PSE_EXPORTS SeExports = NULL;
SE_EXPORTS SepExports;
+ULONG SidInTokenCalls = 0;
extern ULONG ExpInitializationPhase;
extern ERESOURCE SepSubjectContextLock;
/* PRIVATE FUNCTIONS **********************************************************/
-static BOOLEAN INIT_FUNCTION
+static BOOLEAN
+INIT_FUNCTION
SepInitExports(VOID)
{
SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
SepInitializationPhase1(VOID)
{
NTSTATUS Status;
+
PAGED_CODE();
/* Insert the system token into the tree */
return STATUS_SUCCESS;
}
-ULONG SidInTokenCalls = 0;
-
static BOOLEAN
SepSidInToken(PACCESS_TOKEN _Token,
PSID Sid)
SidInTokenCalls++;
if (!(SidInTokenCalls % 10000)) DPRINT1("SidInToken Calls: %d\n", SidInTokenCalls);
-
+
if (Token->UserAndGroupCount == 0)
{
return FALSE;
return FALSE;
}
+static BOOLEAN
+SepTokenIsOwner(PACCESS_TOKEN Token,
+ PSECURITY_DESCRIPTOR SecurityDescriptor)
+{
+ NTSTATUS Status;
+ PSID Sid = NULL;
+ BOOLEAN Defaulted;
+
+ Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
+ &Sid,
+ &Defaulted);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("RtlGetOwnerSecurityDescriptor() failed (Status %lx)\n", Status);
+ return FALSE;
+ }
-VOID NTAPI
+ if (Sid == NULL)
+ {
+ DPRINT1("Owner Sid is NULL\n");
+ return FALSE;
+ }
+
+ return SepSidInToken(Token, Sid);
+}
+
+VOID
+NTAPI
SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
OUT PACCESS_MASK DesiredAccess)
{
{
*DesiredAccess |= READ_CONTROL;
}
+
if (SecurityInformation & SACL_SECURITY_INFORMATION)
{
*DesiredAccess |= ACCESS_SYSTEM_SECURITY;
}
}
-VOID NTAPI
+VOID
+NTAPI
SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
OUT PACCESS_MASK DesiredAccess)
{
{
*DesiredAccess |= WRITE_OWNER;
}
+
if (SecurityInformation & DACL_SECURITY_INFORMATION)
{
*DesiredAccess |= WRITE_DAC;
}
+
if (SecurityInformation & SACL_SECURITY_INFORMATION)
{
*DesiredAccess |= ACCESS_SYSTEM_SECURITY;
}
}
+
+#define OLD_ACCESS_CHECK
+
BOOLEAN NTAPI
SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
- IN BOOLEAN SubjectContextLocked,
IN ACCESS_MASK DesiredAccess,
IN ACCESS_MASK PreviouslyGrantedAccess,
OUT PPRIVILEGE_SET* Privileges,
IN PGENERIC_MAPPING GenericMapping,
IN KPROCESSOR_MODE AccessMode,
OUT PACCESS_MASK GrantedAccess,
- OUT PNTSTATUS AccessStatus,
- SECURITY_IMPERSONATION_LEVEL LowestImpersonationLevel)
+ OUT PNTSTATUS AccessStatus)
{
LUID_AND_ATTRIBUTES Privilege;
+#ifdef OLD_ACCESS_CHECK
ACCESS_MASK CurrentAccess, AccessMask;
+#endif
+ ACCESS_MASK RemainingAccess;
+ ACCESS_MASK TempAccess;
+ ACCESS_MASK TempGrantedAccess = 0;
+ ACCESS_MASK TempDeniedAccess = 0;
PACCESS_TOKEN Token;
ULONG i;
PACL Dacl;
NTSTATUS Status;
PAGED_CODE();
- /* Check if this is kernel mode */
- if (AccessMode == KernelMode)
- {
- /* Check if kernel wants everything */
- if (DesiredAccess & MAXIMUM_ALLOWED)
- {
- /* Give it */
- *GrantedAccess = GenericMapping->GenericAll;
- *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
- *GrantedAccess |= PreviouslyGrantedAccess;
- }
- else
- {
- /* Give the desired and previous access */
- *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
- }
-
- /* Success */
- *AccessStatus = STATUS_SUCCESS;
- return TRUE;
