From e611b132f9b8abe35b362e5870b74bce94a1e58e Mon Sep 17 00:00:00 2001 From: Adam Date: Sat, 16 May 2020 20:51:50 -0700 Subject: initial commit --- private/ntos/se/ctaccess.c | 1267 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1267 insertions(+) create mode 100644 private/ntos/se/ctaccess.c (limited to 'private/ntos/se/ctaccess.c') diff --git a/private/ntos/se/ctaccess.c b/private/ntos/se/ctaccess.c new file mode 100644 index 000000000..014acc4bd --- /dev/null +++ b/private/ntos/se/ctaccess.c @@ -0,0 +1,1267 @@ +/*++ + +Copyright (c) 1989 Microsoft Corporation + +Module Name: + + ctaccess.c + +Abstract: + + Common access validation test routines + + These routines are used in both kernel and user mode tests. + + This test assumes the security runtime library routines are + functioning correctly. + + +Author: + + Robert Reichel (robertre) 12/14/90 + +Environment: + + Test of access validation routines + +Revision History: + + v1: robertre + Created + +--*/ + +#include "tsecomm.c" // Mode dependent macros and routines. + + + +// +// Define the local macros and procedure for this module +// + +// +// Return a pointer to the first Ace in an Acl (even if the Acl is empty). +// +// PACE_HEADER +// FirstAce ( +// IN PACL Acl +// ); +// + +#define FirstAce(Acl) ((PVOID)((PUCHAR)(Acl) + sizeof(ACL))) + +// +// Return a pointer to the next Ace in a sequence (even if the input +// Ace is the one in the sequence). +// +// PACE_HEADER +// NextAce ( +// IN PACE_HEADER Ace +// ); +// + +#define NextAce(Ace) ((PVOID)((PUCHAR)(Ace) + ((PACE_HEADER)(Ace))->AceSize)) + +VOID +DumpAcl ( + IN PACL Acl + ); + +//////////////////////////////////////////////////////////////// +// // +// Module wide variables // +// // +//////////////////////////////////////////////////////////////// + +#define DEFAULT_DACL_LENGTH (1024L) +#define GROUP_IDS_LENGTH (1024L) +#define NEW_GROUP_STATE_LENGTH (1024L) +#define PRIVILEGES_LENGTH (128L) +#define TOO_BIG_ACL_SIZE (2048L) + +// +// definitions related to TokenWithGroups +// + +#define FLINTSTONE_INDEX (0L) +#define CHILD_INDEX (1L) +#define NEANDERTHOL_INDEX (2L) +#define WORLD_INDEX (3L) +#define GROUP_COUNT (4L) + + +// +// Definitions related to TokenWithPrivileges +// + +#define UNSOLICITED_INDEX (0L) +#define SECURITY_INDEX (1L) +#define PRIVILEGE_COUNT (2L) + +// +// Access types +// + +#define SET_WIDGET_COLOR 0x00000001 +#define SET_WIDGET_SIZE 0x00000002 +#define GET_WIDGET_COLOR 0x00000004 +#define GET_WIDGET_SIZE 0x00000008 +#define START_WIDGET 0x00000010 +#define STOP_WIDGET 0x00000020 +#define GIVE_WIDGET 0x00000040 +#define TAKE_WIDGET 0x00000080 + + + NTSTATUS Status; + + HANDLE SimpleToken; + HANDLE TokenWithGroups; + HANDLE TokenWithDefaultOwner; + HANDLE TokenWithPrivileges; + HANDLE TokenWithDefaultDacl; + + HANDLE Token; + HANDLE ImpersonationToken; + + HANDLE PrimaryToken; + + HANDLE AnonymousToken; + + OBJECT_ATTRIBUTES PrimaryTokenAttributes; + PSECURITY_DESCRIPTOR PrimarySecurityDescriptor; + SECURITY_QUALITY_OF_SERVICE PrimarySecurityQos; + + OBJECT_ATTRIBUTES ImpersonationTokenAttributes; + PSECURITY_DESCRIPTOR ImpersonationSecurityDescriptor; + SECURITY_QUALITY_OF_SERVICE ImpersonationSecurityQos; + + OBJECT_ATTRIBUTES AnonymousTokenAttributes; + PSECURITY_DESCRIPTOR AnonymousSecurityDescriptor; + SECURITY_QUALITY_OF_SERVICE AnonymousSecurityQos; + + ULONG DisabledGroupAttributes; + ULONG OptionalGroupAttributes; + ULONG NormalGroupAttributes; + ULONG OwnerGroupAttributes; + + ULONG LengthAvailable; + ULONG CurrentLength; + + + TIME_FIELDS TempTimeFields = {3000, 1, 1, 1, 1, 1, 1, 1}; + LARGE_INTEGER NoExpiration; + + LUID DummyAuthenticationId; + LUID SystemAuthenticationId = SYSTEM_LUID; + + TOKEN_SOURCE TestSource = {"SE: TEST", 0}; + + PSID Owner; + PSID Group; + PACL Dacl; + + PSID TempOwner; + PSID TempGroup; + PACL