summaryrefslogtreecommitdiffstats
path: root/private/ntos/se/ctaccess.c
diff options
context:
space:
mode:
authorAdam <you@example.com>2020-05-17 05:51:50 +0200
committerAdam <you@example.com>2020-05-17 05:51:50 +0200
commite611b132f9b8abe35b362e5870b74bce94a1e58e (patch)
treea5781d2ec0e085eeca33cf350cf878f2efea6fe5 /private/ntos/se/ctaccess.c
downloadNT4.0-e611b132f9b8abe35b362e5870b74bce94a1e58e.tar
NT4.0-e611b132f9b8abe35b362e5870b74bce94a1e58e.tar.gz
NT4.0-e611b132f9b8abe35b362e5870b74bce94a1e58e.tar.bz2
NT4.0-e611b132f9b8abe35b362e5870b74bce94a1e58e.tar.lz
NT4.0-e611b132f9b8abe35b362e5870b74bce94a1e58e.tar.xz
NT4.0-e611b132f9b8abe35b362e5870b74bce94a1e58e.tar.zst
NT4.0-e611b132f9b8abe35b362e5870b74bce94a1e58e.zip
Diffstat (limited to '')
-rw-r--r--private/ntos/se/ctaccess.c1267
1 files changed, 1267 insertions, 0 deletions
diff --git a/private/ntos/se/ctaccess.c b/private/ntos/se/ctaccess.c
new file mode 100644
index 000000000..014acc4bd
--- /dev/null
+++ b/private/ntos/se/ctaccess.c
@@ -0,0 +1,1267 @@
+/*++
+
+Copyright (c) 1989 Microsoft Corporation
+
+Module Name:
+
+ ctaccess.c
+
+Abstract:
+
+ Common access validation test routines
+
+ These routines are used in both kernel and user mode tests.
+
+ This test assumes the security runtime library routines are
+ functioning correctly.
+
+
+Author:
+
+ Robert Reichel (robertre) 12/14/90
+
+Environment:
+
+ Test of access validation routines
+
+Revision History:
+
+ v1: robertre
+ Created
+
+--*/
+
+#include "tsecomm.c" // Mode dependent macros and routines.
+
+
+
+//
+// Define the local macros and procedure for this module
+//
+
+//
+// Return a pointer to the first Ace in an Acl (even if the Acl is empty).
+//
+// PACE_HEADER
+// FirstAce (
+// IN PACL Acl
+// );
+//
+
+#define FirstAce(Acl) ((PVOID)((PUCHAR)(Acl) + sizeof(ACL)))
+
+//
+// Return a pointer to the next Ace in a sequence (even if the input
+// Ace is the one in the sequence).
+//
+// PACE_HEADER
+// NextAce (
+// IN PACE_HEADER Ace
+// );
+//
+
+#define NextAce(Ace) ((PVOID)((PUCHAR)(Ace) + ((PACE_HEADER)(Ace))->AceSize))
+
+VOID
+DumpAcl (
+ IN PACL Acl
+ );
+
+////////////////////////////////////////////////////////////////
+// //
+// Module wide variables //
+// //
+////////////////////////////////////////////////////////////////
+
+#define DEFAULT_DACL_LENGTH (1024L)
+#define GROUP_IDS_LENGTH (1024L)
+#define NEW_GROUP_STATE_LENGTH (1024L)
+#define PRIVILEGES_LENGTH (128L)
+#define TOO_BIG_ACL_SIZE (2048L)
+
+//
+// definitions related to TokenWithGroups
+//
+
+#define FLINTSTONE_INDEX (0L)
+#define CHILD_INDEX (1L)
+#define NEANDERTHOL_INDEX (2L)
+#define WORLD_INDEX (3L)
+#define GROUP_COUNT (4L)
+
+
+//
+// Definitions related to TokenWithPrivileges
+//
+
+#define UNSOLICITED_INDEX (0L)
+#define SECURITY_INDEX (1L)
+#define PRIVILEGE_COUNT (2L)
+
+//
+// Access types
+//
+
+#define SET_WIDGET_COLOR 0x00000001
+#define SET_WIDGET_SIZE 0x00000002
+#define GET_WIDGET_COLOR 0x00000004
+#define GET_WIDGET_SIZE 0x00000008
+#define START_WIDGET 0x00000010
+#define STOP_WIDGET 0x00000020
+#define GIVE_WIDGET 0x00000040
+#define TAKE_WIDGET 0x00000080
+
+
+ NTSTATUS Status;
+
+ HANDLE SimpleToken;
+ HANDLE TokenWithGroups;
+ HANDLE TokenWithDefaultOwner;
+ HANDLE TokenWithPrivileges;
+ HANDLE TokenWithDefaultDacl;
+
+ HANDLE Token;
+ HANDLE ImpersonationToken;
+
+ HANDLE PrimaryToken;
+
+ HANDLE AnonymousToken;
+
+ OBJECT_ATTRIBUTES PrimaryTokenAttributes;
