+static void test_child_token_sd_medium(void)
+{
+ static SID medium_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
+ {SECURITY_MANDATORY_MEDIUM_RID}};
+ SYSTEM_MANDATORY_LABEL_ACE *ace_label;
+ BOOL ret, present, defaulted;
+ TOKEN_MANDATORY_LABEL *tml;
+ BYTE buffer_integrity[64];
+ SECURITY_DESCRIPTOR *sd;
+ HANDLE token;
+ DWORD size;
+ ACL *acl;
+
+ if (!pAddMandatoryAce)
+ {
+ win_skip("SYSTEM_MANDATORY_LABEL not supported\n");
+ return;
+ }
+
+ ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
+ ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
+
+ ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "Unexpected GetKernelObjectSecurity return value %d, error %u\n", ret, GetLastError());
+
+ sd = HeapAlloc(GetProcessHeap(), 0, size);
+ ret = GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
+
+ acl = NULL;
+ present = FALSE;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorSacl(sd, &present, &acl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
+ ok(present, "SACL not present\n");
+ ok(acl && acl != (void *)0xdeadbeef, "Got invalid SACL\n");
+ ok(!defaulted, "SACL defaulted\n");
+ ok(acl->AceCount == 1, "Expected exactly one ACE\n");
+ ret = pGetAce(acl, 0, (void **)&ace_label);
+ ok(ret, "GetAce failed with error %u\n", GetLastError());
+ ok(ace_label->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+ "Unexpected ACE type %#x\n", ace_label->Header.AceType);
+ ok(EqualSid(&ace_label->SidStart, &medium_level),
+ "Expected medium integrity level\n");
+
+ memset(buffer_integrity, 0, sizeof(buffer_integrity));
+ ret = GetTokenInformation(token, TokenIntegrityLevel, buffer_integrity, sizeof(buffer_integrity), &size);
+ ok(ret, "GetTokenInformation failed with error %u\n", GetLastError());
+ tml = (TOKEN_MANDATORY_LABEL *)buffer_integrity;
+ ok(EqualSid(tml->Label.Sid, &medium_level), "Expected medium integrity level\n");
+
+ HeapFree(GetProcessHeap(), 0, sd);
+}
+
+static void test_GetExplicitEntriesFromAclW(void)
+{
+ static const WCHAR wszCurrentUser[] = { 'C','U','R','R','E','N','T','_','U','S','E','R','\0'};
+ SID_IDENTIFIER_AUTHORITY SIDAuthWorld = { SECURITY_WORLD_SID_AUTHORITY };
+ SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
+ PSID everyone_sid = NULL, users_sid = NULL;
+ EXPLICIT_ACCESSW access;
+ EXPLICIT_ACCESSW *access2;
+ PACL new_acl, old_acl = NULL;
+ ULONG count;
+ DWORD res;
+
+ if (!pGetExplicitEntriesFromAclW)
+ {
+ win_skip("GetExplicitEntriesFromAclW is not available\n");
+ return;
+ }
+
+ if (!pSetEntriesInAclW)
+ {
+ win_skip("SetEntriesInAclW is not available\n");
+ return;
+ }
+
+ old_acl = HeapAlloc(GetProcessHeap(), 0, 256);
+ res = InitializeAcl(old_acl, 256, ACL_REVISION);
+ if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
+ {
+ win_skip("ACLs not implemented - skipping tests\n");
+ HeapFree(GetProcessHeap(), 0, old_acl);
+ return;
+ }
+ ok(res, "InitializeAcl failed with error %d\n", GetLastError());
+
+ res = AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &everyone_sid);
+ ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
+
+ res = AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &users_sid);
+ ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
+
+ res = AddAccessAllowedAce(old_acl, ACL_REVISION, KEY_READ, users_sid);
+ ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
+
+ access2 = NULL;
+ res = pGetExplicitEntriesFromAclW(old_acl, &count, &access2);
+ ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
+ ok(count == 1, "Expected count == 1, got %d\n", count);
+ ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
+ ok(access2[0].grfAccessPermissions == KEY_READ, "Expected KEY_READ, got %d\n", access2[0].grfAccessPermissions);
+ ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
+ ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
+ ok(EqualSid(access2[0].Trustee.ptstrName, users_sid), "Expected equal SIDs\n");
+ LocalFree(access2);
+
+ access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
+ access.Trustee.pMultipleTrustee = NULL;
