Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

536 lines
14 KiB

  1. #include "pch.h"
  2. #include "samplerm.h"
  3. void _cdecl wmain( int argc, WCHAR * argv[] )
  4. {
  5. NTSTATUS Status = STATUS_SUCCESS;
  6. BOOL b = TRUE;
  7. DWORD DesiredAccess;
  8. DWORD Callback;
  9. DWORD Iteration;
  10. AUTHZ_RESOURCE_MANAGER_HANDLE hRM = NULL;
  11. HANDLE hToken = NULL;
  12. LUID luid = {0xdead,0xbeef};
  13. AUTHZ_CLIENT_CONTEXT_HANDLE hCC1 = NULL;
  14. AUTHZ_CLIENT_CONTEXT_HANDLE hCC2 = NULL;
  15. AUTHZ_CLIENT_CONTEXT_HANDLE hCC3 = NULL;
  16. AUTHZ_ACCESS_REQUEST Request;
  17. PAUTHZ_ACCESS_REPLY pReply = (PAUTHZ_ACCESS_REPLY) Buffer;
  18. PSECURITY_DESCRIPTOR pSD = NULL;
  19. DWORD dwErr;
  20. ULONG i = 0, jj = 0;
  21. PACE_HEADER Ace = NULL;
  22. DWORD AceCount = 0;
  23. DWORD Len = 0;
  24. SID_AND_ATTRIBUTES SidAttr[1];
  25. AUTHZ_AUDIT_INFO_HANDLE hAuditInfo = NULL;
  26. AUTHZ_RM_AUDIT_INFO_HANDLE hRmAuditInfo;
  27. PAUDIT_PARAMS pAuditParams;
  28. AUTHZ_HANDLE AuthHandle = 0;
  29. PACL pAcl = NULL;
  30. AUDIT_EVENT_INFO AuditEventInfo;
  31. PSID pUserSid = NULL;
  32. AUTHZ_AUDIT_QUEUE_HANDLE hQueue;
  33. PWCHAR StringSD = L"O:BAG:DUD:(A;;0x40;;;s-1-2-2)(A;;0x1;;;BA)(OA;;0x2;6da8a4ff-0e52-11d0-a286-00aa00304900;;BA)(OA;;0x4;6da8a4ff-0e52-11d0-a286-00aa00304901;;BA)(OA;;0x8;6da8a4ff-0e52-11d0-a286-00aa00304903;;AU)(OA;;0x10;6da8a4ff-0e52-11d0-a286-00aa00304904;;BU)(OA;;0x20;6da8a4ff-0e52-11d0-a286-00aa00304905;;AU)(A;;0x40;;;PS)S:(AU;IDSAFA;0xFFFFFF;;;WD)";
  34. //PWCHAR StringSD = L"O:BAG:DUD:(A;;0x100;;;SY)(A;;0x100;;;PS)S:(AU;IDSA;SD;;;DU)";
  35. if (argc != 4)
  36. {
  37. wprintf(L"usage: %s access iter [callback]\n", argv[0]);
  38. exit(0);
  39. }
  40. DesiredAccess = wcstol(argv[1], NULL, 16);
  41. Iteration = wcstol(argv[2], NULL, 16);
  42. Callback = wcstol(argv[3], NULL, 16);
  43. //
  44. // Create the SD for the access checks
  45. //
  46. b = ConvertStringSecurityDescriptorToSecurityDescriptorW(StringSD, SDDL_REVISION_1, &pSD, NULL);
  47. if (!b)
  48. {
  49. wprintf(L"SDDL failed with %d\n", GetLastError());
  50. return;
  51. }
  52. //
  53. // If Callback aces are specified, change the DACL to use them
  54. //
  55. if (Callback)
  56. {
  57. pAcl = RtlpDaclAddrSecurityDescriptor((PISECURITY_DESCRIPTOR) pSD);
  58. AceCount = pAcl->AceCount;
  59. for (i = 0, Ace = FirstAce(pAcl); i < AceCount; i++, Ace = NextAce(Ace))
  60. {
  61. switch(Ace->AceType)
  62. {
  63. case ACCESS_ALLOWED_ACE_TYPE:
  64. Ace->AceType = ACCESS_ALLOWED_CALLBACK_ACE_TYPE;
  65. break;
