[KMTESTS:CM]
authorThomas Faber <thomas.faber@reactos.org>
Fri, 18 Sep 2015 11:06:11 +0000 (11:06 +0000)
committerThomas Faber <thomas.faber@reactos.org>
Fri, 18 Sep 2015 11:06:11 +0000 (11:06 +0000)
- Add a test for registry hive security descriptors

svn path=/trunk/; revision=69265

rostests/kmtests/CMakeLists.txt
rostests/kmtests/kmtest_drv/testlist.c
rostests/kmtests/ntos_cm/CmSecurity.c [new file with mode: 0644]

index b423908..2093302 100644 (file)
@@ -35,6 +35,7 @@ list(APPEND KMTEST_DRV_SOURCE
     npfs/NpfsHelpers.c
     npfs/NpfsReadWrite.c
     npfs/NpfsVolumeInfo.c
+    ntos_cm/CmSecurity.c
     ntos_ex/ExCallback.c
     ntos_ex/ExDoubleList.c
     ntos_ex/ExFastMutex.c
index 415df0e..b97b659 100644 (file)
@@ -7,6 +7,7 @@
 
 #include <kmt_test.h>
 
+KMT_TESTFUNC Test_CmSecurity;
 KMT_TESTFUNC Test_Example;
 KMT_TESTFUNC Test_ExCallback;
 KMT_TESTFUNC Test_ExDoubleList;
@@ -68,6 +69,7 @@ KMT_TESTFUNC Test_ZwMapViewOfSection;
 
