/*++ Copyright (c) 1989 Microsoft Corporation Module Name: ctsertl.c Abstract: Common security RTL test routines. These routines are used in both the kernel and user mode RTL tests. Author: Jim Kelly (JimK) 23-Mar-1990 Environment: Test of security. Revision History: --*/ #include "tsecomm.c" //////////////////////////////////////////////////////////////// // // // Test routines // // // //////////////////////////////////////////////////////////////// BOOLEAN TestSeSid() { #define TARGET_SID_ARRAY_LENGTH 1024 typedef struct _TALT_SID1 { ULONG Value[3]; } TALT_SID1; typedef TALT_SID1 *PTALT_SID1; NTSTATUS Status; PVOID Ignore; PSID TFredSid; PSID TBarneySid; PSID TWilmaSid; PSID TWilmaSubSid; PSID TNoSubSid; PSID TTempSid; PSID_AND_ATTRIBUTES SourceArray; PSID_AND_ATTRIBUTES TargetArray; ULONG TargetLength; ULONG OriginalTargetLength; ULONG NormalGroupAttributes; ULONG OwnerGroupAttributes; // Temporary Hack ... NormalGroupAttributes = 7; OwnerGroupAttributes = 15; // End Temporary Hack... TFredSid = (PSID)TstAllocatePool( PagedPool, 256 ); TBarneySid = (PSID)TstAllocatePool( PagedPool, 256 ); TWilmaSid = (PSID)TstAllocatePool( PagedPool, 256 ); TWilmaSubSid = (PSID)TstAllocatePool( PagedPool, 256 ); TNoSubSid = (PSID)TstAllocatePool( PagedPool, 256 ); TTempSid = (PSID)TstAllocatePool( PagedPool, 256 ); // // Valid SID structure test // if (!RtlValidSid( TFredSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, TFredSid\n"); return FALSE; } if (!RtlValidSid( TBarneySid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, TBarneySid\n"); return FALSE; } if (!RtlValidSid( TWilmaSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, TWilmaSid\n"); return FALSE; } if (!RtlValidSid( TWilmaSubSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, TWilmaSubSid\n"); return FALSE; } if (!RtlValidSid( TNoSubSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, TNoSubSid\n"); return FALSE; } // // Equal SIDs Test // if (RtlEqualSid( TFredSid, TBarneySid )) { DbgPrint("*Se** Failure: RtlEqualSid, TFredSid - TBarneySid\n"); DbgPrint("**** Failed **** \n"); return FALSE; } if (!RtlEqualSid( TFredSid, TFredSid )) { DbgPrint("*Se** Failure: RtlEqualSid, TFredSid - TFredSid\n"); return FALSE; } if (RtlEqualSid( TWilmaSid, TWilmaSubSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlEqualSid, TWilmaSid - TWilmaSubSid\n"); return FALSE; } if (RtlEqualSid( TWilmaSid, TNoSubSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlEqualSid, TWilmaSid - TNoSubSid\n"); return FALSE; } // // Length Required test // if (RtlLengthRequiredSid( 0 ) != 8) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlLengthRequiredSid, 0 SubAuthorities\n"); return FALSE; } if (RtlLengthRequiredSid( 1 ) != 12) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlLengthRequiredSid, 1 SubAuthorities\n"); return FALSE; } if (RtlLengthRequiredSid( 2 ) != 16) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlLengthRequiredSid, 2 SubAuthorities\n"); return FALSE; } // // Length of SID test // if (SeLengthSid( TNoSubSid ) != 8) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: SeLengthSid, TNoSubSid\n"); return FALSE; } if (SeLengthSid( TFredSid ) != 12) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: SeLengthSid, TFredSid\n"); return FALSE; } if (SeLengthSid( TWilmaSubSid ) != 16) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: SeLengthSid, TWilmaSubSid\n"); return FALSE; } // // Copy SID Test // if (NT_SUCCESS(RtlCopySid( 7, TTempSid, TNoSubSid ))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlCopySid, insufficient TNoSubSid\n"); return FALSE; } if (!NT_SUCCESS(RtlCopySid( 256, TTempSid, TNoSubSid ))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlCopySid, TNoSubSid\n"); return FALSE; } if (!RtlEqualSid( TTempSid, TNoSubSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlCopySid compare, TNoSubSid\n"); return FALSE; } if (NT_SUCCESS(RtlCopySid( 11, TTempSid, TBarneySid ))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlCopySid, insufficient TBarneySid\n"); return FALSE; } if (!NT_SUCCESS(RtlCopySid( 256, TTempSid, TBarneySid ))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlCopySid, TBarneySid\n"); return FALSE; } if (!RtlEqualSid( TTempSid, TBarneySid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlCopySid compare, TBarneySid\n"); return FALSE; } if (NT_SUCCESS(RtlCopySid( 15, TTempSid, TWilmaSubSid ))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlCopySid, insufficient TWilmaSubSid\n"); return FALSE; } if (!NT_SUCCESS(RtlCopySid( 256, TTempSid, TWilmaSubSid ))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlCopySid, TNoSubSid\n"); return FALSE; } if (!RtlEqualSid( TTempSid, TWilmaSubSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlCopySid compare, TWilmaSubSid\n"); return FALSE; } // // Validate all the tsevars SIDs // // // Bedrock SIDs // if (!RtlValidSid( BedrockDomainSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, BedrockDomainSid\n"); return FALSE; } if (!RtlValidSid( FredSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, FredSid\n"); return FALSE; } if (!RtlValidSid( WilmaSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, WilmaSid\n"); return FALSE; } if (!RtlValidSid( PebblesSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, PebblesSid\n"); return FALSE; } if (!RtlValidSid( DinoSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, DinoSid\n"); return FALSE; } if (!RtlValidSid( BarneySid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, BarneySid\n"); return FALSE; } if (!RtlValidSid( BettySid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, BettySid\n"); return FALSE; } if (!RtlValidSid( BambamSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, BambamSid\n"); return FALSE; } if (!RtlValidSid( FlintstoneSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, FlintstoneSid\n"); return FALSE; } if (!RtlValidSid( RubbleSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, RubbleSid\n"); return FALSE; } if (!RtlValidSid( AdultSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, AdultSid\n"); return FALSE; } if (!RtlValidSid( ChildSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, ChildSid\n"); return FALSE; } if (!RtlValidSid( NeandertholSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, NeandertholSid\n"); return FALSE; } // // Well known SIDs // if (!RtlValidSid( NullSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, NullSid\n"); return FALSE; } if (!RtlValidSid( WorldSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, WorldSid\n"); return FALSE; } if (!RtlValidSid( LocalSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, CreatorSid\n"); return FALSE; } if (!RtlValidSid( NtAuthoritySid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, NtAuthoritySid\n"); return FALSE; } if (!RtlValidSid( DialupSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, DialupSid\n"); return FALSE; } if (!RtlValidSid( NetworkSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, NetworkSid\n"); return FALSE; } if (!RtlValidSid( BatchSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, BatchSid\n"); return FALSE; } if (!RtlValidSid( InteractiveSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, InteractiveSid\n"); return FALSE; } if (!RtlValidSid( LocalManagerSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, LocalManagerSid\n"); return FALSE; } if (!RtlValidSid( LocalGuestSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, LocalGuestSid\n"); return FALSE; } if (!RtlValidSid( LocalSystemSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, LocalSystemSid\n"); return FALSE; } if (!RtlValidSid( LocalAdminSid )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSid, LocalAdminSid\n"); return FALSE; } // // Test SidAndAttributesArray copy routine // SourceArray = (PSID_AND_ATTRIBUTES)TstAllocatePool( PagedPool, 100 ); TargetArray = (PSID_AND_ATTRIBUTES)TstAllocatePool( PagedPool, TARGET_SID_ARRAY_LENGTH ); TargetLength = TARGET_SID_ARRAY_LENGTH - (5 * sizeof(PSID_AND_ATTRIBUTES)); OriginalTargetLength = TargetLength; SourceArray[0].Sid = &PebblesSid; SourceArray[0].Attributes = 0; SourceArray[1].Sid = &FlintstoneSid; SourceArray[1].Attributes = OwnerGroupAttributes; SourceArray[2].Sid = &ChildSid; SourceArray[2].Attributes = NormalGroupAttributes; SourceArray[3].Sid = &NeandertholSid; SourceArray[3].Attributes = NormalGroupAttributes; SourceArray[4].Sid = &WorldSid; SourceArray[4].Attributes = NormalGroupAttributes; Status = RtlCopySidAndAttributesArray( 0, SourceArray, TargetLength, TargetArray, &(TargetArray[5]), &(PSID)Ignore, &TargetLength ); if (!NT_SUCCESS(Status) || TargetLength != OriginalTargetLength ) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtLCopySidAndAttributesArray, Zero length.\n"); return FALSE; } Status = RtlCopySidAndAttributesArray( 1, SourceArray, 1, // too short buffer TargetArray, &(TargetArray[1]), &(PSID)Ignore, &TargetLength ); if (NT_SUCCESS(Status)) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtLCopySidAndAttributesArray,\n"); DbgPrint("*Se** Buffer Too Short Test.\n"); return FALSE; } TargetLength = TARGET_SID_ARRAY_LENGTH - (5 * sizeof(PSID_AND_ATTRIBUTES)); OriginalTargetLength = TargetLength; Status = RtlCopySidAndAttributesArray( 5, SourceArray, TargetLength, TargetArray, &(TargetArray[5]), &(PSID)Ignore, &TargetLength ); if (!NT_SUCCESS(Status) || !RtlEqualSid( SourceArray[0].Sid, TargetArray[0].Sid ) || !RtlEqualSid( SourceArray[1].Sid, TargetArray[1].Sid ) || !RtlEqualSid( SourceArray[2].Sid, TargetArray[2].Sid ) || !RtlEqualSid( SourceArray[3].Sid, TargetArray[3].Sid ) || !RtlEqualSid( SourceArray[4].Sid, TargetArray[4].Sid ) || ( SourceArray[0].Attributes != TargetArray[0].Attributes ) || ( SourceArray[1].Attributes != TargetArray[1].Attributes ) || ( SourceArray[2].Attributes != TargetArray[2].Attributes ) || ( SourceArray[3].Attributes != TargetArray[3].Attributes ) || ( SourceArray[4].Attributes != TargetArray[4].Attributes ) ) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtLCopySidAndAttributesArray,\n"); DbgPrint("*Se** Valid copy of 5 SIDs test.