Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-01-04 05:20:54 +00:00
Code Issues Projects Releases Packages Wiki Activity

[KMTESTS:CM]

Browse source 
- Add a test for registry hive security descriptors

svn path=/trunk/; revision=69265
This commit is contained in:
Thomas Faber 2015-09-18 11:06:11 +00:00
parent 852be46e0a
commit 567c098f48
3 changed files with 263 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
rostests/kmtests/CMakeLists.txt
View file

@ -35,6 +35,7 @@ list(APPEND KMTEST_DRV_SOURCE
npfs/NpfsHelpers.c npfs/NpfsHelpers.c
npfs/NpfsReadWrite.c npfs/NpfsReadWrite.c
npfs/NpfsVolumeInfo.c npfs/NpfsVolumeInfo.c
ntos_cm/CmSecurity.c
ntos_ex/ExCallback.c ntos_ex/ExCallback.c
ntos_ex/ExDoubleList.c ntos_ex/ExDoubleList.c
ntos_ex/ExFastMutex.c ntos_ex/ExFastMutex.c

2
rostests/kmtests/kmtest_drv/testlist.c
View file

@ -7,6 +7,7 @@
#include <kmt_test.h> #include <kmt_test.h>
KMT_TESTFUNC Test_CmSecurity;
KMT_TESTFUNC Test_Example; KMT_TESTFUNC Test_Example;
KMT_TESTFUNC Test_ExCallback; KMT_TESTFUNC Test_ExCallback;
KMT_TESTFUNC Test_ExDoubleList; KMT_TESTFUNC Test_ExDoubleList;
@ -68,6 +69,7 @@ KMT_TESTFUNC Test_ZwMapViewOfSection;
const KMT_TEST TestList[] = const KMT_TEST TestList[] =
{ {
{ "CmSecurity", Test_CmSecurity },
{ "ExCallback", Test_ExCallback }, { "ExCallback", Test_ExCallback },
{ "ExDoubleList", Test_ExDoubleList }, { "ExDoubleList", Test_ExDoubleList },
{ "ExFastMutex", Test_ExFastMutex }, { "ExFastMutex", Test_ExFastMutex },

