{
PACL Dacl;
ULONG AclSize;
+ NTSTATUS Status;
/* Initialize the SD */
- RtlCreateSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
+ Status = RtlCreateSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
+ ASSERT(NT_SUCCESS(Status));
if (ObpProtectionMode & 1)
{
}
/* Initialize the DACL */
- RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
+ Status = RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
+ ASSERT(NT_SUCCESS(Status));
/* Add the ACEs */
- RtlAddAccessAllowedAce(Dacl,
- ACL_REVISION,
- GENERIC_READ | GENERIC_EXECUTE,
- SeWorldSid);
-
- RtlAddAccessAllowedAce(Dacl,
- ACL_REVISION,
- GENERIC_ALL,
- SeLocalSystemSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
- GENERIC_EXECUTE,
- SeWorldSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
- GENERIC_ALL,
- SeAliasAdminsSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
- GENERIC_ALL,
- SeLocalSystemSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
- GENERIC_ALL,
- SeCreatorOwnerSid);
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_READ | GENERIC_EXECUTE,
+ SeWorldSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ SeLocalSystemSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ Status = RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
+ GENERIC_EXECUTE,
+ SeWorldSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ Status = RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeAliasAdminsSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ Status = RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeLocalSystemSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ Status = RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeCreatorOwnerSid);
+ ASSERT(NT_SUCCESS(Status));
}
else
{
}
/* Initialize the DACL */
- RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
+ Status = RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
+ ASSERT(NT_SUCCESS(Status));
/* Add the ACEs */
- RtlAddAccessAllowedAce(Dacl,
- ACL_REVISION,
- GENERIC_READ | GENERIC_EXECUTE | GENERIC_WRITE,
- SeWorldSid);
-
- RtlAddAccessAllowedAce(Dacl,
- ACL_REVISION,
- GENERIC_ALL,
- SeLocalSystemSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
- GENERIC_ALL,
- SeWorldSid);
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_READ | GENERIC_EXECUTE | GENERIC_WRITE,
+ SeWorldSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ SeLocalSystemSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ Status = RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeWorldSid);
+ ASSERT(NT_SUCCESS(Status));
}
/* Attach the DACL to the SD */
- RtlSetDaclSecurityDescriptor(SecurityDescriptor, TRUE, Dacl, FALSE);
+ Status = RtlSetDaclSecurityDescriptor(SecurityDescriptor, TRUE, Dacl, FALSE);
+ ASSERT(NT_SUCCESS(Status));
return STATUS_SUCCESS;
}
+INIT_FUNCTION
+VOID
+NTAPI
+ObpFreeDosDevicesProtection(OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
+{
+ PACL Dacl;
+ NTSTATUS Status;
+ BOOLEAN DaclPresent, DaclDefaulted;
+
+ Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor, &DaclPresent, &Dacl, &DaclDefaulted);
+ ASSERT(NT_SUCCESS(Status));
+ ASSERT(DaclPresent);
+ ASSERT(Dacl != NULL);
+ ExFreePoolWithTag(Dacl, 'lcaD');
+}
+
INIT_FUNCTION
NTSTATUS
NTAPI
HANDLE Handle, SymHandle;
SECURITY_DESCRIPTOR DosDevicesSD;
NTSTATUS Status;
- PACL Dacl;
- BOOLEAN DaclPresent, DaclDefaulted;
+
+ /*
+ * Enable LUID mappings only if not explicitely disabled
+ * and if protection mode is set
+ */
+ if (ObpProtectionMode == 0 || ObpLUIDDeviceMapsDisabled != 0)
+ ObpLUIDDeviceMapsEnabled = 0;
+ else
+ ObpLUIDDeviceMapsEnabled = 1;
/* Create a custom security descriptor for the global DosDevices directory */
Status = ObpGetDosDevicesProtection(&DosDevicesSD);
Status = NtCreateDirectoryObject(&Handle,
DIRECTORY_ALL_ACCESS,
&ObjectAttributes);
- RtlGetDaclSecurityDescriptor(&DosDevicesSD, &DaclPresent, &Dacl, &DaclDefaulted);
- ExFreePoolWithTag(Dacl, 'lcaD');
- if (!NT_SUCCESS(Status)) return Status;
+ if (!NT_SUCCESS(Status))
+ goto done;
/* Create the system device map */
- Status = ObpCreateDeviceMap(Handle);
+ Status = ObSetDeviceMap(NULL, Handle);
if (!NT_SUCCESS(Status))
- return Status;
+ goto done;
/*********************************************\
|*** HACK until we support device mappings ***|
&LinkName,
OBJ_PERMANENT,
NULL,
- NULL);
+ &DosDevicesSD);
Status = NtCreateSymbolicLinkObject(&SymHandle,
SYMBOLIC_LINK_ALL_ACCESS,
&ObjectAttributes,
&LinkName,
OBJ_PERMANENT,
Handle,
- NULL);
+ &DosDevicesSD);
Status = NtCreateSymbolicLinkObject(&SymHandle,
SYMBOLIC_LINK_ALL_ACCESS,
&ObjectAttributes,
&LinkName,
OBJ_PERMANENT,
Handle,
- NULL);
+ &DosDevicesSD);
Status = NtCreateSymbolicLinkObject(&SymHandle,
SYMBOLIC_LINK_ALL_ACCESS,
&ObjectAttributes,
/* Close the directory handle */
NtClose(Handle);
- if (!NT_SUCCESS(Status)) return Status;
+ if (!NT_SUCCESS(Status))
+ goto done;
/*
* Initialize the \DosDevices symbolic link pointing to the global
&LinkName,
OBJ_PERMANENT,
NULL,
- NULL);
+ &DosDevicesSD);
Status = NtCreateSymbolicLinkObject(&SymHandle,
SYMBOLIC_LINK_ALL_ACCESS,
&ObjectAttributes,
&RootName);
if (NT_SUCCESS(Status)) NtClose(SymHandle);
+done:
+ ObpFreeDosDevicesProtection(&DosDevicesSD);
+
/* Return status */
return Status;
}