[KMTESTS:SE] Implement SeFilterToken testcase

modules/rostests/kmtests/CMakeLists.txt

@@ -98,6 +98,7 @@ list(APPEND KMTEST_DRV_SOURCE
     ntos_se/SeInheritance.c
     ntos_se/SeLogonSession.c
     ntos_se/SeQueryInfoToken.c
+    ntos_se/SeTokenFiltering.c
     rtl/RtlIsValidOemCharacter.c
     rtl/RtlRangeList.c
     ${COMMON_SOURCE}

modules/rostests/kmtests/kmtest_drv/testlist.c

@@ -66,6 +66,7 @@ KMT_TESTFUNC Test_PsNotify;
 KMT_TESTFUNC Test_SeInheritance;
 KMT_TESTFUNC Test_SeLogonSession;
 KMT_TESTFUNC Test_SeQueryInfoToken;
+KMT_TESTFUNC Test_SeTokenFiltering;
 KMT_TESTFUNC Test_RtlAvlTree;
 KMT_TESTFUNC Test_RtlException;
 KMT_TESTFUNC Test_RtlIntSafe;
@@ -155,6 +156,7 @@ const KMT_TEST TestList[] =
     { "SeInheritance",                      Test_SeInheritance },
     { "SeLogonSession",                     Test_SeLogonSession },
     { "SeQueryInfoToken",                   Test_SeQueryInfoToken },
+    { "SeTokenFiltering",                   Test_SeTokenFiltering },
     { "ZwAllocateVirtualMemory",            Test_ZwAllocateVirtualMemory },
     { "ZwCreateSection",                    Test_ZwCreateSection },
     { "ZwMapViewOfSection",                 Test_ZwMapViewOfSection },

modules/rostests/kmtests/ntos_se/SeTokenFiltering.c

@@ -0,0 +1,113 @@
+/*
+ * PROJECT:     ReactOS kernel-mode tests
+ * LICENSE:     GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
+ * PURPOSE:     Kernel mode tests for token filtering implementation
+ * COPYRIGHT:   Copyright 2021 George Bișoc <george.bisoc@reactos.org>
+ */
+
+#include <kmt_test.h>
+#include <ntifs.h>
+
+static
+VOID
+FilterToken(VOID)
+{
+    NTSTATUS Status;
+    PSECURITY_SUBJECT_CONTEXT SubjectContext;
+    PACCESS_TOKEN Token, FilteredToken;
+    TOKEN_GROUPS SidsToDisable, RestrictedGroups;
+    TOKEN_PRIVILEGES Privilege;
+
+    /* Capture the subject context and token for tests */
+    SubjectContext = ExAllocatePool(PagedPool, sizeof(SECURITY_SUBJECT_CONTEXT));
+    if (SubjectContext == NULL)
+    {
+        trace("Failed to allocate memory pool for the subject context!\n");
+        return;
+    }
+
+    SeCaptureSubjectContext(SubjectContext);
+    SeLockSubjectContext(SubjectContext);
+    Token = SeQuerySubjectContextToken(SubjectContext);
+    ok(Token != NULL, "Token mustn't be NULL...\n");
+
+    /* Delete a privilege */
+    Privilege.PrivilegeCount = 1;
+    Privilege.Privileges[0].Attributes = 0;
+    Privilege.Privileges[0].Luid = SeExports->SeSystemEnvironmentPrivilege;
+
+    Status = SeFilterToken(Token,
+                           0,
+                           NULL,
+                           &Privilege,
+                           NULL,
+                           &FilteredToken);
+    ok_irql(PASSIVE_LEVEL);
+    ok_eq_hex(Status, STATUS_SUCCESS);
+
+    /* Disable all the privileges */
+    Status = SeFilterToken(Token,
+                           DISABLE_MAX_PRIVILEGE,
+                           NULL,
+                           NULL,
+                           NULL,
+                           &FilteredToken);
+    ok_irql(PASSIVE_LEVEL);
+    ok_eq_hex(Status, STATUS_SUCCESS);
+
+    /* Disable a SID */
+    SidsToDisable.GroupCount = 1;
+    SidsToDisable.Groups[0].Attributes = 0;
+    SidsToDisable.Groups[0].Sid = SeExports->SeWorldSid;
+
+    Status = SeFilterToken(Token,
+                           0,
+                           &SidsToDisable,
+                           NULL,
+                           NULL,
+                           &FilteredToken);
+    ok_irql(PASSIVE_LEVEL);
+    ok_eq_hex(Status, STATUS_SUCCESS);
+
+    /*
+     * Add a restricted SID but we're going to fail...
+     * Because no attributes must be within restricted
+     * SIDs.
+     */
+    RestrictedGroups.GroupCount = 1;
+    RestrictedGroups.Groups[0].Attributes = SE_GROUP_ENABLED;
+    RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
+
+    Status = SeFilterToken(Token,
+                           0,
+                           NULL,
+                           NULL,
+                           &RestrictedGroups,
+                           &FilteredToken);
+    ok_irql(PASSIVE_LEVEL);
+    ok_eq_hex(Status, STATUS_INVALID_PARAMETER);
+
+    /* Add a restricted SID now */
+    RestrictedGroups.GroupCount = 1;
+    RestrictedGroups.Groups[0].Attributes = 0;
+    RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
+
+    Status = SeFilterToken(Token,
+                           0,
+                           NULL,
+                           NULL,
+                           &RestrictedGroups,
+                           &FilteredToken);
+    ok_irql(PASSIVE_LEVEL);
+    ok_eq_hex(Status, STATUS_SUCCESS);
+
+    /* We're done */
+    SeUnlockSubjectContext(SubjectContext);
+    if (SubjectContext)
+        ExFreePool(SubjectContext);
+}
+
+START_TEST(SeTokenFiltering)
+{
+    FilterToken();
+}