+ PSECURITY_DESCRIPTOR PrimarySecurityDescriptor;
+ SECURITY_QUALITY_OF_SERVICE PrimarySecurityQos;
+
+ OBJECT_ATTRIBUTES ImpersonationTokenAttributes;
+ PSECURITY_DESCRIPTOR ImpersonationSecurityDescriptor;
+ SECURITY_QUALITY_OF_SERVICE ImpersonationSecurityQos;
+
+ OBJECT_ATTRIBUTES AnonymousTokenAttributes;
+ PSECURITY_DESCRIPTOR AnonymousSecurityDescriptor;
+ SECURITY_QUALITY_OF_SERVICE AnonymousSecurityQos;
+
+ ULONG DisabledGroupAttributes;
+ ULONG OptionalGroupAttributes;
+ ULONG NormalGroupAttributes;
+ ULONG OwnerGroupAttributes;
+
+ ULONG LengthAvailable;
+ ULONG CurrentLength;
+
+
+ TIME_FIELDS TempTimeFields = {3000, 1, 1, 1, 1, 1, 1, 1};
+ LARGE_INTEGER NoExpiration;
+
+ LUID DummyAuthenticationId;
+ LUID SystemAuthenticationId = SYSTEM_LUID;
+
+ TOKEN_SOURCE TestSource = {"SE: TEST", 0};
+
+ PSID Owner;
+ PSID Group;
+ PACL Dacl;
+
+ PSID TempOwner;
+ PSID TempGroup;
+ PACL TempDacl;
+
+
+
+
+
+////////////////////////////////////////////////////////////////
+// //
+// Initialization Routine //
+// //
+////////////////////////////////////////////////////////////////
+
+BOOLEAN
+TestTokenInitialize()
+{
+
+ TSeVariableInitialization(); // Initialize global variables
+
+
+ DisabledGroupAttributes = (SE_GROUP_ENABLED_BY_DEFAULT);
+
+ OptionalGroupAttributes = (SE_GROUP_ENABLED_BY_DEFAULT |
+ SE_GROUP_ENABLED
+ );
+ NormalGroupAttributes = (SE_GROUP_MANDATORY |
+ SE_GROUP_ENABLED_BY_DEFAULT |
+ SE_GROUP_ENABLED
+ );
+ OwnerGroupAttributes = (SE_GROUP_MANDATORY |
+ SE_GROUP_ENABLED_BY_DEFAULT |
+ SE_GROUP_ENABLED |
+ SE_GROUP_OWNER
+ );
+
+
+ PrimarySecurityDescriptor =
+ (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 );
+
+ InitializeObjectAttributes(
+ &PrimaryTokenAttributes,
+ NULL,
+ OBJ_INHERIT,
+ NULL,
+ NULL
+ );
+
+
+ ImpersonationSecurityDescriptor =
+ (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 );
+
+ ImpersonationSecurityQos.Length = (ULONG)sizeof(SECURITY_QUALITY_OF_SERVICE);
+ ImpersonationSecurityQos.ImpersonationLevel = SecurityImpersonation;
+ ImpersonationSecurityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
+ ImpersonationSecurityQos.EffectiveOnly = FALSE;
+
+ InitializeObjectAttributes(
+ &ImpersonationTokenAttributes,
+ NULL,
+ OBJ_INHERIT,
+ NULL,
+ NULL
+ );
+ ImpersonationTokenAttributes.SecurityQualityOfService =
+ &ImpersonationSecurityQos;
+
+
+ AnonymousSecurityDescriptor =
+ (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 );
+
+ AnonymousSecurityQos.Length = (ULONG)sizeof(SECURITY_QUALITY_OF_SERVICE);
+ AnonymousSecurityQos.ImpersonationLevel = SecurityAnonymous;
+ AnonymousSecurityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
+ AnonymousSecurityQos.EffectiveOnly = FALSE;
+
+ InitializeObjectAttributes(
+ &AnonymousTokenAttributes,
+ NULL,
+ OBJ_INHERIT,
+ NULL,
+ NULL
+ );
+ AnonymousTokenAttributes.SecurityQualityOfService =
+ &AnonymousSecurityQos;
+
+
+ //
+ // Build an ACL for use.
+ //
+
+ Dacl = (PACL)TstAllocatePool( PagedPool, 256 );
+
+ Dacl->AclRevision=ACL_REVISION;
+ Dacl->Sbz1=0;
+ Dacl->Sbz2=0;
+ Dacl->AclSize=256;
+ Dacl->AceCount=0;
+
+
+ //
+ // Set up expiration times
+ //
+
+ TempTimeFields.Year = 3000;
+ TempTimeFields.Month = 1;
+ TempTimeFields.Day = 1;
+ TempTimeFields.Hour = 1;
+ TempTimeFields.Minute = 1;
+ TempTimeFields.Second = 1;
+ TempTimeFields.Milliseconds = 1;
+ TempTimeFields.Weekday = 1;
+
+ RtlTimeFieldsToTime( &TempTimeFields, &NoExpiration );
+
+
+ //
+ // Use a dummy authentication ID for a while.