\n"); return FALSE; } return TRUE; } BOOLEAN TestSeSecurityDescriptor() { NTSTATUS Status; PSECURITY_DESCRIPTOR TFredDescriptor; PSECURITY_DESCRIPTOR TBarneyDescriptor; PSECURITY_DESCRIPTOR TWilmaDescriptor; PSECURITY_DESCRIPTOR TTempDescriptor; SECURITY_DESCRIPTOR_CONTROL Control; ULONG Revision; PACL TDacl; BOOLEAN TDaclPresent; BOOLEAN TDaclDefaulted; PACL TSacl; BOOLEAN TSaclPresent; BOOLEAN TSaclDefaulted; PSID TOwner; BOOLEAN TOwnerDefaulted; PSID TGroup; BOOLEAN TGroupDefaulted; PSID TFredSid; PSID TBarneySid; PSID TWilmaSid; PSID TWilmaSubSid; PSID TNoSubSid; PSID TTempSid; TFredDescriptor = (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 ); TBarneyDescriptor = (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 ); TWilmaDescriptor = (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 ); TTempDescriptor = (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 ); TFredSid = (PSID)TstAllocatePool( PagedPool, 256 ); TBarneySid = (PSID)TstAllocatePool( PagedPool, 256 ); TWilmaSid = (PSID)TstAllocatePool( PagedPool, 256 ); TWilmaSubSid = (PSID)TstAllocatePool( PagedPool, 256 ); TNoSubSid = (PSID)TstAllocatePool( PagedPool, 256 ); TTempSid = (PSID)TstAllocatePool( PagedPool, 256 ); // // Build an ACL or two for use. TDacl = (PACL)TstAllocatePool( PagedPool, 256 ); TSacl = (PACL)TstAllocatePool( PagedPool, 256 ); TDacl->AclRevision=TSacl->AclRevision=ACL_REVISION; TDacl->Sbz1=TSacl->Sbz1=0; TDacl->Sbz2=TSacl->Sbz2=0; TDacl->AclSize=256; TSacl->AclSize=8; TDacl->AceCount=TSacl->AceCount=0; // // Create Security Descriptor test // if (NT_SUCCESS(RtlCreateSecurityDescriptor( TTempDescriptor, 0 ))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlCreateSecurityDescriptor, Rev=0\n"); return FALSE; } if (NT_SUCCESS(RtlCreateSecurityDescriptor( TTempDescriptor, 2 ))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlCreateSecurityDescriptor, Rev=2\n"); return FALSE; } if (!NT_SUCCESS(RtlCreateSecurityDescriptor( TTempDescriptor, 1 ))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlCreateSecurityDescriptor, Rev=1\n"); return FALSE; } #ifdef NOT_YET_DEBUGGED // // Make sure fields have been set properly // if (!NT_SUCCESS(RtlGetControlSecurityDescriptor( TTempDescriptor, &Control, &Revision))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlGetControlSecurityDescriptor\n"); DbgPrint("*Se** Call failed. Status = 0x%lx\n", Status); return FALSE; } if ( (Control != 0) || (Revision != 1) ) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlGetControlSecurityDescriptor\n"); DbgPrint("*Se** Bad Control or Revision value. \n"); DbgPrint("*Se** Status = 0x%lx\n", Status); DbgPrint("*Se** Returned Revision = 0x%lx\n",Revision ); DbgPrint("*Se** Returned Control = 0x%lx\n", (ULONG)Control); return FALSE; } #else DBG_UNREFERENCED_LOCAL_VARIABLE( Status ); DBG_UNREFERENCED_LOCAL_VARIABLE( Revision ); DBG_UNREFERENCED_LOCAL_VARIABLE( Control ); #endif //NOT_YET_DEFINED if (!NT_SUCCESS(RtlGetDaclSecurityDescriptor( TTempDescriptor, &TDaclPresent, &TDacl, &TDaclDefaulted))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlGetDaclSecurityDescriptor, Empty\n"); return