test: ctaccess.c Source File

00001 /*++ 00002 00003 Copyright (c) 1989 Microsoft Corporation 00004 00005 Module Name: 00006 00007 ctaccess.c 00008 00009 Abstract: 00010 00011 Common access validation test routines 00012 00013 These routines are used in both kernel and user mode tests. 00014 00015 This test assumes the security runtime library routines are 00016 functioning correctly. 00017 00018 00019 Author: 00020 00021 Robert Reichel (robertre) 12/14/90 00022 00023 Environment: 00024 00025 Test of access validation routines 00026 00027 Revision History: 00028 00029 v1: robertre 00030 Created 00031 00032 --*/ 00033 00034 #include "tsecomm.c" // Mode dependent macros and routines. 00035 00036 00037 00038 // 00039 // Define the local macros and procedure for this module 00040 // 00041 00042 // 00043 // Return a pointer to the first Ace in an Acl (even if the Acl is empty). 00044 // 00045 // PACE_HEADER 00046 // FirstAce ( 00047 // IN PACL Acl 00048 // ); 00049 // 00050 00051 #define FirstAce(Acl) ((PVOID)((PUCHAR)(Acl) + sizeof(ACL))) 00052 00053 // 00054 // Return a pointer to the next Ace in a sequence (even if the input 00055 // Ace is the one in the sequence). 00056 // 00057 // PACE_HEADER 00058 // NextAce ( 00059 // IN PACE_HEADER Ace 00060 // ); 00061 // 00062 00063 #define NextAce(Ace) ((PVOID)((PUCHAR)(Ace) + ((PACE_HEADER)(Ace))->AceSize)) 00064 00065 VOID 00066 DumpAcl ( 00067 IN PACL Acl 00068 ); 00069 00071 // // 00072 // Module wide variables // 00073 // // 00075 00076 #define DEFAULT_DACL_LENGTH (1024L) 00077 #define GROUP_IDS_LENGTH (1024L) 00078 #define NEW_GROUP_STATE_LENGTH (1024L) 00079 #define PRIVILEGES_LENGTH (128L) 00080 #define TOO_BIG_ACL_SIZE (2048L) 00081 00082 // 00083 // definitions related to TokenWithGroups 00084 // 00085 00086 #define FLINTSTONE_INDEX (0L) 00087 #define CHILD_INDEX (1L) 00088 #define NEANDERTHOL_INDEX (2L) 00089 #define WORLD_INDEX (3L) 00090 #define GROUP_COUNT (4L) 00091 00092 00093 // 00094 // Definitions related to TokenWithPrivileges 00095 // 00096 00097 #define UNSOLICITED_INDEX (0L) 00098 #define SECURITY_INDEX (1L) 00099 #define PRIVILEGE_COUNT (2L) 00100 00101 // 00102 // Access types 00103 // 00104 00105 #define SET_WIDGET_COLOR 0x00000001 00106 #define SET_WIDGET_SIZE 0x00000002 00107 #define GET_WIDGET_COLOR 0x00000004 00108 #define GET_WIDGET_SIZE 0x00000008 00109 #define START_WIDGET 0x00000010 00110 #define STOP_WIDGET 0x00000020 00111 #define GIVE_WIDGET 0x00000040 00112 #define TAKE_WIDGET 0x00000080 00113 00114 00115 NTSTATUS Status; 00116 00117 HANDLE SimpleToken; 00118 HANDLE TokenWithGroups; 00119 HANDLE TokenWithDefaultOwner; 00120 HANDLE TokenWithPrivileges; 00121 HANDLE TokenWithDefaultDacl; 00122 00123 HANDLE Token; 00124 HANDLE ImpersonationToken; 00125 00126 HANDLE PrimaryToken; 00127 00128 HANDLE AnonymousToken; 00129 00130 OBJECT_ATTRIBUTES PrimaryTokenAttributes; 00131 PSECURITY_DESCRIPTOR PrimarySecurityDescriptor; 00132 SECURITY_QUALITY_OF_SERVICE PrimarySecurityQos; 00133 00134 OBJECT_ATTRIBUTES ImpersonationTokenAttributes; 00135 PSECURITY_DESCRIPTOR ImpersonationSecurityDescriptor; 00136 SECURITY_QUALITY_OF_SERVICE ImpersonationSecurityQos; 00137 00138 OBJECT_ATTRIBUTES AnonymousTokenAttributes; 00139 PSECURITY_DESCRIPTOR AnonymousSecurityDescriptor; 00140 SECURITY_QUALITY_OF_SERVICE AnonymousSecurityQos; 00141 00142 ULONG DisabledGroupAttributes; 00143 ULONG OptionalGroupAttributes; 00144 ULONG NormalGroupAttributes; 00145 ULONG OwnerGroupAttributes; 00146 00147 ULONG LengthAvailable; 00148 ULONG CurrentLength; 00149 00150 00151 TIME_FIELDS TempTimeFields = {3000, 1, 1, 1, 1, 1, 1, 1}; 00152 LARGE_INTEGER NoExpiration; 00153 00154 LUID DummyAuthenticationId; 00155 LUID SystemAuthenticationId = SYSTEM_LUID; 00156 00157 TOKEN_SOURCE TestSource = {"SE: TEST", 0}; 00158 00159 PSID Owner; 00160 PSID Group; 00161 PACL Dacl; 00162 00163 PSID TempOwner; 00164 PSID TempGroup; 00165 PACL TempDacl; 00166 00167 00168 00169 00170 00172 // // 00173 // Initialization Routine // 00174 // // 00176 00177 BOOLEAN 00178 TestTokenInitialize() 00179 { 00180 00181 TSeVariableInitialization(); // Initialize global variables 00182 00183 00184 DisabledGroupAttributes = (SE_GROUP_ENABLED_BY_DEFAULT); 00185 00186 OptionalGroupAttributes = (SE_GROUP_ENABLED_BY_DEFAULT | 00187 SE_GROUP_ENABLED 00188 ); 00189 NormalGroupAttributes = (SE_GROUP_MANDATORY | 