Module: wine Branch: master Commit: c04e7e7878fae6591f7fe0df0a6adf2336dc5716 URL: http://source.winehq.org/git/wine.git/?a=commit;h=c04e7e7878fae6591f7fe0df0a...
Author: Vitaliy Margolen wine-patches@kievinfo.com Date: Wed Jan 24 23:43:18 2007 -0700
advapi32: Add more tests for granted access mask. Fix test on Wine.
---
dlls/advapi32/tests/security.c | 138 +++++++++++++++++++++++++++++++++++++++- server/handle.c | 2 +- 2 files changed, 138 insertions(+), 2 deletions(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c index 4fc9fad..bb5954c 100644 --- a/dlls/advapi32/tests/security.c +++ b/dlls/advapi32/tests/security.c @@ -31,6 +31,7 @@ #include "sddl.h" #include "ntsecapi.h" #include "lmcons.h" +#include "winternl.h"
#include "wine/test.h"
@@ -59,8 +60,11 @@ typedef NTSTATUS (WINAPI *fnLsaQueryInfo typedef NTSTATUS (WINAPI *fnLsaClose)(LSA_HANDLE); typedef NTSTATUS (WINAPI *fnLsaFreeMemory)(PVOID); typedef NTSTATUS (WINAPI *fnLsaOpenPolicy)(PLSA_UNICODE_STRING,PLSA_OBJECT_ATTRIBUTES,ACCESS_MASK,PLSA_HANDLE); +static NTSTATUS (WINAPI *pNtQueryObject)(HANDLE,OBJECT_INFORMATION_CLASS,PVOID,ULONG,PULONG);
static HMODULE hmod; +static int myARGC; +static char** myARGV;
fnBuildTrusteeWithSidA pBuildTrusteeWithSidA; fnBuildTrusteeWithNameA pBuildTrusteeWithNameA; @@ -85,7 +89,12 @@ struct sidRef
static void init(void) { + HMODULE hntdll = GetModuleHandleA("ntdll.dll"); + hmod = GetModuleHandle("advapi32.dll"); + myARGC = winetest_get_mainargs( &myARGV ); + + pNtQueryObject = (void *)GetProcAddress( hntdll, "NtQueryObject" ); }
static void test_str_sid(const char *str_sid) @@ -673,7 +682,7 @@ static void test_AccessCheck(void) res = InitializeAcl(Acl, 256, ACL_REVISION); if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED) { - trace("ACLs not implemented - skipping tests\n"); + skip("ACLs not implemented - skipping tests\n"); return; } ok(res, "InitializeAcl failed with error %d\n", GetLastError()); @@ -1347,10 +1356,136 @@ static void test_LookupAccountName(void) HeapFree(GetProcessHeap(), 0, domain); }
+#define TEST_GRANTED_ACCESS(a,b) test_granted_access(a,b,__LINE__) +static void test_granted_access(HANDLE handle, ACCESS_MASK access, int line) +{ + OBJECT_BASIC_INFORMATION obj_info; + NTSTATUS status; + + if (!pNtQueryObject) + { + skip_(__FILE__, line)("Not NT platform - skipping tests\n"); + return; + } + + status = pNtQueryObject( handle, ObjectBasicInformation, &obj_info, + sizeof(obj_info), NULL ); + ok_(__FILE__, line)(!status, "NtQueryObject with err: %08x\n", status); + ok_(__FILE__, line)(obj_info.GrantedAccess == access, "Gratned access should " + "be 0x%08x, instead of 0x%08x\n", access, obj_info.GrantedAccess); +} + +static void test_process_security(void) +{ + BOOL res; + PSID AdminSid = NULL, UsersSid = NULL; + PACL Acl = NULL; + SECURITY_DESCRIPTOR *SecurityDescriptor = NULL; + SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY }; + char buffer[MAX_PATH]; + PROCESS_INFORMATION info; + STARTUPINFOA startup; + SECURITY_ATTRIBUTES psa; + + Acl = HeapAlloc(GetProcessHeap(), 0, 256); + res = InitializeAcl(Acl, 256, ACL_REVISION); + if (!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED) + { + skip("ACLs not implemented - skipping tests\n"); + return; + } + ok(res, "InitializeAcl failed with error %d\n", GetLastError()); + + res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID, + DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdminSid); + ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError()); + res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID, + DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid); + ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError()); + + res = AddAccessDeniedAce(Acl, ACL_REVISION, PROCESS_VM_READ, AdminSid); + ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError()); + res = AddAccessAllowedAce(Acl, ACL_REVISION, PROCESS_ALL_ACCESS, AdminSid); + ok(res, "AddAccessAllowedAceEx failed with error %d\n", GetLastError()); + + SecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH); + res = InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION); + ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError()); + + /* Set owner and group and dacl */ + res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE); + ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError()); + res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, TRUE); + ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError()); + res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE); + ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError()); + + + sprintf(buffer, "%s tests/security.c test", myARGV[0]); + memset(&startup, 0, sizeof(startup)); + startup.cb = sizeof(startup); + startup.dwFlags = STARTF_USESHOWWINDOW; + startup.wShowWindow = SW_SHOWNORMAL; + + psa.nLength = sizeof(psa); + psa.lpSecurityDescriptor = SecurityDescriptor; + psa.bInheritHandle = TRUE; + + /* Doesn't matter what ACL say we should get full access for ourselves */ + ok(CreateProcessA( NULL, buffer, &psa, NULL, FALSE, 0, NULL, NULL, &startup, &info ), + "CreateProcess with err:%d\n", GetLastError()); + TEST_GRANTED_ACCESS( info.hProcess, PROCESS_ALL_ACCESS ); + ok(WaitForSingleObject(info.hProcess, 30000) == WAIT_OBJECT_0, "Child process termination\n"); + + if (AdminSid) FreeSid(AdminSid); + if (UsersSid) FreeSid(UsersSid); + HeapFree(GetProcessHeap(), 0, Acl); + HeapFree(GetProcessHeap(), 0, SecurityDescriptor); +} + +static void test_process_security_child(void) +{ + HANDLE handle, handle1; + + handle = OpenProcess( PROCESS_TERMINATE, FALSE, GetCurrentProcessId() ); + ok(handle != NULL, "OpenProcess(PROCESS_TERMINATE) with err:%d\n", GetLastError()); + TEST_GRANTED_ACCESS( handle, PROCESS_TERMINATE ); + + ok(DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(), + &handle1, PROCESS_ALL_ACCESS, TRUE, DUPLICATE_SAME_ACCESS), + "duplicating handle err:%d\n", GetLastError()); + TEST_GRANTED_ACCESS( handle, PROCESS_TERMINATE ); + + CloseHandle( handle1 ); + CloseHandle( handle ); + + /* These two should fail - they are denied by ACL */ + handle = OpenProcess( PROCESS_VM_READ, FALSE, GetCurrentProcessId() ); + todo_wine + ok(handle == NULL, "OpenProcess(PROCESS_VM_READ) should have failed\n"); + handle = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() ); + todo_wine + ok(handle == NULL, "OpenProcess(PROCESS_ALL_ACCESS) should have failed\n"); + + /* Documented privilege elevation */ + ok(DuplicateHandle( GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(), + &handle, PROCESS_ALL_ACCESS, TRUE, DUPLICATE_SAME_ACCESS), + "duplicating handle err:%d\n", GetLastError()); + TEST_GRANTED_ACCESS( handle, PROCESS_ALL_ACCESS ); + + CloseHandle( handle ); +} + START_TEST(security) { init(); if (!hmod) return; + + if (myARGC >= 3) + { + test_process_security_child(); + return; + } test_sid(); test_trustee(); test_luid(); @@ -1359,4 +1494,5 @@ START_TEST(security) test_token_attr(); test_LookupAccountSid(); test_LookupAccountName(); + test_process_security(); } diff --git a/server/handle.c b/server/handle.c index f0c58a8..4b52280 100644 --- a/server/handle.c +++ b/server/handle.c @@ -459,7 +459,7 @@ obj_handle_t duplicate_handle( struct pr access = entry->access; else /* pseudo-handle, give it full access */ { - access = STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL; + access = obj->ops->map_access( obj, GENERIC_ALL ); clear_error(); } }
-
Alexandre Julliard