advapi32: Add more tests for granted access mask. Fix test on Wine.
This commit is contained in:
parent
bae75024a4
commit
c04e7e7878
|
@ -31,6 +31,7 @@
|
||||||
#include "sddl.h"
|
#include "sddl.h"
|
||||||
#include "ntsecapi.h"
|
#include "ntsecapi.h"
|
||||||
#include "lmcons.h"
|
#include "lmcons.h"
|
||||||
|
#include "winternl.h"
|
||||||
|
|
||||||
#include "wine/test.h"
|
#include "wine/test.h"
|
||||||
|
|
||||||
|
@ -59,8 +60,11 @@ typedef NTSTATUS (WINAPI *fnLsaQueryInformationPolicy)(LSA_HANDLE,POLICY_INFORMA
|
||||||
typedef NTSTATUS (WINAPI *fnLsaClose)(LSA_HANDLE);
|
typedef NTSTATUS (WINAPI *fnLsaClose)(LSA_HANDLE);
|
||||||
typedef NTSTATUS (WINAPI *fnLsaFreeMemory)(PVOID);
|
typedef NTSTATUS (WINAPI *fnLsaFreeMemory)(PVOID);
|
||||||
typedef NTSTATUS (WINAPI *fnLsaOpenPolicy)(PLSA_UNICODE_STRING,PLSA_OBJECT_ATTRIBUTES,ACCESS_MASK,PLSA_HANDLE);
|
typedef NTSTATUS (WINAPI *fnLsaOpenPolicy)(PLSA_UNICODE_STRING,PLSA_OBJECT_ATTRIBUTES,ACCESS_MASK,PLSA_HANDLE);
|
||||||
|
static NTSTATUS (WINAPI *pNtQueryObject)(HANDLE,OBJECT_INFORMATION_CLASS,PVOID,ULONG,PULONG);
|
||||||
|
|
||||||
static HMODULE hmod;
|
static HMODULE hmod;
|
||||||
|
static int myARGC;
|
||||||
|
static char** myARGV;
|
||||||
|
|
||||||
fnBuildTrusteeWithSidA pBuildTrusteeWithSidA;
|
fnBuildTrusteeWithSidA pBuildTrusteeWithSidA;
|
||||||
fnBuildTrusteeWithNameA pBuildTrusteeWithNameA;
|
fnBuildTrusteeWithNameA pBuildTrusteeWithNameA;
|
||||||
|
@ -85,7 +89,12 @@ struct sidRef
|
||||||
|
|
||||||
static void init(void)
|
static void init(void)
|
||||||
{
|
{
|
||||||
|
HMODULE hntdll = GetModuleHandleA("ntdll.dll");
|
||||||
|
|
||||||
hmod = GetModuleHandle("advapi32.dll");
|
hmod = GetModuleHandle("advapi32.dll");
|
||||||
|
myARGC = winetest_get_mainargs( &myARGV );
|
||||||
|
|
||||||
|
pNtQueryObject = (void *)GetProcAddress( hntdll, "NtQueryObject" );
|
||||||
}
|
}
|
||||||
|
|
||||||
static void test_str_sid(const char *str_sid)
|
static void test_str_sid(const char *str_sid)
|
||||||
|
@ -673,7 +682,7 @@ static void test_AccessCheck(void)
|
||||||
res = InitializeAcl(Acl, 256, ACL_REVISION);
|
res = InitializeAcl(Acl, 256, ACL_REVISION);
|
||||||
if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
|
if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
|
||||||
{
|
{
|
||||||
trace("ACLs not implemented - skipping tests\n");
|
skip("ACLs not implemented - skipping tests\n");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
ok(res, "InitializeAcl failed with error %d\n", GetLastError());
|
ok(res, "InitializeAcl failed with error %d\n", GetLastError());
|
||||||
|
@ -1347,10 +1356,136 @@ static void test_LookupAccountName(void)
|
||||||
HeapFree(GetProcessHeap(), 0, domain);
|
HeapFree(GetProcessHeap(), 0, domain);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#define TEST_GRANTED_ACCESS(a,b) test_granted_access(a,b,__LINE__)
|
||||||
|
static void test_granted_access(HANDLE handle, ACCESS_MASK access, int line)
|
||||||
|
{
|
||||||
|
OBJECT_BASIC_INFORMATION obj_info;
|
||||||
|
NTSTATUS status;
|
||||||
|
|
||||||
|
if (!pNtQueryObject)
|
||||||
|
{
|
||||||
|
skip_(__FILE__, line)("Not NT platform - skipping tests\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