00190 SE_GROUP_ENABLED_BY_DEFAULT | 00191 SE_GROUP_ENABLED 00192 ); 00193 OwnerGroupAttributes = (SE_GROUP_MANDATORY | 00194 SE_GROUP_ENABLED_BY_DEFAULT | 00195 SE_GROUP_ENABLED | 00196 SE_GROUP_OWNER 00197 ); 00198 00199 00200 PrimarySecurityDescriptor = 00201 (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 ); 00202 00203 InitializeObjectAttributes( 00204 &PrimaryTokenAttributes, 00205 NULL, 00206 OBJ_INHERIT, 00207 NULL, 00208 NULL 00209 ); 00210 00211 00212 ImpersonationSecurityDescriptor = 00213 (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 ); 00214 00215 ImpersonationSecurityQos.Length = (ULONG)sizeof(SECURITY_QUALITY_OF_SERVICE); 00216 ImpersonationSecurityQos.ImpersonationLevel = SecurityImpersonation; 00217 ImpersonationSecurityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; 00218 ImpersonationSecurityQos.EffectiveOnly = FALSE; 00219 00220 InitializeObjectAttributes( 00221 &ImpersonationTokenAttributes, 00222 NULL, 00223 OBJ_INHERIT, 00224 NULL, 00225 NULL 00226 ); 00227 ImpersonationTokenAttributes.SecurityQualityOfService = 00228 &ImpersonationSecurityQos; 00229 00230 00231 AnonymousSecurityDescriptor = 00232 (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 ); 00233 00234 AnonymousSecurityQos.Length = (ULONG)sizeof(SECURITY_QUALITY_OF_SERVICE); 00235 AnonymousSecurityQos.ImpersonationLevel = SecurityAnonymous; 00236 AnonymousSecurityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; 00237 AnonymousSecurityQos.EffectiveOnly = FALSE; 00238 00239 InitializeObjectAttributes( 00240 &AnonymousTokenAttributes, 00241 NULL, 00242 OBJ_INHERIT, 00243 NULL, 00244 NULL 00245 ); 00246 AnonymousTokenAttributes.SecurityQualityOfService = 00247 &AnonymousSecurityQos; 00248 00249 00250 // 00251 // Build an ACL for use. 00252 // 00253 00254 Dacl = (PACL)TstAllocatePool( PagedPool, 256 ); 00255 00256 Dacl->AclRevision=ACL_REVISION; 00257 Dacl->Sbz1=0; 00258 Dacl->Sbz2=0; 00259 Dacl->AclSize=256; 00260 Dacl->AceCount=0; 00261 00262 00263 // 00264 // Set up expiration times 00265 // 00266 00267 TempTimeFields.Year = 3000; 00268 TempTimeFields.Month = 1; 00269 TempTimeFields.Day = 1; 00270 TempTimeFields.Hour = 1; 00271 TempTimeFields.Minute = 1; 00272 TempTimeFields.Second = 1; 00273 TempTimeFields.Milliseconds = 1; 00274 TempTimeFields.Weekday = 1; 00275 00276 RtlTimeFieldsToTime( &TempTimeFields, &NoExpiration ); 00277 00278 00279 // 00280 // Use a dummy authentication ID for a while. 00281 // 00282 00283 DummyAuthenticationId = FredLuid; 00284 00285 00286 // 00287 // Use a token source specific to security test 00288 // 00289 00290 NtAllocateLocallyUniqueId( &(TestSource.SourceIdentifier) ); 00291 00292 DbgPrint("Done.\n"); 00293 00294 return TRUE; 00295 } 00296 00297 00298 BOOLEAN 00299 CreateDAclToken() 00300 { 00301 00302 BOOLEAN CompletionStatus = TRUE; 00303 00304 TOKEN_USER UserId; 00305 TOKEN_PRIMARY_GROUP PrimaryGroup; 00306 PTOKEN_GROUPS GroupIds; 00307 PTOKEN_PRIVILEGES Privileges; 00308 TOKEN_DEFAULT_DACL DefaultDacl; 00309 TOKEN_OWNER Owner; 00310 00311 PSECURITY_DESCRIPTOR Widget1SecurityDescriptor; 00312 00313 NTSTATUS AccessStatus; 00314 00315 ACCESS_MASK GrantedAccess; 00316 00317 PACCESS_ALLOWED_ACE AllowBarneySetColor; 00318 PACCESS_ALLOWED_ACE AllowFredSetColor; 00319 00320 PACCESS_DENIED_ACE DenyPebblesSetColor; 00321 00322 PACCESS_ALLOWED_ACE AllowPebblesSetColor; 00323 PACCESS_DENIED_ACE DenyFredSetColor; 00324 PACCESS_ALLOWED_ACE AllowBarneySetSize; 00325 PACCESS_ALLOWED_ACE AllowPebblesSetSize; 00326 00327 PACCESS_ALLOWED_ACE AllowPebblesGetColor; 00328 PACCESS_ALLOWED_ACE AllowPebblesGetSize; 00329 00330 USHORT AllowBarneySetColorLength; 00331 USHORT AllowFredSetColorLength; 00332 USHORT DenyPebblesSetColorLength; 00333 00334 USHORT AllowPebblesSetColorLength; 00335 USHORT DenyFredSetColorLength; 00336 USHORT AllowBarneySetSizeLength; 00337 USHORT AllowPebblesSetSizeLength; 00338 00339 USHORT AllowPebblesGetColorLength; 00340 USHORT AllowPebblesGetSizeLength; 00341 00342 00343 DbgPrint("\n"); 00344 00345 GroupIds = (PTOKEN_GROUPS)TstAllocatePool( PagedPool, 00346 GROUP_IDS_LENGTH 00347 ); 00348 00349 Privileges = (PTOKEN_PRIVILEGES)TstAllocatePool( PagedPool, 00350 PRIVILEGES_LENGTH 00351 ); 00352 00353 DefaultDacl.DefaultDacl = (PACL)TstAllocatePool( PagedPool, 00354 DEFAULT_DACL_LENGTH 00355 ); 00356 00357 00358 // 00359 // Create a token with default DACL 00360 // 00361 00362 DbgPrint("Se: Create Token With Default Dacl ... "); 00363 00364 GroupIds->GroupCount = GROUP_COUNT; 00365 00366 GroupIds->Groups[FLINTSTONE_INDEX].Sid = FlintstoneSid; 00367 GroupIds->Groups[CHILD_INDEX].Sid = ChildSid; 00368 GroupIds->Groups[NEANDERTHOL_INDEX].Sid = NeandertholSid; 00369 GroupIds->Groups[WORLD_INDEX].Sid = WorldSid; 00370 00371 GroupIds->Groups[FLINTSTONE_INDEX].Attributes = OwnerGroupAttributes; 00372 GroupIds->Groups[CHILD_INDEX].Attributes = OptionalGroupAttributes; 00373 GroupIds->Groups[NEANDERTHOL_INDEX].Attributes = OptionalGroupAttributes; 00374 GroupIds->Groups[WORLD_INDEX].Attributes = NormalGroupAttributes; 00375 00376 UserId.User.Sid = PebblesSid; 00377 UserId.User.Attributes = 0; 00378 00379 Owner.Owner = FlintstoneSid; 00380 00381 Privileges->PrivilegeCount = PRIVILEGE_COUNT; 00382 00383 Privileges->Privileges[UNSOLICITED_INDEX].Luid = UnsolicitedInputPrivilege; 00384 Privileges->Privileges[SECURITY_INDEX].Luid = SecurityPrivilege; 00385 Privileges->Privileges[UNSOLICITED_INDEX].Attributes = 0; 00386 Privileges->Privileges[SECURITY_INDEX].Attributes = 0; 00387 00388 PrimaryGroup.PrimaryGroup = FlintstoneSid; 00389 00390 Status = RtlCreateAcl( DefaultDacl.DefaultDacl, DEFAULT_DACL_LENGTH, ACL_REVISION); 00391 00392 ASSERT(NT_SUCCESS(Status) ); 00393 00394 Status = NtCreateToken( 00395 &PrimaryToken, // Handle 00396 (TOKEN_ALL_ACCESS), // DesiredAccess 00397 &PrimaryTokenAttributes, // ObjectAttributes 00398 TokenPrimary, // TokenType 00399 &DummyAuthenticationId, // Authentication LUID 00400 &NoExpiration, // Expiration Time 00401 &UserId, // Owner ID 00402 GroupIds, // Group IDs 00403 Privileges, // Privileges 00404 &Owner, // Owner 00405 &PrimaryGroup, // Primary Group 00406 &DefaultDacl, // Default Dacl 00407 &TestSource // TokenSource 00408 ); 00409 00410 if (NT_SUCCESS(Status)) { 00411 DbgPrint("Succeeded.\n"); 00412 } else { 00413 DbgPrint("********** Failed ************\n"); 00414 DbgPrint("Status is: 0x%lx \n", Status); 00415 CompletionStatus = FALSE; 00416 } 00417 00418 ASSERT(NT_SUCCESS(Status)); 00419 00420 00421 00422 // 00423 // Create an impersonation token, Impersonation level = Impersonation 00424 // 00425 00426 DbgPrint("Se: Create an impersonation token ... "); 00427 00428 GroupIds->GroupCount = GROUP_COUNT; 00429 00430 GroupIds->Groups[FLINTSTONE_INDEX].Sid = FlintstoneSid; 00431 GroupIds->Groups[CHILD_INDEX].Sid = ChildSid; 00432 GroupIds->Groups[NEANDERTHOL_INDEX].Sid = NeandertholSid; 00433 GroupIds->Groups[WORLD_INDEX].Sid = WorldSid; 00434 00435 GroupIds->Groups[FLINTSTONE_INDEX].Attributes = OwnerGroupAttributes; 00436 GroupIds->Groups[CHILD_INDEX].Attributes = OptionalGroupAttributes; 00437 GroupIds->Groups[NEANDERTHOL_INDEX].Attributes = OptionalGroupAttributes; 00438 GroupIds->Groups[WORLD_INDEX].Attributes = NormalGroupAttributes; 00439 00440 UserId.User.Sid = PebblesSid; 00441 UserId.User.Attributes = 0; 00442 00443 Owner.Owner = FlintstoneSid; 00444 00445 Privileges->PrivilegeCount = PRIVILEGE_COUNT; 00446 00447 Privileges->Privileges[UNSOLICITED_INDEX].Luid = UnsolicitedInputPrivilege; 00448 Privileges->Privileges[SECURITY_INDEX].Luid = SecurityPrivilege; 00449 Privileges->Privileges[UNSOLICITED_INDEX].Attributes = 0; 00450 Privileges->Privileges[SECURITY_INDEX].Attributes = 0; 00451 00452 PrimaryGroup.PrimaryGroup = FlintstoneSid; 00453 00454 Status = RtlCreateAcl( DefaultDacl.DefaultDacl, DEFAULT_DACL_LENGTH, ACL_REVISION); 00455 00456 ASSERT(NT_SUCCESS(Status) ); 00457 00458 Status = NtCreateToken( 00459 &ImpersonationToken, // Handle 00460 (TOKEN_ALL_ACCESS), // DesiredAccess 00461 &ImpersonationTokenAttributes, // ObjectAttributes 00462 TokenImpersonation, // TokenType 00463 &DummyAuthenticationId, // Authentication LUID 00464 &NoExpiration, // Expiration Time 00465 &UserId, // Owner ID 00466 GroupIds, // Group IDs 00467 Privileges, // Privileges 00468 &Owner, // Owner 00469 &PrimaryGroup, // Primary Group 00470 &DefaultDacl, // Default Dacl 00471 &TestSource // TokenSource 00472 ); 00473 00474 if (NT_SUCCESS(Status)) { 00475 DbgPrint("Succeeded.