TempDacl; + + + + + +//////////////////////////////////////////////////////////////// +// // +// Initialization Routine // +// // +//////////////////////////////////////////////////////////////// + +BOOLEAN +TestTokenInitialize() +{ + + TSeVariableInitialization(); // Initialize global variables + + + DisabledGroupAttributes = (SE_GROUP_ENABLED_BY_DEFAULT); + + OptionalGroupAttributes = (SE_GROUP_ENABLED_BY_DEFAULT | + SE_GROUP_ENABLED + ); + NormalGroupAttributes = (SE_GROUP_MANDATORY | + SE_GROUP_ENABLED_BY_DEFAULT | + SE_GROUP_ENABLED + ); + OwnerGroupAttributes = (SE_GROUP_MANDATORY | + SE_GROUP_ENABLED_BY_DEFAULT | + SE_GROUP_ENABLED | + SE_GROUP_OWNER + ); + + + PrimarySecurityDescriptor = + (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 ); + + InitializeObjectAttributes( + &PrimaryTokenAttributes, + NULL, + OBJ_INHERIT, + NULL, + NULL + ); + + + ImpersonationSecurityDescriptor = + (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 ); + + ImpersonationSecurityQos.Length = (ULONG)sizeof(SECURITY_QUALITY_OF_SERVICE); + ImpersonationSecurityQos.ImpersonationLevel = SecurityImpersonation; + ImpersonationSecurityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; + ImpersonationSecurityQos.EffectiveOnly = FALSE; + + InitializeObjectAttributes( + &ImpersonationTokenAttributes, + NULL, + OBJ_INHERIT, + NULL, + NULL + ); + ImpersonationTokenAttributes.SecurityQualityOfService = + &ImpersonationSecurityQos; + + + AnonymousSecurityDescriptor = + (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 ); + + AnonymousSecurityQos.Length = (ULONG)sizeof(SECURITY_QUALITY_OF_SERVICE); + AnonymousSecurityQos.ImpersonationLevel = SecurityAnonymous; + AnonymousSecurityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; + AnonymousSecurityQos.EffectiveOnly = FALSE; + + InitializeObjectAttributes( + &AnonymousTokenAttributes, + NULL, + OBJ_INHERIT, + NULL, + NULL + ); + AnonymousTokenAttributes.SecurityQualityOfService = + &AnonymousSecurityQos; + + + // + // Build an ACL for use. + // + + Dacl = (PACL)TstAllocatePool( PagedPool, 256 ); + + Dacl->AclRevision=ACL_REVISION; + Dacl->Sbz1=0; + Dacl->Sbz2=0; + Dacl->AclSize=256; + Dacl->AceCount=0; + + + // + // Set up expiration times + // + + TempTimeFields.Year = 3000; + TempTimeFields.Month = 1; + TempTimeFields.Day = 1; + TempTimeFields.Hour = 1; + TempTimeFields.Minute = 1; + TempTimeFields.Second = 1; + TempTimeFields.Milliseconds = 1; + TempTimeFields.Weekday = 1; + + RtlTimeFieldsToTime( &TempTimeFields, &NoExpiration ); + + + // + // Use a dummy authentication ID for a while. + // + + DummyAuthenticationId = FredLuid; + + + // + // Use a token source specific to security test + // + + NtAllocateLocallyUniqueId( &(TestSource.SourceIdentifier) ); + + DbgPrint("Done.\n"); + + return TRUE; +} + + +BOOLEAN +CreateDAclToken() +{ + + BOOLEAN CompletionStatus = TRUE; + + TOKEN_USER UserId; + TOKEN_PRIMARY_GROUP PrimaryGroup; + PTOKEN_GROUPS GroupIds; + PTOKEN_PRIVILEGES Privileges; + TOKEN_DEFAULT_DACL DefaultDacl; + TOKEN_OWNER Owner; + + PSECURITY_DESCRIPTOR Widget1SecurityDescriptor; + + NTSTATUS AccessStatus; + + ACCESS_MASK GrantedAccess; + + PACCESS_ALLOWED_ACE AllowBarneySetColor; + PACCESS_ALLOWED_ACE AllowFredSetColor; + + PACCESS_DENIED_ACE DenyPebblesSetColor; + + PACCESS_ALLOWED_ACE AllowPebblesSetColor; + PACCESS_DENIED_ACE DenyFredSetColor; + PACCESS_ALLOWED_ACE AllowBarneySetSize; + PACCESS_ALLOWED_ACE AllowPebblesSetSize; + + PACCESS_ALLOWED_ACE AllowPebblesGetColor; + PACCESS_ALLOWED_ACE AllowPebblesGetSize; + + USHORT AllowBarneySetColorLength; + USHORT AllowFredSetColorLength; + USHORT DenyPebblesSetColorLength; + + USHORT AllowPebblesSetColorLength; + USHORT DenyFredSetColorLength; + USHORT AllowBarneySetSizeLength; + USHORT AllowPebblesSetSizeLength; + + USHORT AllowPebblesGetColorLength; + USHORT