+ //
+
+ DummyAuthenticationId = FredLuid;
+
+
+ //
+ // Use a token source specific to security test
+ //
+
+ NtAllocateLocallyUniqueId( &(TestSource.SourceIdentifier) );
+
+ DbgPrint("Done.\n");
+
+ return TRUE;
+}
+
+
+BOOLEAN
+CreateDAclToken()
+{
+
+ BOOLEAN CompletionStatus = TRUE;
+
+ TOKEN_USER UserId;
+ TOKEN_PRIMARY_GROUP PrimaryGroup;
+ PTOKEN_GROUPS GroupIds;
+ PTOKEN_PRIVILEGES Privileges;
+ TOKEN_DEFAULT_DACL DefaultDacl;
+ TOKEN_OWNER Owner;
+
+ PSECURITY_DESCRIPTOR Widget1SecurityDescriptor;
+
+ NTSTATUS AccessStatus;
+
+ ACCESS_MASK GrantedAccess;
+
+ PACCESS_ALLOWED_ACE AllowBarneySetColor;
+ PACCESS_ALLOWED_ACE AllowFredSetColor;
+
+ PACCESS_DENIED_ACE DenyPebblesSetColor;
+
+ PACCESS_ALLOWED_ACE AllowPebblesSetColor;
+ PACCESS_DENIED_ACE DenyFredSetColor;
+ PACCESS_ALLOWED_ACE AllowBarneySetSize;
+ PACCESS_ALLOWED_ACE AllowPebblesSetSize;
+
+ PACCESS_ALLOWED_ACE AllowPebblesGetColor;
+ PACCESS_ALLOWED_ACE AllowPebblesGetSize;
+
+ USHORT AllowBarneySetColorLength;
+ USHORT AllowFredSetColorLength;
+ USHORT DenyPebblesSetColorLength;
+
+ USHORT AllowPebblesSetColorLength;
+ USHORT DenyFredSetColorLength;
+ USHORT AllowBarneySetSizeLength;
+ USHORT AllowPebblesSetSizeLength;
+
+ USHORT AllowPebblesGetColorLength;
+ USHORT AllowPebblesGetSizeLength;
+
+
+ DbgPrint("\n");
+
+ GroupIds = (PTOKEN_GROUPS)TstAllocatePool( PagedPool,
+ GROUP_IDS_LENGTH
+ );
+
+ Privileges = (PTOKEN_PRIVILEGES)TstAllocatePool( PagedPool,
+ PRIVILEGES_LENGTH
+ );
+
+ DefaultDacl.DefaultDacl = (PACL)TstAllocatePool( PagedPool,
+ DEFAULT_DACL_LENGTH
+ );
+
+
+ //
+ // Create a token with default DACL
+ //
+
+ DbgPrint("Se: Create Token With Default Dacl ... ");
+
+ GroupIds->GroupCount = GROUP_COUNT;
+
+ GroupIds->Groups[FLINTSTONE_INDEX].Sid = FlintstoneSid;
+ GroupIds->Groups[CHILD_INDEX].Sid = ChildSid;
+ GroupIds->Groups[NEANDERTHOL_INDEX].Sid = NeandertholSid;
+ GroupIds->Groups[WORLD_INDEX].Sid = WorldSid;
+
+ GroupIds->Groups[FLINTSTONE_INDEX].Attributes = OwnerGroupAttributes;
+ GroupIds->Groups[CHILD_INDEX].Attributes = OptionalGroupAttributes;
+ GroupIds->Groups[NEANDERTHOL_INDEX].Attributes = OptionalGroupAttributes;
+ GroupIds->Groups[WORLD_INDEX].Attributes = NormalGroupAttributes;
+
+ UserId.User.Sid = PebblesSid;
+ UserId.User.Attributes = 0;
+
+ Owner.Owner = FlintstoneSid;
+
+ Privileges->PrivilegeCount = PRIVILEGE_COUNT;
+
+ Privileges->Privileges[UNSOLICITED_INDEX].Luid = UnsolicitedInputPrivilege;
+ Privileges->Privileges[SECURITY_INDEX].Luid = SecurityPrivilege;
+ Privileges->Privileges[UNSOLICITED_INDEX].Attributes = 0;
+ Privileges->Privileges[SECURITY_INDEX].Attributes = 0;
+
+ PrimaryGroup.PrimaryGroup = FlintstoneSid;
+
+ Status = RtlCreateAcl( DefaultDacl.DefaultDacl, DEFAULT_DACL_LENGTH, ACL_REVISION);
+
+ ASSERT(NT_SUCCESS(Status) );
+
+ Status = NtCreateToken(
+ &PrimaryToken, // Handle
+ (TOKEN_ALL_ACCESS), // DesiredAccess
+ &PrimaryTokenAttributes, // ObjectAttributes
+ TokenPrimary, // TokenType
+ &DummyAuthenticationId, // Authentication LUID
+ &NoExpiration, // Expiration Time
+ &UserId, // Owner ID
+ GroupIds, // Group IDs
+ Privileges, // Privileges
+ &Owner, // Owner
+ &PrimaryGroup, // Primary Group
+ &DefaultDacl, // Default Dacl
+ &TestSource // TokenSource
+ );
+
+ if (NT_SUCCESS(Status)) {
+ DbgPrint("Succeeded.\n");
+ } else {
+ DbgPrint("********** Failed ************\n");
+ DbgPrint("Status is: 0x%lx \n", Status);
+ CompletionStatus = FALSE;
+ }
+
+ ASSERT(NT_SUCCESS(Status));
+
+
+
+ //
+ // Create an impersonation token, Impersonation level = Impersonation
+ //
+
+ DbgPrint("Se: Create an impersonation token ... ");
+
+ GroupIds->GroupCount = GROUP_COUNT;
+
+ GroupIds->Groups[FLINTSTONE_INDEX].Sid = FlintstoneSid;
+ GroupIds->Groups[CHILD_INDEX].Sid = ChildSid;
+ GroupIds->Groups[NEANDERTHOL_INDEX].Sid = NeandertholSid;
+ GroupIds->Groups[WORLD_INDEX].Sid = WorldSid;
+
+ GroupIds->Groups[FLINTSTONE_INDEX].Attributes = OwnerGroupAttributes;
+ GroupIds->Groups[CHILD_INDEX].Attributes = OptionalGroupAttributes;