status = pNtQueryObject( handle, ObjectBasicInformation, &obj_info,
|
||||||
|
sizeof(obj_info), NULL );
|
||||||
|
ok_(__FILE__, line)(!status, "NtQueryObject with err: %08x\n", status);
|
||||||
|
ok_(__FILE__, line)(obj_info.GrantedAccess == access, "Gratned access should "
|
||||||
|
"be 0x%08x, instead of 0x%08x\n", access, obj_info.GrantedAccess);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void test_process_security(void)
|
||||||
|
{
|
||||||
|
BOOL res;
|
||||||
|
PSID AdminSid = NULL, UsersSid = NULL;
|
||||||
|
PACL Acl = NULL;
|
||||||
|
SECURITY_DESCRIPTOR *SecurityDescriptor = NULL;
|
||||||
|
SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
|
||||||
|
char buffer[MAX_PATH];
|
||||||
|
PROCESS_INFORMATION info;
|
||||||
|
STARTUPINFOA startup;
|
||||||
|
SECURITY_ATTRIBUTES psa;
|
||||||
|
|
||||||
|
Acl = HeapAlloc(GetProcessHeap(), 0, 256);
|
||||||
|
res = InitializeAcl(Acl, 256, ACL_REVISION);
|
||||||
|
if (!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
|
||||||
|
{
|
||||||
|
skip("ACLs not implemented - skipping tests\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
ok(res, "InitializeAcl failed with error %d\n", GetLastError());
|
||||||
|
|
||||||
|
res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
|
||||||
|
DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdminSid);
|
||||||
|
ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
|
||||||
|
res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
|
||||||
|
DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
|
||||||
|
ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
|
||||||
|
|
||||||
|
res = AddAccessDeniedAce(Acl, ACL_REVISION, PROCESS_VM_READ, AdminSid);
|
||||||
|
ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
|
||||||
|
res = AddAccessAllowedAce(Acl, ACL_REVISION, PROCESS_ALL_ACCESS, AdminSid);
|
||||||
|
ok(res, "AddAccessAllowedAceEx failed with error %d\n", GetLastError());
|
||||||
|
|
||||||
|
SecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
|
||||||
|
res = InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
|
||||||
|
ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError());
|
||||||
|
|
||||||
|
/* Set owner and group and dacl */
|
||||||
|
res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE);
|
||||||
|
ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
|
||||||
|
res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, TRUE);
|
||||||
|
ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
|
||||||
|
res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
|
||||||
|
ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
|
||||||
|
|
||||||
|
|
||||||
|
sprintf(buffer, "%s tests/security.c test", myARGV[0]);
|
||||||
|
memset(&startup, 0, sizeof(startup));
|
||||||
|
startup.cb = sizeof(startup);
|
||||||
|
startup.dwFlags = STARTF_USESHOWWINDOW;
|
||||||
|
startup.wShowWindow = SW_SHOWNORMAL;
|
||||||
|
|
||||||
|
psa.nLength = sizeof(psa);
|
||||||
|
psa.lpSecurityDescriptor = SecurityDescriptor;
|
||||||
|
psa.bInheritHandle = TRUE;
|
||||||
|
|
||||||
|
/* Doesn't matter what ACL say we should get full access for ourselves */
|
||||||
|
ok(CreateProcessA( NULL, buffer, &psa, NULL, FALSE, 0, NULL, NULL, &startup, &info ),