  66. case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
  67. Ace->AceType = ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE;
  68. break;
  69. }
  70. }
  71. }
  72. AuditEventInfo.Version = AUDIT_TYPE_LEGACY;
  73. AuditEventInfo.u.Legacy.CategoryId = SE_CATEGID_OBJECT_ACCESS;
  74. AuditEventInfo.u.Legacy.AuditId = SE_AUDITID_OBJECT_OPERATION;
  75. AuditEventInfo.u.Legacy.ParameterCount = 11;
  76. b = AuthzInitializeAuditQueue(
  77. &hQueue,
  78. 0,
  79. 1000,
  80. 100,
  81. NULL
  82. );
  83. if (!b)
  84. {
  85. wprintf(L"authzinitauditqueueueueue %d\n", GetLastError());
  86. return;
  87. }
  88. if (!b)
  89. {
  90. printf("AuthzAllocInitRmAuditInfoHandle FAILED.\n");
  91. return;
  92. }
  93. b = AuthzInitializeResourceManager(
  94. MyAccessCheck,
  95. MyComputeDynamicGroups,
  96. MyFreeDynamicGroups,
  97. L"some rm",
  98. 0, // Flags
  99. &hRM
  100. );
  101. if (!b)
  102. {
  103. wprintf(L"AuthzInitializeResourceManager failed with %d\n", GetLastError());
  104. return;
  105. }
  106. // AuthzInitializeAuditParamsWithRM(
  107. // &pAuditParams,
  108. // hRM,
  109. // APF_AuditSuccess,
  110. // 1,
  111. // APT_String, L"Jeff operation"
  112. // );
  113. //
  114. //
  115. b = AuthzInitializeAuditInfo(
  116. &hAuditInfo,
  117. 0,
  118. hRM,
  119. &AuditEventInfo,
  120. NULL,//pAuditParams,
  121. hQueue,
  122. INFINITE,
  123. L"Cleaning",
  124. L"Toothbrush",
  125. L"Oral B",
  126. L"Rinse after brushing."
  127. );
  128. if (!b)
  129. {
  130. printf("AuthzInitAuditInfo FAILED with %d.\n", GetLastError());
  131. return;
  132. }
  133. OpenProcessToken(
  134. GetCurrentProcess(),
  135. TOKEN_QUERY,
  136. &hToken
  137. );
  138. b = AuthzInitializeContextFromToken(
  139. hToken,
  140. hRM,
  141. NULL,
  142. luid,
  143. 0,
  144. NULL,
  145. &hCC1
  146. );
  147. if (!b)
  148. {
  149. wprintf(L"AuthzInitializeContextFromSid failed with 0x%x\n", GetLastError());
  150. return;
  151. }
  152. Request.ObjectTypeList = (POBJECT_TYPE_LIST) TypeListBuffer;
  153. Request.ObjectTypeList[0].Level = 0;
  154. Request.ObjectTypeList[0].ObjectType = &Guid0;
  155. Request.ObjectTypeList[0].Sbz = 0;
  156. Request.ObjectTypeListLength = 1;
  157. Request.OptionalArguments = NULL;
  158. Request.PrincipalSelfSid = NULL;
  159. Request.DesiredAccess = 0x100;
  160. //
  161. // The ResultListLength is set to the number of ObjectType GUIDs in the Request, indicating
  162. // that the caller would like detailed information about granted access to each node in the
  163. // tree.