+ GroupIds->Groups[NEANDERTHOL_INDEX].Attributes = OptionalGroupAttributes;
+ GroupIds->Groups[WORLD_INDEX].Attributes = NormalGroupAttributes;
+
+ UserId.User.Sid = PebblesSid;
+ UserId.User.Attributes = 0;
+
+ Owner.Owner = FlintstoneSid;
+
+ Privileges->PrivilegeCount = PRIVILEGE_COUNT;
+
+ Privileges->Privileges[UNSOLICITED_INDEX].Luid = UnsolicitedInputPrivilege;
+ Privileges->Privileges[SECURITY_INDEX].Luid = SecurityPrivilege;
+ Privileges->Privileges[UNSOLICITED_INDEX].Attributes = 0;
+ Privileges->Privileges[SECURITY_INDEX].Attributes = 0;
+
+ PrimaryGroup.PrimaryGroup = FlintstoneSid;
+
+ Status = RtlCreateAcl( DefaultDacl.DefaultDacl, DEFAULT_DACL_LENGTH, ACL_REVISION);
+
+ ASSERT(NT_SUCCESS(Status) );
+
+ Status = NtCreateToken(
+ &ImpersonationToken, // Handle
+ (TOKEN_ALL_ACCESS), // DesiredAccess
+ &ImpersonationTokenAttributes, // ObjectAttributes
+ TokenImpersonation, // TokenType
+ &DummyAuthenticationId, // Authentication LUID
+ &NoExpiration, // Expiration Time
+ &UserId, // Owner ID
+ GroupIds, // Group IDs
+ Privileges, // Privileges
+ &Owner, // Owner
+ &PrimaryGroup, // Primary Group
+ &DefaultDacl, // Default Dacl
+ &TestSource // TokenSource
+ );
+
+ if (NT_SUCCESS(Status)) {
+ DbgPrint("Succeeded.\n");
+ } else {
+ DbgPrint("********** Failed ************\n");
+ DbgPrint("Status is: 0x%lx \n", Status);
+ CompletionStatus = FALSE;
+ }
+
+ ASSERT(NT_SUCCESS(Status));
+
+//
+// Attach tokens to process
+//
+
+ NtSetInformationProcess(
+ NtCurrentProcess(),
+ ProcessAccessToken,
+ &PrimaryToken,
+ sizeof( PHANDLE ));
+
+
+ NtSetInformationThread(
+ NtCurrentThread(),
+ ThreadImpersonationToken,
+ &ImpersonationToken,
+ sizeof( PHANDLE ));
+
+
+
+// Create some ACEs
+
+// AllowBarneySetColor
+
+ AllowBarneySetColorLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) +
+ SeLengthSid( BarneySid ));
+
+ AllowBarneySetColor = (PVOID) TstAllocatePool ( PagedPool, AllowBarneySetColorLength );
+
+ AllowBarneySetColor->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
+ AllowBarneySetColor->Header.AceSize = AllowBarneySetColorLength;
+ AllowBarneySetColor->Header.AceFlags = 0;
+
+ AllowBarneySetColor->Mask = SET_WIDGET_COLOR;
+
+ RtlCopySid(
+ SeLengthSid( BarneySid ),
+ &(AllowBarneySetColor->SidStart),
+ BarneySid );
+
+
+// DenyPebblesSetColor
+
+ DenyPebblesSetColorLength = (USHORT)(sizeof( ACCESS_DENIED_ACE ) - sizeof( ULONG ) +
+ SeLengthSid( BarneySid ));
+
+ DenyPebblesSetColor = (PVOID) TstAllocatePool ( PagedPool, DenyPebblesSetColorLength );
+
+ DenyPebblesSetColor->Header.AceType = ACCESS_DENIED_ACE_TYPE;
+ DenyPebblesSetColor->Header.AceSize = DenyPebblesSetColorLength;
+ DenyPebblesSetColor->Header.AceFlags = 0;
+
+ DenyPebblesSetColor->Mask = SET_WIDGET_COLOR;
+
+ RtlCopySid(
+ SeLengthSid( PebblesSid ),
+ &(DenyPebblesSetColor->SidStart),
+ PebblesSid );
+
+
+// AllowFredSetColor
+
+ AllowFredSetColorLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) +
+ SeLengthSid( FredSid ));
+
+ AllowFredSetColor = (PVOID) TstAllocatePool ( PagedPool, AllowFredSetColorLength );
+
+ AllowFredSetColor->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
+ AllowFredSetColor->Header.AceSize = AllowFredSetColorLength;
+ AllowFredSetColor->Header.AceFlags = 0;
+
+ AllowFredSetColor->Mask = SET_WIDGET_COLOR;
+
+ RtlCopySid(
+ SeLengthSid( FredSid ),
+ &(AllowFredSetColor->SidStart),
+ FredSid );
+
+
+
+
+// AllowPebblesSetColor
+
+
+ AllowPebblesSetColorLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) +
+ SeLengthSid( PebblesSid ));
+
+ AllowPebblesSetColor = (PVOID) TstAllocatePool ( PagedPool, AllowPebblesSetColorLength );
+
+ AllowPebblesSetColor->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
+ AllowPebblesSetColor->Header.AceSize = AllowPebblesSetColorLength;
+ AllowPebblesSetColor->Header.AceFlags = 0;
+
+ AllowPebblesSetColor->Mask = SET_WIDGET_COLOR;
+
+ RtlCopySid(
+ SeLengthSid( PebblesSid ),
+ &(AllowPebblesSetColor->SidStart),
+ PebblesSid );
+
+
+// DenyFredSetColor
+
+ DenyFredSetColorLength = (USHORT)(sizeof( ACCESS_DENIED_ACE ) - sizeof( ULONG ) +
+ SeLengthSid( FredSid ));