- }
-
- /* Check if we didn't get an SD */
- if (!SecurityDescriptor)
- {
- /* Automatic failure */
- *AccessStatus = STATUS_ACCESS_DENIED;
- return FALSE;
- }
-
- /* Check for invalid impersonation */
- if ((SubjectSecurityContext->ClientToken) &&
- (SubjectSecurityContext->ImpersonationLevel < LowestImpersonationLevel))
- {
- *AccessStatus = STATUS_BAD_IMPERSONATION_LEVEL;
- return FALSE;
- }
-
/* Check for no access desired */
if (!DesiredAccess)
{
return TRUE;
}
- /* Acquire the lock if needed */
- if (!SubjectContextLocked) SeLockSubjectContext(SubjectSecurityContext);
-
/* Map given accesses */
RtlMapGenericMask(&DesiredAccess, GenericMapping);
if (PreviouslyGrantedAccess)
RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
-
-
+#ifdef OLD_ACCESS_CHECK
CurrentAccess = PreviouslyGrantedAccess;
-
-
+#endif
+ /* Initialize remaining access rights */
+ RemainingAccess = DesiredAccess;
Token = SubjectSecurityContext->ClientToken ?
SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
+ /* Check for system security access */
+ if (RemainingAccess & ACCESS_SYSTEM_SECURITY)
+ {
+ Privilege.Luid = SeSecurityPrivilege;
+ Privilege.Attributes = SE_PRIVILEGE_ENABLED;
+
+ /* Fail if we do not the SeSecurityPrivilege */
+ if (!SepPrivilegeCheck(Token,
+ &Privilege,
+ 1,
+ PRIVILEGE_SET_ALL_NECESSARY,
+ AccessMode))
+ {
+ *AccessStatus = STATUS_PRIVILEGE_NOT_HELD;
+ return FALSE;
+ }
+
+ /* Adjust access rights */
+ RemainingAccess &= ~ACCESS_SYSTEM_SECURITY;
+ PreviouslyGrantedAccess |= ACCESS_SYSTEM_SECURITY;
+
+ /* Succeed if there are no more rights to grant */
+ if (RemainingAccess == 0)
+ {
+ *GrantedAccess = PreviouslyGrantedAccess;
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
+ }
+ }
+
/* Get the DACL */
Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
&Present,
&Defaulted);
if (!NT_SUCCESS(Status))
{
- if (SubjectContextLocked == FALSE)
- {
- SeUnlockSubjectContext(SubjectSecurityContext);
- }
-
*AccessStatus = Status;
return FALSE;
}
/* RULE 1: Grant desired access if the object is unprotected */
- if (Present == TRUE && Dacl == NULL)
+ if (Present == FALSE || Dacl == NULL)
{
- if (SubjectContextLocked == FALSE)
- {
- SeUnlockSubjectContext(SubjectSecurityContext);
- }
-
if (DesiredAccess & MAXIMUM_ALLOWED)
{
*GrantedAccess = GenericMapping->GenericAll;
{
*GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
}
-
+
*AccessStatus = STATUS_SUCCESS;
return TRUE;
}
+#ifdef OLD_ACCESS_CHECK
CurrentAccess = PreviouslyGrantedAccess;
+#endif
/* RULE 2: Check token for 'take ownership' privilege */
- Privilege.Luid = SeTakeOwnershipPrivilege;
- Privilege.Attributes = SE_PRIVILEGE_ENABLED;
-
- if (SepPrivilegeCheck(Token,
- &Privilege,
- 1,
- PRIVILEGE_SET_ALL_NECESSARY,
- AccessMode))
- {
- CurrentAccess |= WRITE_OWNER;
- if ((DesiredAccess & ~VALID_INHERIT_FLAGS) ==
- (CurrentAccess & ~VALID_INHERIT_FLAGS))
+ if (DesiredAccess & WRITE_OWNER)
+ {
+ Privilege.Luid = SeTakeOwnershipPrivilege;
+ Privilege.Attributes = SE_PRIVILEGE_ENABLED;
+
+ if (SepPrivilegeCheck(Token,
+ &Privilege,
+ 1,
+ PRIVILEGE_SET_ALL_NECESSARY,
+ AccessMode))
{
- if (SubjectContextLocked == FALSE)
