advapi32: Add more tests for granted access mask. Fix test on Wine.

dlls/advapi32/tests/security.c

@@ -31,6 +31,7 @@
 #include "sddl.h"
 #include "ntsecapi.h"
 #include "lmcons.h"
+#include "winternl.h"
 
 #include "wine/test.h"
 
@@ -59,8 +60,11 @@ typedef NTSTATUS (WINAPI *fnLsaQueryInformationPolicy)(LSA_HANDLE,POLICY_INFORMA
 typedef NTSTATUS (WINAPI *fnLsaClose)(LSA_HANDLE);
 typedef NTSTATUS (WINAPI *fnLsaFreeMemory)(PVOID);
 typedef NTSTATUS (WINAPI *fnLsaOpenPolicy)(PLSA_UNICODE_STRING,PLSA_OBJECT_ATTRIBUTES,ACCESS_MASK,PLSA_HANDLE);
+static NTSTATUS (WINAPI *pNtQueryObject)(HANDLE,OBJECT_INFORMATION_CLASS,PVOID,ULONG,PULONG);
 
 static HMODULE hmod;
+static int     myARGC;
+static char**  myARGV;
 
 fnBuildTrusteeWithSidA   pBuildTrusteeWithSidA;
 fnBuildTrusteeWithNameA  pBuildTrusteeWithNameA;
@@ -85,7 +89,12 @@ struct sidRef
 
 static void init(void)
 {
+    HMODULE hntdll = GetModuleHandleA("ntdll.dll");
+
     hmod = GetModuleHandle("advapi32.dll");
+    myARGC = winetest_get_mainargs( &myARGV );
+
+    pNtQueryObject = (void *)GetProcAddress( hntdll, "NtQueryObject" );
 }
 
 static void test_str_sid(const char *str_sid)
@@ -673,7 +682,7 @@ static void test_AccessCheck(void)
     res = InitializeAcl(Acl, 256, ACL_REVISION);
     if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
     {
-        trace("ACLs not implemented - skipping tests\n");
+        skip("ACLs not implemented - skipping tests\n");
         return;
     }
     ok(res, "InitializeAcl failed with error %d\n", GetLastError());
@@ -1347,10 +1356,136 @@ static void test_LookupAccountName(void)
     HeapFree(GetProcessHeap(), 0, domain);
 }
 
