[KMTESTS:SE] Implement SeFilterToken testcase

2025-08-07 03:53:00 +00:00 · 2021-10-19 11:39:06 +02:00 · 2021-10-19 11:39:06 +02:00 · aaa2094208
commit aaa2094208
parent 6fe1b387c6
3 changed files with 116 additions and 0 deletions
--- a/modules/rostests/kmtests/CMakeLists.txt
+++ b/modules/rostests/kmtests/CMakeLists.txt
@ -98,6 +98,7 @@ list(APPEND KMTEST_DRV_SOURCE
    ntos_se/SeInheritance.c
    ntos_se/SeLogonSession.c
    ntos_se/SeQueryInfoToken.c
    ntos_se/SeTokenFiltering.c
    rtl/RtlIsValidOemCharacter.c
    rtl/RtlRangeList.c
    ${COMMON_SOURCE}
--- a/modules/rostests/kmtests/kmtest_drv/testlist.c
+++ b/modules/rostests/kmtests/kmtest_drv/testlist.c
@ -66,6 +66,7 @@ KMT_TESTFUNC Test_PsNotify;
 KMT_TESTFUNC Test_SeInheritance;
 KMT_TESTFUNC Test_SeLogonSession;
 KMT_TESTFUNC Test_SeQueryInfoToken;
 KMT_TESTFUNC Test_SeTokenFiltering;
 KMT_TESTFUNC Test_RtlAvlTree;
 KMT_TESTFUNC Test_RtlException;
 KMT_TESTFUNC Test_RtlIntSafe;
@ -155,6 +156,7 @@ const KMT_TEST TestList[] =
    { "SeInheritance",                      Test_SeInheritance },
    { "SeLogonSession",                     Test_SeLogonSession },
    { "SeQueryInfoToken",                   Test_SeQueryInfoToken },
    { "SeTokenFiltering",                   Test_SeTokenFiltering },
    { "ZwAllocateVirtualMemory",            Test_ZwAllocateVirtualMemory },
    { "ZwCreateSection",                    Test_ZwCreateSection },
    { "ZwMapViewOfSection",                 Test_ZwMapViewOfSection },
--- a/modules/rostests/kmtests/ntos_se/SeTokenFiltering.c
+++ b/modules/rostests/kmtests/ntos_se/SeTokenFiltering.c
@ -0,0 +1,113 @@
 /*
 * PROJECT:     ReactOS kernel-mode tests
 * LICENSE:     GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
 * PURPOSE:     Kernel mode tests for token filtering implementation
 * COPYRIGHT:   Copyright 2021 George Bișoc <george.bisoc@reactos.org>
 */
 #include <kmt_test.h>
 #include <ntifs.h>
 static
 VOID
 FilterToken(VOID)
 {
    NTSTATUS Status;
    PSECURITY_SUBJECT_CONTEXT SubjectContext;
    PACCESS_TOKEN Token, FilteredToken;
    TOKEN_GROUPS SidsToDisable, RestrictedGroups;
    TOKEN_PRIVILEGES Privilege;
    /* Capture the subject context and token for tests */
    SubjectContext = ExAllocatePool(PagedPool, sizeof(SECURITY_SUBJECT_CONTEXT));
    if (SubjectContext == NULL)
    {
        trace("Failed to allocate memory pool for the subject context!\n");
        return;
    }
    SeCaptureSubjectContext(SubjectContext);
    SeLockSubjectContext(SubjectContext);
    Token = SeQuerySubjectContextToken(SubjectContext);
    ok(Token != NULL, "Token mustn't be NULL...\n");
    /* Delete a privilege */
    Privilege.PrivilegeCount = 1;
    Privilege.Privileges[0].Attributes = 0;
    Privilege.Privileges[0].Luid = SeExports->SeSystemEnvironmentPrivilege;
    Status = SeFilterToken(Token,
                           0,
                           NULL,
                           &Privilege,
                           NULL,
                           &FilteredToken);
    ok_irql(PASSIVE_LEVEL);
    ok_eq_hex(Status, STATUS_SUCCESS);
    /* Disable all the privileges */
    Status = SeFilterToken(Token,
                           DISABLE_MAX_PRIVILEGE,
                           NULL,
                           NULL,
                           NULL,
                           &FilteredToken);
    ok_irql(PASSIVE_LEVEL);
    ok_eq_hex(Status, STATUS_SUCCESS);
    /* Disable a SID */
    SidsToDisable.GroupCount = 1;
    SidsToDisable.Groups[0].Attributes = 0;
    SidsToDisable.Groups[0].Sid = SeExports->SeWorldSid;
    Status = SeFilterToken(Token,
                           0,
                           &SidsToDisable,
                           NULL,
                           NULL,
                           &FilteredToken);
    ok_irql(PASSIVE_LEVEL);
    ok_eq_hex(Status, STATUS_SUCCESS);
    /*
     * Add a restricted SID but we're going to fail...
     * Because no attributes must be within restricted
     * SIDs.
     */
    RestrictedGroups.GroupCount = 1;
    RestrictedGroups.Groups[0].Attributes = SE_GROUP_ENABLED;
    RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
    Status = SeFilterToken(Token,
                           0,
                           NULL,
                           NULL,
                           &RestrictedGroups,
                           &FilteredToken);
    ok_irql(PASSIVE_LEVEL);
    ok_eq_hex(Status, STATUS_INVALID_PARAMETER);
    /* Add a restricted SID now */
    RestrictedGroups.GroupCount = 1;
    RestrictedGroups.Groups[0].Attributes = 0;
    RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
    Status = SeFilterToken(Token,
                           0,
                           NULL,
                           NULL,
                           &RestrictedGroups,
                           &FilteredToken);
    ok_irql(PASSIVE_LEVEL);
    ok_eq_hex(Status, STATUS_SUCCESS);
    /* We're done */
    SeUnlockSubjectContext(SubjectContext);
    if (SubjectContext)
        ExFreePool(SubjectContext);
 }
 START_TEST(SeTokenFiltering)
 {
    FilterToken();
 }