https://git.reactos.org/?p=reactos.git;a=commitdiff;h=aaa20942087ccb42011bd62312921e1c0970346c

commit aaa20942087ccb42011bd62312921e1c0970346c
Author:     George Bișoc <[email protected]>
AuthorDate: Tue Oct 19 11:39:06 2021 +0200
Commit:     George Bișoc <[email protected]>
CommitDate: Sun Nov 7 14:14:19 2021 +0100

    [KMTESTS:SE] Implement SeFilterToken testcase
---
 modules/rostests/kmtests/CMakeLists.txt            |   1 +
 modules/rostests/kmtests/kmtest_drv/testlist.c     |   2 +
 .../rostests/kmtests/ntos_se/SeTokenFiltering.c    | 113 +++++++++++++++++++++
 3 files changed, 116 insertions(+)

diff --git a/modules/rostests/kmtests/CMakeLists.txt 
b/modules/rostests/kmtests/CMakeLists.txt
index 3898b37a6ba..4bfeb361b3c 100644
--- a/modules/rostests/kmtests/CMakeLists.txt
+++ b/modules/rostests/kmtests/CMakeLists.txt
@@ -98,6 +98,7 @@ list(APPEND KMTEST_DRV_SOURCE
     ntos_se/SeInheritance.c
     ntos_se/SeLogonSession.c
     ntos_se/SeQueryInfoToken.c
+    ntos_se/SeTokenFiltering.c
     rtl/RtlIsValidOemCharacter.c
     rtl/RtlRangeList.c
     ${COMMON_SOURCE}
diff --git a/modules/rostests/kmtests/kmtest_drv/testlist.c 
b/modules/rostests/kmtests/kmtest_drv/testlist.c
index d486c2e3351..36bec00ae0e 100644
--- a/modules/rostests/kmtests/kmtest_drv/testlist.c
+++ b/modules/rostests/kmtests/kmtest_drv/testlist.c
@@ -66,6 +66,7 @@ KMT_TESTFUNC Test_PsNotify;
 KMT_TESTFUNC Test_SeInheritance;
 KMT_TESTFUNC Test_SeLogonSession;
 KMT_TESTFUNC Test_SeQueryInfoToken;
+KMT_TESTFUNC Test_SeTokenFiltering;
 KMT_TESTFUNC Test_RtlAvlTree;
 KMT_TESTFUNC Test_RtlException;
 KMT_TESTFUNC Test_RtlIntSafe;
@@ -155,6 +156,7 @@ const KMT_TEST TestList[] =
     { "SeInheritance",                      Test_SeInheritance },
     { "SeLogonSession",                     Test_SeLogonSession },
     { "SeQueryInfoToken",                   Test_SeQueryInfoToken },
+    { "SeTokenFiltering",                   Test_SeTokenFiltering },
     { "ZwAllocateVirtualMemory",            Test_ZwAllocateVirtualMemory },
     { "ZwCreateSection",                    Test_ZwCreateSection },
     { "ZwMapViewOfSection",                 Test_ZwMapViewOfSection },
diff --git a/modules/rostests/kmtests/ntos_se/SeTokenFiltering.c 
b/modules/rostests/kmtests/ntos_se/SeTokenFiltering.c
new file mode 100644
index 00000000000..6f819dead74
--- /dev/null
+++ b/modules/rostests/kmtests/ntos_se/SeTokenFiltering.c
@@ -0,0 +1,113 @@
+/*
+ * PROJECT:     ReactOS kernel-mode tests
+ * LICENSE:     GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
+ * PURPOSE:     Kernel mode tests for token filtering implementation
+ * COPYRIGHT:   Copyright 2021 George Bișoc <[email protected]>
+ */
+
+#include <kmt_test.h>
+#include <ntifs.h>
+
+static
+VOID
+FilterToken(VOID)
+{
+    NTSTATUS Status;
+    PSECURITY_SUBJECT_CONTEXT SubjectContext;
+    PACCESS_TOKEN Token, FilteredToken;
+    TOKEN_GROUPS SidsToDisable, RestrictedGroups;
+    TOKEN_PRIVILEGES Privilege;
+
+    /* Capture the subject context and token for tests */
+    SubjectContext = ExAllocatePool(PagedPool, 
sizeof(SECURITY_SUBJECT_CONTEXT));
+    if (SubjectContext == NULL)
+    {
+        trace("Failed to allocate memory pool for the subject context!\n");
+        return;
+    }
+
+    SeCaptureSubjectContext(SubjectContext);
+    SeLockSubjectContext(SubjectContext);
+    Token = SeQuerySubjectContextToken(SubjectContext);
+    ok(Token != NULL, "Token mustn't be NULL...\n");
+
+    /* Delete a privilege */
+    Privilege.PrivilegeCount = 1;
+    Privilege.Privileges[0].Attributes = 0;
+    Privilege.Privileges[0].Luid = SeExports->SeSystemEnvironmentPrivilege;
+
+    Status = SeFilterToken(Token,
+                           0,
+                           NULL,
+                           &Privilege,
+                           NULL,
+                           &FilteredToken);
+    ok_irql(PASSIVE_LEVEL);
+    ok_eq_hex(Status, STATUS_SUCCESS);
+
+    /* Disable all the privileges */
+    Status = SeFilterToken(Token,
+                           DISABLE_MAX_PRIVILEGE,
+                           NULL,
+                           NULL,
+                           NULL,
+                           &FilteredToken);
+    ok_irql(PASSIVE_LEVEL);
+    ok_eq_hex(Status, STATUS_SUCCESS);
+
+    /* Disable a SID */
+    SidsToDisable.GroupCount = 1;
+    SidsToDisable.Groups[0].Attributes = 0;
+    SidsToDisable.Groups[0].Sid = SeExports->SeWorldSid;
+
+    Status = SeFilterToken(Token,
+                           0,
+                           &SidsToDisable,
+                           NULL,
+                           NULL,
+                           &FilteredToken);
+    ok_irql(PASSIVE_LEVEL);
+    ok_eq_hex(Status, STATUS_SUCCESS);
+
+    /*
+     * Add a restricted SID but we're going to fail...
+     * Because no attributes must be within restricted
+     * SIDs.
+     */
+    RestrictedGroups.GroupCount = 1;
+    RestrictedGroups.Groups[0].Attributes = SE_GROUP_ENABLED;
+    RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
+
+    Status = SeFilterToken(Token,
+                           0,
+                           NULL,
+                           NULL,
+                           &RestrictedGroups,
+                           &FilteredToken);
+    ok_irql(PASSIVE_LEVEL);
+    ok_eq_hex(Status, STATUS_INVALID_PARAMETER);
+
+    /* Add a restricted SID now */
+    RestrictedGroups.GroupCount = 1;
+    RestrictedGroups.Groups[0].Attributes = 0;
+    RestrictedGroups.Groups[0].Sid = SeExports->SeDialupSid;
+
+    Status = SeFilterToken(Token,
+                           0,
+                           NULL,
+                           NULL,
+                           &RestrictedGroups,
+                           &FilteredToken);
+    ok_irql(PASSIVE_LEVEL);
+    ok_eq_hex(Status, STATUS_SUCCESS);
+
+    /* We're done */
+    SeUnlockSubjectContext(SubjectContext);
+    if (SubjectContext)
+        ExFreePool(SubjectContext);
+}
+
+START_TEST(SeTokenFiltering)
+{
+    FilterToken();
+}
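Review bot: Each of the four SeFilterToken calls that is expected to return STATUS_SUCCESS hands back a newly created token in `FilteredToken`, and the test neither checks it nor releases it, while the subject context captured with SeCaptureSubjectContext is freed without a matching SeReleaseSubjectContext — so the test leaks one token reference per successful call plus the captured primary-token reference. Assuming ReactOS follows the documented Windows contract (the filtered token is returned referenced and owned by the caller), each success path should end with `ok(FilteredToken != NULL, "FilteredToken mustn't be NULL\n"); ObDereferenceObject(FilteredToken);`, and the cleanup should become `SeUnlockSubjectContext(SubjectContext); SeReleaseSubjectContext(SubjectContext); ExFreePool(SubjectContext);` (the `if (SubjectContext)` guard is redundant after the NULL check at allocation). The STATUS_SUCCESS assertions alone do not establish that filtering did anything; at minimum the non-NULL check above, and ideally a query of the filtered token confirming the privilege was removed and the SID disabled, would make them meaningful. Note also that when `ok(Token != NULL, ...)` fails the test continues and passes a NULL token into SeFilterToken, turning a reportable failure into a crash; an early return after that check (with the context unlocked and released) would be safer.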