\n"); 00476 } else { 00477 DbgPrint("********** Failed ************\n"); 00478 DbgPrint("Status is: 0x%lx \n", Status); 00479 CompletionStatus = FALSE; 00480 } 00481 00482 ASSERT(NT_SUCCESS(Status)); 00483 00484 // 00485 // Attach tokens to process 00486 // 00487 00488 NtSetInformationProcess( 00489 NtCurrentProcess(), 00490 ProcessAccessToken, 00491 &PrimaryToken, 00492 sizeof( PHANDLE )); 00493 00494 00495 NtSetInformationThread( 00496 NtCurrentThread(), 00497 ThreadImpersonationToken, 00498 &ImpersonationToken, 00499 sizeof( PHANDLE )); 00500 00501 00502 00503 // Create some ACEs 00504 00505 // AllowBarneySetColor 00506 00507 AllowBarneySetColorLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) + 00508 SeLengthSid( BarneySid )); 00509 00510 AllowBarneySetColor = (PVOID) TstAllocatePool ( PagedPool, AllowBarneySetColorLength ); 00511 00512 AllowBarneySetColor->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; 00513 AllowBarneySetColor->Header.AceSize = AllowBarneySetColorLength; 00514 AllowBarneySetColor->Header.AceFlags = 0; 00515 00516 AllowBarneySetColor->Mask = SET_WIDGET_COLOR; 00517 00518 RtlCopySid( 00519 SeLengthSid( BarneySid ), 00520 &(AllowBarneySetColor->SidStart), 00521 BarneySid ); 00522 00523 00524 // DenyPebblesSetColor 00525 00526 DenyPebblesSetColorLength = (USHORT)(sizeof( ACCESS_DENIED_ACE ) - sizeof( ULONG ) + 00527 SeLengthSid( BarneySid )); 00528 00529 DenyPebblesSetColor = (PVOID) TstAllocatePool ( PagedPool, DenyPebblesSetColorLength ); 00530 00531 DenyPebblesSetColor->Header.AceType = ACCESS_DENIED_ACE_TYPE; 00532 DenyPebblesSetColor->Header.AceSize = DenyPebblesSetColorLength; 00533 DenyPebblesSetColor->Header.AceFlags = 0; 00534 00535 DenyPebblesSetColor->Mask = SET_WIDGET_COLOR; 00536 00537 RtlCopySid( 00538 SeLengthSid( PebblesSid ), 00539 &(DenyPebblesSetColor->SidStart), 00540 PebblesSid ); 00541 00542 00543 // AllowFredSetColor 00544 00545 AllowFredSetColorLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) + 00546 SeLengthSid( FredSid )); 00547 00548 AllowFredSetColor = (PVOID) TstAllocatePool ( PagedPool, AllowFredSetColorLength ); 00549 00550 AllowFredSetColor->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; 00551 AllowFredSetColor->Header.AceSize = AllowFredSetColorLength; 00552 AllowFredSetColor->Header.AceFlags = 0; 00553 00554 AllowFredSetColor->Mask = SET_WIDGET_COLOR; 00555 00556 RtlCopySid( 00557 SeLengthSid( FredSid ), 00558 &(AllowFredSetColor->SidStart), 00559 FredSid ); 00560 00561 00562 00563 00564 // AllowPebblesSetColor 00565 00566 00567 AllowPebblesSetColorLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) + 00568 SeLengthSid( PebblesSid )); 00569 00570 AllowPebblesSetColor = (PVOID) TstAllocatePool ( PagedPool, AllowPebblesSetColorLength ); 00571 00572 AllowPebblesSetColor->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; 00573 AllowPebblesSetColor->Header.AceSize = AllowPebblesSetColorLength; 00574 AllowPebblesSetColor->Header.AceFlags = 0; 00575 00576 AllowPebblesSetColor->Mask = SET_WIDGET_COLOR; 00577 00578 RtlCopySid( 00579 SeLengthSid( PebblesSid ), 00580 &(AllowPebblesSetColor->SidStart), 00581 PebblesSid ); 00582 00583 00584 // DenyFredSetColor 00585 00586 DenyFredSetColorLength = (USHORT)(sizeof( ACCESS_DENIED_ACE ) - sizeof( ULONG ) + 00587 SeLengthSid( FredSid )); 00588 00589 DenyFredSetColor = (PVOID) TstAllocatePool ( PagedPool, DenyFredSetColorLength ); 00590 00591 DenyFredSetColor->Header.AceType = ACCESS_DENIED_ACE_TYPE; 00592 DenyFredSetColor->Header.AceSize = DenyFredSetColorLength; 00593 DenyFredSetColor->Header.AceFlags = 0; 00594 00595 DenyFredSetColor->Mask = SET_WIDGET_COLOR; 00596 00597 RtlCopySid( 00598 SeLengthSid( FredSid ), 00599 &(DenyFredSetColor->SidStart), 00600 FredSid ); 00601 00602 // AllowBarneySetSize 00603 00604 AllowBarneySetSizeLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) + 00605 SeLengthSid( BarneySid )); 00606 00607 AllowBarneySetSize = (PVOID) TstAllocatePool ( PagedPool, AllowBarneySetSizeLength ); 00608 00609 AllowBarneySetSize->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; 00610 AllowBarneySetSize->Header.AceSize = AllowBarneySetSizeLength; 00611 AllowBarneySetSize->Header.AceFlags = 0; 00612 00613 AllowBarneySetSize->Mask = SET_WIDGET_SIZE; 00614 00615 RtlCopySid( 00616 SeLengthSid( BarneySid ), 00617 &(AllowBarneySetSize->SidStart), 00618 BarneySid ); 00619 00620 // AllowPebblesSetSize 00621 00622 AllowPebblesSetSizeLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) + 00623 SeLengthSid( PebblesSid )); 00624 00625 AllowPebblesSetSize = (PVOID) TstAllocatePool ( PagedPool, AllowPebblesSetSizeLength ); 00626 00627 