  164. //
  165. RtlZeroMemory(Buffer, sizeof(Buffer));
  166. pReply->ResultListLength = 1;
  167. pReply->Error = (PDWORD) (((PCHAR) pReply) + sizeof(AUTHZ_ACCESS_REPLY));
  168. pReply->GrantedAccessMask = (PACCESS_MASK) (pReply->Error + pReply->ResultListLength);
  169. wprintf(L"* AccessCheck (PSS == NULL, ResultListLength == 1 with cache handle)\n");
  170. b = AuthzAccessCheck(
  171. hCC1,
  172. &Request,
  173. hAuditInfo,
  174. pSD,
  175. NULL,
  176. 0,
  177. pReply,
  178. &AuthHandle
  179. );
  180. if (!b)
  181. {
  182. wprintf(L"\tFailed. LastError = %d\n", GetLastError());
  183. return;
  184. }
  185. else
  186. {
  187. wprintf(L"\tSucceeded. Granted Access Masks:\n");
  188. for (i = 0; i < pReply->ResultListLength; i++)
  189. {
  190. wprintf(L"\t\tObjectType %d :: AccessMask = 0x%x, Error = %d\n",
  191. i, pReply->GrantedAccessMask[i], pReply->Error[i]);
  192. }
  193. }
  194. AuthzFreeAuditInfo(hAuditInfo);
  195. AuthzFreeAuditQueue(hQueue);
  196. return;
  197. RtlZeroMemory(Buffer, sizeof(Buffer));
  198. pReply->ResultListLength = 1;
  199. pReply->Error = (PDWORD) (((PCHAR) pReply) + sizeof(AUTHZ_ACCESS_REPLY));
  200. pReply->GrantedAccessMask = (PACCESS_MASK) (pReply->Error + pReply->ResultListLength);
  201. wprintf(L"* AccessCheck (PSS == NULL, ResultListLength == 1 without cache handle)\n");
  202. b = AuthzAccessCheck(
  203. hCC1,
  204. &Request,
  205. hAuditInfo,
  206. pSD,
  207. NULL,
  208. 0,
  209. pReply,
  210. NULL
  211. );
  212. if (!b)
  213. {
  214. wprintf(L"\tFailed. LastError = %d\n", GetLastError());
  215. return;
  216. }
  217. else
  218. {
  219. wprintf(L"\tSucceeded. Granted Access Masks:\n");
  220. for (i = 0; i < pReply->ResultListLength; i++)
  221. {
  222. wprintf(L"\t\tObjectType %d :: AccessMask = 0x%x, Error = %d\n",
  223. i, pReply->GrantedAccessMask[i], pReply->Error[i]);
  224. }
  225. }
  226. AuthzFreeAuditParams(pAuditParams);
  227. Request.ObjectTypeList = (POBJECT_TYPE_LIST) TypeListBuffer;
  228. Request.ObjectTypeList[0].Level = 0;
  229. Request.ObjectTypeList[0].ObjectType = &Guid0;
  230. Request.ObjectTypeList[0].Sbz = 0;
  231. Request.ObjectTypeList[1].Level = 1;
  232. Request.ObjectTypeList[1].ObjectType = &Guid1;
  233. Request.ObjectTypeList[1].Sbz = 0;
  234. Request.ObjectTypeList[2].Level = 2;
  235. Request.ObjectTypeList[2].ObjectType = &Guid2;
  236. Request.ObjectTypeList[2].Sbz = 0;
  237. Request.ObjectTypeList[3].Level = 2;
  238. Request.ObjectTypeList[3].ObjectType = &Guid3;
  239. Request.ObjectTypeList[3].Sbz = 0;
  240. Request.ObjectTypeList[4].Level = 1;
  241. Request.ObjectTypeList[4].ObjectType = &Guid4;
  242. Request.ObjectTypeList[4].Sbz = 0;
  243. Request.ObjectTypeList[5].Level = 2;
  244. Request.ObjectTypeList[5].ObjectType = &Guid5;
  245. Request.ObjectTypeList[5].Sbz = 0;
  246. Request.ObjectTypeList[6].Level = 3;
  247. Request.ObjectTypeList[6].ObjectType = &Guid6;
  248. Request.ObjectTypeList[6].Sbz = 0;
  249. Request.ObjectTypeList[7].Level = 2;
  250. Request.ObjectTypeList[7].ObjectType = &Guid7;
  251. Request.ObjectTypeList[7].Sbz = 0;
  252. Request.ObjectTypeListLength = 8;
  253. Request.OptionalArguments = NULL;
  254. Request.PrincipalSelfSid = NULL;
  255. Request.DesiredAccess = DesiredAccess;
  256. //
  257. // The ResultListLength is set to the number of ObjectType GUIDs in the Request, indicating
  258. // that the caller would like detailed information about granted access to each node in the
  259. // tree.
