Author: tfaber Date: Fri Sep 18 11:06:11 2015 New Revision: 69265
URL: http://svn.reactos.org/svn/reactos?rev=69265&view=rev Log: [KMTESTS:CM] - Add a test for registry hive security descriptors
Added: trunk/rostests/kmtests/ntos_cm/ (with props) trunk/rostests/kmtests/ntos_cm/CmSecurity.c (with props) Modified: trunk/rostests/kmtests/CMakeLists.txt trunk/rostests/kmtests/kmtest_drv/testlist.c
Modified: trunk/rostests/kmtests/CMakeLists.txt
URL: http://svn.reactos.org/svn/reactos/trunk/rostests/kmtests/CMakeLists.txt?rev...
==============================================================================
--- trunk/rostests/kmtests/CMakeLists.txt [iso-8859-1] (original)
+++ trunk/rostests/kmtests/CMakeLists.txt [iso-8859-1] Fri Sep 18 11:06:11 2015
@@ -35,6 +35,7 @@
 npfs/NpfsHelpers.c
 npfs/NpfsReadWrite.c
 npfs/NpfsVolumeInfo.c
+ ntos_cm/CmSecurity.c
 ntos_ex/ExCallback.c
 ntos_ex/ExDoubleList.c
 ntos_ex/ExFastMutex.c
Modified: trunk/rostests/kmtests/kmtest_drv/testlist.c
URL: http://svn.reactos.org/svn/reactos/trunk/rostests/kmtests/kmtest_drv/testlis...
==============================================================================
--- trunk/rostests/kmtests/kmtest_drv/testlist.c [iso-8859-1] (original)
+++ trunk/rostests/kmtests/kmtest_drv/testlist.c [iso-8859-1] Fri Sep 18 11:06:11 2015
@@ -7,6 +7,7 @@
#include <kmt_test.h>
+KMT_TESTFUNC Test_CmSecurity;
 KMT_TESTFUNC Test_Example;
 KMT_TESTFUNC Test_ExCallback;
 KMT_TESTFUNC Test_ExDoubleList;
@@ -68,6 +69,7 @@
const KMT_TEST TestList[] = {
+ { "CmSecurity", Test_CmSecurity },
 { "ExCallback", Test_ExCallback },
 { "ExDoubleList", Test_ExDoubleList },
 { "ExFastMutex", Test_ExFastMutex },
Propchange: trunk/rostests/kmtests/ntos_cm/
------------------------------------------------------------------------------
--- bugtraq:logregex (added)
+++ bugtraq:logregex Fri Sep 18 11:06:11 2015
@@ -0,0 +1,2 @@
+([Ii]ssue|[Bb]ug)s? #?(\d+)(,? ?#?(\d+))*(,? ?(and |or )?#?(\d+))?
+(\d+)
Propchange: trunk/rostests/kmtests/ntos_cm/ ------------------------------------------------------------------------------ bugtraq:message = See issue #%BUGID% for more details.
Propchange: trunk/rostests/kmtests/ntos_cm/ ------------------------------------------------------------------------------ bugtraq:url = http://www.reactos.org/bugzilla/show_bug.cgi?id=%BUGID%
Propchange: trunk/rostests/kmtests/ntos_cm/ ------------------------------------------------------------------------------ tsvn:logminsize = 10
Added: trunk/rostests/kmtests/ntos_cm/CmSecurity.c
URL: http://svn.reactos.org/svn/reactos/trunk/rostests/kmtests/ntos_cm/CmSecurity...
==============================================================================
--- trunk/rostests/kmtests/ntos_cm/CmSecurity.c (added)
+++ trunk/rostests/kmtests/ntos_cm/CmSecurity.c [iso-8859-1] Fri Sep 18 11:06:11 2015
@@ -0,0 +1,260 @@
+/*
+ * PROJECT: ReactOS kernel-mode tests
+ * LICENSE: LGPLv2+ - See COPYING.LIB in the top level directory
+ * PURPOSE: Kernel-Mode Test Suite NPFS security test
+ * PROGRAMMER: Thomas Faber thomas.faber@reactos.org
+ */
+
+#include <kmt_test.h>
+#include "../ntos_se/se.h"
+
+#define CheckKeySecurity(name, AceCount, ...) CheckKeySecurity_(name, AceCount, __FILE__, __LINE__, ##__VA_ARGS__)
+#define CheckKeySecurity_(name, AceCount, file, line, ...) CheckKeySecurity__(name, AceCount, file ":" KMT_STRINGIZE(line), ##__VA_ARGS__)
+static
+VOID
+CheckKeySecurity__(
+ _In_ PCWSTR KeyName,
+ _In_ ULONG AceCount,
+ _In_ PCSTR FileAndLine,
+ ...)
+{
+ NTSTATUS Status;
+ UNICODE_STRING KeyNameString;
+ OBJECT_ATTRIBUTES ObjectAttributes;
+ HANDLE KeyHandle;
+ PSECURITY_DESCRIPTOR SecurityDescriptor;
+ ULONG SecurityDescriptorSize;
+ PSID Owner;
+ PSID Group;
+ PACL Dacl;
+ PACL Sacl;
+ BOOLEAN Present;
+ BOOLEAN Defaulted;
+ va_list Arguments;
+
+ RtlInitUnicodeString(&KeyNameString, KeyName);
+ InitializeObjectAttributes(&ObjectAttributes,
+ &KeyNameString,
+ OBJ_KERNEL_HANDLE,
+ NULL,
+ NULL);
+ Status = ZwOpenKey(&KeyHandle,
+ READ_CONTROL | ACCESS_SYSTEM_SECURITY,
+ &ObjectAttributes);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+ if (skip(NT_SUCCESS(Status), "No key (%ls)\n", KeyName))
+ {
+ return;
+ }
+
+ Status = ZwQuerySecurityObject(KeyHandle,
+ OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION,
+ NULL,
+ 0,
+ &SecurityDescriptorSize);
+ ok_eq_hex(Status, STATUS_BUFFER_TOO_SMALL);
+ if (skip(Status == STATUS_BUFFER_TOO_SMALL, "No security size (%ls)\n", KeyName))
+ {
+ ObCloseHandle(KeyHandle, KernelMode);
+ return;
+ }
+
+ SecurityDescriptor = ExAllocatePoolWithTag(PagedPool,
+ SecurityDescriptorSize,
+ 'dSmK');
+ ok(SecurityDescriptor != NULL, "Failed to allocate %lu bytes\n", SecurityDescriptorSize);
+ if (skip(SecurityDescriptor != NULL, "No memory for descriptor (%ls)\n", KeyName))
+ {
+ ObCloseHandle(KeyHandle, KernelMode);
+ return;
+ }
+
+ Status = ZwQuerySecurityObject(KeyHandle,
+ OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION,
+ SecurityDescriptor,
+ SecurityDescriptorSize,
+ &SecurityDescriptorSize);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+ if (NT_SUCCESS(Status))
+ {
+ Owner = NULL;
+ Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
+ &Owner,
+ &Defaulted);
+ CheckSid(Owner, NO_SIZE, SeExports->SeAliasAdminsSid);
+ ok(Defaulted == FALSE, "Owner defaulted for %ls\n", KeyName);
+
+ Group = NULL;
+ Status = RtlGetGroupSecurityDescriptor(SecurityDescriptor,
+ &Group,
+ &Defaulted);
+ CheckSid(Group, NO_SIZE, SeExports->SeLocalSystemSid);
+ ok(Defaulted == FALSE, "Group defaulted for %ls\n", KeyName);
+
+ Dacl = NULL;
+ Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
+ &Present,
+ &Dacl,
+ &Defaulted);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+ ok(Present == TRUE, "DACL not present for %ls\n", KeyName);
+ ok(Defaulted == FALSE, "DACL defaulted for %ls\n", KeyName);
+ va_start(Arguments, FileAndLine);
+ VCheckAcl__(Dacl, AceCount, FileAndLine, Arguments);
+ va_end(Arguments);
+
+ Sacl = NULL;
+ Status = RtlGetSaclSecurityDescriptor(SecurityDescriptor,
+ &Present,
+ &Sacl,
+ &Defaulted);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+ ok(Present == FALSE, "SACL present for %ls\n", KeyName);
+ ok(Defaulted == FALSE, "SACL defaulted for %ls\n", KeyName);
+ ok(Sacl == NULL, "Sacl is %p for %ls\n", Sacl, KeyName);
+ }
+ ExFreePoolWithTag(SecurityDescriptor, 'dSmK');
+ ObCloseHandle(KeyHandle, KernelMode);
+}
+
+START_TEST(CmSecurity)
+{
+ SID_IDENTIFIER_AUTHORITY NtSidAuthority = {SECURITY_NT_AUTHORITY};
+ PSID TerminalServerSid;
+
+ TerminalServerSid = ExAllocatePoolWithTag(PagedPool,
+ RtlLengthRequiredSid(1),
+ 'iSmK');
+ if (TerminalServerSid != NULL)
+ {
+ RtlInitializeSid(TerminalServerSid, &NtSidAuthority, 1);
+ *RtlSubAuthoritySid(TerminalServerSid, 0) = SECURITY_TERMINAL_SERVER_RID;
+ }
+ CheckKeySecurity(L"\REGISTRY",
+ 4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, KEY_READ,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid, KEY_READ);
+
+ CheckKeySecurity(L"\REGISTRY\MACHINE",
+ 4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, KEY_READ,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid, KEY_READ);
+
+ CheckKeySecurity(L"\REGISTRY\MACHINE\HARDWARE",
+ 4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, KEY_READ,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid, KEY_READ);
+
+ CheckKeySecurity(L"\REGISTRY\MACHINE\SAM",
+ 4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, KEY_READ,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid, KEY_READ);
+
+ CheckKeySecurity(L"\REGISTRY\MACHINE\SECURITY",
+ 2, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, WRITE_DAC | READ_CONTROL);
+
+ CheckKeySecurity(L"\REGISTRY\MACHINE\SOFTWARE",
+ 12, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasUsersSid, KEY_READ,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid, GENERIC_READ,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasPowerUsersSid, KEY_READ | KEY_WRITE | DELETE,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ | GENERIC_WRITE | DELETE,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid, GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, 0, TerminalServerSid, KEY_READ | KEY_WRITE | DELETE,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, TerminalServerSid, GENERIC_READ | GENERIC_WRITE | DELETE);
+
+ CheckKeySecurity(L"\REGISTRY\MACHINE\SYSTEM",
+ 10, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasUsersSid, KEY_READ,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid, GENERIC_READ,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasPowerUsersSid, KEY_READ,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid, GENERIC_ALL);
+
+ CheckKeySecurity(L"\REGISTRY\USER",
+ 4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, KEY_READ,
+ ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid, KEY_READ);
+
+ CheckKeySecurity(L"\REGISTRY\USER\.DEFAULT",
+ 10, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasUsersSid, KEY_READ,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid, GENERIC_READ,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasPowerUsersSid, KEY_READ,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid, GENERIC_ALL);
+
+ CheckKeySecurity(L"\REGISTRY\USER\S-1-5-18",
+ 10, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasUsersSid, KEY_READ,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid, GENERIC_READ,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasPowerUsersSid, KEY_READ,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid, GENERIC_ALL);
+
+ CheckKeySecurity(L"\REGISTRY\USER\S-1-5-20",
+ 8, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeNetworkServiceSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeRestrictedSid, KEY_READ,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE, SeExports->SeNetworkServiceSid, GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
+ ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
+ CONTAINER_INHERIT_ACE |
+ OBJECT_INHERIT_ACE, SeExports->SeRestrictedSid, GENERIC_READ);
+
+ if (TerminalServerSid != NULL)
+ {
+ ExFreePoolWithTag(TerminalServerSid, 'iSmK');
+ }
+}
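Review bot: In CheckKeySecurity__, the Status returned by RtlGetOwnerSecurityDescriptor and RtlGetGroupSecurityDescriptor is assigned but never asserted, unlike the DACL and SACL queries below them; if either call failed, the following `ok(Defaulted == FALSE, ...)` would read an uninitialized `Defaulted`. Adding `ok_eq_hex(Status, STATUS_SUCCESS);` after each of the two calls would make the owner and group checks consistent with the ACL checks. In START_TEST(CmSecurity), a failed TerminalServerSid allocation still passes the NULL pointer as an expected SID to the `\REGISTRY\MACHINE\SOFTWARE` check; how VCheckAcl__ handles that is not visible here, so guarding that one call with `if (!skip(TerminalServerSid != NULL, "No memory for SID\n"))` would be safer. The file header's PURPOSE line still reads "NPFS security test" and should name the registry (Cm) hive security test instead.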
Propchange: trunk/rostests/kmtests/ntos_cm/CmSecurity.c ------------------------------------------------------------------------------ svn:eol-style = native