AllowPebblesGetSizeLength; + + + DbgPrint("\n"); + + GroupIds = (PTOKEN_GROUPS)TstAllocatePool( PagedPool, + GROUP_IDS_LENGTH + ); + + Privileges = (PTOKEN_PRIVILEGES)TstAllocatePool( PagedPool, + PRIVILEGES_LENGTH + ); + + DefaultDacl.DefaultDacl = (PACL)TstAllocatePool( PagedPool, + DEFAULT_DACL_LENGTH + ); + + + // + // Create a token with default DACL + // + + DbgPrint("Se: Create Token With Default Dacl ... "); + + GroupIds->GroupCount = GROUP_COUNT; + + GroupIds->Groups[FLINTSTONE_INDEX].Sid = FlintstoneSid; + GroupIds->Groups[CHILD_INDEX].Sid = ChildSid; + GroupIds->Groups[NEANDERTHOL_INDEX].Sid = NeandertholSid; + GroupIds->Groups[WORLD_INDEX].Sid = WorldSid; + + GroupIds->Groups[FLINTSTONE_INDEX].Attributes = OwnerGroupAttributes; + GroupIds->Groups[CHILD_INDEX].Attributes = OptionalGroupAttributes; + GroupIds->Groups[NEANDERTHOL_INDEX].Attributes = OptionalGroupAttributes; + GroupIds->Groups[WORLD_INDEX].Attributes = NormalGroupAttributes; + + UserId.User.Sid = PebblesSid; + UserId.User.Attributes = 0; + + Owner.Owner = FlintstoneSid; + + Privileges->PrivilegeCount = PRIVILEGE_COUNT; + + Privileges->Privileges[UNSOLICITED_INDEX].Luid = UnsolicitedInputPrivilege; + Privileges->Privileges[SECURITY_INDEX].Luid = SecurityPrivilege; + Privileges->Privileges[UNSOLICITED_INDEX].Attributes = 0; + Privileges->Privileges[SECURITY_INDEX].Attributes = 0; + + PrimaryGroup.PrimaryGroup = FlintstoneSid; + + Status = RtlCreateAcl( DefaultDacl.DefaultDacl, DEFAULT_DACL_LENGTH, ACL_REVISION); + + ASSERT(NT_SUCCESS(Status) ); + + Status = NtCreateToken( + &PrimaryToken, // Handle + (TOKEN_ALL_ACCESS), // DesiredAccess + &PrimaryTokenAttributes, // ObjectAttributes + TokenPrimary, // TokenType + &DummyAuthenticationId, // Authentication LUID + &NoExpiration, // Expiration Time + &UserId, // Owner ID + GroupIds, // Group IDs + Privileges, // Privileges + &Owner, // Owner + &PrimaryGroup, // Primary Group + &DefaultDacl, // Default Dacl + &TestSource // TokenSource + ); + + if (NT_SUCCESS(Status)) { + DbgPrint("Succeeded.\n"); + } else { + DbgPrint("********** Failed ************\n"); + DbgPrint("Status is: 0x%lx \n", Status); + CompletionStatus = FALSE; + } + + ASSERT(NT_SUCCESS(Status)); + + + + // + // Create an impersonation token, Impersonation level = Impersonation + // + + DbgPrint("Se: Create an impersonation token ... "); + + GroupIds->GroupCount = GROUP_COUNT; + + GroupIds->Groups[FLINTSTONE_INDEX].Sid = FlintstoneSid; + GroupIds->Groups[CHILD_INDEX].Sid = ChildSid; + GroupIds->Groups[NEANDERTHOL_INDEX].Sid = NeandertholSid; + GroupIds->Groups[WORLD_INDEX].Sid = WorldSid; + + GroupIds->Groups[FLINTSTONE_INDEX].Attributes = OwnerGroupAttributes; + GroupIds->Groups[CHILD_INDEX].Attributes = OptionalGroupAttributes; + GroupIds->Groups[NEANDERTHOL_INDEX].Attributes = OptionalGroupAttributes; + GroupIds->Groups[WORLD_INDEX].Attributes = NormalGroupAttributes; + + UserId.User.Sid = PebblesSid; + UserId.User.Attributes = 0; + + Owner.Owner = FlintstoneSid; + + Privileges->PrivilegeCount = PRIVILEGE_COUNT; + + Privileges->Privileges[UNSOLICITED_INDEX].Luid = UnsolicitedInputPrivilege; + Privileges->Privileges[SECURITY_INDEX].Luid = SecurityPrivilege; + Privileges->Privileges[UNSOLICITED_INDEX].Attributes = 0; + Privileges->Privileges[SECURITY_INDEX].Attributes = 0; + + PrimaryGroup.PrimaryGroup = FlintstoneSid; + + Status = RtlCreateAcl( DefaultDacl.DefaultDacl, DEFAULT_DACL_LENGTH, ACL_REVISION); + + ASSERT(NT_SUCCESS(Status) ); + + Status = NtCreateToken( + &ImpersonationToken, // Handle + (TOKEN_ALL_ACCESS), // DesiredAccess + &ImpersonationTokenAttributes, // ObjectAttributes + TokenImpersonation, // TokenType + &DummyAuthenticationId, // Authentication LUID + &NoExpiration, // Expiration Time + &UserId, // Owner ID + GroupIds, // Group IDs + Privileges, // Privileges + &Owner, // Owner + &PrimaryGroup, // Primary Group + &DefaultDacl, // Default Dacl + &TestSource // TokenSource + ); + + if (NT_SUCCESS(Status)) { + DbgPrint("Succeeded.