https://git.reactos.org/?p=reactos.git;a=commitdiff;h=f529033555bdfe7fb090e…
commit f529033555bdfe7fb090e8f21f1191187b21706b
Author: Pierre Schweitzer <pierre(a)reactos.org>
AuthorDate: Thu Jun 20 08:53:27 2019 +0200
Commit: Pierre Schweitzer <pierre(a)reactos.org>
CommitDate: Sun Jun 30 23:07:54 2019 +0200
[KMTESTS:OB] Add support for LUID mappings being disabled in ObSecurity tests
CORE-16114
---
modules/rostests/kmtests/include/kmt_platform.h | 1 +
modules/rostests/kmtests/ntos_ob/ObSecurity.c | 52 ++++++++++++++++++++-----
2 files changed, 44 insertions(+), 9 deletions(-)
diff --git a/modules/rostests/kmtests/include/kmt_platform.h
b/modules/rostests/kmtests/include/kmt_platform.h
index 4895bf25a31..2cdc9b655c8 100644
--- a/modules/rostests/kmtests/include/kmt_platform.h
+++ b/modules/rostests/kmtests/include/kmt_platform.h
@@ -24,6 +24,7 @@
#include <ndk/kefuncs.h>
#include <ndk/mmfuncs.h>
#include <ndk/obfuncs.h>
+#include <ndk/psfuncs.h>
#include <ndk/sefuncs.h>
#include <ntstrsafe.h>
#if defined KMT_FILTER_DRIVER
diff --git a/modules/rostests/kmtests/ntos_ob/ObSecurity.c
b/modules/rostests/kmtests/ntos_ob/ObSecurity.c
index 4ac9478074a..55f5a0fe4cb 100644
--- a/modules/rostests/kmtests/ntos_ob/ObSecurity.c
+++ b/modules/rostests/kmtests/ntos_ob/ObSecurity.c
@@ -124,18 +124,52 @@ CheckDirectorySecurity__(
START_TEST(ObSecurity)
{
+ NTSTATUS Status;
+ /* Assume yes, that's the default on W2K3 */
+ ULONG LUIDMappingsEnabled = 1, ReturnLength;
+
#define DIRECTORY_GENERIC_READ STANDARD_RIGHTS_READ | DIRECTORY_TRAVERSE |
DIRECTORY_QUERY
#define DIRECTORY_GENERIC_WRITE STANDARD_RIGHTS_WRITE | DIRECTORY_CREATE_SUBDIRECTORY
| DIRECTORY_CREATE_OBJECT
- CheckDirectorySecurityWithOwnerAndGroup(L"\\??",
SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users"
- 4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE |
- OBJECT_INHERIT_ACE,
SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS,
- ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE |
- OBJECT_INHERIT_ACE,
SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS,
- ACCESS_ALLOWED_ACE_TYPE, 0,
SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS,
- ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
- CONTAINER_INHERIT_ACE |
- OBJECT_INHERIT_ACE,
SeExports->SeCreatorOwnerSid,GENERIC_ALL);
+ /* Check if LUID device maps are enabled */
+ Status = ZwQueryInformationProcess(NtCurrentProcess(),
+ ProcessLUIDDeviceMapsEnabled,
+ &LUIDMappingsEnabled,
+ sizeof(LUIDMappingsEnabled),
+ &ReturnLength);
+ ok(NT_SUCCESS(Status), "NtQueryInformationProcess failed: 0x%x\n",
Status);
+
+ trace("LUID mappings are enabled: %d\n", LUIDMappingsEnabled);
+ if (LUIDMappingsEnabled != 0)
+ {
+ CheckDirectorySecurityWithOwnerAndGroup(L"\\??",
SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users"
+ 4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE,
SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE,
SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0,
SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE,
SeExports->SeCreatorOwnerSid,GENERIC_ALL);
+ }
+ else
+ {
+ CheckDirectorySecurityWithOwnerAndGroup(L"\\??",
SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users"
+ 6, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid,
READ_CONTROL | DIRECTORY_TRAVERSE | DIRECTORY_QUERY,
+ ACCESS_ALLOWED_ACE_TYPE, 0,
SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE,
SeExports->SeWorldSid, GENERIC_EXECUTE,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE,
SeExports->SeAliasAdminsSid,GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE,
SeExports->SeLocalSystemSid,GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE,
SeExports->SeCreatorOwnerSid,GENERIC_ALL);
+ }
CheckDirectorySecurity(L"\\",
4, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid,
DIRECTORY_GENERIC_READ,