+
+ access.grfAccessPermissions = KEY_WRITE;
+ access.grfAccessMode = GRANT_ACCESS;
+ access.grfInheritance = NO_INHERITANCE;
+ access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
+ access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
+ access.Trustee.ptstrName = everyone_sid;
+ res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
+ ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
+ ok(new_acl != NULL, "returned acl was NULL\n");
+
+ access2 = NULL;
+ res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
+ ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
+ ok(count == 2, "Expected count == 2, got %d\n", count);
+ ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
+ ok(access2[0].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[0].grfAccessPermissions);
+ ok(access2[0].Trustee.TrusteeType == TRUSTEE_IS_UNKNOWN,
+ "Expected TRUSTEE_IS_UNKNOWN trustee type, got %d\n", access2[0].Trustee.TrusteeType);
+ ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
+ ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
+ ok(EqualSid(access2[0].Trustee.ptstrName, everyone_sid), "Expected equal SIDs\n");
+ LocalFree(access2);
+ LocalFree(new_acl);
+
+ access.Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
+ res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
+ ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
+ ok(new_acl != NULL, "returned acl was NULL\n");
+
+ access2 = NULL;
+ res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
+ ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
+ ok(count == 2, "Expected count == 2, got %d\n", count);
+ ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
+ ok(access2[0].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[0].grfAccessPermissions);
+ ok(access2[0].Trustee.TrusteeType == TRUSTEE_IS_UNKNOWN,
+ "Expected TRUSTEE_IS_UNKNOWN trustee type, got %d\n", access2[0].Trustee.TrusteeType);
+ ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
+ ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
+ ok(EqualSid(access2[0].Trustee.ptstrName, everyone_sid), "Expected equal SIDs\n");
+ LocalFree(access2);
+ LocalFree(new_acl);
+
+ access.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
+ access.Trustee.ptstrName = (LPWSTR)wszCurrentUser;
+ res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
+ ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
+ ok(new_acl != NULL, "returned acl was NULL\n");
+
+ access2 = NULL;
+ res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
+ ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
+ ok(count == 2, "Expected count == 2, got %d\n", count);
+ ok(access2[0].grfAccessMode == GRANT_ACCESS, "Expected GRANT_ACCESS, got %d\n", access2[0].grfAccessMode);
+ ok(access2[0].grfAccessPermissions == KEY_WRITE, "Expected KEY_WRITE, got %d\n", access2[0].grfAccessPermissions);
+ ok(access2[0].Trustee.TrusteeType == TRUSTEE_IS_UNKNOWN,
+ "Expected TRUSTEE_IS_UNKNOWN trustee type, got %d\n", access2[0].Trustee.TrusteeType);
+ ok(access2[0].Trustee.TrusteeForm == TRUSTEE_IS_SID, "Expected SID trustee, got %d\n", access2[0].Trustee.TrusteeForm);
+ ok(access2[0].grfInheritance == NO_INHERITANCE, "Expected NO_INHERITANCE, got %x\n", access2[0].grfInheritance);
+ LocalFree(access2);
+ LocalFree(new_acl);
+
+ access.grfAccessMode = REVOKE_ACCESS;
+ access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
+ access.Trustee.ptstrName = users_sid;
+ res = pSetEntriesInAclW(1, &access, old_acl, &new_acl);
+ ok(res == ERROR_SUCCESS, "SetEntriesInAclW failed: %u\n", res);
+ ok(new_acl != NULL, "returned acl was NULL\n");
+
+ access2 = (void *)0xdeadbeef;
+ res = pGetExplicitEntriesFromAclW(new_acl, &count, &access2);
+ ok(res == ERROR_SUCCESS, "GetExplicitEntriesFromAclW failed with error %d\n", GetLastError());
+ ok(count == 0, "Expected count == 0, got %d\n", count);
+ ok(access2 == NULL, "access2 was not NULL\n");
+ LocalFree(new_acl);
+
+ FreeSid(users_sid);
+ FreeSid(everyone_sid);
+ HeapFree(GetProcessHeap(), 0, old_acl);
+}
+