[tfaber] 72976: [KMTESTS:OB] - Add a test for the NT directory structure's ACLs CORE-9184
17 Oct
2016
17 Oct
'16
9:28 a.m.
Author: tfaber
Date: Mon Oct 17 09:28:15 2016
New Revision: 72976
URL: http://svn.reactos.org/svn/reactos?rev=72976&view=rev
Log:
[KMTESTS:OB]
- Add a test for the NT directory structure's ACLs
CORE-9184
Added:
trunk/rostests/kmtests/ntos_ob/ObSecurity.c (with props)
Modified:
trunk/rostests/kmtests/CMakeLists.txt
trunk/rostests/kmtests/kmtest_drv/testlist.c
Modified: trunk/rostests/kmtests/CMakeLists.txt
URL:
http://svn.reactos.org/svn/reactos/trunk/rostests/kmtests/CMakeLists.txt?re…
==============================================================================
--- trunk/rostests/kmtests/CMakeLists.txt [iso-8859-1] (original)
+++ trunk/rostests/kmtests/CMakeLists.txt [iso-8859-1] Mon Oct 17 09:28:15 2016
@@ -79,6 +79,7 @@
ntos_mm/ZwMapViewOfSection.c
ntos_ob/ObHandle.c
ntos_ob/ObReference.c
+ ntos_ob/ObSecurity.c
ntos_ob/ObSymbolicLink.c
ntos_ob/ObType.c
ntos_ob/ObTypes.c
Modified: trunk/rostests/kmtests/kmtest_drv/testlist.c
URL:
http://svn.reactos.org/svn/reactos/trunk/rostests/kmtests/kmtest_drv/testli…
==============================================================================
--- trunk/rostests/kmtests/kmtest_drv/testlist.c [iso-8859-1] (original)
+++ trunk/rostests/kmtests/kmtest_drv/testlist.c [iso-8859-1] Mon Oct 17 09:28:15 2016
@@ -54,6 +54,7 @@
KMT_TESTFUNC Test_NpfsVolumeInfo;
KMT_TESTFUNC Test_ObHandle;
KMT_TESTFUNC Test_ObReference;
+KMT_TESTFUNC Test_ObSecurity;
KMT_TESTFUNC Test_ObSymbolicLink;
KMT_TESTFUNC Test_ObType;
KMT_TESTFUNC Test_ObTypeClean;
@@ -124,6 +125,7 @@
{ "NpfsVolumeInfo", Test_NpfsVolumeInfo },
{ "ObHandle", Test_ObHandle },
{ "ObReference", Test_ObReference },
+ { "ObSecurity", Test_ObSecurity },
{ "ObSymbolicLink", Test_ObSymbolicLink },
{ "ObType", Test_ObType },
{ "-ObTypeClean", Test_ObTypeClean },
Added: trunk/rostests/kmtests/ntos_ob/ObSecurity.c
URL:
http://svn.reactos.org/svn/reactos/trunk/rostests/kmtests/ntos_ob/ObSecurit…
==============================================================================
--- trunk/rostests/kmtests/ntos_ob/ObSecurity.c (added)
+++ trunk/rostests/kmtests/ntos_ob/ObSecurity.c [iso-8859-1] Mon Oct 17 09:28:15 2016
@@ -0,0 +1,196 @@
+/*
+ * PROJECT: ReactOS kernel-mode tests
+ * LICENSE: LGPLv2.1+ - See COPYING.LIB in the top level directory
+ * PURPOSE: Kernel-Mode Test Suite object security test
+ * PROGRAMMER: Thomas Faber <thomas.faber(a)reactos.org>
+ */
+
+#include <kmt_test.h>
+#include "../ntos_se/se.h"
+
+#define CheckDirectorySecurityWithOwnerAndGroup(name, Owner, Group, AceCount, ...)