 const KMT_TEST TestList[] =
 {
+    { "CmSecurity",                         Test_CmSecurity },
     { "ExCallback",                         Test_ExCallback },
     { "ExDoubleList",                       Test_ExDoubleList },
     { "ExFastMutex",                        Test_ExFastMutex },
diff --git a/rostests/kmtests/ntos_cm/CmSecurity.c b/rostests/kmtests/ntos_cm/CmSecurity.c
new file mode 100644 (file)
index 0000000..a0c1f55
--- /dev/null
@@ -0,0 +1,260 @@
+/*
+ * PROJECT:         ReactOS kernel-mode tests
+ * LICENSE:         LGPLv2+ - See COPYING.LIB in the top level directory
+ * PURPOSE:         Kernel-Mode Test Suite NPFS security test
+ * PROGRAMMER:      Thomas Faber <thomas.faber@reactos.org>
+ */
+
+#include <kmt_test.h>
+#include "../ntos_se/se.h"
+
+#define CheckKeySecurity(name, AceCount, ...) CheckKeySecurity_(name, AceCount, __FILE__, __LINE__, ##__VA_ARGS__)
+#define CheckKeySecurity_(name, AceCount, file, line, ...) CheckKeySecurity__(name, AceCount, file ":" KMT_STRINGIZE(line), ##__VA_ARGS__)
+static
+VOID
+CheckKeySecurity__(
+    _In_ PCWSTR KeyName,
+    _In_ ULONG AceCount,
+    _In_ PCSTR FileAndLine,
+    ...)
+{
+    NTSTATUS Status;
+    UNICODE_STRING KeyNameString;
+    OBJECT_ATTRIBUTES ObjectAttributes;
+    HANDLE KeyHandle;
+    PSECURITY_DESCRIPTOR SecurityDescriptor;
+    ULONG SecurityDescriptorSize;
+    PSID Owner;
+    PSID Group;
+    PACL Dacl;
+    PACL Sacl;
+    BOOLEAN Present;
+    BOOLEAN Defaulted;
+    va_list Arguments;
+
+    RtlInitUnicodeString(&KeyNameString, KeyName);
+    InitializeObjectAttributes(&ObjectAttributes,
+                               &KeyNameString,
+                               OBJ_KERNEL_HANDLE,
+                               NULL,
+                               NULL);
+    Status = ZwOpenKey(&KeyHandle,
+                       READ_CONTROL | ACCESS_SYSTEM_SECURITY,
+                       &ObjectAttributes);
+    ok_eq_hex(Status, STATUS_SUCCESS);
+    if (skip(NT_SUCCESS(Status), "No key (%ls)\n", KeyName))
+    {
+        return;
+    }
+
+    Status = ZwQuerySecurityObject(KeyHandle,
+                                   OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION,
+                                   NULL,
+                                   0,
+                                   &SecurityDescriptorSize);
+    ok_eq_hex(Status, STATUS_BUFFER_TOO_SMALL);
+    if (skip(Status == STATUS_BUFFER_TOO_SMALL, "No security size (%ls)\n", KeyName))
+    {
+        ObCloseHandle(KeyHandle, KernelMode);
+        return;
+    }
+
+    SecurityDescriptor = ExAllocatePoolWithTag(PagedPool,
+                                               SecurityDescriptorSize,
+                                               'dSmK');
+    ok(SecurityDescriptor != NULL, "Failed to allocate %lu bytes\n", SecurityDescriptorSize);
+    if (skip(SecurityDescriptor != NULL, "No memory for descriptor (%ls)\n", KeyName))
+    {
+        ObCloseHandle(KeyHandle, KernelMode);
+        return;
+    }
+
+    Status = ZwQuerySecurityObject(KeyHandle,
+                                   OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION,
+                                   SecurityDescriptor,
+                                   SecurityDescriptorSize,
+                                   &SecurityDescriptorSize);
+    ok_eq_hex(Status, STATUS_SUCCESS);
+    if (NT_SUCCESS(Status))
+    {
+        Owner = NULL;
+        Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
+                                               &Owner,
+                                               &Defaulted);
+        CheckSid(Owner, NO_SIZE, SeExports->SeAliasAdminsSid);
+        ok(Defaulted == FALSE, "Owner defaulted for %ls\n", KeyName);
+
+        Group = NULL;
+        Status = RtlGetGroupSecurityDescriptor(SecurityDescriptor,
+                                               &Group,
+                                               &Defaulted);
+        CheckSid(Group, NO_SIZE, SeExports->SeLocalSystemSid);
+        ok(Defaulted == FALSE, "Group defaulted for %ls\n", KeyName);
+
+        Dacl = NULL;
+        Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
+                                              &Present,
+                                              &Dacl,
+                                              &Defaulted);
+        ok_eq_hex(Status, STATUS_SUCCESS);
+        ok(Present == TRUE, "DACL not present for %ls\n", KeyName);
+        ok(Defaulted == FALSE, "DACL defaulted for %ls\n", KeyName);
+        va_start(Arguments, FileAndLine);
+        VCheckAcl__(Dacl, AceCount, FileAndLine, Arguments);
+        va_end(Arguments);
+
+        Sacl = NULL;
+        Status = RtlGetSaclSecurityDescriptor(SecurityDescriptor,
+                                              &Present,
+                                              &Sacl,
+                                              &Defaulted);
+        ok_eq_hex(Status, STATUS_SUCCESS);
+        ok(Present == FALSE, "SACL present for %ls\n", KeyName);
+        ok(Defaulted == FALSE, "SACL defaulted for %ls\n", KeyName);
+        ok(Sacl == NULL, "Sacl is %p for %ls\n", Sacl, KeyName);
+    }
+    ExFreePoolWithTag(SecurityDescriptor, 'dSmK');
+    ObCloseHandle(KeyHandle, KernelMode);
+}
+
+START_TEST(CmSecurity)
+{
+    SID_IDENTIFIER_AUTHORITY NtSidAuthority = {SECURITY_NT_AUTHORITY};
+    PSID TerminalServerSid;
+
+    TerminalServerSid = ExAllocatePoolWithTag(PagedPool,
+                                              RtlLengthRequiredSid(1),
+                                              'iSmK');
+    if (TerminalServerSid != NULL)
+    {
+        RtlInitializeSid(TerminalServerSid, &NtSidAuthority, 1);
+        *RtlSubAuthoritySid(TerminalServerSid, 0) = SECURITY_TERMINAL_SERVER_RID;
+    }
+    CheckKeySecurity(L"\\REGISTRY",