+#define TEST_GRANTED_ACCESS(a,b) test_granted_access(a,b,__LINE__)
+static void test_granted_access(HANDLE handle, ACCESS_MASK access, int line)
+{
+    OBJECT_BASIC_INFORMATION obj_info;
+    NTSTATUS status;
+
+    if (!pNtQueryObject)
+    {
+        skip_(__FILE__, line)("Not NT platform - skipping tests\n");
+        return;
+    }
+
+    status = pNtQueryObject( handle, ObjectBasicInformation, &obj_info,
+                             sizeof(obj_info), NULL );
+    ok_(__FILE__, line)(!status, "NtQueryObject with err: %08x\n", status);
+    ok_(__FILE__, line)(obj_info.GrantedAccess == access, "Gratned access should "
+        "be 0x%08x, instead of 0x%08x\n", access, obj_info.GrantedAccess);
+}
+
+static void test_process_security(void)
+{
+    BOOL res;
+    PSID AdminSid = NULL, UsersSid = NULL;
+    PACL Acl = NULL;
+    SECURITY_DESCRIPTOR *SecurityDescriptor = NULL;
+    SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
+    char buffer[MAX_PATH];
+    PROCESS_INFORMATION info;
+    STARTUPINFOA startup;
+    SECURITY_ATTRIBUTES psa;
+
+    Acl = HeapAlloc(GetProcessHeap(), 0, 256);
+    res = InitializeAcl(Acl, 256, ACL_REVISION);
+    if (!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
+    {
+        skip("ACLs not implemented - skipping tests\n");
+        return;
+    }
+    ok(res, "InitializeAcl failed with error %d\n", GetLastError());
+
+    res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
+                                    DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdminSid);
+    ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
+    res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
+                                    DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
+    ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
+
+    res = AddAccessDeniedAce(Acl, ACL_REVISION, PROCESS_VM_READ, AdminSid);
+    ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
+    res = AddAccessAllowedAce(Acl, ACL_REVISION, PROCESS_ALL_ACCESS, AdminSid);
+    ok(res, "AddAccessAllowedAceEx failed with error %d\n", GetLastError());
+
+    SecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
+    res = InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
+    ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError());
+
+    /* Set owner and group and dacl */
+    res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE);
+    ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
+    res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, TRUE);
+    ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
+    res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
+    ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
+
+
+    sprintf(buffer, "%s tests/security.c test", myARGV[0]);
+    memset(&startup, 0, sizeof(startup));
+    startup.cb = sizeof(startup);
+    startup.dwFlags = STARTF_USESHOWWINDOW;
+    startup.wShowWindow = SW_SHOWNORMAL;
+
+    psa.nLength = sizeof(psa);
+    psa.lpSecurityDescriptor = SecurityDescriptor;
+    psa.bInheritHandle = TRUE;
+
+    /* Doesn't matter what ACL say we should get full access for ourselves */
+    ok(CreateProcessA( NULL, buffer, &psa, NULL, FALSE, 0, NULL, NULL, &startup, &info ),
+        "CreateProcess with err:%d\n", GetLastError());
+    TEST_GRANTED_ACCESS( info.hProcess, PROCESS_ALL_ACCESS );
+    ok(WaitForSingleObject(info.hProcess, 30000) == WAIT_OBJECT_0, "Child process termination\n");
+
+    if (AdminSid) FreeSid(AdminSid);
+    if (UsersSid) FreeSid(UsersSid);
+    HeapFree(GetProcessHeap(), 0, Acl);
+    HeapFree(GetProcessHeap(), 0, SecurityDescriptor);
+}
+
+static void test_process_security_child(void)
+{
+    HANDLE handle, handle1;
+
+    handle = OpenProcess( PROCESS_TERMINATE, FALSE, GetCurrentProcessId() );
+    ok(handle != NULL, "OpenProcess(PROCESS_TERMINATE) with err:%d\n", GetLastError());
+    TEST_GRANTED_ACCESS( handle, PROCESS_TERMINATE );
+
+    ok(DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(),
+                        &handle1, PROCESS_ALL_ACCESS, TRUE, DUPLICATE_SAME_ACCESS),
+       "duplicating handle err:%d\n", GetLastError());
+    TEST_GRANTED_ACCESS( handle, PROCESS_TERMINATE );
+
+    CloseHandle( handle1 );
+    CloseHandle( handle );
+
+    /* These two should fail - they are denied by ACL */
+    handle = OpenProcess( PROCESS_VM_READ, FALSE, GetCurrentProcessId() );
+    todo_wine
+    ok(handle == NULL, "OpenProcess(PROCESS_VM_READ) should have failed\n");
+    handle = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );
+    todo_wine
+    ok(handle == NULL, "OpenProcess(PROCESS_ALL_ACCESS) should have failed\n");
+
+    /* Documented privilege elevation */
+    ok(DuplicateHandle( GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),
+                        &handle, PROCESS_ALL_ACCESS, TRUE, DUPLICATE_SAME_ACCESS),
+       "duplicating handle err:%d\n", GetLastError());
+    TEST_GRANTED_ACCESS( handle, PROCESS_ALL_ACCESS );
+
+    CloseHandle( handle );
+}
+
 START_TEST(security)
 {
     init();
     if (!hmod) return;
+
+    if (myARGC >= 3)
+    {
+        test_process_security_child();
+        return;
+    }
     test_sid();
     test_trustee();
     test_luid();
@@ -1359,4 +1494,5 @@ START_TEST(security)
     test_token_attr();
     test_LookupAccountSid();
     test_LookupAccountName();
+    test_process_security();
 }

server/handle.c

@@ -459,7 +459,7 @@ obj_handle_t duplicate_handle( struct process *src, obj_handle_t src_handle, str
             access = entry->access;
         else  /* pseudo-handle, give it full access */
         {
-            access = STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL;
+            access = obj->ops->map_access( obj, GENERIC_ALL );
             clear_error();
         }
     }