CheckDirectorySecurity_(name, Owner, Group, AceCount, __FILE__, __LINE__, ##__VA_ARGS__)
+#define CheckDirectorySecurity(name, AceCount, ...) CheckDirectorySecurity_(name,
SeExports->SeAliasAdminsSid, SeExports->SeLocalSystemSid, AceCount, __FILE__,
__LINE__, ##__VA_ARGS__)
+#define CheckDirectorySecurity_(name, Owner, Group, AceCount, file, line, ...)
CheckDirectorySecurity__(name, Owner, Group, AceCount, file ":"
KMT_STRINGIZE(line), ##__VA_ARGS__)
+static
+VOID
+CheckDirectorySecurity__(
+ _In_ PCWSTR DirectoryName,
+ _In_ PSID ExpectedOwner,
+ _In_ PSID ExpectedGroup,
+ _In_ ULONG AceCount,
+ _In_ PCSTR FileAndLine,
+ ...)
+{
+ NTSTATUS Status;
+ UNICODE_STRING DirectoryNameString;
+ OBJECT_ATTRIBUTES ObjectAttributes;
+ HANDLE DirectoryHandle;
+ PSECURITY_DESCRIPTOR SecurityDescriptor;
+ ULONG SecurityDescriptorSize;
+ PSID Owner;
+ PSID Group;
+ PACL Dacl;
+ PACL Sacl;
+ BOOLEAN Present;
+ BOOLEAN Defaulted;
+ va_list Arguments;
+
+ RtlInitUnicodeString(&DirectoryNameString, DirectoryName);
+ InitializeObjectAttributes(&ObjectAttributes,
+ &DirectoryNameString,
+ OBJ_KERNEL_HANDLE,
+ NULL,
+ NULL);
+ Status = ZwOpenDirectoryObject(&DirectoryHandle,
+ READ_CONTROL | ACCESS_SYSTEM_SECURITY,
+ &ObjectAttributes);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+ if (skip(NT_SUCCESS(Status), "No directory (%ls)\n", DirectoryName))
+ {
+ return;
+ }
+
+ Status = ZwQuerySecurityObject(DirectoryHandle,
+ OWNER_SECURITY_INFORMATION |
GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION,
+ NULL,
+ 0,
+ &SecurityDescriptorSize);
+ ok_eq_hex(Status, STATUS_BUFFER_TOO_SMALL);
+ if (skip(Status == STATUS_BUFFER_TOO_SMALL, "No security size (%ls)\n",
DirectoryName))
+ {
+ ObCloseHandle(DirectoryHandle, KernelMode);
+ return;
+ }
+
+ SecurityDescriptor = ExAllocatePoolWithTag(PagedPool,
+ SecurityDescriptorSize,
+ 'dSmK');
+ ok(SecurityDescriptor != NULL, "Failed to allocate %lu bytes\n",
SecurityDescriptorSize);
+ if (skip(SecurityDescriptor != NULL, "No memory for descriptor (%ls)\n",
DirectoryName))
+ {
+ ObCloseHandle(DirectoryHandle, KernelMode);
+ return;
+ }
+
+ Status = ZwQuerySecurityObject(DirectoryHandle,
+ OWNER_SECURITY_INFORMATION |
GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION,
+ SecurityDescriptor,
+ SecurityDescriptorSize,
+ &SecurityDescriptorSize);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+ if (NT_SUCCESS(Status))
+ {
+ Owner = NULL;
+ Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
+ &Owner,
+ &Defaulted);
+ if (ExpectedOwner)
+ CheckSid__(Owner, NO_SIZE, ExpectedOwner, FileAndLine);
+ ok(Defaulted == FALSE, "Owner defaulted for %ls\n", DirectoryName);
+
+ Group = NULL;
+ Status = RtlGetGroupSecurityDescriptor(SecurityDescriptor,
+ &Group,
+ &Defaulted);
+ if (ExpectedGroup)
+ CheckSid__(Group, NO_SIZE, ExpectedGroup, FileAndLine);
+ ok(Defaulted == FALSE, "Group defaulted for %ls\n", DirectoryName);
+
+ Dacl = NULL;
+ Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
+ &Present,
+ &Dacl,
+ &Defaulted);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+ ok(Present == TRUE, "DACL not present for %ls\n", DirectoryName);
+ ok(Defaulted == FALSE, "DACL defaulted for %ls\n", DirectoryName);
+ va_start(Arguments, FileAndLine);
+ VCheckAcl__(Dacl, AceCount, FileAndLine, Arguments);
+ va_end(Arguments);
+
+ Sacl = NULL;
+ Status = RtlGetSaclSecurityDescriptor(SecurityDescriptor,
+ &Present,
+ &Sacl,
+ &Defaulted);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+ ok(Present == FALSE, "SACL present for %ls\n", DirectoryName);
+ ok(Defaulted == FALSE, "SACL defaulted for %ls\n", DirectoryName);
+ ok(Sacl == NULL, "Sacl is %p for %ls\n", Sacl, DirectoryName);
+ }
