL;
+ res = pGetExplicitEntriesFromAclW(old_acl, &count, &access2);
+ ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
+ ok(count == 1, "Expected count == 1, got %d\n", count);
+ ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
+ ok(access2[0].grfAccessPermissions == KEY_READ, "Expected KEY_READ, got %d\n", access2[0].grfAccessPermissions);
+ ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
+ ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
+ ok(EqualSid(access2[0].Trustee.ptstrName, users_sid), "Expected equal SIDs\n");
+ LocalFree(access2);
+
+ access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
+ access.Trustee.pMultipleTrustee = NULL;
+
+ access.grfAccessPermissions = KEY_WRITE;
+ access.grfAccessMode = GRANT_ACCESS;
+ access.grfInheritance = NO_INHERITANCE;
+ access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
+ access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
+ access.Trustee.ptstrName = everyone_sid;
+ res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
+ ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
+ ok(new_acl != NULL, "returned acl was NULL\n");
+
+ access2 = NULL;
+ res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
+ ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
+ ok(count == 2, "Expected count == 2, got %d\n", count);
+ ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
+ ok(access2[0].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[0].grfAccessPermissions);
+ ok(access2[0].Trustee.TrusteeType == TRUSTEE_IS_UNKNOWN,
+ "Expected TRUSTEE_IS_UNKNOWN trustee type, got %d\n", access2[0].Trustee.TrusteeType);
+ ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
+ ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
+ ok(EqualSid(access2[0].Trustee.ptstrName, everyone_sid), "Expected equal SIDs\n");
+ LocalFree(access2);
+ LocalFree(new_acl);
+
+ access.Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
+ res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
+ ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
+ ok(new_acl != NULL, "returned acl was NULL\n");
+
+ access2 = NULL;
+ res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
+ ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
+ ok(count == 2, "Expected count == 2, got %d\n", count);
+ ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
+ ok(access2[0].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[0].grfAccessPermissions);
+ ok(access2[0].Trustee.TrusteeType == TRUSTEE_IS_UNKNOWN,
+ "Expected TRUSTEE_IS_UNKNOWN trustee type, got %d\n", access2[0].Trustee.TrusteeType);
+ ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
+ ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
+ ok(EqualSid(access2[0].Trustee.ptstrName, everyone_sid), "Expected equal SIDs\n");
+ LocalFree(access2);
+ LocalFree(new_acl);
+
+ access.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
+ access.Trustee.ptstrName = (LPWSTR)wszCurrentUser;
+ res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
+ ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
+ ok(new_acl != NULL, "returned acl was NULL\n");
+
+ access2 = NULL;
+ res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
+ ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
+ ok(count == 2, "Expected count == 2, got %d\n", count);
+ ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
+ ok(access2[0].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[0].grfAccessPermissions);
+ ok(access2[0].Trustee.TrusteeType == TRUSTEE_IS_UNKNOWN,
+ "Expected TRUSTEE_IS_UNKNOWN trustee type, got %d\n", access2[0].Trustee.TrusteeType);
+ ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
+ ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
+ LocalFree(access2);
+ LocalFree(new_acl);
+
+ access.grfAccessMode = REVOKE_ACCESS;
+ access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
+ access.Trustee.ptstrName = users_sid;
+ res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
+ ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
+ ok(new_acl != NULL, "returned acl was NULL\n");
+
+ access2 = (void *)0xdeadbeef;
+ res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
+ ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
+ ok(count == 0, "Expected count == 0, got %d\n", count);
+ ok(access2 == NULL, "access2 was not NULL\n");
+ LocalFree(new_acl);
+
+ FreeSid(users_sid);
+ FreeSid(everyone_sid);
+ HeapFree(GetProcessHeap(), 0, old_acl);
+}
+
static void test_BuildSecurityDescriptorW(void)
{
SECURITY_DESCRIPTOR old_sd, *new_sd, *rel_sd;
{
if (!strcmp(myARGV[2], "test_token_sd"))
test_child_token_sd();
+ else if (!strcmp(myARGV[2], "test_token_sd_restricted"))
+ test_child_token_sd_restricted();
+ else if (!strcmp(myARGV[2], "test_token_sd_medium"))
+ test_child_token_sd_medium();
else
test_process_security_child();
return;
test_GetSidIdentifierAuthority();
test_pseudo_tokens();
test_maximum_allowed();
+ test_token_label();
test_GetExplicitEntriesFromAclW();
test_BuildSecurityDescriptorW();
- /* must be the last test, modifies process token */
+ /* Must be the last test, modifies process token */
test_token_security_descriptor();
}