+ /* Adjust access rights */
+ RemainingAccess &= ~WRITE_OWNER;
+ PreviouslyGrantedAccess |= WRITE_OWNER;
+#ifdef OLD_ACCESS_CHECK
+ CurrentAccess |= WRITE_OWNER;
+#endif
+
+ /* Succeed if there are no more rights to grant */
+ if (RemainingAccess == 0)
{
- SeUnlockSubjectContext(SubjectSecurityContext);
+ *GrantedAccess = PreviouslyGrantedAccess;
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
}
-
- *GrantedAccess = CurrentAccess;
- *AccessStatus = STATUS_SUCCESS;
- return TRUE;
}
}
- /* RULE 3: Check whether the token is the owner */
- Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
- &Sid,
- &Defaulted);
- if (!NT_SUCCESS(Status))
+ /* Deny access if the DACL is empty */
+ if (Dacl->AceCount == 0)
{
- DPRINT1("RtlGetOwnerSecurityDescriptor() failed (Status %lx)\n", Status);
- if (SubjectContextLocked == FALSE)
+ if (RemainingAccess == MAXIMUM_ALLOWED && PreviouslyGrantedAccess != 0)
{
- SeUnlockSubjectContext(SubjectSecurityContext);
+ *GrantedAccess = PreviouslyGrantedAccess;
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
+ }
+ else
+ {
+ *GrantedAccess = 0;
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
}
+ }
- *AccessStatus = Status;
+ /* Fail if DACL is absent */
+ if (Present == FALSE)
+ {
+ *GrantedAccess = 0;
+ *AccessStatus = STATUS_ACCESS_DENIED;
return FALSE;
}
- if (Sid && SepSidInToken(Token, Sid))
+ /* Determine the MAXIMUM_ALLOWED access rights according to the DACL */
+ if (DesiredAccess & MAXIMUM_ALLOWED)
{
- CurrentAccess |= (READ_CONTROL | WRITE_DAC);
- if ((DesiredAccess & ~VALID_INHERIT_FLAGS) ==
- (CurrentAccess & ~VALID_INHERIT_FLAGS))
+ CurrentAce = (PACE)(Dacl + 1);
+ for (i = 0; i < Dacl->AceCount; i++)
{
- if (SubjectContextLocked == FALSE)
+ if (!(CurrentAce->Header.AceFlags & INHERIT_ONLY_ACE))
{
- SeUnlockSubjectContext(SubjectSecurityContext);
+ Sid = (PSID)(CurrentAce + 1);
+ if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
+ {
+ if (SepSidInToken(Token, Sid))
+ {
+ /* Map access rights from the ACE */
+ TempAccess = CurrentAce->AccessMask;
+ RtlMapGenericMask(&TempAccess, GenericMapping);
+
+ /* Deny access rights that have not been granted yet */
+ TempDeniedAccess |= (TempAccess & ~TempGrantedAccess);
+ }
+ }
+ else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
+ {
+ if (SepSidInToken(Token, Sid))
+ {
+ /* Map access rights from the ACE */
+ TempAccess = CurrentAce->AccessMask;
+ RtlMapGenericMask(&TempAccess, GenericMapping);
+
+ /* Grant access rights that have not been denied yet */
+ TempGrantedAccess |= (TempAccess & ~TempDeniedAccess);
+ }
+ }
+ else
+ {
+ DPRINT1("Unsupported ACE type 0x%lx\n", CurrentAce->Header.AceType);
+ }
}
- *GrantedAccess = CurrentAccess;
- *AccessStatus = STATUS_SUCCESS;
- return TRUE;
+ /* Get the next ACE */
+ CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
}
- }
- /* Fail if DACL is absent */
- if (Present == FALSE)
- {
- if (SubjectContextLocked == FALSE)
+ /* Fail if some rights have not been granted */
+ RemainingAccess &= ~(MAXIMUM_ALLOWED | TempGrantedAccess);
+ if (RemainingAccess != 0)
{
- SeUnlockSubjectContext(SubjectSecurityContext);
+ *GrantedAccess = 0;
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
}
- *GrantedAccess = 0;
- *AccessStatus = STATUS_ACCESS_DENIED;
- return FALSE;
+ /* Set granted access right and access status */
+ *GrantedAccess = TempGrantedAccess | PreviouslyGrantedAccess;
+ if (*GrantedAccess != 0)
+ {
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
+ }
+ else
+ {
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
+ }
}
/* RULE 4: Grant rights according to the DACL */
CurrentAce = (PACE)(Dacl + 1);
for (i = 0; i < Dacl->AceCount; i++)
{
- Sid = (PSID)(CurrentAce + 1);
- if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
+ if (!(CurrentAce->Header.AceFlags & INHERIT_ONLY_ACE))
{
- if (SepSidInToken(Token, Sid))
+ Sid = (PSID)(CurrentAce + 1);
+ if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
{
- if (SubjectContextLocked == FALSE)
+ if (SepSidInToken(Token, Sid))
{
- SeUnlockSubjectContext(SubjectSecurityContext);
+#ifdef OLD_ACCESS_CHECK
+ *GrantedAccess = 0;
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
+#else
+ /* Map access rights from the ACE */
+ TempAccess = CurrentAce->AccessMask;
+ RtlMapGenericMask(&TempAccess, GenericMapping);
+
+ /* Leave if a remaining right must be denied */
+ if (RemainingAccess & TempAccess)
+ break;
+#endif
}
-
- *GrantedAccess = 0;
- *AccessStatus = STATUS_ACCESS_DENIED;
- return FALSE;
}
- }
-
- else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
- {
- if (SepSidInToken(Token, Sid))
+ else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
{
- AccessMask = CurrentAce->AccessMask;
- RtlMapGenericMask(&AccessMask, GenericMapping);
- CurrentAccess |= AccessMask;
+ if (SepSidInToken(Token, Sid))
+ {
+#ifdef OLD_ACCESS_CHECK
+ AccessMask = CurrentAce->AccessMask;
+ RtlMapGenericMask(&AccessMask, GenericMapping);
+ CurrentAccess |= AccessMask;
+#else
+ /* Map access rights from the ACE */
+ TempAccess = CurrentAce->AccessMask;
+ RtlMapGenericMask(&TempAccess, GenericMapping);
+
+ /* Remove granted rights */
+ RemainingAccess &= ~TempAccess;
+#endif
+ }
+ }
+ else
+ {
+ DPRINT1("Unsupported ACE type 0x%lx\n", CurrentAce->Header.AceType);
}
}
- else
- {
- DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce->Header.AceType);
- }
- CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
- }
- if (SubjectContextLocked == FALSE)
- {
- SeUnlockSubjectContext(SubjectSecurityContext);
+ /* Get the next ACE */
+ CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
}
+#ifdef OLD_ACCESS_CHECK
DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
CurrentAccess, DesiredAccess);
*GrantedAccess = CurrentAccess & DesiredAccess;
- if (DesiredAccess & MAXIMUM_ALLOWED)
- {
- *GrantedAccess = CurrentAccess;
- *AccessStatus = STATUS_SUCCESS;
- return TRUE;
- }
- else if ((*GrantedAccess & ~VALID_INHERIT_FLAGS) ==
- (DesiredAccess & ~VALID_INHERIT_FLAGS))
+ if ((*GrantedAccess & ~VALID_INHERIT_FLAGS) ==
+ (DesiredAccess & ~VALID_INHERIT_FLAGS))
{
*AccessStatus = STATUS_SUCCESS;
return TRUE;
*AccessStatus = STATUS_SUCCESS;
return TRUE;
}
+#else
+ DPRINT("DesiredAccess %08lx\nPreviouslyGrantedAccess %08lx\nRemainingAccess %08lx\n",