FALSE; } if (TDaclPresent) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlGetDaclSecurityDescriptor, Empty-TDaclPresent\n"); return FALSE; } if (!NT_SUCCESS(RtlGetSaclSecurityDescriptor( TTempDescriptor, &TSaclPresent, &TSacl, &TSaclDefaulted))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlGetSaclSecurityDescriptor, Empty\n"); return FALSE; } if (TSaclPresent) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlGetSaclSecurityDescriptor, Empty-TSaclPresent\n"); return FALSE; } if (!NT_SUCCESS(RtlGetOwnerSecurityDescriptor( TTempDescriptor, &TOwner, &TOwnerDefaulted))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlGetOwnerSecurityDescriptor, Empty\n"); return FALSE; } if (TOwner != NULL) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlGetOwnerSecurityDescriptor, Empty-TOwner\n"); return FALSE; } if (!NT_SUCCESS(RtlGetGroupSecurityDescriptor( TTempDescriptor, &TGroup, &TGroupDefaulted))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlGetGroupSecurityDescriptor, Empty\n"); return FALSE; } if (TGroup != NULL) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlGetGroupSecurityDescriptor, Empty-TGroup\n"); return FALSE; } // // Valid Security Descriptor test // ((SECURITY_DESCRIPTOR *)TTempDescriptor)->Revision=0; if (RtlValidSecurityDescriptor( TTempDescriptor )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSecurityDescriptor, Rev=0\n"); return FALSE; } ((SECURITY_DESCRIPTOR *)TTempDescriptor)->Revision=1; if (!RtlValidSecurityDescriptor( TTempDescriptor )) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlValidSecurityDescriptor, Empty\n"); return FALSE; } // // Length test // if (RtlLengthSecurityDescriptor( TTempDescriptor ) != 20) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlLengthSecurityDescriptor, Empty\n"); return FALSE; } // // Add in an owner // if (!NT_SUCCESS(RtlSetOwnerSecurityDescriptor( TTempDescriptor, TWilmaSid, FALSE ))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlSetOwnerSecurityDescriptor, TWilmaSid\n"); return FALSE; } if (RtlLengthSecurityDescriptor( TTempDescriptor ) != 32) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlLengthSecurityDescriptor, Wilma Owner\n"); return FALSE; } // // Add in a Dacl // if (!NT_SUCCESS(RtlSetDaclSecurityDescriptor( TTempDescriptor, TRUE, TDacl, FALSE ))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlSetDaclSecurityDescriptor, TDacl\n"); return FALSE; } if (RtlLengthSecurityDescriptor( TTempDescriptor ) != 40) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlLengthSecurityDescriptor, TDacl Dacl\n"); return FALSE; } // // Add in a Sacl // if (!NT_SUCCESS(RtlSetSaclSecurityDescriptor( TTempDescriptor, TRUE, TSacl, FALSE ))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlSetSaclSecurityDescriptor, TSacl\n"); return FALSE; } if (RtlLengthSecurityDescriptor( TTempDescriptor ) != 48) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlLengthSecurityDescriptor, TSacl Sacl\n"); return FALSE; } // // Add in a Group (with 2 sub-authorities) // if (!NT_SUCCESS(RtlSetGroupSecurityDescriptor( TTempDescriptor, TWilmaSubSid, FALSE ))) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlSetGroupSecurityDescriptor, TWilmaSubSid\n"); return FALSE; } if (RtlLengthSecurityDescriptor( TTempDescriptor ) != 64) { DbgPrint("**** Failed **** \n"); DbgPrint("*Se** Failure: RtlLengthSecurityDescriptor, WilmaSub Group\n"); return FALSE; } return TRUE; } BOOLEAN TestSeAccessMask() { return TRUE; } VOID DumpAclSizeInfo(PACL_SIZE_INFORMATION AclSizeInfo) { DbgPrint("\n"); DbgPrint("Acl size info:\n"); DbgPrint("AceCount = %d\n",AclSizeInfo->AceCount); DbgPrint("AclBytesInUse = %d\n",AclSizeInfo->AclBytesInUse); DbgPrint("AclBytesFree = %d\n",AclSizeInfo->AclBytesFree); return; } #define NUM_ACE 6 typedef struct _SIMPLE_ACE { ACE_HEADER Header; ACCESS_MASK Mask; SID Sid; } SIMPLE_ACE, *PSIMPLE_ACE; BOOLEAN TestSeAclRtl() { PACL TDacl; NTSTATUS Status; ACL_REVISION_INFORMATION AclInformation; ACL_REVISION_INFORMATION AclInformationOut; ACL_SIZE_INFORMATION AclSizeInfo; PVOID AceList; PVOID Ace; ULONG AceSize; // // Define the Dead domain // // Dead Domain S-1-54399-23-18-02 // Bobby S-1-54399-23-18-02-2 // Jerry S-1-54399-23-18-02-3 // Phil S-1-54399-23-18-02-4 // Kreutzman S-1-54399-23-18-02-5 // Brent S-1-54399-23-18-02-6 // Micky S-1-54399-23-18-02-7 // #define DEAD_AUTHORITY {0,0,0,0,212,127} #define DEAD_SUBAUTHORITY_0 0x00000017L #define DEAD_SUBAUTHORITY_1 0x00000012L #define DEAD_SUBAUTHORITY_2 0x00000002L #define BOBBY_RID 0x00000002 #define JERRY_RID 0x00000003 #define PHIL_RID 0x00000004 #define KREUTZMAN_RID 0x00000005 #define BRENT_RID 0x00000006 #define MICKY_RID 0x00000007 PSID DeadDomainSid; PSID BobbySid; PSID JerrySid; PSID PhilSid; PSID KreutzmanSid; PSID BrentSid; PSID MickySid; ULONG SidWithZeroSubAuthorities; ULONG SidWithOneSubAuthority; ULONG SidWithThreeSubAuthorities; ULONG SidWithFourSubAuthorities; SID_IDENTIFIER_AUTHORITY DeadAuthority = DEAD_AUTHORITY; // // The following SID sizes need to be allocated // SidWithZeroSubAuthorities = RtlLengthRequiredSid( 0 ); SidWithOneSubAuthority = RtlLengthRequiredSid( 1 ); SidWithThreeSubAuthorities = RtlLengthRequiredSid( 3 ); SidWithFourSubAuthorities = RtlLengthRequiredSid( 4 ); DeadDomainSid = (PSID)TstAllocatePool(PagedPool,SidWithThreeSubAuthorities); BobbySid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities); JerrySid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities); PhilSid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities); KreutzmanSid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities); BrentSid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities); MickySid = (PSID)TstAllocatePool(PagedPool,SidWithFourSubAuthorities); RtlInitializeSid( DeadDomainSid, &DeadAuthority, 3 ); *(RtlSubAuthoritySid( DeadDomainSid, 0)) = DEAD_SUBAUTHORITY_0; *(RtlSubAuthoritySid( DeadDomainSid, 1)) = DEAD_SUBAUTHORITY_1; *(RtlSubAuthoritySid( DeadDomainSid, 2)) = DEAD_SUBAUTHORITY_2; RtlCopySid( SidWithFourSubAuthorities, BobbySid, DeadDomainSid); *(RtlSubAuthorityCountSid( BobbySid )) += 1; *(RtlSubAuthoritySid( BobbySid, 3)) = BOBBY_RID; RtlCopySid( SidWithFourSubAuthorities, JerrySid, DeadDomainSid); *(RtlSubAuthorityCountSid( JerrySid )) += 1; *(RtlSubAuthoritySid( JerrySid, 3)) = JERRY_RID; RtlCopySid( SidWithFourSubAuthorities, PhilSid, DeadDomainSid); *(RtlSubAuthorityCountSid( PhilSid )) += 1; *(RtlSubAuthoritySid( PhilSid, 3)) = PHIL_RID; RtlCopySid( SidWithFourSubAuthorities, KreutzmanSid, DeadDomainSid); *(RtlSubAuthorityCountSid( KreutzmanSid )) += 1; *(RtlSubAuthoritySid( KreutzmanSid, 3)) = KREUTZMAN_RID; RtlCopySid( SidWithFourSubAuthorities, BrentSid, DeadDomainSid); *(RtlSubAuthorityCountSid( BrentSid )) += 1; *(RtlSubAuthoritySid( BrentSid, 3)) = BRENT_RID; RtlCopySid( SidWithFourSubAuthorities, MickySid, DeadDomainSid); *(RtlSubAuthorityCountSid( MickySid )) += 1; *(RtlSubAuthoritySid( MickySid, 3)) = MICKY_RID; TDacl = (PACL)TstAllocatePool( PagedPool, 256 ); //DbgBreakPoint(); if (!NT_SUCCESS(Status = RtlCreateAcl( TDacl, 256, ACL_REVISION ))) { DbgPrint("**** Failed **** \n"); DbgPrint("RtlCreateAcl returned %X \n",Status); return(FALSE); } //DbgBreakPoint(); if (!NT_SUCCESS( Status = RtlValidAcl( TDacl ) )) { DbgPrint("**** Failed **** \n"); DbgPrint("RtlValidAcl returned %X \n",Status); return(FALSE); } //DbgBreakPoint(); AclInformation.AclRevision = ACL_REVISION; if (!NT_SUCCESS( Status = RtlSetInformationAcl( TDacl, &AclInformation, sizeof(AclInformation), AclRevisionInformation ) )) { DbgPrint("**** Failed **** \n"); DbgPrint("RtlSetInformation returned %X \n",Status); return(FALSE); } if (!NT_SUCCESS( Status = RtlQueryInformationAcl( TDacl, (PVOID)&AclInformationOut, sizeof(AclInformationOut), AclRevisionInformation ) )) { DbgPrint("**** Failed **** \n"); DbgPrint("RtlQueryInformation returned %X during revision query \n",Status); return(FALSE); } if (AclInformationOut.AclRevision != ACL_REVISION) { DbgPrint("**** Failed **** \n"); DbgPrint("RtlQueryInformation returned incorrect revision \n"); return(FALSE); } if (!NT_SUCCESS( Status = RtlQueryInformationAcl( TDacl, (PVOID)&AclSizeInfo, sizeof(AclSizeInfo), AclSizeInformation ) )) { DbgPrint("**** Failed **** \n"); DbgPrint("RtlQueryInformation returned %X during size query \n",Status); return(FALSE); } // DumpAclSizeInfo(&AclSizeInfo); AceSize = 6 * SidWithFourSubAuthorities + 1 * SidWithThreeSubAuthorities + 7 * (sizeof( ACE_HEADER ) + sizeof( ACCESS_MASK )); AceList = (PVOID)TstAllocatePool(PagedPool, AceSize); Ace = AceList; ((PSIMPLE_ACE)Ace)->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; ((PSIMPLE_ACE)Ace)->Header.AceSize = (USHORT)SidWithThreeSubAuthorities + (USHORT)sizeof(ACE_HEADER) + (USHORT)sizeof( ACCESS_MASK ); ((PSIMPLE_ACE)Ace)->Header.AceFlags = OBJECT_INHERIT_ACE; ((PSIMPLE_ACE)Ace)->Mask = DELETE; RtlCopySid(SidWithThreeSubAuthorities,&((PSIMPLE_ACE)Ace)->Sid,DeadDomainSid); (ULONG)Ace += ((PSIMPLE_ACE)Ace)->Header.AceSize; ((PSIMPLE_ACE)Ace)->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; ((PSIMPLE_ACE)Ace)->Header.AceSize = (USHORT)SidWithFourSubAuthorities + (USHORT)sizeof(ACE_HEADER) + (USHORT)sizeof( ACCESS_MASK ); ((PSIMPLE_ACE)Ace)->Header.AceFlags = OBJECT_INHERIT_ACE; ((PSIMPLE_ACE)Ace)->Mask = DELETE; RtlCopySid(SidWithFourSubAuthorities,&((PSIMPLE_ACE)Ace)->Sid,BobbySid); (ULONG)Ace += ((PSIMPLE_ACE)Ace)->Header.AceSize; ((PSIMPLE_ACE)Ace)->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; ((PSIMPLE_ACE)Ace)->Header.AceSize = (USHORT)SidWithFourSubAuthorities + (USHORT)sizeof(ACE_HEADER) + (USHORT)sizeof( ACCESS_MASK ); ((PSIMPLE_ACE)Ace)->Header.AceFlags = OBJECT_INHERIT_ACE; ((PSIMPLE_ACE)Ace)->Mask = DELETE; RtlCopySid(SidWithFourSubAuthorities,&((PSIMPLE_ACE)Ace)->Sid,JerrySid); (ULONG)Ace += ((PSIMPLE_ACE)Ace)->Header.AceSize; ((PSIMPLE_ACE)Ace)->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; ((PSIMPLE_ACE)Ace)->Header.AceSize = (USHORT)SidWithFourSubAuthorities + (USHORT)sizeof(ACE_HEADER) + (USHORT)sizeof( ACCESS_MASK ); ((PSIMPLE_ACE)Ace)->Header.AceFlags = OBJECT_INHERIT_ACE; ((PSIMPLE_ACE)Ace)->Mask = DELETE; RtlCopySid(SidWithFourSubAuthorities,&((PSIMPLE_ACE)Ace)->Sid,PhilSid); (ULONG)Ace += ((PSIMPLE_ACE)Ace)->Header.AceSize; ((PSIMPLE_ACE)Ace)->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; ((PSIMPLE_ACE)Ace)->Header.AceSize = (USHORT)SidWithFourSubAuthorities + (USHORT)sizeof(ACE_HEADER) + (USHORT)sizeof( ACCESS_MASK ); ((PSIMPLE_ACE)Ace)->Header.AceFlags = OBJECT_INHERIT_ACE; ((PSIMPLE_ACE)Ace)->Mask = DELETE; RtlCopySid(SidWithFourSubAuthorities,&((PSIMPLE_ACE)Ace)->Sid,KreutzmanSid); (ULONG)Ace += ((PSIMPLE_ACE)Ace)->Header.AceSize; ((PSIMPLE_ACE)Ace)->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; ((PSIMPLE_ACE)Ace)->Header.AceSize = (USHORT)SidWithFourSubAuthorities + (USHORT)sizeof(ACE_HEADER) + (USHORT)sizeof( ACCESS_MASK ); ((PSIMPLE_ACE)Ace)->Header.AceFlags = OBJECT_INHERIT_ACE; ((PSIMPLE_ACE)Ace)->Mask = DELETE; RtlCopySid(SidWithFourSubAuthorities,&((PSIMPLE_ACE)Ace)->Sid,BrentSid); (ULONG)Ace += ((PSIMPLE_ACE)Ace)->Header.AceSize; ((PSIMPLE_ACE)Ace)->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; ((PSIMPLE_ACE)Ace)->Header.AceSize = (USHORT)SidWithFourSubAuthorities + (USHORT)sizeof(ACE_HEADER) + (USHORT)sizeof( ACCESS_MASK ); ((PSIMPLE_ACE)Ace)->Header.AceFlags = OBJECT_INHERIT_ACE; ((PSIMPLE_ACE)Ace)->Mask = DELETE; RtlCopySid(SidWithFourSubAuthorities,&((PSIMPLE_ACE)Ace)->Sid,MickySid); //DbgBreakPoint(); RtlAddAce(TDacl, ACL_REVISION, 0, AceList, AceSize); if (!NT_SUCCESS( Status = RtlQueryInformationAcl( TDacl, (PVOID)&AclSizeInfo, sizeof(AclSizeInfo), AclSizeInformation ) )) { DbgPrint("**** Failed **** \n"); DbgPrint("RtlQueryInformation returned %X during size query \n",Status); return(FALSE); } #if 0 RtlDumpAcl(TDacl); #endif RtlGetAce( TDacl, 5, &Ace ); if ( !RtlEqualSid( &((PSIMPLE_ACE)Ace)->Sid, BrentSid) ) { DbgPrint("\n **** Failed **** \n"); DbgPrint("RtlGetAce returned wrong Ace\n"); return(FALSE); } if (!NT_SUCCESS(RtlDeleteAce (TDacl, 5))) { DbgPrint("\n **** Failed **** \n"); DbgPrint("RtlDeleteAce failed\n"); return(FALSE); } #if 0 RtlDumpAcl(TDacl); #endif return(TRUE); } BOOLEAN TestSeRtl() { BOOLEAN Result = TRUE; DbgPrint("Se: Global Variable Initialization... "); if (TSeVariableInitialization()) { DbgPrint("Succeeded.\n"); } else { Result = FALSE; } DbgPrint("Se: SID test... "); if (TestSeSid()) { DbgPrint("Succeeded.\n"); } else { Result = FALSE; } DbgPrint("Se: SECURITY_DESCRIPTOR test... "); if (TestSeSecurityDescriptor()) { DbgPrint("Succeeded.\n"); } else { Result = FALSE; } DbgPrint("Se: ACCESS_MASK test... "); if (TestSeAccessMask()) { DbgPrint("Succeeded.\n"); } else { Result = FALSE; } DbgPrint("Se: ACL test... "); if (TestSeAclRtl()) { DbgPrint("Succeeded.\n"); } else { Result = FALSE; } DbgPrint("\n"); DbgPrint("\n"); DbgPrint(" ********************\n"); DbgPrint(" ** **\n"); if (Result = TRUE) { DbgPrint(" ** Test Succeeded **\n"); } else { DbgPrint(" ** Test Failed **\n"); } DbgPrint(" ** **\n"); DbgPrint(" ********************\n"); DbgPrint("\n"); DbgPrint("\n"); return Result; }