AllowPebblesSetSize->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; 00628 AllowPebblesSetSize->Header.AceSize = AllowPebblesSetSizeLength; 00629 AllowPebblesSetSize->Header.AceFlags = 0; 00630 00631 AllowPebblesSetSize->Mask = SET_WIDGET_SIZE; 00632 00633 RtlCopySid( 00634 SeLengthSid( PebblesSid ), 00635 &(AllowPebblesSetSize->SidStart), 00636 PebblesSid ); 00637 00638 00639 // AllowPebblesGetSize 00640 00641 AllowPebblesGetSizeLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) + 00642 SeLengthSid( PebblesSid )); 00643 00644 AllowPebblesGetSize = (PVOID) TstAllocatePool ( PagedPool, AllowPebblesGetSizeLength ); 00645 00646 AllowPebblesGetSize->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; 00647 AllowPebblesGetSize->Header.AceSize = AllowPebblesGetSizeLength; 00648 AllowPebblesGetSize->Header.AceFlags = 0; 00649 00650 AllowPebblesGetSize->Mask = SET_WIDGET_SIZE; 00651 00652 RtlCopySid( 00653 SeLengthSid( PebblesSid ), 00654 &(AllowPebblesGetSize->SidStart), 00655 PebblesSid ); 00656 00657 00658 // AllowPebblesGetColor 00659 00660 AllowPebblesGetColorLength = (USHORT)(sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ) + 00661 SeLengthSid( PebblesSid )); 00662 00663 AllowPebblesGetColor = (PVOID) TstAllocatePool ( PagedPool, AllowPebblesGetColorLength ); 00664 00665 AllowPebblesGetColor->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; 00666 AllowPebblesGetColor->Header.AceSize = AllowPebblesGetColorLength; 00667 AllowPebblesGetColor->Header.AceFlags = 0; 00668 00669 AllowPebblesGetColor->Mask = SET_WIDGET_COLOR; 00670 00671 RtlCopySid( 00672 SeLengthSid( PebblesSid ), 00673 &(AllowPebblesGetColor->SidStart), 00674 PebblesSid ); 00675 00676 // 00677 // Create some ACLs that we can put into a Security Descriptor 00678 // 00679 DbgBreakPoint(); 00680 00681 // 00682 // Dacl 00683 // 00684 // +----------------+ +----------------+ +----------------+ 00685 // | 1st ACE | | 2nd ACE | | 3rd ACE | 00686 // +----------------+ +----------------+ +----------------+ 00687 // | AccessAllowed | | AccessDenied | | AccessAllowed | 00688 // +----------------+ +----------------+ +----------------+ 00689 // | BARNEY | | PEBBLES | | FRED | 00690 // +----------------+ +----------------+ +----------------+ 00691 // | SetWidgeColor | | SetWidgeColor | | SetWidgeColor | 00692 // +----------------+ +----------------+ +----------------+ 00693 // 00694 00695 Dacl = (PACL) TstAllocatePool ( PagedPool, 2048 ); 00696 00697 RtlCreateAcl( Dacl, 2048, ACL_REVISION); 00698 00699 00700 RtlAddAce ( Dacl, 00701 ACL_REVISION, 00702 0, 00703 AllowBarneySetColor, 00704 AllowBarneySetColorLength ); 00705 00706 RtlAddAce ( Dacl, 00707 ACL_REVISION, 00708 1, 00709 DenyPebblesSetColor, 00710 DenyPebblesSetColorLength ); 00711 00712 RtlAddAce ( Dacl, 00713 ACL_REVISION, 00714 2, 00715 DenyFredSetColor, 00716 AllowFredSetColorLength ); 00717 00718 DumpAcl (Dacl); 00719 00720 00721 00722 00723 00724 // Create a security descriptor 00725 // 00726 // Owner = Pebbles 00727 // Group = Flintstone 00728 // Dacl = Dacl 00729 // Sacl = NULL 00730 // 00731 00732 Widget1SecurityDescriptor = 00733 (PSECURITY_DESCRIPTOR)TstAllocatePool( PagedPool, 1024 ); 00734 00735 RtlCreateSecurityDescriptor( Widget1SecurityDescriptor, 00736 1 ); 00737 00738 00739 RtlSetOwnerSecurityDescriptor( Widget1SecurityDescriptor, 00740 PebblesSid, 00741 FALSE ); 00742 00743 RtlSetGroupSecurityDescriptor( Widget1SecurityDescriptor, 00744 FlintstoneSid, 00745 FALSE ); 00746 00747 RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor, 00748 TRUE, 00749 Dacl, 00750 FALSE ); 00751 00752 RtlSetSaclSecurityDescriptor( Widget1SecurityDescriptor, 00753 FALSE, 00754 NULL, 00755 NULL ); 00756 00757 // See if Pebbles is allowed SET_WIDGET_COLOR (should be denied) 00758 00759 Status = NtAccessCheck( Widget1SecurityDescriptor, 00760 PrimaryToken, 00761 (ACCESS_MASK) SET_WIDGET_COLOR, 00762 &GrantedAccess, 00763 &AccessStatus ); 00764 00765 // DbgBreakPoint(); 00766 00767 ASSERT(NT_SUCCESS(Status)); 00768 00769 ASSERT(!NT_SUCCESS(AccessStatus)); 00770 00771 ASSERT(GrantedAccess == NULL); 00772 00773 00774 // Update Dacl to be the following: 00775 // 00776 // Dacl2 00777 // 00778 // +----------------+ +----------------+ +----------------+ 00779 // | 1st ACE | | 2nd ACE | | 3rd ACE | 00780 // +----------------+ +----------------+ +----------------+ 00781 // | AccessAllowed | | AccessAllowed | | AccessDenied | 00782 // +----------------+ +----------------+ +----------------+ 00783 // | BARNEY | | PEBBLES | | FRED | 00784 // +----------------+ +----------------+ +----------------+ 00785 // | SetWidgeColor | | SetWidgeColor | | SetWidgeColor | 00786 // +----------------+ +----------------+ +----------------+ 00787 // 00788 00789 // Delete 2nd Ace 00790 00791 RtlDeleteAce (Dacl, 1); 00792 00793 RtlAddAce ( Dacl, 00794 ACL_REVISION, 00795 1, 00796 AllowPebblesSetColor, 00797 AllowPebblesSetColorLength ); 00798 00799 RtlDeleteAce ( Dacl, 2 ); 00800 00801 RtlAddAce ( Dacl, 00802 ACL_REVISION, 00803 1, 00804 DenyFredSetColor, 00805 DenyFredSetColorLength ); 00806 00807 00808 00809 00810 // Change the security descriptor to use updated Dacl 00811 // 00812 // Owner = Pebbles 00813 // Group = Flintstone 00814 // Dacl = Dacl2 00815 // Sacl = NULL 00816 // 00817 00818 RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor, 00819 TRUE, 00820 Dacl, 00821 FALSE ); 00822 00823 // See if Pebbles is allowed SET_WIDGET_COLOR (should be permitted) 00824 00825 Status = NtAccessCheck( Widget1SecurityDescriptor, 00826 PrimaryToken, 00827 (ACCESS_MASK) SET_WIDGET_COLOR, 00828 &GrantedAccess, 00829 &AccessStatus ); 00830 00831 00832 ASSERT(NT_SUCCESS(Status)); 00833 00834 ASSERT(NT_SUCCESS(AccessStatus)); 00835 00836 ASSERT(GrantedAccess == (ACCESS_MASK)SET_WIDGET_COLOR); 00837 00838 // 00839 // Dacl3 00840 // 00841 // +----------------+ +----------------+ +----------------+ 00842 // | 1st ACE | | 2nd ACE | | 3rd ACE | 00843 // +----------------+ +----------------+ +----------------+ 00844 // | AccessAllowed | | AccessAllowed | | AccessDenied | 00845 // +----------------+ +----------------+ +----------------+ 00846 // | BARNEY | | PEBBLES | | FRED | 00847 // +----------------+ +----------------+ +----------------+ 00848 // | SetWidgeColor | | SetWidgeColor | | SetWidgeColor | 00849 // +----------------+ +----------------+ +----------------+ 00850 // 00851 // +----------------+ +----------------+ 00852 // | 4th ACE | | 5th ACE | 00853 // +----------------+ +----------------+ 00854 // | AccessAllowed | | AccessAllowed | 00855 // +----------------+ +----------------+ 00856 // | BARNEY | | PEBBLES | 00857 // +----------------+ +----------------+ 00858 // | SetWidgeSize | | SetWidgeSize | 00859 // +----------------+ +----------------+ 00860 // 00861 00862 00863 RtlAddAce ( Dacl, 00864 ACL_REVISION, 00865 MAXULONG, 00866 AllowBarneySetSize, 00867 AllowBarneySetSizeLength ); 00868 00869 RtlAddAce ( Dacl, 00870 ACL_REVISION, 00871 MAXULONG, 00872 AllowPebblesSetSize, 00873 AllowPebblesSetSizeLength ); 00874 00875 // Change the security descriptor to use Dacl3 00876 // 00877 // Owner = Pebbles 00878 // Group = Flintstone 00879 // Dacl = Dacl3 00880 // Sacl = NULL 00881 // 00882 00883 RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor, 00884 TRUE, 00885 Dacl, 00886 FALSE ); 00887 00888 // Request MAXIMUM_ACCESS for Pebbles. Should get back SetWidgetSize 00889 // and SetWidgetColor 00890 00891 Status = NtAccessCheck( Widget1SecurityDescriptor, 00892 PrimaryToken, 00893 (ACCESS_MASK) MAXIMUM_ALLOWED, 00894 &GrantedAccess, 00895 &AccessStatus ); 00896 00897 00898 ASSERT(NT_SUCCESS(Status)); 00899 00900 ASSERT(NT_SUCCESS(AccessStatus)); 00901 00902 ASSERT(GrantedAccess == (ACCESS_MASK) (SET_WIDGET_COLOR | SET_WIDGET_SIZE)); 00903 00904 00905 // 00906 // Dacl4 00907 // 00908 // +----------------+ +----------------+ +----------------+ 00909 // | 1st ACE | | 2nd ACE | | 3rd ACE | 00910 // +----------------+ +----------------+ +----------------+ 00911 // | AccessAllowed | | AccessAllowed | | AccessDenied | 00912 // +----------------+ +----------------+ +----------------+ 00913 // | BARNEY | | PEBBLES | | FRED | 00914 // +----------------+ +----------------+ +----------------+ 00915 // | SetWidgeColor | | SetWidgeColor | | SetWidgeColor | 00916 // +----------------+ +----------------+ +----------------+ 00917 // 00918 // +----------------+ +----------------+ +----------------+ 00919 // | 4th ACE | | 5th ACE | | 6th ACE | 00920 // +----------------+ +----------------+ +----------------+ 00921 // | AccessAllowed | | AccessAllowed | | AccessDenied | 00922 // +----------------+ +----------------+ +----------------+ 00923 // | BARNEY | | PEBBLES | | PEBBLES | 00924 // +----------------+ +----------------+ +----------------+ 00925 // | SetWidgeSize | | SetWidgeSize | | SetWidgeColor | 00926 // +----------------+ +----------------+ +----------------+ 00927 // 00928 00929 RtlAddAce ( Dacl, 00930 ACL_REVISION, 00931 MAXULONG, 00932 DenyPebblesSetColor, 00933 DenyPebblesSetColorLength ); 00934 00935 RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor, 00936 TRUE, 00937 Dacl, 00938 FALSE ); 00939 00940 // Request MAXIMUM_ACCESS for Pebbles. Should get back SetWidgetSize 00941 // and SetWidgetColor 00942 00943 Status = NtAccessCheck( Widget1SecurityDescriptor, 00944 PrimaryToken, 00945 (ACCESS_MASK) MAXIMUM_ALLOWED, 00946 &GrantedAccess, 00947 &AccessStatus ); 00948 00949 00950 ASSERT(NT_SUCCESS(Status)); 00951 00952 ASSERT(NT_SUCCESS(AccessStatus)); 00953 00954 ASSERT(GrantedAccess == (ACCESS_MASK) (SET_WIDGET_COLOR | SET_WIDGET_SIZE)); 00955 00956 00957 // 00958 // Dacl5 00959 // 00960 // +----------------+ +----------------+ +----------------+ 00961 // | 1st ACE | | 2nd ACE | | 3rd ACE | 00962 // +----------------+ +----------------+ +----------------+ 00963 // | AccessAllowed | | AccessDenied | | AccessDenied | 00964 // +----------------+ +----------------+ +----------------+ 00965 // | BARNEY | | PEBBLES | | FRED | 00966 // +----------------+ +----------------+ +----------------+ 00967 // | SetWidgeColor | | SetWidgeColor | | SetWidgeColor | 00968 // +----------------+ +----------------+ +----------------+ 00969 // 00970 // +----------------+ +----------------+ +----------------+ 00971 // | 4th ACE | | 5th ACE | | 6th ACE | 00972 // +----------------+ +----------------+ +----------------+ 00973 // | AccessAllowed | | AccessAllowed | | AccessAllowed | 00974 // +----------------+ +----------------+ +----------------+ 00975 // | BARNEY | | PEBBLES | | PEBBLES | 00976 // +----------------+ +----------------+ +----------------+ 00977 // | SetWidgeSize | | SetWidgeSize | | SetWidgeColor | 00978 // +----------------+ +----------------+ +----------------+ 00979 // 00980 00981 RtlDeleteAce (Dacl, 1); 00982 00983 RtlAddAce ( Dacl, 00984 ACL_REVISION, 00985 1, 00986 DenyPebblesSetColor, 00987 DenyPebblesSetColorLength ); 00988 00989 RtlDeleteAce (Dacl, 5); 00990 00991 RtlAddAce ( Dacl, 00992 ACL_REVISION, 00993 MAXULONG, 00994 AllowPebblesSetColor, 00995 AllowPebblesSetColorLength ); 00996 00997 00998 DumpAcl ( Dacl ); 00999 01000 RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor, 01001 TRUE, 01002 Dacl, 01003 FALSE ); 01004 01005 // Request MAXIMUM_ACCESS for Pebbles. Should get back SetWidgetSize 01006 01007 Status = NtAccessCheck( Widget1SecurityDescriptor, 01008 PrimaryToken, 01009 (ACCESS_MASK) MAXIMUM_ALLOWED, 01010 &GrantedAccess, 01011 &AccessStatus ); 01012 01013 01014 ASSERT(NT_SUCCESS(Status)); 01015 01016 ASSERT(NT_SUCCESS(AccessStatus)); 01017 01018 ASSERT(GrantedAccess == (ACCESS_MASK) SET_WIDGET_SIZE); 01019 01020 01021 // 01022 // Dacl6 01023 // 01024 // +----------------+ +----------------+ +----------------+ 01025 // | 1st ACE | | 2nd ACE | | 3rd ACE | 01026 // +----------------+ +----------------+ +----------------+ 01027 // | AccessAllowed | | AccessDenied | | AccessDenied | 01028 // +----------------+ +----------------+ +----------------+ 01029 // | BARNEY | | PEBBLES | | FRED | 01030 // +----------------+ +----------------+ +----------------+ 01031 // | SetWidgeColor | | SetWidgeColor | | SetWidgeColor | 01032 // +----------------+ +----------------+ +----------------+ 01033 // 01034 // +----------------+ +----------------+ +----------------+ 01035 // | 4th ACE | | 5th ACE | | 6th ACE | 01036 // +----------------+ +----------------+ +----------------+ 01037 // | AccessAllowed | | AccessAllowed | | AccessAllowed | 01038 // +----------------+ +----------------+ +----------------+ 01039 // | BARNEY | | PEBBLES | | PEBBLES | 01040 // +----------------+ +----------------+ +----------------+ 01041 // | SetWidgeSize | | SetWidgeSize | | SetWidgeColor | 01042 // +----------------+ +----------------+ +----------------+ 01043 // 01044 // +----------------+ +----------------+ 01045 // | 7th ACE | | 8th ACE | 01046 // +----------------+ +----------------+ 01047 // | AccessAllowed | | AccessAllowed | 01048 // +----------------+ +----------------+ 01049 // | PEBBLES | | PEBBLES | 01050 // +----------------+ +----------------+ 01051 // | GetWidgeSize | | GetWidgeColor | 01052 // +----------------+ +----------------+ 01053 // 01054 01055 RtlAddAce ( Dacl, 01056 ACL_REVISION, 01057 MAXULONG, 01058 AllowPebblesGetSize, 01059 AllowPebblesGetSizeLength ); 01060 01061 RtlAddAce ( Dacl, 01062 ACL_REVISION, 01063 MAXULONG, 01064 AllowPebblesGetColor, 01065 AllowPebblesGetColorLength ); 01066 01067 DumpAcl ( Dacl ); 01068 01069 RtlSetDaclSecurityDescriptor( Widget1SecurityDescriptor, 01070 TRUE, 01071 Dacl, 01072 FALSE ); 01073 01074 // Request MAXIMUM_ACCESS for Pebbles. Should get back SetWidgetSize 01075 01076 Status = NtAccessCheck( Widget1SecurityDescriptor, 01077 PrimaryToken, 01078 (ACCESS_MASK) MAXIMUM_ALLOWED, 01079 &GrantedAccess, 01080 &AccessStatus ); 01081 01082 01083 ASSERT(NT_SUCCESS(Status)); 01084 01085 ASSERT(NT_SUCCESS(AccessStatus)); 01086 01087 ASSERT(GrantedAccess == (ACCESS_MASK) SET_WIDGET_SIZE); 01088 01089 01090 01091 return(TRUE); 01092 01093 01094 } 01095 01096 01098 // // 01099 // // 01100 // Main test entry point // 01101 // // 01102 // // 01104 01105 01106 BOOLEAN 01107 CTAccess() 01108 { 01109 01110 BOOLEAN Result = TRUE; 01111 01112 if (!TSeVariableInitialization()) { 01113 DbgPrint("Se: Failed to initialize global test variables.\n"); 01114 return FALSE; 01115 } 01116 01117 DbgPrint("Se: Initialization..."); 01118 TestTokenInitialize(); 01119 CreateDAclToken(); 01120 01121 } 01122 01123 01124 // 01125 // Debug support routine 01126 // 01127 01128 01129 typedef struct _STANDARD_ACE { 01130 ACE_HEADER Header; 01131 ACCESS_MASK Mask; 01132 PSID Sid; 01133 } STANDARD_ACE; 01134 typedef STANDARD_ACE *PSTANDARD_ACE; 01135 01136 01137 01138 VOID 01139 DumpAcl ( 01140 IN PACL Acl 01141 ) 01142 01143 /*++ 01144 01145 Routine Description: 01146 01147 This routine dumps via (DbgPrint) an Acl for debug purposes. It is 01148 specialized to dump standard aces. 01149 01150 Arguments: 01151 01152 Acl - Supplies the Acl to dump 01153 01154 Return Value: 01155 01156 None 01157 01158 --*/ 01159 01160 01161 { 01162 ULONG i; 01163 PSTANDARD_ACE Ace; 01164 01165 DbgPrint("DumpAcl @ %8lx", Acl); 01166 01167 // 01168 // Check if the Acl is null 01169 // 01170 01171 if (Acl == NULL) { 01172 01173 return; 01174 01175 } 01176 01177 // 01178 // Dump the Acl header 01179 // 01180 01181 DbgPrint(" Revision: %02x", Acl->AclRevision); 01182 DbgPrint(" Size: %04x", Acl->AclSize); 01183 DbgPrint(" AceCount: %04x\n", Acl->AceCount); 01184 01185 // 01186 // Now for each Ace we want do dump it 01187 // 01188 01189 for (i = 0, Ace = FirstAce(Acl); 01190 i < Acl->AceCount; 01191 i++, Ace = NextAce(Ace) ) { 01192 01193 // 01194 // print out the ace header 01195 // 01196 01197 DbgPrint(" AceHeader: %08lx ", *(PULONG)Ace); 01198 01199 // 01200 // special case on the standard ace types 01201 // 01202 01203 if ((Ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) || 01204 (Ace->Header.AceType == ACCESS_DENIED_ACE_TYPE) || 01205 (Ace->Header.AceType == SYSTEM_AUDIT_ACE_TYPE) || 01206 (Ace->Header.AceType == SYSTEM_ALARM_ACE_TYPE)) { 01207 01208 // 01209 // The following array is indexed by ace types and must 01210 // follow the allowed, denied, audit, alarm seqeuence 01211 // 01212 01213 static PCHAR AceTypes[] = { "Access Allowed", 01214 "Access Denied ", 01215 "System Audit ", 01216 "System Alarm " 01217 }; 01218 01219 DbgPrint(AceTypes[Ace->Header.AceType]); 01220 DbgPrint("\nAccess Mask: %08lx ", Ace->Mask); 01221 01222 } else { 01223 01224 DbgPrint("Unknown Ace Type\n"); 01225 01226 } 01227 01228 DbgPrint("\n"); 01229 01230 DbgPrint("AceSize = %d\n",Ace->Header.AceSize); 01231 DbgPrint("Ace Flags = "); 01232 if (Ace->Header.AceFlags & OBJECT_INHERIT_ACE) { 01233 DbgPrint("OBJECT_INHERIT_ACE\n"); 01234 DbgPrint(" "); 01235 } 01236 if (Ace->Header.AceFlags & CONTAINER_INHERIT_ACE) { 01237 DbgPrint("CONTAINER_INHERIT_ACE\n"); 01238 DbgPrint(" "); 01239 } 01240 01241 if (Ace->Header.AceFlags & NO_PROPAGATE_INHERIT_ACE) { 01242 DbgPrint("NO_PROPAGATE_INHERIT_ACE\n"); 01243 DbgPrint(" "); 01244 } 01245 01246 if (Ace->Header.AceFlags & INHERIT_ONLY_ACE) { 01247 DbgPrint("INHERIT_ONLY_ACE\n"); 01248 DbgPrint(" "); 01249 } 01250 01251 01252 if (Ace->Header.AceFlags & SUCCESSFUL_ACCESS_ACE_FLAG) { 01253 DbgPrint("SUCCESSFUL_ACCESS_ACE_FLAG\n"); 01254 DbgPrint(" "); 01255 } 01256 01257 if (Ace->Header.AceFlags & FAILED_ACCESS_ACE_FLAG) { 01258 DbgPrint("FAILED_ACCESS_ACE_FLAG\n"); 01259 DbgPrint(" "); 01260 } 01261 01262 DbgPrint("\n"); 01263 01264 01265 } 01266 01267 } 01268