260
rostests/kmtests/ntos_cm/CmSecurity.c Normal file
View file

@ -0,0 +1,260 @@
/*
* PROJECT: ReactOS kernel-mode tests
* LICENSE: LGPLv2+ - See COPYING.LIB in the top level directory
* PURPOSE: Kernel-Mode Test Suite NPFS security test
* PROGRAMMER: Thomas Faber <thomas.faber@reactos.org>
*/
#include <kmt_test.h>
#include "../ntos_se/se.h"
#define CheckKeySecurity(name, AceCount, ...) CheckKeySecurity_(name, AceCount, __FILE__, __LINE__, ##__VA_ARGS__)
#define CheckKeySecurity_(name, AceCount, file, line, ...) CheckKeySecurity__(name, AceCount, file ":" KMT_STRINGIZE(line), ##__VA_ARGS__)
static
VOID
CheckKeySecurity__(
_In_ PCWSTR KeyName,
_In_ ULONG AceCount,
_In_ PCSTR FileAndLine,
...)
{
NTSTATUS Status;
UNICODE_STRING KeyNameString;
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE KeyHandle;
PSECURITY_DESCRIPTOR SecurityDescriptor;
ULONG SecurityDescriptorSize;
PSID Owner;
PSID Group;
PACL Dacl;
PACL Sacl;
BOOLEAN Present;
BOOLEAN Defaulted;
va_list Arguments;
RtlInitUnicodeString(&KeyNameString, KeyName);
InitializeObjectAttributes(&ObjectAttributes,
&KeyNameString,
OBJ_KERNEL_HANDLE,
NULL,
NULL);
Status = ZwOpenKey(&KeyHandle,
READ_CONTROL | ACCESS_SYSTEM_SECURITY,
&ObjectAttributes);
ok_eq_hex(Status, STATUS_SUCCESS);
if (skip(NT_SUCCESS(Status), "No key (%ls)\n", KeyName))
{
return;
}
Status = ZwQuerySecurityObject(KeyHandle,
OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION,
NULL,
0,
&SecurityDescriptorSize);
ok_eq_hex(Status, STATUS_BUFFER_TOO_SMALL);
if (skip(Status == STATUS_BUFFER_TOO_SMALL, "No security size (%ls)\n", KeyName))
{
ObCloseHandle(KeyHandle, KernelMode);
return;
}
SecurityDescriptor = ExAllocatePoolWithTag(PagedPool,
SecurityDescriptorSize,
'dSmK');
ok(SecurityDescriptor != NULL, "Failed to allocate %lu bytes\n", SecurityDescriptorSize);
if (skip(SecurityDescriptor != NULL, "No memory for descriptor (%ls)\n", KeyName))
{
ObCloseHandle(KeyHandle, KernelMode);
return;
}
Status = ZwQuerySecurityObject(KeyHandle,
OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION,
SecurityDescriptor,
SecurityDescriptorSize,
&SecurityDescriptorSize);
ok_eq_hex(Status, STATUS_SUCCESS);
if (NT_SUCCESS(Status))
{
Owner = NULL;
Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
&Owner,
&Defaulted);
CheckSid(Owner, NO_SIZE, SeExports->SeAliasAdminsSid);
ok(Defaulted == FALSE, "Owner defaulted for %ls\n", KeyName);
Group = NULL;
Status = RtlGetGroupSecurityDescriptor(SecurityDescriptor,
&Group,
&Defaulted);
CheckSid(Group, NO_SIZE, SeExports->SeLocalSystemSid);
ok(Defaulted == FALSE, "Group defaulted for %ls\n", KeyName);
Dacl = NULL;
Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
&Present,
&Dacl,
&Defaulted);
ok_eq_hex(Status, STATUS_SUCCESS);
ok(Present == TRUE, "DACL not present for %ls\n", KeyName);
ok(Defaulted == FALSE, "DACL defaulted for %ls\n", KeyName);
va_start(Arguments, FileAndLine);
VCheckAcl__(Dacl, AceCount, FileAndLine, Arguments);
va_end(Arguments);
Sacl = NULL;
Status = RtlGetSaclSecurityDescriptor(SecurityDescriptor,
&Present,
&Sacl,
&Defaulted);
ok_eq_hex(Status, STATUS_SUCCESS);
ok(Present == FALSE, "SACL present for %ls\n", KeyName);
ok(Defaulted == FALSE, "SACL defaulted for %ls\n", KeyName);
ok(Sacl == NULL, "Sacl is %p for %ls\n", Sacl, KeyName);
}
ExFreePoolWithTag(SecurityDescriptor, 'dSmK');
ObCloseHandle(KeyHandle, KernelMode);
}
START_TEST(CmSecurity)
{
SID_IDENTIFIER_AUTHORITY NtSidAuthority = {SECURITY_NT_AUTHORITY};
PSID TerminalServerSid;
TerminalServerSid = ExAllocatePoolWithTag(PagedPool,
RtlLengthRequiredSid(1),
'iSmK');
if (TerminalServerSid != NULL)
{
RtlInitializeSid(TerminalServerSid, &NtSidAuthority, 1);
*RtlSubAuthoritySid(TerminalServerSid, 0) = SECURITY_TERMINAL_SERVER_RID;
}
CheckKeySecurity(L"\\REGISTRY",
4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, KEY_READ,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid, KEY_READ);
CheckKeySecurity(L"\\REGISTRY\\MACHINE",
4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, KEY_READ,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid, KEY_READ);
CheckKeySecurity(L"\\REGISTRY\\MACHINE\\HARDWARE",
4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, KEY_READ,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid, KEY_READ);
CheckKeySecurity(L"\\REGISTRY\\MACHINE\\SAM",
4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, KEY_READ,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid, KEY_READ);
CheckKeySecurity(L"\\REGISTRY\\MACHINE\\SECURITY",
2, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, WRITE_DAC | READ_CONTROL);
CheckKeySecurity(L"\\REGISTRY\\MACHINE\\SOFTWARE",
12, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasUsersSid, KEY_READ,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid, GENERIC_READ,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasPowerUsersSid, KEY_READ | KEY_WRITE | DELETE,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ | GENERIC_WRITE | DELETE,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid, GENERIC_ALL,
ACCESS_ALLOWED_ACE_TYPE, 0, TerminalServerSid, KEY_READ | KEY_WRITE | DELETE,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, TerminalServerSid, GENERIC_READ | GENERIC_WRITE | DELETE);
CheckKeySecurity(L"\\REGISTRY\\MACHINE\\SYSTEM",
10, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasUsersSid, KEY_READ,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid, GENERIC_READ,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasPowerUsersSid, KEY_READ,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid, GENERIC_ALL);
CheckKeySecurity(L"\\REGISTRY\\USER",
4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, KEY_READ,
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid, KEY_READ);
CheckKeySecurity(L"\\REGISTRY\\USER\\.DEFAULT",
10, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasUsersSid, KEY_READ,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid, GENERIC_READ,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasPowerUsersSid, KEY_READ,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid, GENERIC_ALL);
CheckKeySecurity(L"\\REGISTRY\\USER\\S-1-5-18",
10, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasUsersSid, KEY_READ,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid, GENERIC_READ,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasPowerUsersSid, KEY_READ,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid, GENERIC_ALL);
CheckKeySecurity(L"\\REGISTRY\\USER\\S-1-5-20",
8, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeNetworkServiceSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeRestrictedSid, KEY_READ,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE |
OBJECT_INHERIT_ACE, SeExports->SeNetworkServiceSid, GENERIC_ALL,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE |
OBJECT_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE |
OBJECT_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
CONTAINER_INHERIT_ACE |
OBJECT_INHERIT_ACE, SeExports->SeRestrictedSid, GENERIC_READ);
if (TerminalServerSid != NULL)
{
ExFreePoolWithTag(TerminalServerSid, 'iSmK');
}
}