commit aaa20942087ccb42011bd62312921e1c0970346c
Author: George Bișoc <george.bisoc(a)reactos.org>
AuthorDate: Tue Oct 19 11:39:06 2021 +0200
Commit: George Bișoc <george.bisoc(a)reactos.org>
CommitDate: Sun Nov 7 14:14:19 2021 +0100
[KMTESTS:SE] Implement SeFilterToken testcase
---
modules/rostests/kmtests/CMakeLists.txt | 1 +
modules/rostests/kmtests/kmtest_drv/testlist.c | 2 +
.../rostests/kmtests/ntos_se/SeTokenFiltering.c | 113 +++++++++++++++++++++
3 files changed, 116 insertions(+)
diff --git a/modules/rostests/kmtests/CMakeLists.txt
b/modules/rostests/kmtests/CMakeLists.txt
index 3898b37a6ba..4bfeb361b3c 100644
--- a/modules/rostests/kmtests/CMakeLists.txt
+++ b/modules/rostests/kmtests/CMakeLists.txt
@@ -98,6 +98,7 @@ list(APPEND KMTEST_DRV_SOURCE
ntos_se/SeInheritance.c
ntos_se/SeLogonSession.c
ntos_se/SeQueryInfoToken.c
+ ntos_se/SeTokenFiltering.c
rtl/RtlIsValidOemCharacter.c
rtl/RtlRangeList.c
${COMMON_SOURCE}
diff --git a/modules/rostests/kmtests/kmtest_drv/testlist.c
b/modules/rostests/kmtests/kmtest_drv/testlist.c
index d486c2e3351..36bec00ae0e 100644
--- a/modules/rostests/kmtests/kmtest_drv/testlist.c
+++ b/modules/rostests/kmtests/kmtest_drv/testlist.c
@@ -66,6 +66,7 @@ KMT_TESTFUNC Test_PsNotify;
KMT_TESTFUNC Test_SeInheritance;
KMT_TESTFUNC Test_SeLogonSession;
KMT_TESTFUNC Test_SeQueryInfoToken;
+KMT_TESTFUNC Test_SeTokenFiltering;
KMT_TESTFUNC Test_RtlAvlTree;
KMT_TESTFUNC Test_RtlException;
KMT_TESTFUNC Test_RtlIntSafe;
@@ -155,6 +156,7 @@ const KMT_TEST TestList[] =
{ "SeInheritance", Test_SeInheritance },
{ "SeLogonSession", Test_SeLogonSession },
{ "SeQueryInfoToken", Test_SeQueryInfoToken },
+ { "SeTokenFiltering", Test_SeTokenFiltering },
{ "ZwAllocateVirtualMemory", Test_ZwAllocateVirtualMemory },
{ "ZwCreateSection", Test_ZwCreateSection },
{ "ZwMapViewOfSection", Test_ZwMapViewOfSection },
diff --git a/modules/rostests/kmtests/ntos_se/SeTokenFiltering.c
b/modules/rostests/kmtests/ntos_se/SeTokenFiltering.c
new file mode 100644
index 00000000000..6f819dead74
--- /dev/null
+++ b/modules/rostests/kmtests/ntos_se/SeTokenFiltering.c
@@ -0,0 +1,113 @@
+/*
+ * PROJECT: ReactOS kernel-mode tests
+ * LICENSE: GPL-2.0-or-later (
https://spdx.org/licenses/GPL-2.0-or-later)
+ * PURPOSE: Kernel mode tests for token filtering implementation
+ * COPYRIGHT: Copyright 2021 George Bișoc <george.bisoc(a)reactos.org>
+ */
+
+#include <kmt_test.h>
+#include <ntifs.h>
+
+static
+VOID
+FilterToken(VOID)
+{
+ NTSTATUS Status;
+ PSECURITY_SUBJECT_CONTEXT SubjectContext;
+ PACCESS_TOKEN Token, FilteredToken;
+ TOKEN_GROUPS SidsToDisable, RestrictedGroups;
+ TOKEN_PRIVILEGES Privilege;
+
+ /* Capture the subject context and token for tests */
+ SubjectContext = ExAllocatePool(PagedPool, sizeof(SECURITY_SUBJECT_CONTEXT));
+ if (SubjectContext == NULL)
+ {
+ trace("Failed to allocate memory pool for the subject context!\n");
+ return;
+ }
+
+ SeCaptureSubjectContext(SubjectContext);
+ SeLockSubjectContext(SubjectContext);
+ Token = SeQuerySubjectContextToken(SubjectContext);
+ ok(Token != NULL, "Token mustn't be NULL...\n");
+
+ /* Delete a privilege */
+ Privilege.PrivilegeCount = 1;
+ Privilege.Privileges[0].Attributes = 0;
+ Privilege.Privileges[0].Luid = SeExports->SeSystemEnvironmentPrivilege;
+
+ Status = SeFilterToken(Token,
+ 0,
+ NULL,
+ &Privilege,
+ NULL,
+ &FilteredToken);
+ ok_irql(PASSIVE_LEVEL);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+
+ /* Disable all the privileges */
+ Status = SeFilterToken(Token,
+ DISABLE_MAX_PRIVILEGE,
+ NULL,
+ NULL,
+ NULL,
+ &FilteredToken);
+ ok_irql(PASSIVE_LEVEL);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+
+ /* Disable a SID */
+ SidsToDisable.GroupCount = 1;
+ SidsToDisable.Groups[0].Attributes = 0;
+ SidsToDisable.Groups[0].Sid = SeExports->SeWorldSid;
+
+ Status = SeFilterToken(Token,
+ 0,
+ &SidsToDisable,
+ NULL,
+ NULL,
+ &FilteredToken);
+ ok_irql(PASSIVE_LEVEL);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+
+ /*
+ * Add a restricted SID but we're going to fail...
+ * Because no attributes must be within restricted
+ * SIDs.
+ */
+ RestrictedGroups.GroupCount = 1;
+ RestrictedGroups.Groups[0].Attributes = SE_GROUP_ENABLED;
+ RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
+
+ Status = SeFilterToken(Token,
+ 0,
+ NULL,
+ NULL,
+ &RestrictedGroups,
+ &FilteredToken);
+ ok_irql(PASSIVE_LEVEL);
+ ok_eq_hex(Status, STATUS_INVALID_PARAMETER);
+
+ /* Add a restricted SID now */
+ RestrictedGroups.GroupCount = 1;
+ RestrictedGroups.Groups[0].Attributes = 0;
+ RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
+
+ Status = SeFilterToken(Token,
+ 0,
+ NULL,
+ NULL,
+ &RestrictedGroups,
+ &FilteredToken);
+ ok_irql(PASSIVE_LEVEL);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+
+ /* We're done */
+ SeUnlockSubjectContext(SubjectContext);
+ if (SubjectContext)
+ ExFreePool(SubjectContext);
+}
+
+START_TEST(SeTokenFiltering)
+{
+ FilterToken();
+}
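Review bot: Every successful SeFilterToken call (the four checked against STATUS_SUCCESS) writes a new token into the same `FilteredToken` variable and nothing ever dereferences it, so the test leaks up to four token objects each run; SeFilterToken hands back a referenced token object that the caller is expected to release, so each success path should be followed by `if (NT_SUCCESS(Status)) ObDereferenceObject(FilteredToken);`. The subject context is likewise captured and locked but only unlocked at the end; a `SeReleaseSubjectContext(SubjectContext);` belongs between the unlock and the ExFreePool so the references the capture took are dropped. As a minor style point, the `if (SubjectContext)` guard before ExFreePool is redundant because the NULL case already returned after the allocation check, and the kmtests' paged-pool allocation would normally carry a tag via ExAllocatePoolWithTag rather than the untagged ExAllocatePool. FilterToken is fully contained in this hunk.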