|
||||||
|
"CreateProcess with err:%d\n", GetLastError());
|
||||||
|
TEST_GRANTED_ACCESS( info.hProcess, PROCESS_ALL_ACCESS );
|
||||||
|
ok(WaitForSingleObject(info.hProcess, 30000) == WAIT_OBJECT_0, "Child process termination\n");
|
||||||
|
|
||||||
|
if (AdminSid) FreeSid(AdminSid);
|
||||||
|
if (UsersSid) FreeSid(UsersSid);
|
||||||
|
HeapFree(GetProcessHeap(), 0, Acl);
|
||||||
|
HeapFree(GetProcessHeap(), 0, SecurityDescriptor);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void test_process_security_child(void)
|
||||||
|
{
|
||||||
|
HANDLE handle, handle1;
|
||||||
|
|
||||||
|
handle = OpenProcess( PROCESS_TERMINATE, FALSE, GetCurrentProcessId() );
|
||||||
|
ok(handle != NULL, "OpenProcess(PROCESS_TERMINATE) with err:%d\n", GetLastError());
|
||||||
|
TEST_GRANTED_ACCESS( handle, PROCESS_TERMINATE );
|
||||||
|
|
||||||
|
ok(DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(),
|
||||||
|
&handle1, PROCESS_ALL_ACCESS, TRUE, DUPLICATE_SAME_ACCESS),
|
||||||
|
"duplicating handle err:%d\n", GetLastError());
|
||||||
|
TEST_GRANTED_ACCESS( handle, PROCESS_TERMINATE );
|
||||||
|
|
||||||
|
CloseHandle( handle1 );
|
||||||
|
CloseHandle( handle );
|
||||||
|
|
||||||
|
/* These two should fail - they are denied by ACL */
|
||||||
|
handle = OpenProcess( PROCESS_VM_READ, FALSE, GetCurrentProcessId() );
|
||||||
|
todo_wine
|
||||||
|
ok(handle == NULL, "OpenProcess(PROCESS_VM_READ) should have failed\n");
|
||||||
|
handle = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );
|
||||||
|
todo_wine
|
||||||
|
ok(handle == NULL, "OpenProcess(PROCESS_ALL_ACCESS) should have failed\n");
|
||||||
|
|
||||||
|
/* Documented privilege elevation */
|
||||||
|
ok(DuplicateHandle( GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),
|
||||||
|
&handle, PROCESS_ALL_ACCESS, TRUE, DUPLICATE_SAME_ACCESS),
|
||||||
|
"duplicating handle err:%d\n", GetLastError());
|
||||||
|
TEST_GRANTED_ACCESS( handle, PROCESS_ALL_ACCESS );
|
||||||
|
|
||||||
|
CloseHandle( handle );
|
||||||
|
}
|
||||||
|
|
||||||
START_TEST(security)
|
START_TEST(security)
|
||||||
{
|
{
|
||||||
init();
|
init();
|
||||||
if (!hmod) return;
|
if (!hmod) return;
|
||||||
|
|
||||||
|
if (myARGC >= 3)
|
||||||
|
{
|
||||||
|
test_process_security_child();
|
||||||
|
return;
|
||||||
|
}
|
||||||
test_sid();
|
test_sid();
|
||||||
test_trustee();
|
test_trustee();
|
||||||
test_luid();
|
test_luid();
|
||||||
|
@ -1359,4 +1494,5 @@ START_TEST(security)
|
||||||
test_token_attr();
|
test_token_attr();
|
||||||
test_LookupAccountSid();
|
test_LookupAccountSid();
|
||||||
test_LookupAccountName();
|
test_LookupAccountName();
|
||||||
|
test_process_security();
|
||||||
}
|
}
|
||||||
|
|
|
@ -459,7 +459,7 @@ obj_handle_t duplicate_handle( struct process *src, obj_handle_t src_handle, str
|
||||||
access = entry->access;
|
access = entry->access;
|
||||||
else /* pseudo-handle, give it full access */
|
else /* pseudo-handle, give it full access */
|
||||||
{
|
{
|
||||||
access = STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL;
|
access = obj->ops->map_access( obj, GENERIC_ALL );
|
||||||
clear_error();
|
clear_error();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue