Vitaliy Margolen : advapi32: Add more tests for granted access mask.
Fix test on Wine.
Alexandre Julliard
julliard at wine.codeweavers.com
Thu Jan 25 06:12:24 CST 2007
Module: wine
Branch: master
Commit: c04e7e7878fae6591f7fe0df0a6adf2336dc5716
URL: http://source.winehq.org/git/wine.git/?a=commit;h=c04e7e7878fae6591f7fe0df0a6adf2336dc5716
Author: Vitaliy Margolen <wine-patches at kievinfo.com>
Date: Wed Jan 24 23:43:18 2007 -0700
advapi32: Add more tests for granted access mask. Fix test on Wine.
---
dlls/advapi32/tests/security.c | 138 +++++++++++++++++++++++++++++++++++++++-
server/handle.c | 2 +-
2 files changed, 138 insertions(+), 2 deletions(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 4fc9fad..bb5954c 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -31,6 +31,7 @@
#include "sddl.h"
#include "ntsecapi.h"
#include "lmcons.h"
+#include "winternl.h"
#include "wine/test.h"
@@ -59,8 +60,11 @@ typedef NTSTATUS (WINAPI *fnLsaQueryInfo
typedef NTSTATUS (WINAPI *fnLsaClose)(LSA_HANDLE);
typedef NTSTATUS (WINAPI *fnLsaFreeMemory)(PVOID);
typedef NTSTATUS (WINAPI *fnLsaOpenPolicy)(PLSA_UNICODE_STRING,PLSA_OBJECT_ATTRIBUTES,ACCESS_MASK,PLSA_HANDLE);
+static NTSTATUS (WINAPI *pNtQueryObject)(HANDLE,OBJECT_INFORMATION_CLASS,PVOID,ULONG,PULONG);
static HMODULE hmod;
+static int myARGC;
+static char** myARGV;
fnBuildTrusteeWithSidA pBuildTrusteeWithSidA;
fnBuildTrusteeWithNameA pBuildTrusteeWithNameA;
@@ -85,7 +89,12 @@ struct sidRef
static void init(void)
{
+ HMODULE hntdll = GetModuleHandleA("ntdll.dll");
+
hmod = GetModuleHandle("advapi32.dll");
+ myARGC = winetest_get_mainargs( &myARGV );
+
+ pNtQueryObject = (void *)GetProcAddress( hntdll, "NtQueryObject" );
}
static void test_str_sid(const char *str_sid)
@@ -673,7 +682,7 @@ static void test_AccessCheck(void)
res = InitializeAcl(Acl, 256, ACL_REVISION);
if(!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
{
- trace("ACLs not implemented - skipping tests\n");
+ skip("ACLs not implemented - skipping tests\n");
return;
}
ok(res, "InitializeAcl failed with error %d\n", GetLastError());
@@ -1347,10 +1356,136 @@ static void test_LookupAccountName(void)
HeapFree(GetProcessHeap(), 0, domain);
}
+#define TEST_GRANTED_ACCESS(a,b) test_granted_access(a,b,__LINE__)
+static void test_granted_access(HANDLE handle, ACCESS_MASK access, int line)
+{
+ OBJECT_BASIC_INFORMATION obj_info;
+ NTSTATUS status;
+
+ if (!pNtQueryObject)
+ {
+ skip_(__FILE__, line)("Not NT platform - skipping tests\n");
+ return;
+ }
+
+ status = pNtQueryObject( handle, ObjectBasicInformation, &obj_info,
+ sizeof(obj_info), NULL );
+ ok_(__FILE__, line)(!status, "NtQueryObject with err: %08x\n", status);
+ ok_(__FILE__, line)(obj_info.GrantedAccess == access, "Gratned access should "
+ "be 0x%08x, instead of 0x%08x\n", access, obj_info.GrantedAccess);
+}
+
+static void test_process_security(void)
+{
+ BOOL res;
+ PSID AdminSid = NULL, UsersSid = NULL;
+ PACL Acl = NULL;
+ SECURITY_DESCRIPTOR *SecurityDescriptor = NULL;
+ SID_IDENTIFIER_AUTHORITY SIDAuthNT = { SECURITY_NT_AUTHORITY };
+ char buffer[MAX_PATH];
+ PROCESS_INFORMATION info;
+ STARTUPINFOA startup;
+ SECURITY_ATTRIBUTES psa;
+
+ Acl = HeapAlloc(GetProcessHeap(), 0, 256);
+ res = InitializeAcl(Acl, 256, ACL_REVISION);
+ if (!res && GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
+ {
+ skip("ACLs not implemented - skipping tests\n");
+ return;
+ }
+ ok(res, "InitializeAcl failed with error %d\n", GetLastError());
+
+ res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdminSid);
+ ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
+ res = AllocateAndInitializeSid( &SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &UsersSid);
+ ok(res, "AllocateAndInitializeSid failed with error %d\n", GetLastError());
+
+ res = AddAccessDeniedAce(Acl, ACL_REVISION, PROCESS_VM_READ, AdminSid);
+ ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
+ res = AddAccessAllowedAce(Acl, ACL_REVISION, PROCESS_ALL_ACCESS, AdminSid);
+ ok(res, "AddAccessAllowedAceEx failed with error %d\n", GetLastError());
+
+ SecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
+ res = InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
+ ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError());
+
+ /* Set owner and group and dacl */
+ res = SetSecurityDescriptorOwner(SecurityDescriptor, AdminSid, FALSE);
+ ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
+ res = SetSecurityDescriptorGroup(SecurityDescriptor, UsersSid, TRUE);
+ ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
+ res = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
+ ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
+
+
+ sprintf(buffer, "%s tests/security.c test", myARGV[0]);
+ memset(&startup, 0, sizeof(startup));
+ startup.cb = sizeof(startup);
+ startup.dwFlags = STARTF_USESHOWWINDOW;
+ startup.wShowWindow = SW_SHOWNORMAL;
+
+ psa.nLength = sizeof(psa);
+ psa.lpSecurityDescriptor = SecurityDescriptor;
+ psa.bInheritHandle = TRUE;
+
+ /* Doesn't matter what ACL say we should get full access for ourselves */
+ ok(CreateProcessA( NULL, buffer, &psa, NULL, FALSE, 0, NULL, NULL, &startup, &info ),
+ "CreateProcess with err:%d\n", GetLastError());
+ TEST_GRANTED_ACCESS( info.hProcess, PROCESS_ALL_ACCESS );
+ ok(WaitForSingleObject(info.hProcess, 30000) == WAIT_OBJECT_0, "Child process termination\n");
+
+ if (AdminSid) FreeSid(AdminSid);
+ if (UsersSid) FreeSid(UsersSid);
+ HeapFree(GetProcessHeap(), 0, Acl);
+ HeapFree(GetProcessHeap(), 0, SecurityDescriptor);
+}
+
+static void test_process_security_child(void)
+{
+ HANDLE handle, handle1;
+
+ handle = OpenProcess( PROCESS_TERMINATE, FALSE, GetCurrentProcessId() );
+ ok(handle != NULL, "OpenProcess(PROCESS_TERMINATE) with err:%d\n", GetLastError());
+ TEST_GRANTED_ACCESS( handle, PROCESS_TERMINATE );
+
+ ok(DuplicateHandle( GetCurrentProcess(), handle, GetCurrentProcess(),
+ &handle1, PROCESS_ALL_ACCESS, TRUE, DUPLICATE_SAME_ACCESS),
+ "duplicating handle err:%d\n", GetLastError());
+ TEST_GRANTED_ACCESS( handle, PROCESS_TERMINATE );
+
+ CloseHandle( handle1 );
+ CloseHandle( handle );
+
+ /* These two should fail - they are denied by ACL */
+ handle = OpenProcess( PROCESS_VM_READ, FALSE, GetCurrentProcessId() );
+ todo_wine
+ ok(handle == NULL, "OpenProcess(PROCESS_VM_READ) should have failed\n");
+ handle = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );
+ todo_wine
+ ok(handle == NULL, "OpenProcess(PROCESS_ALL_ACCESS) should have failed\n");
+
+ /* Documented privilege elevation */
+ ok(DuplicateHandle( GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),
+ &handle, PROCESS_ALL_ACCESS, TRUE, DUPLICATE_SAME_ACCESS),
+ "duplicating handle err:%d\n", GetLastError());
+ TEST_GRANTED_ACCESS( handle, PROCESS_ALL_ACCESS );
+
+ CloseHandle( handle );
+}
+
START_TEST(security)
{
init();
if (!hmod) return;
+
+ if (myARGC >= 3)
+ {
+ test_process_security_child();
+ return;
+ }
test_sid();
test_trustee();
test_luid();
@@ -1359,4 +1494,5 @@ START_TEST(security)
test_token_attr();
test_LookupAccountSid();
test_LookupAccountName();
+ test_process_security();
}
diff --git a/server/handle.c b/server/handle.c
index f0c58a8..4b52280 100644
--- a/server/handle.c
+++ b/server/handle.c
@@ -459,7 +459,7 @@ obj_handle_t duplicate_handle( struct pr
access = entry->access;
else /* pseudo-handle, give it full access */
{
- access = STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL;
+ access = obj->ops->map_access( obj, GENERIC_ALL );
clear_error();
}
}
More information about the wine-cvs
mailing list