+
+ DenyFredSetColor = (PVOID) TstAllocatePool ( PagedPool, DenyFredSetColorLength );
+
+ DenyFredSetColor->Header.AceType = ACCESS_DENIED_ACE_TYPE;
+ DenyFredSetColor->Header.AceSize = DenyFredSetColorLength;
+ DenyFredSetColor->Header.AceFlags = 0;
+
+ DenyFredSetColor->Mask = SET_WIDGET_COLOR;
+
+ RtlCopySid(
+ SeLengthSid( FredSid ),
+ &(DenyFredSetColor->SidStart),
+ FredSid );
+
+// AllowBarneySetSize
+
+ AllowBarneySetSizeLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) +
+ SeLengthSid( BarneySid ));
+
+ AllowBarneySetSize = (PVOID) TstAllocatePool ( PagedPool, AllowBarneySetSizeLength );
+
+ AllowBarneySetSize->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
+ AllowBarneySetSize->Header.AceSize = AllowBarneySetSizeLength;
+ AllowBarneySetSize->Header.AceFlags = 0;
+
+ AllowBarneySetSize->Mask = SET_WIDGET_SIZE;
+
+ RtlCopySid(
+ SeLengthSid( BarneySid ),
+ &(AllowBarneySetSize->SidStart),
+ BarneySid );
+
+// AllowPebblesSetSize
+
+ AllowPebblesSetSizeLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) +
+ SeLengthSid( PebblesSid ));
+
+ AllowPebblesSetSize = (PVOID) TstAllocatePool ( PagedPool, AllowPebblesSetSizeLength );
+
+ AllowPebblesSetSize->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
+ AllowPebblesSetSize->Header.AceSize = AllowPebblesSetSizeLength;
+ AllowPebblesSetSize->Header.AceFlags = 0;
+
+ AllowPebblesSetSize->Mask = SET_WIDGET_SIZE;
+
+ RtlCopySid(
+ SeLengthSid( PebblesSid ),
+ &(AllowPebblesSetSize->SidStart),
+ PebblesSid );
+
+
+// AllowPebblesGetSize
+
+ AllowPebblesGetSizeLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) +
+ SeLengthSid( PebblesSid ));
+
+ AllowPebblesGetSize = (PVOID) TstAllocatePool ( PagedPool, AllowPebblesGetSizeLength );
+
+ AllowPebblesGetSize->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
+ AllowPebblesGetSize->Header.AceSize = AllowPebblesGetSizeLength;
+ AllowPebblesGetSize->Header.AceFlags = 0;
+
+ AllowPebblesGetSize->Mask = SET_WIDGET_SIZE;
+
+ RtlCopySid(
+ SeLengthSid( PebblesSid ),
+ &(AllowPebblesGetSize->SidStart),
+ PebblesSid );
+
+
+// AllowPebblesGetColor
+
+ AllowPebblesGetColorLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) +
+ SeLengthSid( PebblesSid ));
+
+ AllowPebblesGetColor = (PVOID) TstAllocatePool ( PagedPool, AllowPebblesGetColorLength );
+
+ AllowPebblesGetColor->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
+ AllowPebblesGetColor->Header.AceSize = AllowPebblesGetColorLength;
+ AllowPebblesGetColor->Header.AceFlags = 0;
+
+ AllowPebblesGetColor->Mask = SET_WIDGET_COLOR;
+
+ RtlCopySid(
+ SeLengthSid( PebblesSid ),
+ &(AllowPebblesGetColor->SidStart),
+ PebblesSid );
+
+//
+// Create some ACLs that we can put into a Security Descriptor
+//
+ DbgBreakPoint();
+
+//
+// Dacl
+//
+// +----------------+ +----------------+ +----------------+
+// | 1st ACE | | 2nd ACE | | 3rd ACE |
+// +----------------+ +----------------+ +----------------+
+// | AccessAllowed | | AccessDenied | | AccessAllowed |
+// +----------------+ +----------------+ +----------------+
+// | BARNEY | | PEBBLES | | FRED |
+// +----------------+ +----------------+ +----------------+
+// | SetWidgeColor | | SetWidgeColor | | SetWidgeColor |
+// +----------------+ +----------------+ +----------------+
+//
+
+ Dacl = (PACL) TstAllocatePool ( PagedPool, 2048 );
+
+ RtlCreateAcl( Dacl, 2048, ACL_REVISION);
+
+
+ RtlAddAce ( Dacl,
+ ACL_REVISION,
+ 0,
+ AllowBarneySetColor,
+ AllowBarneySetColorLength );
+
+ RtlAddAce ( Dacl,
+ ACL_REVISION,
+ 1,
+ DenyPebblesSetColor,
+ DenyPebblesSetColorLength );
+
+ RtlAddAce ( Dacl,
+ ACL_REVISION,
+ 2,
+ DenyFredSetColor,
+ AllowFredSetColorLength );
+
+ DumpAcl (Dacl);
+
+
+
+
+
+// Create a security descriptor
+//
+// Owner = Pebbles
+// Group = Flintstone
+// Dacl = Dacl
+// Sacl = NULL
+//
+
+ Widget1SecurityDescriptor =
+ (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 );
+
+ RtlCreateSecurityDescriptor( Widget1SecurityDescriptor,
+ 1 );
+
+
+ RtlSetOwnerSecurityDescriptor( Widget1SecurityDescriptor,
+ PebblesSid,
+ FALSE );