+ ExFreePoolWithTag(SecurityDescriptor, 'dSmK');
+ ObCloseHandle(DirectoryHandle, KernelMode);
+}
+
+START_TEST(ObSecurity)
+{
+#define DIRECTORY_GENERIC_READ STANDARD_RIGHTS_READ | DIRECTORY_TRAVERSE |
DIRECTORY_QUERY
+#define DIRECTORY_GENERIC_WRITE STANDARD_RIGHTS_WRITE | DIRECTORY_CREATE_SUBDIRECTORY
| DIRECTORY_CREATE_OBJECT
+
+ CheckDirectorySecurityWithOwnerAndGroup(L"\\??",
SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users"
+ 4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE,
SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE,
SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0,
SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE,
SeExports->SeCreatorOwnerSid,GENERIC_ALL);
+
+ CheckDirectorySecurity(L"\\",
+ 4, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid,
DIRECTORY_GENERIC_READ,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid,
DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid,
DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeRestrictedSid,
DIRECTORY_GENERIC_READ);
+
+ CheckDirectorySecurity(L"\\ArcName",
+ 4, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid,
DIRECTORY_GENERIC_READ,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid,
DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid,
DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeRestrictedSid,
DIRECTORY_GENERIC_READ);
+
+ CheckDirectorySecurity(L"\\BaseNamedObjects",
+ 3, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid,
DIRECTORY_GENERIC_WRITE | DIRECTORY_GENERIC_READ,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid,
DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeRestrictedSid,
DIRECTORY_TRAVERSE);
+
+ CheckDirectorySecurity(L"\\Callback",
+ 3, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid,
DIRECTORY_GENERIC_READ,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid,
DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid,
DIRECTORY_ALL_ACCESS);
+
+ CheckDirectorySecurity(L"\\Device",
+ 4, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid,
DIRECTORY_GENERIC_READ,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid,
DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid,
DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeRestrictedSid,
DIRECTORY_GENERIC_READ);
+
+ CheckDirectorySecurity(L"\\Driver",
+ 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid,
DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid,
DIRECTORY_GENERIC_READ);
+
+ CheckDirectorySecurity(L"\\GLOBAL??",
+ 6, ACCESS_ALLOWED_ACE_TYPE, 0,
SeExports->SeWorldSid, DIRECTORY_GENERIC_READ,
+ ACCESS_ALLOWED_ACE_TYPE, 0,
SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE,
SeExports->SeWorldSid, GENERIC_EXECUTE,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE,
SeExports->SeAliasAdminsSid, GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE,
SeExports->SeLocalSystemSid, GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE,
SeExports->SeCreatorOwnerSid,GENERIC_ALL);
+
+ CheckDirectorySecurity(L"\\KernelObjects",
+ 3, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid,
DIRECTORY_GENERIC_READ,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid,
DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid,
DIRECTORY_ALL_ACCESS);
+
+ CheckDirectorySecurity(L"\\ObjectTypes",
+ 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid,
DIRECTORY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid,
DIRECTORY_GENERIC_READ);
+}
Propchange: trunk/rostests/kmtests/ntos_ob/ObSecurity.c
------------------------------------------------------------------------------
svn:eol-style = native
2992
days inactive
2992
days old
0 comments
1 participants
participants (1)
-
tfaber@svn.reactos.org