  260. //
  261. pReply->ResultListLength = 8;
  262. pReply->Error = (PDWORD) (((PCHAR) pReply) + sizeof(AUTHZ_ACCESS_REPLY));
  263. pReply->GrantedAccessMask = (PACCESS_MASK) (pReply->Error + pReply->ResultListLength);
  264. wprintf(L"* AccessCheck (PrincipalSelfSid == NULL, ResultListLength == 8)\n");
  265. b = AuthzAccessCheck(
  266. hCC1,
  267. &Request,
  268. hAuditInfo,
  269. pSD,
  270. NULL,
  271. 0,
  272. pReply,
  273. &AuthHandle
  274. );
  275. if (!b)
  276. {
  277. wprintf(L"\tFailed. LastError = %d\n", GetLastError());
  278. return;
  279. }
  280. else
  281. {
  282. wprintf(L"\tSucceeded. Granted Access Masks:\n");
  283. for (i = 0; i < pReply->ResultListLength; i++)
  284. {
  285. wprintf(L"\t\tObjectType %d :: AccessMask = 0x%x, Error = %d\n",
  286. i, pReply->GrantedAccessMask[i], pReply->Error[i]);
  287. }
  288. }
  289. //
  290. // In the original AuthzAccessCheck call, we passed in a handle to store caching information. Now we
  291. // can use this handle to perform an AccessCheck on the same object.
  292. //
  293. if (AuthHandle)
  294. {
  295. wprintf(L"* Cached AccessCheck (PrincipalSelfSid == NULL, ResultListLength = 8)\n");
  296. b = AuthzCachedAccessCheck(
  297. AuthHandle,
  298. &Request,
  299. hAuditInfo,
  300. pReply
  301. );
  302. if (!b)
  303. {
  304. wprintf(L"\tFailed. LastError = %d\n", GetLastError());
  305. return;
  306. }
  307. else
  308. {
  309. wprintf(L"\tSucceeded. Granted Access Masks:\n");
  310. for (i = 0; i < pReply->ResultListLength; i++)
  311. {
  312. wprintf(L"\t\tObjectType %d :: AccessMask = 0x%x, Error = %d\n",
  313. i, pReply->GrantedAccessMask[i], pReply->Error[i]);
  314. }
  315. }
  316. //
  317. // Since we will no longer use this caching handle, free it.
  318. //
  319. AuthzFreeHandle(AuthHandle);
  320. }
  321. else
  322. {
  323. wprintf(L"No CachedAccessCheck done since NULL = AuthHandle\n");
  324. }
  325. //
  326. // We set the PrincipalSelfSid in the Request, and leave all other parameters the same.