+
+ RtlSetGroupSecurityDescriptor( Widget1SecurityDescriptor,
+ FlintstoneSid,
+ FALSE );
+
+ RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor,
+ TRUE,
+ Dacl,
+ FALSE );
+
+ RtlSetSaclSecurityDescriptor( Widget1SecurityDescriptor,
+ FALSE,
+ NULL,
+ NULL );
+
+// See if Pebbles is allowed SET_WIDGET_COLOR (should be denied)
+
+ Status = NtAccessCheck( Widget1SecurityDescriptor,
+ PrimaryToken,
+ (ACCESS_MASK) SET_WIDGET_COLOR,
+ &GrantedAccess,
+ &AccessStatus );
+
+// DbgBreakPoint();
+
+ ASSERT(NT_SUCCESS(Status));
+
+ ASSERT(!NT_SUCCESS(AccessStatus));
+
+ ASSERT(GrantedAccess == NULL);
+
+
+// Update Dacl to be the following:
+//
+// Dacl2
+//
+// +----------------+ +----------------+ +----------------+
+// | 1st ACE | | 2nd ACE | | 3rd ACE |
+// +----------------+ +----------------+ +----------------+
+// | AccessAllowed | | AccessAllowed | | AccessDenied |
+// +----------------+ +----------------+ +----------------+
+// | BARNEY | | PEBBLES | | FRED |
+// +----------------+ +----------------+ +----------------+
+// | SetWidgeColor | | SetWidgeColor | | SetWidgeColor |
+// +----------------+ +----------------+ +----------------+
+//
+
+// Delete 2nd Ace
+
+ RtlDeleteAce (Dacl, 1);
+
+ RtlAddAce ( Dacl,
+ ACL_REVISION,
+ 1,
+ AllowPebblesSetColor,
+ AllowPebblesSetColorLength );
+
+ RtlDeleteAce ( Dacl, 2 );
+
+ RtlAddAce ( Dacl,
+ ACL_REVISION,
+ 1,
+ DenyFredSetColor,
+ DenyFredSetColorLength );
+
+
+
+
+// Change the security descriptor to use updated Dacl
+//
+// Owner = Pebbles
+// Group = Flintstone
+// Dacl = Dacl2
+// Sacl = NULL
+//
+
+ RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor,
+ TRUE,
+ Dacl,
+ FALSE );
+
+// See if Pebbles is allowed SET_WIDGET_COLOR (should be permitted)
+
+ Status = NtAccessCheck( Widget1SecurityDescriptor,
+ PrimaryToken,
+ (ACCESS_MASK) SET_WIDGET_COLOR,
+ &GrantedAccess,
+ &AccessStatus );
+
+
+ ASSERT(NT_SUCCESS(Status));
+
+ ASSERT(NT_SUCCESS(AccessStatus));
+
+ ASSERT(GrantedAccess == (ACCESS_MASK)SET_WIDGET_COLOR);
+
+//
+// Dacl3
+//
+// +----------------+ +----------------+ +----------------+
+// | 1st ACE | | 2nd ACE | | 3rd ACE |
+// +----------------+ +----------------+ +----------------+
+// | AccessAllowed | | AccessAllowed | | AccessDenied |
+// +----------------+ +----------------+ +----------------+
+// | BARNEY | | PEBBLES | | FRED |
+// +----------------+ +----------------+ +----------------+
+// | SetWidgeColor | | SetWidgeColor | | SetWidgeColor |
+// +----------------+ +----------------+ +----------------+
+//
+// +----------------+ +----------------+
+// | 4th ACE | | 5th ACE |
+// +----------------+ +----------------+
+// | AccessAllowed | | AccessAllowed |
+// +----------------+ +----------------+
+// | BARNEY | | PEBBLES |
+// +----------------+ +----------------+
+// | SetWidgeSize | | SetWidgeSize |
+// +----------------+ +----------------+
+//
+
+
+ RtlAddAce ( Dacl,
+ ACL_REVISION,
+ MAXULONG,
+ AllowBarneySetSize,
+ AllowBarneySetSizeLength );
+
+ RtlAddAce ( Dacl,
+ ACL_REVISION,
+ MAXULONG,
+ AllowPebblesSetSize,
+ AllowPebblesSetSizeLength );
+
+// Change the security descriptor to use Dacl3
+//
+// Owner = Pebbles
+// Group = Flintstone
+// Dacl = Dacl3
+// Sacl = NULL
+//
+
+ RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor,
+ TRUE,
+ Dacl,
+ FALSE );
+
+// Request MAXIMUM_ACCESS for Pebbles. Should get back SetWidgetSize
+// and SetWidgetColor
+
+ Status = NtAccessCheck( Widget1SecurityDescriptor,
+ PrimaryToken,
+ (ACCESS_MASK) MAXIMUM_ALLOWED,
+ &GrantedAccess,
+ &AccessStatus );
+
+
+ ASSERT(NT_SUCCESS(Status));
+
+ ASSERT(NT_SUCCESS(AccessStatus));
+
+ ASSERT(GrantedAccess == (ACCESS_MASK) (SET_WIDGET_COLOR | SET_WIDGET_SIZE));
+
+
+//
+// Dacl4
+//
+// +----------------+ +----------------+ +----------------+
+// | 1st ACE | | 2nd ACE | | 3rd ACE |
+// +----------------+ +----------------+ +----------------+
+// | AccessAllowed | | AccessAllowed | | AccessDenied |
+// +----------------+ +----------------+ +----------------+
+// | BARNEY | | PEBBLES | | FRED |