+                     4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid,       KEY_READ,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid,  KEY_READ);
+
+    CheckKeySecurity(L"\\REGISTRY\\MACHINE",
+                     4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid,       KEY_READ,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid,  KEY_READ);
+
+    CheckKeySecurity(L"\\REGISTRY\\MACHINE\\HARDWARE",
+                     4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid,       KEY_READ,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid,  KEY_READ);
+
+    CheckKeySecurity(L"\\REGISTRY\\MACHINE\\SAM",
+                     4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid,       KEY_READ,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid,  KEY_READ);
+
+    CheckKeySecurity(L"\\REGISTRY\\MACHINE\\SECURITY",
+                     2, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, WRITE_DAC | READ_CONTROL);
+
+    CheckKeySecurity(L"\\REGISTRY\\MACHINE\\SOFTWARE",
+                    12, ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasUsersSid,      KEY_READ,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid,      GENERIC_READ,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasPowerUsersSid, KEY_READ | KEY_WRITE | DELETE,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ | GENERIC_WRITE | DELETE,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasAdminsSid,     KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid,     GENERIC_ALL,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeLocalSystemSid,     KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid,     GENERIC_ALL,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasAdminsSid,     KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid,    GENERIC_ALL,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, TerminalServerSid,               KEY_READ | KEY_WRITE | DELETE,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, TerminalServerSid,               GENERIC_READ | GENERIC_WRITE | DELETE);
+
+    CheckKeySecurity(L"\\REGISTRY\\MACHINE\\SYSTEM",
+                    10, ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasUsersSid,      KEY_READ,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid,      GENERIC_READ,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasPowerUsersSid, KEY_READ,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasAdminsSid,     KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid,     GENERIC_ALL,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeLocalSystemSid,     KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid,     GENERIC_ALL,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasAdminsSid,     KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid,    GENERIC_ALL);
+
+    CheckKeySecurity(L"\\REGISTRY\\USER",
+                     4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid,       KEY_READ,
+                        ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid,  KEY_READ);
+
+    CheckKeySecurity(L"\\REGISTRY\\USER\\.DEFAULT",
+                    10, ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasUsersSid,      KEY_READ,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid,      GENERIC_READ,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasPowerUsersSid, KEY_READ,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasAdminsSid,     KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid,     GENERIC_ALL,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeLocalSystemSid,     KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid,     GENERIC_ALL,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasAdminsSid,     KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid,    GENERIC_ALL);
+
+    CheckKeySecurity(L"\\REGISTRY\\USER\\S-1-5-18",
+                    10, ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasUsersSid,      KEY_READ,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid,      GENERIC_READ,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasPowerUsersSid, KEY_READ,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasAdminsSid,     KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid,     GENERIC_ALL,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeLocalSystemSid,     KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid,     GENERIC_ALL,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasAdminsSid,     KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid,    GENERIC_ALL);
+
+    CheckKeySecurity(L"\\REGISTRY\\USER\\S-1-5-20",
+                     8, ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeNetworkServiceSid,  KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeLocalSystemSid,     KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeAliasAdminsSid,     KEY_ALL_ACCESS,
+                        ACCESS_ALLOWED_ACE_TYPE,                     0, SeExports->SeRestrictedSid,      KEY_READ,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE |
+                                                 OBJECT_INHERIT_ACE,    SeExports->SeNetworkServiceSid,  GENERIC_ALL,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE |
+                                                 OBJECT_INHERIT_ACE,    SeExports->SeLocalSystemSid,     GENERIC_ALL,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE |
+                                                 OBJECT_INHERIT_ACE,    SeExports->SeAliasAdminsSid,     GENERIC_ALL,
+                        ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+                                                 CONTAINER_INHERIT_ACE |
+                                                 OBJECT_INHERIT_ACE,    SeExports->SeRestrictedSid,      GENERIC_READ);
+
+    if (TerminalServerSid != NULL)
+    {
+        ExFreePoolWithTag(TerminalServerSid, 'iSmK');
+    }
+}