From: Pierre Schweitzer Date: Thu, 20 Jun 2019 06:53:27 +0000 (+0200) Subject: [KMTESTS:OB] Add support for LUID mappings being disabled in ObSecurity tests X-Git-Tag: 0.4.14-dev~637 X-Git-Url: https://git.reactos.org/?p=reactos.git;a=commitdiff_plain;h=f529033555bdfe7fb090e8f21f1191187b21706b;ds=sidebyside [KMTESTS:OB] Add support for LUID mappings being disabled in ObSecurity tests CORE-16114 --- diff --git a/modules/rostests/kmtests/include/kmt_platform.h b/modules/rostests/kmtests/include/kmt_platform.h index 4895bf25a31..2cdc9b655c8 100644 --- a/modules/rostests/kmtests/include/kmt_platform.h +++ b/modules/rostests/kmtests/include/kmt_platform.h @@ -24,6 +24,7 @@ #include #include #include +#include #include #include #if defined KMT_FILTER_DRIVER diff --git a/modules/rostests/kmtests/ntos_ob/ObSecurity.c b/modules/rostests/kmtests/ntos_ob/ObSecurity.c index 4ac9478074a..55f5a0fe4cb 100644 --- a/modules/rostests/kmtests/ntos_ob/ObSecurity.c +++ b/modules/rostests/kmtests/ntos_ob/ObSecurity.c @@ -124,18 +124,52 @@ CheckDirectorySecurity__( START_TEST(ObSecurity) { + NTSTATUS Status; + /* Assume yes, that's the default on W2K3 */ + ULONG LUIDMappingsEnabled = 1, ReturnLength; + #define DIRECTORY_GENERIC_READ STANDARD_RIGHTS_READ | DIRECTORY_TRAVERSE | DIRECTORY_QUERY #define DIRECTORY_GENERIC_WRITE STANDARD_RIGHTS_WRITE | DIRECTORY_CREATE_SUBDIRECTORY | DIRECTORY_CREATE_OBJECT - CheckDirectorySecurityWithOwnerAndGroup(L"\\??", SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users" - 4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE | - OBJECT_INHERIT_ACE, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS, - ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE | - OBJECT_INHERIT_ACE, SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS, - ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS, - ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE | - CONTAINER_INHERIT_ACE | - OBJECT_INHERIT_ACE, SeExports->SeCreatorOwnerSid,GENERIC_ALL); + /* Check if LUID device maps are enabled */ + Status = ZwQueryInformationProcess(NtCurrentProcess(), + ProcessLUIDDeviceMapsEnabled, + &LUIDMappingsEnabled, + sizeof(LUIDMappingsEnabled), + &ReturnLength); + ok(NT_SUCCESS(Status), "NtQueryInformationProcess failed: 0x%x\n", Status); + + trace("LUID mappings are enabled: %d\n", LUIDMappingsEnabled); + if (LUIDMappingsEnabled != 0) + { + CheckDirectorySecurityWithOwnerAndGroup(L"\\??", SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users" + 4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE | + OBJECT_INHERIT_ACE, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS, + ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE | + OBJECT_INHERIT_ACE, SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS, + ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS, + ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE | + CONTAINER_INHERIT_ACE | + OBJECT_INHERIT_ACE, SeExports->SeCreatorOwnerSid,GENERIC_ALL); + } + else + { + CheckDirectorySecurityWithOwnerAndGroup(L"\\??", SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users" + 6, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid, READ_CONTROL | DIRECTORY_TRAVERSE | DIRECTORY_QUERY, + ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS, + ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE | + CONTAINER_INHERIT_ACE | + OBJECT_INHERIT_ACE, SeExports->SeWorldSid, GENERIC_EXECUTE, + ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE | + CONTAINER_INHERIT_ACE | + OBJECT_INHERIT_ACE, SeExports->SeAliasAdminsSid,GENERIC_ALL, + ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE | + CONTAINER_INHERIT_ACE | + OBJECT_INHERIT_ACE, SeExports->SeLocalSystemSid,GENERIC_ALL, + ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE | + CONTAINER_INHERIT_ACE | + OBJECT_INHERIT_ACE, SeExports->SeCreatorOwnerSid,GENERIC_ALL); + } CheckDirectorySecurity(L"\\", 4, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid, DIRECTORY_GENERIC_READ,