+// +----------------+ +----------------+ +----------------+
+// | SetWidgeColor | | SetWidgeColor | | SetWidgeColor |
+// +----------------+ +----------------+ +----------------+
+//
+// +----------------+ +----------------+ +----------------+
+// | 4th ACE | | 5th ACE | | 6th ACE |
+// +----------------+ +----------------+ +----------------+
+// | AccessAllowed | | AccessAllowed | | AccessDenied |
+// +----------------+ +----------------+ +----------------+
+// | BARNEY | | PEBBLES | | PEBBLES |
+// +----------------+ +----------------+ +----------------+
+// | SetWidgeSize | | SetWidgeSize | | SetWidgeColor |
+// +----------------+ +----------------+ +----------------+
+//
+
+ RtlAddAce ( Dacl,
+ ACL_REVISION,
+ MAXULONG,
+ DenyPebblesSetColor,
+ DenyPebblesSetColorLength );
+
+ RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor,
+ TRUE,
+ Dacl,
+ FALSE );
+
+// Request MAXIMUM_ACCESS for Pebbles. Should get back SetWidgetSize
+// and SetWidgetColor
+
+ Status = NtAccessCheck( Widget1SecurityDescriptor,
+ PrimaryToken,
+ (ACCESS_MASK) MAXIMUM_ALLOWED,
+ &GrantedAccess,
+ &AccessStatus );
+
+
+ ASSERT(NT_SUCCESS(Status));
+
+ ASSERT(NT_SUCCESS(AccessStatus));
+
+ ASSERT(GrantedAccess == (ACCESS_MASK) (SET_WIDGET_COLOR | SET_WIDGET_SIZE));
+
+
+//
+// Dacl5
+//
+// +----------------+ +----------------+ +----------------+
+// | 1st ACE | | 2nd ACE | | 3rd ACE |
+// +----------------+ +----------------+ +----------------+
+// | AccessAllowed | | AccessDenied | | AccessDenied |
+// +----------------+ +----------------+ +----------------+
+// | BARNEY | | PEBBLES | | FRED |
+// +----------------+ +----------------+ +----------------+
+// | SetWidgeColor | | SetWidgeColor | | SetWidgeColor |
+// +----------------+ +----------------+ +----------------+
+//
+// +----------------+ +----------------+ +----------------+
+// | 4th ACE | | 5th ACE | | 6th ACE |
+// +----------------+ +----------------+ +----------------+
+// | AccessAllowed | | AccessAllowed | | AccessAllowed |
+// +----------------+ +----------------+ +----------------+
+// | BARNEY | | PEBBLES | | PEBBLES |
+// +----------------+ +----------------+ +----------------+
+// | SetWidgeSize | | SetWidgeSize | | SetWidgeColor |
+// +----------------+ +----------------+ +----------------+
+//
+
+ RtlDeleteAce (Dacl, 1);
+
+ RtlAddAce ( Dacl,
+ ACL_REVISION,
+ 1,
+ DenyPebblesSetColor,
+ DenyPebblesSetColorLength );
+
+ RtlDeleteAce (Dacl, 5);
+
+ RtlAddAce ( Dacl,
+ ACL_REVISION,
+ MAXULONG,
+ AllowPebblesSetColor,
+ AllowPebblesSetColorLength );
+
+
+ DumpAcl ( Dacl );
+
+ RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor,
+ TRUE,
+ Dacl,
+ FALSE );
+
+// Request MAXIMUM_ACCESS for Pebbles. Should get back SetWidgetSize
+
+ Status = NtAccessCheck( Widget1SecurityDescriptor,
+ PrimaryToken,
+ (ACCESS_MASK) MAXIMUM_ALLOWED,
+ &GrantedAccess,
+ &AccessStatus );
+
+
+ ASSERT(NT_SUCCESS(Status));
+
+ ASSERT(NT_SUCCESS(AccessStatus));
+
+ ASSERT(GrantedAccess == (ACCESS_MASK) SET_WIDGET_SIZE);
+
+
+//
+// Dacl6
+//
+// +----------------+ +----------------+ +----------------+
+// | 1st ACE | | 2nd ACE | | 3rd ACE |
+// +----------------+ +----------------+ +----------------+
+// | AccessAllowed | | AccessDenied | | AccessDenied |
+// +----------------+ +----------------+ +----------------+
+// | BARNEY | | PEBBLES | | FRED |
+// +----------------+ +----------------+ +----------------+
+// | SetWidgeColor | | SetWidgeColor | | SetWidgeColor |
+// +----------------+ +----------------+ +----------------+
+//
+// +----------------+ +----------------+ +----------------+
+// | 4th ACE | | 5th ACE | | 6th ACE |
+// +----------------+ +----------------+ +----------------+
+// | AccessAllowed | | AccessAllowed | | AccessAllowed |
+// +----------------+ +----------------+ +----------------+
+// | BARNEY | | PEBBLES | | PEBBLES |
+// +----------------+ +----------------+ +----------------+
+// | SetWidgeSize | | SetWidgeSize | | SetWidgeColor |
+// +----------------+ +----------------+ +----------------+
+//
+// +----------------+ +----------------+
