#include "includes.h"
#include "se_access_check_utils.h"
/* Set by denyall_check() when any account is granted access; main() turns
 * it into the exit status. File-scope storage, so it starts zeroed
 * (presumably False -- confirm BOOL's False is 0 in includes.h). */
BOOL failed;
/* Security descriptor under test; built once in main() from acl_denyall. */
SEC_DESC *sd;
/* ACE list for the descriptor: a single ACCESS_DENIED entry for
 * GENERIC_ALL granted to Everyone (S-1-1-0, the world SID), followed by
 * an all-zero sentinel entry that terminates the list. */
struct ace_entry acl_denyall[] = {
{ SEC_ACE_TYPE_ACCESS_DENIED, SEC_ACE_FLAG_CONTAINER_INHERIT,
GENERIC_ALL_ACCESS, "S-1-1-0" },
{ 0, 0, 0, NULL}
};
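/*
 * Callback for visit_pwdb(): verify that the deny-all descriptor in 'sd'
 * grants nothing to the account described by 'pw'.
 *
 * pw      - password-database entry supplying the uid/gid to check
 * ngroups - number of entries in 'groups'
 * groups  - supplementary group ids for the account
 *
 * The descriptor holds one ACCESS_DENIED ACE for Everyone (S-1-1-0), so
 * se_access_check() must report failure AND leave acc_granted at 0 even
 * for a MAXIMUM_ALLOWED request. A positive result, or any non-zero
 * granted mask, is a test failure and is recorded in the global 'failed'.
 *
 * Always returns True; failures are reported through 'failed', not the
 * return value (presumably True tells visit_pwdb() to keep walking --
 * confirm against visit_pwdb's contract).
 */
BOOL denyall_check(struct passwd *pw, int ngroups, gid_t *groups)
{
	uint32 acc_granted = 0, status = 0;
	BOOL result;

	/* A NULL entry is a harness bug, not an access-check result; report
	 * it instead of dereferencing it. */
	if (pw == NULL) {
		printf("FAIL: denyall visit_pwdb passed a NULL passwd entry\n");
		failed = True;
		return True;
	}

	result = se_access_check(sd, pw->pw_uid, pw->pw_gid,
				 ngroups, groups,
				 SEC_RIGHTS_MAXIMUM_ALLOWED,
				 &acc_granted, &status);

	/* Deny-all: the check must fail and must grant no rights at all. */
	if (result || acc_granted != 0) {
		/* uid_t/gid_t widths and signedness are platform-defined;
		 * widen explicitly so the format specifier always matches. */
		printf("FAIL: denyall se_access_check %lu/%lu\n",
		       (unsigned long)pw->pw_uid, (unsigned long)pw->pw_gid);
		failed = True;
	}

	return True;
}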
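/*
 * Test driver: build a descriptor whose only ACE denies GENERIC_ALL to
 * Everyone, then run denyall_check() against every password-database
 * entry via visit_pwdb().
 *
 * Exit status is 0 when no account was granted access ("PASS" printed),
 * 1 when the descriptor could not be built or any account got access;
 * the per-account failures are printed by denyall_check().
 */
int main(int argc, char **argv)
{
	/* The test takes no command-line options. */
	(void)argc;
	(void)argv;

	/* Well-known SIDs (including S-1-1-0) must exist before the ACE
	 * string in acl_denyall can be resolved. */
	generate_wellknown_sids();

	/* NOTE(review): the two NULL_SID arguments look like owner and group
	 * -- confirm against build_sec_desc's signature. */
	sd = build_sec_desc(acl_denyall, NULL, NULL_SID, NULL_SID);
	if (!sd) {
		printf("FAIL: could not build security descriptor\n");
		return 1;
	}

	visit_pwdb(denyall_check);

	if (failed) {
		return 1;
	}

	printf("PASS\n");
	return 0;
}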