+ DesiredAccess, PreviouslyGrantedAccess, RemainingAccess);
+
+ /* Fail if some rights have not been granted */
+ if (RemainingAccess != 0)
+ {
+ *GrantedAccess = 0;
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
+ }
+
+ /* Set granted access rights */
+ *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
+
+ DPRINT("GrantedAccess %08lx\n", *GrantedAccess);
+
+ /* Fail if no rights have been granted */
+ if (*GrantedAccess == 0)
+ {
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
+ }
+
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
+#endif
+}
+
+static PSID
+SepGetSDOwner(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
+{
+ PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
+ PSID Owner;
+
+ if (SecurityDescriptor->Control & SE_SELF_RELATIVE)
+ Owner = (PSID)((ULONG_PTR)SecurityDescriptor->Owner +
+ (ULONG_PTR)SecurityDescriptor);
+ else
+ Owner = (PSID)SecurityDescriptor->Owner;
+
+ return Owner;
+}
+
+static PSID
+SepGetSDGroup(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
+{
+ PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
+ PSID Group;
+
+ if (SecurityDescriptor->Control & SE_SELF_RELATIVE)
+ Group = (PSID)((ULONG_PTR)SecurityDescriptor->Group +
+ (ULONG_PTR)SecurityDescriptor);
+ else
+ Group = (PSID)SecurityDescriptor->Group;
+
+ return Group;
}
+
/* PUBLIC FUNCTIONS ***********************************************************/
/*
* @implemented
*/
-BOOLEAN NTAPI
+BOOLEAN
+NTAPI
SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
IN BOOLEAN SubjectContextLocked,
OUT PACCESS_MASK GrantedAccess,
OUT PNTSTATUS AccessStatus)
{
- /* Call the internal function */
- return SepAccessCheck(SecurityDescriptor,
- SubjectSecurityContext,
- SubjectContextLocked,
- DesiredAccess,
- PreviouslyGrantedAccess,
- Privileges,
- GenericMapping,
- AccessMode,
- GrantedAccess,
- AccessStatus,
- SecurityImpersonation);
+ BOOLEAN ret;
+
+ PAGED_CODE();
+
+ /* Check if this is kernel mode */
+ if (AccessMode == KernelMode)
+ {
+ /* Check if kernel wants everything */
+ if (DesiredAccess & MAXIMUM_ALLOWED)
+ {
+ /* Give it */
+ *GrantedAccess = GenericMapping->GenericAll;
+ *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
+ *GrantedAccess |= PreviouslyGrantedAccess;
+ }
+ else
+ {
+ /* Give the desired and previous access */
+ *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
+ }
+
+ /* Success */
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
+ }
+
+ /* Check if we didn't get an SD */
+ if (!SecurityDescriptor)
+ {
+ /* Automatic failure */
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
+ }
+
+ /* Check for invalid impersonation */
+ if ((SubjectSecurityContext->ClientToken) &&
+ (SubjectSecurityContext->ImpersonationLevel < SecurityImpersonation))
+ {
+ *AccessStatus = STATUS_BAD_IMPERSONATION_LEVEL;
+ return FALSE;
+ }
+
+ /* Acquire the lock if needed */
+ if (!SubjectContextLocked)
+ SeLockSubjectContext(SubjectSecurityContext);
+
+ /* Check if the token is the owner and grant WRITE_DAC and READ_CONTROL rights */
+ if (DesiredAccess & (WRITE_DAC | READ_CONTROL | MAXIMUM_ALLOWED))
+ {
+ PACCESS_TOKEN Token = SubjectSecurityContext->ClientToken ?
+ SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
+
+ if (SepTokenIsOwner(Token,
+ SecurityDescriptor))
+ {
+ if (DesiredAccess & MAXIMUM_ALLOWED)
+ PreviouslyGrantedAccess |= (WRITE_DAC | READ_CONTROL);
+ else
+ PreviouslyGrantedAccess |= (DesiredAccess & (WRITE_DAC | READ_CONTROL));
+
+ DesiredAccess &= ~(WRITE_DAC | READ_CONTROL);
+ }
+ }
+
+ if (DesiredAccess == 0)
+ {
+ *GrantedAccess = PreviouslyGrantedAccess;
+ *AccessStatus = STATUS_SUCCESS;
+ ret = TRUE;
+ }
+ else
+ {
+ /* Call the internal function */
+ ret = SepAccessCheck(SecurityDescriptor,
+ SubjectSecurityContext,
+ DesiredAccess,
+ PreviouslyGrantedAccess,
+ Privileges,
+ GenericMapping,
+ AccessMode,
+ GrantedAccess,
+ AccessStatus);
+ }
+
+ /* Release the lock if needed */
+ if (!SubjectContextLocked)
+ SeUnlockSubjectContext(SubjectSecurityContext);
+
+ return ret;
}
/* SYSTEM CALLS ***************************************************************/
OUT PACCESS_MASK GrantedAccess,
OUT PNTSTATUS AccessStatus)
{
+ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor = NULL;
SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
+ ACCESS_MASK PreviouslyGrantedAccess = 0;
PTOKEN Token;
NTSTATUS Status;
PAGED_CODE();
return STATUS_SUCCESS;
}
+ /* Protect probe in SEH */
+ _SEH2_TRY
+ {
+ /* Probe all pointers */
+ ProbeForRead(GenericMapping, sizeof(GENERIC_MAPPING), sizeof(ULONG));
+ ProbeForRead(PrivilegeSetLength, sizeof(ULONG), sizeof(ULONG));
+ ProbeForWrite(PrivilegeSet, *PrivilegeSetLength, sizeof(ULONG));
+ ProbeForWrite(GrantedAccess, sizeof(ACCESS_MASK), sizeof(ULONG));
+ ProbeForWrite(AccessStatus, sizeof(NTSTATUS), sizeof(ULONG));
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ /* Return the exception code */
+ _SEH2_YIELD(return _SEH2_GetExceptionCode());
+ }
+ _SEH2_END;
+
+ /* Check for unmapped access rights */
+ if (DesiredAccess & (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL))
+ return STATUS_GENERIC_NOT_MAPPED;
+
/* Reference the token */
Status = ObReferenceObjectByHandle(TokenHandle,
TOKEN_QUERY,
NULL);
if (!NT_SUCCESS(Status))
{
- DPRINT1("Failed to reference token (Status %lx)\n", Status);
+ DPRINT("Failed to reference token (Status %lx)\n", Status);
return Status;
}
/* Check token type */
if (Token->TokenType != TokenImpersonation)
{
- DPRINT1("No impersonation token\n");
+ DPRINT("No impersonation token\n");
+ ObDereferenceObject(Token);
+ return STATUS_NO_IMPERSONATION_TOKEN;
+ }
+
+ /* Check the impersonation level */
+ if (Token->ImpersonationLevel < SecurityIdentification)
+ {
+ DPRINT("Impersonation level < SecurityIdentification\n");
ObDereferenceObject(Token);
- return STATUS_ACCESS_DENIED;
+ return STATUS_BAD_IMPERSONATION_LEVEL;