  327. //
  328. Request.PrincipalSelfSid = (PSID) KedarSid;
  329. wprintf(L"* AccessCheck (PrincipalSelfSid == Kedard, ResultListLength == 8)\n");
  330. b = AuthzAccessCheck(
  331. hCC1,
  332. &Request,
  333. hAuditInfo,
  334. pSD,
  335. NULL,
  336. 0,
  337. pReply,
  338. &AuthHandle
  339. );
  340. if (!b)
  341. {
  342. wprintf(L"\tFailed. LastError = %d\n", GetLastError());
  343. return;
  344. }
  345. else
  346. {
  347. wprintf(L"\tSucceeded. Granted Access Masks:\n");
  348. for (i = 0; i < pReply->ResultListLength; i++)
  349. {
  350. wprintf(L"\t\tObjectType %d :: AccessMask = 0x%x, Error = %d\n",
  351. i, pReply->GrantedAccessMask[i], pReply->Error[i]);
  352. }
  353. }
  354. //
  355. // Use our caching handle to perform the same AccessCheck with speed.
  356. //
  357. if (AuthHandle)
  358. {
  359. wprintf(L"* Cached AccessCheck (PrincipalSelfSid == Kedard, ResultListLength = 8)\n");
  360. b = AuthzCachedAccessCheck(
  361. AuthHandle,
  362. &Request,
  363. hAuditInfo,
  364. pReply
  365. );
  366. if (!b)
  367. {
  368. wprintf(L"\tFailed. LastError = %d\n", GetLastError());
  369. return;
  370. }
  371. else
  372. {
  373. wprintf(L"\tSucceeded. Granted Access Masks:\n");
  374. for (i = 0; i < pReply->ResultListLength; i++)
  375. {
  376. wprintf(L"\t\tObjectType %d :: AccessMask = 0x%x, Error = %d\n",
  377. i, pReply->GrantedAccessMask[i], pReply->Error[i]);
  378. }
  379. }
  380. //
  381. // Free the handle, since it will not be used again.
  382. //
  383. AuthzFreeHandle(AuthHandle);
  384. }
  385. else
  386. {
  387. wprintf(L"No CachedAccessCheck done since NULL = AuthHandle\n");
  388. }
  389. //
  390. // Set the ResultListLength to 1, indicating that we do not care about the results
  391. // of the AccessCheck at the individual nodes in the tree. Rather, we care about
  392. // our permissions to the entire tree. The returned access indicates if we have
  393. // access to the whole thing.
  394. //
  395. pReply->ResultListLength = 1;
  396. wprintf(L"* AccessCheck (PrincipalSelfSid == Kedard, ResultListLength == 1)\n");
  397. b = AuthzAccessCheck(
  398. hCC1,
  399. &Request,
  400. hAuditInfo,
  401. pSD,
  402. NULL,
  403. 0,
  404. pReply,
  405. NULL
  406. );
  407. if (!b)
  408. {
  409. wprintf(L"\tFailed. LastError = %d\n", GetLastError());
  410. return;
  411. }
  412. else
  413. {
  414. wprintf(L"\tSucceeded. Granted Access Masks:\n");
  415. for (i = 0; i < pReply->ResultListLength; i++)
  416. {
  417. wprintf(L"\t\tObjectType %d :: AccessMask = 0x%x, Error = %d\n",
  418. i, pReply->GrantedAccessMask[i], pReply->Error[i]);
  419. }
  420. }
  421. // for (i = 0; i < 10; i ++)
  422. // {
  423. // AuthzOpenObjectAuditAlarm(
  424. // hCC1,
  425. // &Request,
  426. // hAuditInfo,
  427. // pSD,
  428. // NULL,
  429. // 0,
  430. // pReply
  431. // );
  432. //
  433. // if (!b)
  434. // {
  435. // wprintf(L"AuthzOpenObjectAuditAlarm failed with %d\n", GetLastError);
  436. // }
  437. // }
  438. //
  439. // Free the RM auditing data before exiting. This call is importants, as it also waits on
  440. // threads used by the Authzs auditing component to complete.
  441. //
  442. //AuthzFreeRmAuditInfoHandle(hRmAuditInfo);
  443. //
  444. // Free the contexts that the RM created.
  445. //
  446. AuthzFreeContext(hCC1);
  447. AuthzFreeAuditQueue(hQueue);
  448. return;
  449. }