\n"); + } else { + DbgPrint("********** Failed ************\n"); + DbgPrint("Status is: 0x%lx \n", Status); + CompletionStatus = FALSE; + } + + ASSERT(NT_SUCCESS(Status)); + +// +// Attach tokens to process +// + + NtSetInformationProcess( + NtCurrentProcess(), + ProcessAccessToken, + &PrimaryToken, + sizeof( PHANDLE )); + + + NtSetInformationThread( + NtCurrentThread(), + ThreadImpersonationToken, + &ImpersonationToken, + sizeof( PHANDLE )); + + + +// Create some ACEs + +// AllowBarneySetColor + + AllowBarneySetColorLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) + + SeLengthSid( BarneySid )); + + AllowBarneySetColor = (PVOID) TstAllocatePool ( PagedPool, AllowBarneySetColorLength ); + + AllowBarneySetColor->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; + AllowBarneySetColor->Header.AceSize = AllowBarneySetColorLength; + AllowBarneySetColor->Header.AceFlags = 0; + + AllowBarneySetColor->Mask = SET_WIDGET_COLOR; + + RtlCopySid( + SeLengthSid( BarneySid ), + &(AllowBarneySetColor->SidStart), + BarneySid ); + + +// DenyPebblesSetColor + + DenyPebblesSetColorLength = (USHORT)(sizeof( ACCESS_DENIED_ACE ) - sizeof( ULONG ) + + SeLengthSid( BarneySid )); + + DenyPebblesSetColor = (PVOID) TstAllocatePool ( PagedPool, DenyPebblesSetColorLength ); + + DenyPebblesSetColor->Header.AceType = ACCESS_DENIED_ACE_TYPE; + DenyPebblesSetColor->Header.AceSize = DenyPebblesSetColorLength; + DenyPebblesSetColor->Header.AceFlags = 0; + + DenyPebblesSetColor->Mask = SET_WIDGET_COLOR; + + RtlCopySid( + SeLengthSid( PebblesSid ), + &(DenyPebblesSetColor->SidStart), + PebblesSid ); + + +// AllowFredSetColor + + AllowFredSetColorLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) + + SeLengthSid( FredSid )); + + AllowFredSetColor = (PVOID) TstAllocatePool ( PagedPool, AllowFredSetColorLength ); + + AllowFredSetColor->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; + AllowFredSetColor->Header.AceSize = AllowFredSetColorLength; + AllowFredSetColor->Header.AceFlags = 0; + + AllowFredSetColor->Mask = SET_WIDGET_COLOR; + + RtlCopySid( + SeLengthSid( FredSid ), + &(AllowFredSetColor->SidStart), + FredSid ); + + + + +// AllowPebblesSetColor + + + AllowPebblesSetColorLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) + + SeLengthSid( PebblesSid )); + + AllowPebblesSetColor = (PVOID) TstAllocatePool ( PagedPool, AllowPebblesSetColorLength ); + + AllowPebblesSetColor->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; + AllowPebblesSetColor->Header.AceSize = AllowPebblesSetColorLength; + AllowPebblesSetColor->Header.AceFlags = 0; + + AllowPebblesSetColor->Mask = SET_WIDGET_COLOR; + + RtlCopySid( + SeLengthSid( PebblesSid ), + &(AllowPebblesSetColor->SidStart), + PebblesSid ); + + +// DenyFredSetColor + + DenyFredSetColorLength = (USHORT)(sizeof( ACCESS_DENIED_ACE ) - sizeof( ULONG ) + + SeLengthSid( FredSid )); + + DenyFredSetColor = (PVOID) TstAllocatePool ( PagedPool, DenyFredSetColorLength ); + + DenyFredSetColor->Header.AceType = ACCESS_DENIED_ACE_TYPE; + DenyFredSetColor->Header.AceSize = DenyFredSetColorLength; + DenyFredSetColor->Header.AceFlags = 0; + + DenyFredSetColor->Mask = SET_WIDGET_COLOR; + + RtlCopySid( + SeLengthSid( FredSid ), + &(DenyFredSetColor->SidStart), + FredSid ); + +// AllowBarneySetSize + + AllowBarneySetSizeLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) + + SeLengthSid( BarneySid )); + + AllowBarneySetSize = (PVOID) TstAllocatePool ( PagedPool, AllowBarneySetSizeLength ); + + AllowBarneySetSize->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; + AllowBarneySetSize->Header.AceSize = AllowBarneySetSizeLength; + AllowBarneySetSize->Header.AceFlags = 