+// | 7th ACE | | 8th ACE |
+// +----------------+ +----------------+
+// | AccessAllowed | | AccessAllowed |
+// +----------------+ +----------------+
+// | PEBBLES | | PEBBLES |
+// +----------------+ +----------------+
+// | GetWidgeSize | | GetWidgeColor |
+// +----------------+ +----------------+
+//
+
+ RtlAddAce ( Dacl,
+ ACL_REVISION,
+ MAXULONG,
+ AllowPebblesGetSize,
+ AllowPebblesGetSizeLength );
+
+ RtlAddAce ( Dacl,
+ ACL_REVISION,
+ MAXULONG,
+ AllowPebblesGetColor,
+ AllowPebblesGetColorLength );
+
+ DumpAcl ( Dacl );
+
+ RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor,
+ TRUE,
+ Dacl,
+ FALSE );
+
+// Request MAXIMUM_ACCESS for Pebbles. Should get back SetWidgetSize
+
+ Status = NtAccessCheck( Widget1SecurityDescriptor,
+ PrimaryToken,
+ (ACCESS_MASK) MAXIMUM_ALLOWED,
+ &GrantedAccess,
+ &AccessStatus );
+
+
+ ASSERT(NT_SUCCESS(Status));
+
+ ASSERT(NT_SUCCESS(AccessStatus));
+
+ ASSERT(GrantedAccess == (ACCESS_MASK) SET_WIDGET_SIZE);
+
+
+
+ return(TRUE);
+
+
+}
+
+
+/////////////////////////////////////////////////////////////////////
+// //
+// //
+// Main test entry point //
+// //
+// //
+/////////////////////////////////////////////////////////////////////
+
+
+BOOLEAN
+CTAccess()
+{
+
+ BOOLEAN Result = TRUE;
+
+ if (!TSeVariableInitialization()) {
+ DbgPrint("Se: Failed to initialize global test variables.\n");
+ return FALSE;
+ }
+
+ DbgPrint("Se: Initialization...");
+ TestTokenInitialize();
+ CreateDAclToken();
+
+}
+
+
+//
+// Debug support routine
+//
+
+
+typedef struct _STANDARD_ACE {
+ ACE_HEADER Header;
+ ACCESS_MASK Mask;
+ PSID Sid;
+} STANDARD_ACE;
+typedef STANDARD_ACE *PSTANDARD_ACE;
+
+
+
+VOID
+DumpAcl (
+ IN PACL Acl
+ )
+
+/*++
+
+Routine Description:
+
+ This routine dumps via (DbgPrint) an Acl for debug purposes. It is
+ specialized to dump standard aces.
+
+Arguments:
+
+ Acl - Supplies the Acl to dump
+
+Return Value:
+
+ None
+
+--*/
+
+
+{
+ ULONG i;
+ PSTANDARD_ACE Ace;
+
+ DbgPrint("DumpAcl @ %8lx", Acl);
+
+ //
+ // Check if the Acl is null
+ //
+
+ if (Acl == NULL) {
+
+ return;
+
+ }
+
+ //
+ // Dump the Acl header
+ //
+
+ DbgPrint(" Revision: %02x", Acl->AclRevision);
+ DbgPrint(" Size: %04x", Acl->AclSize);
+ DbgPrint(" AceCount: %04x\n", Acl->AceCount);
+
+ //
+ // Now for each Ace we want do dump it
+ //
+
+ for (i = 0, Ace = FirstAce(Acl);
+ i < Acl->AceCount;
+ i++, Ace = NextAce(Ace) ) {
+
+ //
+ // print out the ace header
+ //
+
+ DbgPrint(" AceHeader: %08lx ", *(PULONG)Ace);
+
+ //
+ // special case on the standard ace types
+ //
+
+ if ((Ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) ||
+ (Ace->Header.AceType == ACCESS_DENIED_ACE_TYPE) ||
+ (Ace->Header.AceType == SYSTEM_AUDIT_ACE_TYPE) ||
+ (Ace->Header.AceType == SYSTEM_ALARM_ACE_TYPE)) {
+
+ //
+ // The following array is indexed by ace types and must
+ // follow the allowed, denied, audit, alarm seqeuence
+ //
+
+ static PCHAR AceTypes[] = { "Access Allowed",
+ "Access Denied ",
+ "System Audit ",
+ "System Alarm "
+ };
+
+ DbgPrint(AceTypes[Ace->Header.AceType]);
+ DbgPrint("\nAccess Mask: %08lx ", Ace->Mask);
+
+ } else {
+
+ DbgPrint("Unknown Ace Type\n");
+
+ }
+
+ DbgPrint("\n");
+
+ DbgPrint("AceSize = %d\n",Ace->Header.AceSize);
+ DbgPrint("Ace Flags = ");
+ if (Ace->Header.AceFlags & OBJECT_INHERIT_ACE) {
+ DbgPrint("OBJECT_INHERIT_ACE\n");
+ DbgPrint(" ");
+ }
+ if (Ace->Header.AceFlags & CONTAINER_INHERIT_ACE) {
+ DbgPrint("CONTAINER_INHERIT_ACE\n");
+ DbgPrint(" ");
+ }
+
+ if (Ace->Header.AceFlags & NO_PROPAGATE_INHERIT_ACE) {
+ DbgPrint("NO_PROPAGATE_INHERIT_ACE\n");
+ DbgPrint(" ");
+ }
+
+ if (Ace->Header.AceFlags & INHERIT_ONLY_ACE) {
+ DbgPrint("INHERIT_ONLY_ACE\n");
+ DbgPrint(" ");
+ }
+
+
+ if (Ace->Header.AceFlags & SUCCESSFUL_ACCESS_ACE_FLAG) {
+ DbgPrint("SUCCESSFUL_ACCESS_ACE_FLAG\n");
+ DbgPrint(" ");
+ }
+
+ if (Ace->Header.AceFlags & FAILED_ACCESS_ACE_FLAG) {
+ DbgPrint("FAILED_ACCESS_ACE_FLAG\n");
+ DbgPrint(" ");
+ }
+
+ DbgPrint("\n");
+
+
+ }
+
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-14 07:10:03 +0200