+ }
+
+ /* Capture the security descriptor */
+ Status = SeCaptureSecurityDescriptor(SecurityDescriptor,
+ PreviousMode,
+ PagedPool,
+ FALSE,
+ &CapturedSecurityDescriptor);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT("Failed to capture the Security Descriptor\n");
+ ObDereferenceObject(Token);
+ return Status;
+ }
+
+ /* Check the captured security descriptor */
+ if (CapturedSecurityDescriptor == NULL)
+ {
+ DPRINT("Security Descriptor is NULL\n");
+ ObDereferenceObject(Token);
+ return STATUS_INVALID_SECURITY_DESCR;
+ }
+
+ /* Check security descriptor for valid owner and group */
+ if (SepGetSDOwner(SecurityDescriptor) == NULL || // FIXME: use CapturedSecurityDescriptor
+ SepGetSDGroup(SecurityDescriptor) == NULL) // FIXME: use CapturedSecurityDescriptor
+ {
+ DPRINT("Security Descriptor does not have a valid group or owner\n");
+ SeReleaseSecurityDescriptor(CapturedSecurityDescriptor,
+ PreviousMode,
+ FALSE);
+ ObDereferenceObject(Token);
+ return STATUS_INVALID_SECURITY_DESCR;
}
/* Set up the subject context, and lock it */
SubjectSecurityContext.ProcessAuditId = NULL;
SeLockSubjectContext(&SubjectSecurityContext);
- /* Now perform the access check */
- SepAccessCheck(SecurityDescriptor,
- &SubjectSecurityContext,
- TRUE,
- DesiredAccess,
- 0,
- &PrivilegeSet, //FIXME
- GenericMapping,
- PreviousMode,
- GrantedAccess,
- AccessStatus,
- SecurityIdentification);
-
- /* Unlock subject context and dereference the token */
+ /* Check if the token is the owner and grant WRITE_DAC and READ_CONTROL rights */
+ if (DesiredAccess & (WRITE_DAC | READ_CONTROL | MAXIMUM_ALLOWED))
+ {
+ if (SepTokenIsOwner(Token, SecurityDescriptor)) // FIXME: use CapturedSecurityDescriptor
+ {
+ if (DesiredAccess & MAXIMUM_ALLOWED)
+ PreviouslyGrantedAccess |= (WRITE_DAC | READ_CONTROL);
+ else
+ PreviouslyGrantedAccess |= (DesiredAccess & (WRITE_DAC | READ_CONTROL));
+
+ DesiredAccess &= ~(WRITE_DAC | READ_CONTROL);
+ }
+ }
+
+ if (DesiredAccess == 0)
+ {
+ *GrantedAccess = PreviouslyGrantedAccess;
+ *AccessStatus = STATUS_SUCCESS;
+ }
+ else
+ {
+ /* Now perform the access check */
+ SepAccessCheck(SecurityDescriptor, // FIXME: use CapturedSecurityDescriptor
+ &SubjectSecurityContext,
+ DesiredAccess,
+ PreviouslyGrantedAccess,
+ &PrivilegeSet, //FIXME
+ GenericMapping,
+ PreviousMode,
+ GrantedAccess,
+ AccessStatus);
+ }
+
+ /* Unlock subject context */
SeUnlockSubjectContext(&SubjectSecurityContext);
+
+ /* Release the captured security descriptor */
+ SeReleaseSecurityDescriptor(CapturedSecurityDescriptor,
+ PreviousMode,
+ FALSE);
+
+ /* Dereference the token */
ObDereferenceObject(Token);
/* Check succeeded */
projects / reactos.git / blobdiff