https://git.reactos.org/?p=reactos.git;a=commitdiff;h=f529033555bdfe7fb090e8f21f1191187b21706b
commit f529033555bdfe7fb090e8f21f1191187b21706b Author: Pierre Schweitzer <pie...@reactos.org> AuthorDate: Thu Jun 20 08:53:27 2019 +0200 Commit: Pierre Schweitzer <pie...@reactos.org> CommitDate: Sun Jun 30 23:07:54 2019 +0200 [KMTESTS:OB] Add support for LUID mappings being disabled in ObSecurity tests CORE-16114 --- modules/rostests/kmtests/include/kmt_platform.h | 1 + modules/rostests/kmtests/ntos_ob/ObSecurity.c | 52 ++++++++++++++++++++----- 2 files changed, 44 insertions(+), 9 deletions(-)
diff --git a/modules/rostests/kmtests/include/kmt_platform.h b/modules/rostests/kmtests/include/kmt_platform.h
index 4895bf25a31..2cdc9b655c8 100644
--- a/modules/rostests/kmtests/include/kmt_platform.h
+++ b/modules/rostests/kmtests/include/kmt_platform.h
@@ -24,6 +24,7 @@
 #include <ndk/kefuncs.h>
 #include <ndk/mmfuncs.h>
 #include <ndk/obfuncs.h>
+#include <ndk/psfuncs.h>
 #include <ndk/sefuncs.h>
 #include <ntstrsafe.h>
 #if defined KMT_FILTER_DRIVER
diff --git a/modules/rostests/kmtests/ntos_ob/ObSecurity.c b/modules/rostests/kmtests/ntos_ob/ObSecurity.c
index 4ac9478074a..55f5a0fe4cb 100644
--- a/modules/rostests/kmtests/ntos_ob/ObSecurity.c
+++ b/modules/rostests/kmtests/ntos_ob/ObSecurity.c
@@ -124,18 +124,52 @@ CheckDirectorySecurity__( START_TEST(ObSecurity) { + NTSTATUS Status; + /* Assume yes, that's the default on W2K3 */ + ULONG LUIDMappingsEnabled = 1, ReturnLength; + #define DIRECTORY_GENERIC_READ STANDARD_RIGHTS_READ | DIRECTORY_TRAVERSE | DIRECTORY_QUERY #define DIRECTORY_GENERIC_WRITE STANDARD_RIGHTS_WRITE | DIRECTORY_CREATE_SUBDIRECTORY | DIRECTORY_CREATE_OBJECT - CheckDirectorySecurityWithOwnerAndGroup(L"\\??", SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users" - 4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE | - OBJECT_INHERIT_ACE, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS, - ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE | - OBJECT_INHERIT_ACE, SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS, - ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS, - ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE | - CONTAINER_INHERIT_ACE | - OBJECT_INHERIT_ACE, SeExports->SeCreatorOwnerSid,GENERIC_ALL); + /* Check if LUID device maps are enabled */ + Status = ZwQueryInformationProcess(NtCurrentProcess(), + ProcessLUIDDeviceMapsEnabled, + &LUIDMappingsEnabled, + sizeof(LUIDMappingsEnabled), + &ReturnLength); + ok(NT_SUCCESS(Status), "NtQueryInformationProcess failed: 0x%x\n", Status); + + trace("LUID mappings are enabled: %d\n", LUIDMappingsEnabled); + if (LUIDMappingsEnabled != 0) + { + CheckDirectorySecurityWithOwnerAndGroup(L"\\??", SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users" + 4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE | + OBJECT_INHERIT_ACE, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS, + ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE | + OBJECT_INHERIT_ACE, SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS, + ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, DIRECTORY_ALL_ACCESS, + ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE | + CONTAINER_INHERIT_ACE | + OBJECT_INHERIT_ACE, SeExports->SeCreatorOwnerSid,GENERIC_ALL); + } + else + { + 
CheckDirectorySecurityWithOwnerAndGroup(L"\\??", SeExports->SeAliasAdminsSid, NULL, // Group is "Domain Users" + 6, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid, READ_CONTROL | DIRECTORY_TRAVERSE | DIRECTORY_QUERY, + ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, DIRECTORY_ALL_ACCESS, + ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE | + CONTAINER_INHERIT_ACE | + OBJECT_INHERIT_ACE, SeExports->SeWorldSid, GENERIC_EXECUTE, + ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE | + CONTAINER_INHERIT_ACE | + OBJECT_INHERIT_ACE, SeExports->SeAliasAdminsSid,GENERIC_ALL, + ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE | + CONTAINER_INHERIT_ACE | + OBJECT_INHERIT_ACE, SeExports->SeLocalSystemSid,GENERIC_ALL, + ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE | + CONTAINER_INHERIT_ACE | + OBJECT_INHERIT_ACE, SeExports->SeCreatorOwnerSid,GENERIC_ALL); + } CheckDirectorySecurity(L"\\", 4, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeWorldSid, DIRECTORY_GENERIC_READ,