0; + + AllowBarneySetSize->Mask = SET_WIDGET_SIZE; + + RtlCopySid( + SeLengthSid( BarneySid ), + &(AllowBarneySetSize->SidStart), + BarneySid ); + +// AllowPebblesSetSize + + AllowPebblesSetSizeLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) + + SeLengthSid( PebblesSid )); + + AllowPebblesSetSize = (PVOID) TstAllocatePool ( PagedPool, AllowPebblesSetSizeLength ); + + AllowPebblesSetSize->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; + AllowPebblesSetSize->Header.AceSize = AllowPebblesSetSizeLength; + AllowPebblesSetSize->Header.AceFlags = 0; + + AllowPebblesSetSize->Mask = SET_WIDGET_SIZE; + + RtlCopySid( + SeLengthSid( PebblesSid ), + &(AllowPebblesSetSize->SidStart), + PebblesSid ); + + +// AllowPebblesGetSize + + AllowPebblesGetSizeLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) + + SeLengthSid( PebblesSid )); + + AllowPebblesGetSize = (PVOID) TstAllocatePool ( PagedPool, AllowPebblesGetSizeLength ); + + AllowPebblesGetSize->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; + AllowPebblesGetSize->Header.AceSize = AllowPebblesGetSizeLength; + AllowPebblesGetSize->Header.AceFlags = 0; + + AllowPebblesGetSize->Mask = SET_WIDGET_SIZE; + + RtlCopySid( + SeLengthSid( PebblesSid ), + &(AllowPebblesGetSize->SidStart), + PebblesSid ); + + +// AllowPebblesGetColor + + AllowPebblesGetColorLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) + + SeLengthSid( PebblesSid )); + + AllowPebblesGetColor = (PVOID) TstAllocatePool ( PagedPool, AllowPebblesGetColorLength ); + + AllowPebblesGetColor->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; + AllowPebblesGetColor->Header.AceSize = AllowPebblesGetColorLength; + AllowPebblesGetColor->Header.AceFlags = 0; + + AllowPebblesGetColor->Mask = SET_WIDGET_COLOR; + + RtlCopySid( + SeLengthSid( PebblesSid ), + &(AllowPebblesGetColor->SidStart), + PebblesSid ); + +// +// Create some ACLs that we can put into a Security Descriptor +// + DbgBreakPoint(); + +// +// Dacl +// +// +----------------+ +----------------+ +----------------+ +// | 1st ACE | | 2nd ACE | | 3rd ACE | +// +----------------+ +----------------+ +----------------+ +// | AccessAllowed | | AccessDenied | | AccessAllowed | +// +----------------+ +----------------+ +----------------+ +// | BARNEY | | PEBBLES | | FRED | +// +----------------+ +----------------+ +----------------+ +// | SetWidgeColor | | SetWidgeColor | | SetWidgeColor | +// +----------------+ +----------------+ +----------------+ +// + + Dacl = (PACL) TstAllocatePool ( PagedPool, 2048 ); + + RtlCreateAcl( Dacl, 2048, ACL_REVISION); + + + RtlAddAce ( Dacl, + ACL_REVISION, + 0, + AllowBarneySetColor, + AllowBarneySetColorLength ); + + RtlAddAce ( Dacl, + ACL_REVISION, + 1, + DenyPebblesSetColor, + DenyPebblesSetColorLength ); + + RtlAddAce ( Dacl, + ACL_REVISION, + 2, + DenyFredSetColor, + AllowFredSetColorLength ); + + DumpAcl (Dacl); + + + + + +// Create a security descriptor +// +// Owner = Pebbles +// Group = Flintstone +// Dacl = Dacl +// Sacl = NULL +// + + Widget1SecurityDescriptor = + (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 ); + + RtlCreateSecurityDescriptor( Widget1SecurityDescriptor, + 1 ); + + + RtlSetOwnerSecurityDescriptor( Widget1SecurityDescriptor, + PebblesSid, + FALSE ); + + RtlSetGroupSecurityDescriptor( Widget1SecurityDescriptor, + FlintstoneSid, + FALSE ); + + RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor, + TRUE, + Dacl, + FALSE ); + + RtlSetSaclSecurityDescriptor( Widget1SecurityDescriptor, + FALSE, + NULL, + NULL ); + +// See if Pebbles is allowed SET_WIDGET_COLOR (should be denied) + + Status = NtAccessCheck( Widget1SecurityDescriptor, + PrimaryToken, + (ACCESS_MASK) SET_WIDGET_COLOR, + &GrantedAccess, + &AccessStatus ); + +// DbgBreakPoint(); + + ASSERT(NT_SUCCESS(Status)); + + ASSERT(!NT_SUCCESS(AccessStatus)); + + ASSERT(GrantedAccess == NULL); + + +// Update Dacl to be the following: +// +// Dacl2 +// +// +----------------+ +----------------+ +----------------+ +// | 1st ACE | | 2nd ACE | | 3rd ACE | +// +----------------+ +----------------+ +----------------+ +// | AccessAllowed | | AccessAllowed | | AccessDenied | +// +----------------+ +----------------+ +----------------+ +// | BARNEY | | PEBBLES | | FRED | +// +----------------+ +----------------+ +----------------+ +// | SetWidgeColor | | SetWidgeColor | | SetWidgeColor | +// +----------------+ +----------------+ +----------------+ +// + +// Delete 2nd Ace + + RtlDeleteAce (Dacl, 1); + + RtlAddAce ( Dacl, + ACL_REVISION, + 1, + AllowPebblesSetColor, + AllowPebblesSetColorLength ); + + RtlDeleteAce ( Dacl, 2 ); + + RtlAddAce ( Dacl, + ACL_REVISION, + 1, + DenyFredSetColor, + DenyFredSetColorLength ); + + + + +// Change the security descriptor to use updated Dacl +// +// Owner = Pebbles +// Group = Flintstone +// Dacl = Dacl2 +// Sacl = NULL +// + + RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor, + TRUE, + Dacl, + FALSE ); + +// See if Pebbles is allowed SET_WIDGET_COLOR (should be permitted) + + Status = NtAccessCheck( Widget1SecurityDescriptor, + PrimaryToken, + (ACCESS_MASK) SET_WIDGET_COLOR, + &GrantedAccess, + &AccessStatus ); + + + ASSERT(NT_SUCCESS(Status)); + + ASSERT(NT_SUCCESS(AccessStatus)); + + ASSERT(GrantedAccess == (ACCESS_MASK)SET_WIDGET_COLOR); + +// +// Dacl3 +// +// +----------------+ +----------------+ +----------------+ +// | 1st ACE | | 2nd ACE | | 3rd ACE | +// +----------------+ +----------------+ +----------------+ +// | AccessAllowed | | AccessAllowed | | AccessDenied | +// +----------------+ +----------------+ +----------------+ +// | BARNEY | | PEBBLES | | FRED | +// +----------------+ +----------------+ +----------------+ +// | SetWidgeColor | | SetWidgeColor | | SetWidgeColor | +// +----------------+ +----------------+ +----------------+ +// +// +----------------+ +----------------+ +// | 4th ACE | | 5th ACE | +// +----------------+ +----------------+ +// | AccessAllowed | | AccessAllowed | +// +----------------+ +----------------+ +// | BARNEY | | PEBBLES | +// +----------------+ +----------------+ +// | SetWidgeSize | | SetWidgeSize | +// +----------------+ +----------------+ +// + + + RtlAddAce ( Dacl, + ACL_REVISION, + MAXULONG, + AllowBarneySetSize, + AllowBarneySetSizeLength ); + + RtlAddAce ( Dacl, + ACL_REVISION, + MAXULONG, + AllowPebblesSetSize, + AllowPebblesSetSizeLength ); + +// Change the security descriptor to use Dacl3 +// +// Owner = Pebbles +// Group = Flintstone +// Dacl = Dacl3 +// Sacl = NULL +// + + RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor, + TRUE, + Dacl, + FALSE ); + +// Request MAXIMUM_ACCESS for Pebbles. Should get back SetWidgetSize +// and SetWidgetColor + + Status = NtAccessCheck( Widget1SecurityDescriptor, + PrimaryToken, + (ACCESS_MASK) MAXIMUM_ALLOWED, + &GrantedAccess, + &AccessStatus ); + + + ASSERT(NT_SUCCESS(Status)); + + ASSERT(NT_SUCCESS(AccessStatus)); + + ASSERT(GrantedAccess == (ACCESS_MASK) (SET_WIDGET_COLOR | SET_WIDGET_SIZE)); + + +// +// Dacl4 +// +// +----------------+ +----------------+ +----------------+ +// | 1st ACE | | 2nd ACE | | 3rd ACE | +// +----------------+ +----------------+ +----------------+ +// | AccessAllowed | | AccessAllowed | | AccessDenied | +// +----------------+ +----------------+ +----------------+ +// | BARNEY | | PEBBLES | | FRED | +// +----------------+ +----------------+ +----------------+ +// | SetWidgeColor | | SetWidgeColor | | SetWidgeColor | +// +----------------+ +----------------+ +----------------+ +// +// +----------------+ +----------------+ +----------------+ +// | 4th ACE | | 5th ACE | | 6th ACE | +// +----------------+ +----------------+ +----------------+ +// | AccessAllowed | | AccessAllowed | | AccessDenied | +// +----------------+ +----------------+ +----------------+ +// | BARNEY | | PEBBLES | | PEBBLES | +// +----------------+ +----------------+ +----------------+ +// | SetWidgeSize | | SetWidgeSize | | SetWidgeColor | +// +----------------+ +----------------+ +----------------+ +// + + RtlAddAce ( Dacl, + ACL_REVISION, + MAXULONG, + DenyPebblesSetColor, + DenyPebblesSetColorLength ); + + RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor, + TRUE, + Dacl, + FALSE ); + +// Request MAXIMUM_ACCESS for Pebbles. Should get back SetWidgetSize +// and SetWidgetColor + + Status = NtAccessCheck( Widget1SecurityDescriptor, + PrimaryToken, + (ACCESS_MASK) MAXIMUM_ALLOWED, + &GrantedAccess, + &AccessStatus ); + + + ASSERT(NT_SUCCESS(Status)); + + ASSERT(NT_SUCCESS(AccessStatus)); + + ASSERT(GrantedAccess == (ACCESS_MASK) (SET_WIDGET_COLOR | SET_WIDGET_SIZE)); + + +// +// Dacl5 +// +// +----------------+ +----------------+ +----------------+ +// | 1st ACE | | 2nd ACE | | 3rd ACE | +// +----------------+ +----------------+ +----------------+ +// | AccessAllowed | | AccessDenied | | AccessDenied | +// +----------------+ +----------------+ +----------------+ +// | BARNEY | | PEBBLES | | FRED | +// +----------------+ +----------------+ +----------------+ +// | SetWidgeColor | | SetWidgeColor | | SetWidgeColor | +// +----------------+ +----------------+ +----------------+ +// +// +----------------+ +----------------+ +----------------+ +// | 4th ACE | | 5th ACE | | 6th ACE | +// +----------------+ +----------------+ +----------------+ +// | AccessAllowed | | AccessAllowed | | AccessAllowed | +// +----------------+ +----------------+ +----------------+ +// | BARNEY | | PEBBLES | | PEBBLES | +// +----------------+ +----------------+ +----------------+ +// | SetWidgeSize | | SetWidgeSize | | SetWidgeColor | +// +----------------+ +----------------+ +----------------+ +// + + RtlDeleteAce (Dacl, 1); + + RtlAddAce ( Dacl, + ACL_REVISION, + 1, + DenyPebblesSetColor, + DenyPebblesSetColorLength ); + + RtlDeleteAce (Dacl, 5); + + RtlAddAce ( Dacl, + ACL_REVISION, + MAXULONG, + AllowPebblesSetColor, + AllowPebblesSetColorLength ); + + + DumpAcl ( Dacl ); + + RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor, + TRUE, + Dacl, + FALSE ); + +// Request MAXIMUM_ACCESS for Pebbles. Should get back SetWidgetSize + + Status = NtAccessCheck( Widget1SecurityDescriptor, + PrimaryToken, + (ACCESS_MASK) MAXIMUM_ALLOWED, + &GrantedAccess, + &AccessStatus ); + + + ASSERT(NT_SUCCESS(Status)); + + ASSERT(NT_SUCCESS(AccessStatus)); + + ASSERT(GrantedAccess == (ACCESS_MASK) SET_WIDGET_SIZE); + + +// +// Dacl6 +// +// +----------------+ +----------------+ +----------------+ +// | 1st ACE | | 2nd ACE | | 3rd ACE | +// +----------------+ +----------------+ +----------------+ +// | AccessAllowed | | AccessDenied | | AccessDenied | +// +----------------+ +----------------+ +----------------+ +// | BARNEY | | PEBBLES | | FRED | +// +----------------+ +----------------+ +----------------+ +// | SetWidgeColor | | SetWidgeColor | | SetWidgeColor | +// +----------------+ +----------------+ +----------------+ +// +// +----------------+ +----------------+ +----------------+ +// | 4th ACE | | 5th ACE | | 6th ACE | +// +----------------+ +----------------+ +----------------+ +// | AccessAllowed | | AccessAllowed | | AccessAllowed | +// +----------------+ +----------------+ +----------------+ +// | BARNEY | | PEBBLES | | PEBBLES | +// +----------------+ +----------------+ +----------------+ +// | SetWidgeSize | | SetWidgeSize | | SetWidgeColor | +// +----------------+ +----------------+ +----------------+ +// +// +----------------+ +----------------+ +// | 7th ACE | | 8th ACE | +// +----------------+ +----------------+ +// | AccessAllowed | | AccessAllowed | +// +----------------+ +----------------+ +// | PEBBLES | | PEBBLES | +// +----------------+ +----------------+ +// | GetWidgeSize | | GetWidgeColor | +// +----------------+ +----------------+ +// + + RtlAddAce ( Dacl, + ACL_REVISION, + MAXULONG, + AllowPebblesGetSize, + AllowPebblesGetSizeLength ); + + RtlAddAce ( Dacl, + ACL_REVISION, + MAXULONG, + AllowPebblesGetColor, + AllowPebblesGetColorLength ); + + DumpAcl ( Dacl ); + + RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor, + TRUE, + Dacl, + FALSE ); + +// Request MAXIMUM_ACCESS for Pebbles. Should get back SetWidgetSize + + Status = NtAccessCheck( Widget1SecurityDescriptor, + PrimaryToken, + (ACCESS_MASK) MAXIMUM_ALLOWED, + &GrantedAccess, + &AccessStatus ); + + + ASSERT(NT_SUCCESS(Status)); + + ASSERT(NT_SUCCESS(AccessStatus)); + + ASSERT(GrantedAccess == (ACCESS_MASK) SET_WIDGET_SIZE); + + + + return(TRUE); + + +} + + +///////////////////////////////////////////////////////////////////// +// // +// // +// Main test entry point // +// // +// // +///////////////////////////////////////////////////////////////////// + + +BOOLEAN +CTAccess() +{ + + BOOLEAN Result = TRUE; + + if (!TSeVariableInitialization()) { + DbgPrint("Se: Failed to initialize global test variables.\n"); + return FALSE; + } + + DbgPrint("Se: Initialization..."); + TestTokenInitialize(); + CreateDAclToken(); + +} + + +// +// Debug support routine +// + + +typedef struct _STANDARD_ACE { + ACE_HEADER Header; + ACCESS_MASK Mask; + PSID Sid; +} STANDARD_ACE; +typedef STANDARD_ACE *PSTANDARD_ACE; + + + +VOID +DumpAcl ( + IN PACL Acl + ) + +/*++ + +Routine Description: + + This routine dumps via (DbgPrint) an Acl for debug purposes. It is + specialized to dump standard aces. + +Arguments: + + Acl - Supplies the Acl to dump + +Return Value: + + None + +--*/ + + +{ + ULONG i; + PSTANDARD_ACE Ace; + + DbgPrint("DumpAcl @ %8lx", Acl); + + // + // Check if the Acl is null + // + + if (Acl == NULL) { + + return; + + } + + // + // Dump the Acl header + // + + DbgPrint(" Revision: %02x", Acl->AclRevision); + DbgPrint(" Size: %04x", Acl->AclSize); + DbgPrint(" AceCount: %04x\n", Acl->AceCount); + + // + // Now for each Ace we want do dump it + // + + for (i = 0, Ace = FirstAce(Acl); + i < Acl->AceCount; + i++, Ace = NextAce(Ace) ) { + + // + // print out the ace header + // + + DbgPrint(" AceHeader: %08lx ", *(PULONG)Ace); + + // + // special case on the standard ace types + // + + if ((Ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) || + (Ace->Header.AceType == ACCESS_DENIED_ACE_TYPE) || + (Ace->Header.AceType == SYSTEM_AUDIT_ACE_TYPE) || + (Ace->Header.AceType == SYSTEM_ALARM_ACE_TYPE)) { + + // + // The following array is indexed by ace types and must + // follow the allowed, denied, audit, alarm seqeuence + // + + static PCHAR AceTypes[] = { "Access Allowed", + "Access Denied ", + "System Audit ", + "System Alarm " + }; + + DbgPrint(AceTypes[Ace->Header.AceType]); + DbgPrint("\nAccess Mask: %08lx ", Ace->Mask); + + } else { + + DbgPrint("Unknown Ace Type\n"); + + } + + DbgPrint("\n"); + + DbgPrint("AceSize = %d\n",Ace->Header.AceSize); + DbgPrint("Ace Flags = "); + if (Ace->Header.AceFlags & OBJECT_INHERIT_ACE) { + DbgPrint("OBJECT_INHERIT_ACE\n"); + DbgPrint(" "); + } + if (Ace->Header.AceFlags & CONTAINER_INHERIT_ACE) { + DbgPrint("CONTAINER_INHERIT_ACE\n"); + DbgPrint(" "); + } + + if (Ace->Header.AceFlags & NO_PROPAGATE_INHERIT_ACE) { + DbgPrint("NO_PROPAGATE_INHERIT_ACE\n"); + DbgPrint(" "); + } + + if (Ace->Header.AceFlags & INHERIT_ONLY_ACE) { + DbgPrint("INHERIT_ONLY_ACE\n"); + DbgPrint(" "); + } + + + if (Ace->Header.AceFlags & SUCCESSFUL_ACCESS_ACE_FLAG) { + DbgPrint("SUCCESSFUL_ACCESS_ACE_FLAG\n"); + DbgPrint(" "); + } + + if (Ace->Header.AceFlags & FAILED_ACCESS_ACE_FLAG) { + DbgPrint("FAILED_ACCESS_ACE_FLAG\n"); + DbgPrint(" "); + } + + DbgPrint("\n"); + + + } + +} -- cgit v1.2.3